COCOS - 397 - Agent certificate generation via CA service #410
agent/README.md
Outdated
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" | | ||
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" | | ||
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" | | ||
| AGENT_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" | |
make this env configurable through manager
Line 408 in ebe1196
func tmpEnvironment(id string, req *CreateReq) (string, error) { |
you also need to set this variable from cli here
Line 67 in ebe1196
cmd.Flags().StringVar(&agentLogLevel, logLevel, "", "Agent Log level") |
cmd/agent/main.go
Outdated
LogLevel string `env:"AGENT_LOG_LEVEL" envDefault:"debug"` | ||
Vmpl int `env:"AGENT_VMPL" envDefault:"2"` | ||
CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""` | ||
CVMEntityId string `env:"AGENT_CVM_ENTITY_ID" envDefault:""` |
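Review bot: the tag on CAUrl reads env:"AGENT_CVM_CA_URL" while the README rows above document the variable as AGENT_CA_URL, so the documented name would never be read; keep one name in both places (the later README revision in this thread uses AGENT_CVM_CA_URL), and apply the same care to CVMEntityId when it is renamed to AGENT_CVM_ID.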
we can simplify to AGENT_CVM_ID
Subject: pkix.Name{ | ||
var certDERBytes []byte | ||
|
||
if caUrl == "" || cvmId == "" { |
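Review bot: `if caUrl == "" || cvmId == ""` treats a CA URL set without a CVM id (or the reverse) exactly like neither being set; log which of the two values is missing before taking the fallback path, otherwise an operator who configured the CA ends up with an agent-generated certificate and no indication why.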
Currently for the client (CLI) we disable TLS verification when aTLS is enabled, since the cert is generated by the agent. However, with this change we can allow provisioning of a CA cert to the CLI, and in this case we don't have to skip TLS verification. So enable TLS verification for aTLS when a CA is provided and load the CA cert into the client CA pool.
cocos/pkg/clients/grpc/atls.go
Line 30 in ebe1196
InsecureSkipVerify: true, |
@jovan-djukic Please rebase and address remarks.
agent/README.md
Outdated
| AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" | | ||
| AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" | | ||
| AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" | | ||
| AGENT_CVM_CA_URL | URL for CA service, if provided it will be used for certificate generation | "" | |
only for atls at the moment
test/cvms/main.go
Outdated
} | ||
|
||
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil) | ||
gs := grpcserver.New(ctx, cancel, svcName, grpcServerConfig, registerAgentServiceServer, logger, nil, nil, "", "") |
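Review bot: the two new trailing `""` arguments in the grpcserver.New call are unnamed positional literals, so the call site no longer shows what they configure; pass values read from the tool's args into named variables (or an options struct) instead of literals so the intent is visible here.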
read the values from args, so we can test using this tool as well
Codecov Report
Attention: Patch coverage is
Coverage Diff (main vs #410):
  Coverage   55.14% -> 54.17% (-0.97%)
  Files      60     -> 60
  Lines      5239   -> 5364   (+125)
  Hits       2889   -> 2906   (+17)
  Misses     2047   -> 2151   (+104)
  Partials   303    -> 307    (+4)
…travioletrs#411)
* Add vtpm attestation support to agent service and server
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update mockery version to v2.53.2 and refactor VM factory to include logger
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Send event notification when computation is stopped in agentService
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove redundant assignment of Stderr in qemuVM Start method
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Rename SVM references to CVM in tracing, logging, metrics, and service layers
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
--------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.1+incompatible to 28.0.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.0.1...v28.0.4)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

) Bumps google.golang.org/protobuf from 1.36.5 to 1.36.6.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ultravioletrs#396)
* Disable SSH service and update user shell in cloud config
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove SSH server and clean up dependencies in cloud config
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add firewall configuration and ensure iptables rules persist after reboot
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add algo_user configuration and setup script for container execution
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
--------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
What type of PR is this?
This is a feature because it adds the following functionality: Agent certificate generation via CA service
What does this do?
If the agent is provided with a CA service URL via environment variables, it will generate a CSR, which will be passed to the CA service for certificate generation.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
No.
Did you document any new/modified feature?
Yes
Notes