Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cli/generate: automatic cryptsetup configuration #1223

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

cli/generate: automatic cryptsetup configuration #1223

wants to merge 1 commit into from

Conversation

davidweisse
Copy link
Contributor

This implements RFC 009 and automatically adds the necessary configuration to set up an encrypted mount using the contrast.edgeless.systems/secure-pv annotation, which translates to a configured Initializer on contrast generate.

A successful run for the volumestatefulset test can be found here.

@davidweisse davidweisse added the changelog PRs that should be part of the release notes label Feb 11, 2025
@github-actions GitHub Actions
Copy link

PR Preview Action v1.6.0

🚀 View preview at
https://edgelesssys.github.io/contrast/pr-preview/pr-1223/

Built to branch gh-pages at 2025-02-11 15:16 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

burgerdev
burgerdev reviewed Feb 11, 2025
View reviewed changes
docs/docs/architecture/secrets.md
Functionally the initializer will act as a sidecar container which serves to set up a secure mount inside an `emptyDir` mount shared with the main container.
Applications can set up trusted storage on top of an untrusted block device based on the workload secret using the `contrast.edgeless.systems/secure-pv` annotation.
This annotation enables `contrast generate` to configure the Initializer to set up a LUKS-encrypted volume at the specified device and mount it to a specified volume.
Configure any resource with the following annotation:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Configure any resource with the following annotation:
Configure any pod-generating resource with the following annotation:

... not sure whether this is readable, but it's more specific.

docs/docs/architecture/secrets.md
@@ -49,11 +49,38 @@ If the data owner fully trusts the seed share owner (when they're the same entit
### Secure persistence

Remember that persistent volumes from the cloud provider are untrusted.
Using the built-in `cryptsetup` subcommand of the initializer, applications can set up trusted storage on top of untrusted block devices based on the workload secret.
Functionally the initializer will act as a sidecar container which serves to set up a secure mount inside an `emptyDir` mount shared with the main container.
Applications can set up trusted storage on top of an untrusted block device based on the workload secret using the `contrast.edgeless.systems/secure-pv` annotation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe remove based on the workload secret from here and add a standalone sentence along the lines of

The volume is encrypted using the workload secret introduced in the last section.

docs/docs/architecture/secrets.md
Comment on lines +67 to +79
```yaml
spec: # v1.PodSpec
containers:
- name: my-container
image: "my-image@sha256:..."
volumeMounts:
- mountPath: /secure
mountPropagation: HostToContainer
name: secure
volumes:
- name: secure
emptyDir: {}
```
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this example is confusing:

  1. It declares the emptyDir volume although that should not be necessary.
  2. It does not use the annotation, which might help clarify which names go where.
  3. It does not have a block device volume.

initializer/mount.go
Comment on lines +89 to +90
signalChan := make(chan os.Signal, 1)
signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move signal handling closer to main, use signal.NotifyContext and wait for the context to expire at the end of this function?

internal/kuberesource/mutators.go
}
}
}
return fmt.Errorf("device %s not found", volumeName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return fmt.Errorf("device %s not found", volumeName)
return fmt.Errorf("device %q not found", volumeName)

internal/kuberesource/mutators.go
Comment on lines +217 to +220
if volume.EmptyDir != nil {
return fmt.Errorf("device %s cannot be of type EmptyDir", *volume.Name)
}
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might be able to exclude more invalid configurations here, because there are not many volume types that can be block devices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@burgerdev burgerdev burgerdev left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
changelog PRs that should be part of the release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davidweisse @burgerdev