COCOS - 397 - Agent certificate generation via CA service#410

Merged
dborovcanin merged 50 commits into
ultravioletrs:mainfrom
jovan-djukic:issue-397
Apr 2, 2025
Conversation

@jovan-djukic

Contributor

What type of PR is this?

This is a feature because it adds the following functionality: Agent certificate generation via CA service

What does this do?

If the agent is provided with a CA service URL via env variables, it will generate a CSR, which will be passed to the CA service for certificate generation.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

No.

Did you document any new/modified feature?

Yes

Notes
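
The agent-side flow described above (CSR built locally, sent to the CA service only when both the CA URL and the CVM ID are set, and the check a CA service should run on it before signing), as an added Go example that is not code from this PR or the cocos repository; the function names, the P-256 key type and the CN-equals-CVM-ID subject are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
)

// useCAService mirrors the PR's fallback condition: the CSR only goes to the
// CA service when both the CA URL and the CVM ID are configured.
func useCAService(caURL, cvmID string) bool {
	return caURL != "" && cvmID != ""
}

// buildCSR generates a fresh P-256 key (assumed key type) and a PEM CSR whose CN
// is the CVM ID. The private key stays on the agent; only the CSR is sent out.
func buildCSR(cvmID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cvmID}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// verifyCSR is the CA-side check before signing: the CSR must parse, its
// proof-of-possession signature must hold, and the subject must be the CVM ID.
func verifyCSR(csrPEM []byte, wantCVMID string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // requester holds the key
		return err
	}
	if csr.Subject.CommonName != wantCVMID {
		return errors.New("csr subject does not match the expected CVM ID")
	}
	return nil
}

func main() { _, csr, _ := buildCSR("cvm-1"); if err := verifyCSR(csr, "cvm-1"); err != nil { panic(err) } }
```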

Comment thread agent/README.md Outdated
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" |
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" |
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" |
| AGENT_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" |
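Review bot: the variable is documented here as AGENT_CA_URL, but the struct tag in cmd/agent/main.go reads `AGENT_CVM_CA_URL`; align the README row with the tag. The description should also state what the default "" means in practice (the CA service is only used when the URL is provided, so leaving it unset keeps the agent on its locally generated certificate), so an unset value is recognised as a configuration choice rather than assumed to be an error.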

Make this env configurable through the manager.

func tmpEnvironment(id string, req *CreateReq) (string, error) {

@SammyOina SammyOina left a comment

You also need to set this variable from the CLI here.

cmd.Flags().StringVar(&agentLogLevel, logLevel, "", "Agent Log level")
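Review bot: the new CA URL and CVM ID settings are only reachable through the env tags in cmd/agent/main.go; add matching `cmd.Flags().StringVar(...)` flags next to this log-level flag so the manager can pass them through the CLI in the same way as the other agent settings.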

Comment thread cmd/agent/main.go Outdated
LogLevel string `env:"AGENT_LOG_LEVEL" envDefault:"debug"`
Vmpl int `env:"AGENT_VMPL" envDefault:"2"`
CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""`
CVMEntityId string `env:"AGENT_CVM_ENTITY_ID" envDefault:""`
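Review bot: the field names mix initialism styles (`CAUrl`, `CVMEntityId`); Go convention would make these `CAURL` and `CVMEntityID` (or `CVMID`, matching the `AGENT_CVM_ID` rename suggested above). Since an empty `envDefault` on either field switches the CA path off, a short comment on these two fields saying so would save the next reader a trip to the fallback condition.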

We can simplify this to AGENT_CVM_ID.

Subject: pkix.Name{
var certDERBytes []byte

if caUrl == "" || cvmId == "" {
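Review bot: `if caUrl == "" || cvmId == ""` treats a half-configured agent (CA URL set but CVM ID empty, or the reverse) exactly like an unconfigured one and silently takes the other branch; log which certificate path was chosen, and consider returning a configuration error when exactly one of the two values is set, so a typo in the CVM ID does not quietly downgrade the agent to a locally generated certificate.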

Currently, for the client (CLI) we disable TLS verification when aTLS is enabled, since the cert is generated by the agent. However, with this change we can allow provision of a CA cert to the CLI, and in this case we don't have to skip TLS verification. So enable TLS verification for aTLS when a CA is provided and load the CA cert into the client CA pool.

InsecureSkipVerify: true,
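Review bot: `InsecureSkipVerify: true` disables chain and hostname verification unconditionally, which is broader than the aTLS case needs once a CA certificate can be supplied to the CLI; set it only when no CA cert is configured, and otherwise load the CA PEM into `RootCAs` so that an agent certificate issued by the CA service is actually checked against it.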

@dborovcanin

@jovan-djukic Please rebase and address remarks.

Comment thread agent/README.md Outdated
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" |
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" |
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" |
| AGENT_CVM_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" |
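Review bot: the row describes the variable as used "for certificate generation" in general, while the thread below states it only applies to aTLS at the moment; say so in the description so operators do not expect the CA-issued certificate to cover the plain gRPC TLS listener configured by the rows above.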

Only for aTLS at the moment.

Comment thread test/cvms/main.go Outdated
}

gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil)
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil, "", "")
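Review bot: the two new trailing parameters are passed as literal `""`, `""`, which means this test tool only ever exercises the self-signed path; read them from flags like the rest of the server configuration so the CA-service path can be tested here too, and consider carrying them in `grpcServerConfig` rather than adding two untyped positional strings to `grpcserver.New`, where an argument swap would not be caught by the compiler.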

Read the values from args, so we can test using this tool as well.

@codecov

codecov Bot commented Mar 28, 2025

Codecov Report

Attention: Patch coverage is 29.72973% with 104 lines in your changes missing coverage. Please review.

Project coverage is 54.17%. Comparing base (ebe1196) to head (ed5ffe6).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/server/grpc/grpc.go | 25.45% | 81 Missing and 1 partial ⚠️ |
| pkg/clients/grpc/atls.go | 46.66% | 12 Missing and 4 partials ⚠️ |
| agent/cvms/server/cvm.go | 0.00% | 4 Missing ⚠️ |
| cli/manager.go | 0.00% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #410      +/-   ##
==========================================
- Coverage   55.14%   54.17%   -0.97%     
==========================================
  Files          60       60              
  Lines        5239     5364     +125     
==========================================
+ Hits         2889     2906      +17     
- Misses       2047     2151     +104     
- Partials      303      307       +4     

SammyOina and others added 21 commits April 1, 2025 21:59
…travioletrs#411)

* Add vtpm attestation support to agent service and server

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Update mockery version to v2.53.2 and refactor VM factory to include logger

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Send event notification when computation is stopped in agentService

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Remove redundant assignment of Stderr in qemuVM Start method

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Rename SVM references to CVM in tracing, logging, metrics, and service layers

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.1+incompatible to 28.0.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.0.1...v28.0.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps google.golang.org/protobuf from 1.36.5 to 1.36.6.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ultravioletrs#396)

* Disable SSH service and update user shell in cloud config

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Remove SSH server and clean up dependencies in cloud config

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Add firewall configuration and ensure iptables rules persist after reboot

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Add algo_user configuration and setup script for container execution

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>