COCOS-397 - Agent certificate generation via CA service (#410)
Line 408 in ebe1196:

| Variable | Description | Default |
| --- | --- | --- |
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" |
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" |
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" |
| AGENT_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" |

make this env configurable through manager
```go
	LogLevel    string `env:"AGENT_LOG_LEVEL" envDefault:"debug"`
	Vmpl        int    `env:"AGENT_VMPL" envDefault:"2"`
	CAUrl       string `env:"AGENT_CVM_CA_URL" envDefault:""`
	CVMEntityId string `env:"AGENT_CVM_ENTITY_ID" envDefault:""`
```

we can simplify to AGENT_CVM_ID
Lines under review (three separate fragments from the agent's certificate code):

```go
Subject: pkix.Name{
var certDERBytes []byte
if caUrl == "" || cvmId == "" {
```
Currently, for the client (cli), we disable TLS verification when aTLS is enabled since the cert is generated by the agent. However, with this change we can allow provision of the CA cert to the cli, and in this case we don't have to skip TLS verification. So enable TLS verification for aTLS when a CA is provided and load the CA cert into the client CA pool.

cocos/pkg/clients/grpc/atls.go, Line 30 in ebe1196
@jovan-djukic Please rebase and address remarks.
| Variable | Description | Default |
| --- | --- | --- |
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" |
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" |
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" |
| AGENT_CVM_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" |

only for atls at the moment
```go
// before
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil)
// after (this PR adds two trailing string arguments, passed here as empty)
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil, "", "")
```

read the values from args, so we can test using this tool as well
Codecov Report

Attention: Patch coverage is

```diff
@@            Coverage Diff             @@
##             main     #410      +/-   ##
==========================================
- Coverage   55.14%   54.17%   -0.97%
==========================================
  Files          60       60
  Lines        5239     5364     +125
==========================================
+ Hits         2889     2906      +17
- Misses       2047     2151     +104
- Partials      303      307       +4
```
…travioletrs#411)

* Add vtpm attestation support to agent service and server
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update mockery version to v2.53.2 and refactor VM factory to include logger
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Send event notification when computation is stopped in agentService
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove redundant assignment of Stderr in qemuVM Start method
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Rename SVM references to CVM in tracing, logging, metrics, and service layers
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.1+incompatible to 28.0.4+incompatible.

- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.0.1...v28.0.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps google.golang.org/protobuf from 1.36.5 to 1.36.6.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ultravioletrs#396)

* Disable SSH service and update user shell in cloud config
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove SSH server and clean up dependencies in cloud config
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add firewall configuration and ensure iptables rules persist after reboot
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add algo_user configuration and setup script for container execution
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
What type of PR is this?
This is a feature because it adds the following functionality: Agent certificate generation via CA service
What does this do?
If the agent is provided with a CA service URL via env variables, it will generate a CSR which will be passed to the CA service for certificate generation.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
No.
Did you document any new/modified feature?
Yes
Notes
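The flow this PR describes (agent builds a CSR, the CA service signs it) together with the aTLS review remark (the cli verifies against a CA pool instead of skipping verification), as an added example that is not cocos code. `Issue`, `AgentCSR`, `SignCSR` and `ClientTLSConfig` are hypothetical helper names, the CA is a constructed self-signed stand-in for the service behind AGENT_CVM_CA_URL, and Ed25519 keys are an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Issue signs a DER cert for pub; a nil parent self-signs (the constructed stand-in CA). Not cocos code.
func Issue(cn string, pub any, ku x509.KeyUsage, parent *x509.Certificate, key ed25519.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
}
// AgentCSR is the agent side when AGENT_CVM_CA_URL is set: a fresh key and a DER CSR naming the CVM.
func AgentCSR(cvmID string) ([]byte, ed25519.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cvmID}}, key)
	return csr, key, err
}
// SignCSR is the CA side: reject a CSR whose self-signature fails (no proof of key possession), else issue a leaf.
func SignCSR(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return Issue(csr.Subject.CommonName, csr.PublicKey, x509.KeyUsageDigitalSignature, ca, caKey)
}
// ClientTLSConfig is the CLI side: with a CA cert the agent is verified against a pool; with none, today's aTLS skip-verify fallback is kept.
func ClientTLSConfig(ca *x509.Certificate) *tls.Config {
	if ca == nil {
		return &tls.Config{InsecureSkipVerify: true}
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool}
}
```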