[launcher] add flag to disable GCA refresh

The new flag allow user to disable the default initial and hourly
GCA attestation token refresh.

Delete an obsolete flag (tee-gpu-driver-version) in a test.

Author: jkl73

launcher/container_runner.go

@@ -621,8 +621,9 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
 		return fmt.Errorf("failed to measure CEL events: %v", err)
 	}
 
-	// Only refresh token if agent has a default GCA client (not ITA use case).
-	if r.launchSpec.ITAConfig.ITARegion == "" {
+	// Only refresh token if agent has a default GCA client (not ITA use case)
+	// AND GcaRefresh is not disabled
+	if r.launchSpec.ITAConfig.ITARegion == "" && !r.launchSpec.DisableGcaRefresh {
 		if err := r.fetchAndWriteToken(ctx); err != nil {
 			return fmt.Errorf("failed to fetch and write OIDC token: %v", err)
 		}

launcher/spec/launch_spec.go

@@ -94,6 +94,7 @@ const (
 	cgroupNS                   = "tee-cgroup-ns"
 	gcaServiceEnv              = "gca-service-env"
 	installGpuDriver           = "tee-install-gpu-driver"
+	disableGcaRefreshKey       = "tee-disable-gca-refresh"
 )
 
 const (
@@ -135,11 +136,11 @@ type LaunchSpec struct {
 	LogRedirect                LogRedirectLocation
 	Mounts                     []launchermount.Mount
 	ITAConfig                  verifier.ITAConfig
-	// DevShmSize is specified in kiB.
-	DevShmSize        int64
-	AddedCapabilities []string
-	CgroupNamespace   bool
-	InstallGpuDriver  bool
+	DevShmSize                 int64 // DevShmSize is specified in kiB.
+	AddedCapabilities          []string
+	CgroupNamespace            bool
+	InstallGpuDriver           bool
+	DisableGcaRefresh          bool
 }
 
 // UnmarshalJSON unmarshals an instance attributes list in JSON format from the metadata
@@ -306,6 +307,13 @@ func (s *LaunchSpec) UnmarshalJSON(b []byte) error {
 		}
 	}
 
+	if val, ok := unmarshaledMap[disableGcaRefreshKey]; ok && val != "" {
+		var err error
+		if s.DisableGcaRefresh, err = strconv.ParseBool(val); err != nil {
+			return fmt.Errorf("invalid value for %v (not a boolean): %w", disableGcaRefreshKey, err)
+		}
+	}
+
 	return nil
 }
 

launcher/spec/launch_spec_test.go

@@ -30,8 +30,9 @@ func TestLaunchSpecUnmarshalJSONHappyCases(t *testing.T) {
 		Experiments: experiments.Experiments{
 			EnableItaVerifier: true,
 		},
-		GcaAddress:       "https://confidentialcomputing.googleapis.com",
-		InstallGpuDriver: true,
+		GcaAddress:        "https://confidentialcomputing.googleapis.com",
+		InstallGpuDriver:  true,
+		DisableGcaRefresh: false,
 	}
 
 	var testCases = []struct {
@@ -79,8 +80,7 @@ func TestLaunchSpecUnmarshalJSONHappyCases(t *testing.T) {
 				"tee-mount":"type=tmpfs,source=tmpfs,destination=/tmpmount;type=tmpfs,source=tmpfs,destination=/sized,size=222",
 				"ita-region":"US",
 				"ita-api-key":"test-api-key",
-				"tee-install-gpu-driver":"true",
-				"tee-gpu-driver-version":"590.48.01"
+				"tee-install-gpu-driver":"true"
 			}`,
 			modifyWant: func(ls LaunchSpec) LaunchSpec {
 				ls.GcaAddress = ""
@@ -105,8 +105,7 @@ func TestLaunchSpecUnmarshalJSONHappyCases(t *testing.T) {
 				"ita-region":"US",
 				"ita-api-key":"test-api-key",
 				"gca-service-env":"prod",
-				"tee-install-gpu-driver":"true",
-				"tee-gpu-driver-version":"590.48.01"
+				"tee-install-gpu-driver":"true"
 			}`,
 			modifyWant: func(ls LaunchSpec) LaunchSpec {
 				return ls
@@ -130,14 +129,37 @@ func TestLaunchSpecUnmarshalJSONHappyCases(t *testing.T) {
 				"ita-region":"US",
 				"ita-api-key":"test-api-key",
 				"gca-service-env":"staging",
-				"tee-install-gpu-driver":"true",
-				"tee-gpu-driver-version":"590.48.01"
+				"tee-install-gpu-driver":"true"
 			}`,
 			modifyWant: func(ls LaunchSpec) LaunchSpec {
 				ls.GcaAddress = "https://staging-confidentialcomputing.sandbox.googleapis.com"
 				return ls
 			},
 		},
+		{
+			testName: "DisableGcaRefreshSetToTrue",
+			mdsJSON: `{
+				"tee-cmd":"[\"--foo\",\"--bar\",\"--baz\"]",
+				"tee-env-foo":"bar",
+				"tee-image-reference":"docker.io/library/hello-world:latest",
+				"tee-signed-image-repos":"docker.io/library/hello-world,gcr.io/cloudrun/hello",
+				"tee-restart-policy":"Always",
+				"tee-impersonate-service-accounts":"sv1@developer.gserviceaccount.com,sv2@developer.gserviceaccount.com",
+				"tee-container-log-redirect":"true",
+				"tee-monitoring-memory-enable":"true",
+				"tee-dev-shm-size-kb":"234234",
+				"tee-mount":"type=tmpfs,source=tmpfs,destination=/tmpmount;type=tmpfs,source=tmpfs,destination=/sized,size=222",
+				"ita-region":"US",
+				"ita-api-key":"test-api-key",
+				"tee-install-gpu-driver":"true",
+				"tee-disable-gca-refresh":"true"
+			}`,
+			modifyWant: func(ls LaunchSpec) LaunchSpec {
+				ls.GcaAddress = ""
+				ls.DisableGcaRefresh = true
+				return ls
+			},
+		},
 	}
 
 	for _, testcase := range testCases {
@@ -239,6 +261,13 @@ func TestLaunchSpecUnmarshalJSONBadInput(t *testing.T) {
 				"gca-service-env":""
 			}`,
 		},
+		{
+			"EmptyStringAsDisableGcaRefresh",
+			`{
+				"tee-image-reference":"docker.io/library/hello-world:latest",
+				"tee-disable-gca-refresh":"badvalue"
+			}`,
+		},
 	}
 
 	for _, testcase := range testCases {
@@ -274,6 +303,7 @@ func TestLaunchSpecUnmarshalJSONWithDefaultValue(t *testing.T) {
 		MonitoringEnabled: None,
 		GcaAddress:        "",
 		InstallGpuDriver:  false,
+		DisableGcaRefresh: false,
 	}
 
 	if !cmp.Equal(spec, want) {