aa/cdh: make agent-config path configurable by env

relates-to: confidential-containers/cloud-api-adaptor#1637 Since peerpods will template the agent-config.toml with aa_kbc_params and /etc might be on a read-only volume, we need to make this path configurable. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
confidential-containers · Jan 11, 2024 · f20d4b5 · f20d4b5
1 parent 7ddecc7
commit f20d4b5
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 23 deletions.
diff --git a/attestation-agent/lib/src/token.rs b/attestation-agent/lib/src/token.rs
@@ -3,10 +3,13 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, Context, Result};
 use kbs_protocol::{evidence_provider::NativeEvidenceProvider, KbsClientBuilder};
+use log::debug;
 use serde::{Deserialize, Serialize};
+use std::env;
 use std::path::Path;
+use std::sync::OnceLock;
 use tokio::fs;
 
 const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json";
@@ -17,6 +20,8 @@ struct Message {
     tee_keypair: String,
 }
 
+static KATA_AGENT_CONFIG_PATH: OnceLock<String> = OnceLock::new();
+
 pub(crate) async fn get_kbs_token() -> Result<Vec<u8>> {
     let evidence_provider = Box::new(NativeEvidenceProvider::new()?);
 
@@ -73,15 +78,20 @@ pub(crate) async fn get_kbc_params_from_config_file() -> Result<String> {
         aa_kbc_params: Option<String>,
     }
 
-    // Hard-code agent config path to "/etc/agent-config.toml" as a workaround
-    let agent_config_str = fs::read_to_string("/etc/agent-config.toml")
+    // check env for KATA_AGENT_CONFIG_PATH, fall back to default path
+    let path: &String = KATA_AGENT_CONFIG_PATH.get_or_init(|| {
+        env::var("KATA_AGENT_CONFIG_PATH").unwrap_or_else(|_| "/etc/agent-config.toml".into())
+    });
+
+    debug!("reading agent config from {}", path);
+    let agent_config_str = fs::read_to_string(path)
         .await
-        .map_err(|e| anyhow!("Failed to read /etc/agent-config.toml file: {e}"))?;
+        .context(format!("Failed to read {path}"))?;
 
-    let agent_config: AgentConfig = toml::from_str(&agent_config_str)
-        .map_err(|e| anyhow!("Failed to deserialize /etc/agent-config.toml: {e}"))?;
+    let agent_config: AgentConfig =
+        toml::from_str(&agent_config_str).context(format!("Failed to deserialize {path}"))?;
 
-    agent_config.aa_kbc_params.ok_or(anyhow!(
-        "no `aa_kbc_params` found in /etc/agent-config.toml!",
-    ))
+    agent_config
+        .aa_kbc_params
+        .ok_or(anyhow!("no `aa_kbc_params` found in {path}!"))
 }
diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs
@@ -17,16 +17,20 @@ use std::sync::Arc;
 
 use async_trait::async_trait;
 use lazy_static::lazy_static;
+use log::debug;
 pub use resource_uri::ResourceUri;
 use serde::Deserialize;
-use std::fs;
 use std::path::Path;
+use std::sync::OnceLock;
+use std::{env, fs};
 use tokio::sync::Mutex;
 
 use crate::{Annotations, Error, Getter, Result};
 
 const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json";
 
+static KATA_AGENT_CONFIG_PATH: OnceLock<String> = OnceLock::new();
+
 enum RealClient {
     #[cfg(feature = "kbs")]
     Cc(cc_kbc::CcKbc),
@@ -145,25 +149,30 @@ async fn get_aa_params_from_config_file() -> Result<(String, String)> {
         aa_kbc_params: Option<String>,
     }
 
-    // Hard-code agent config path to "/etc/agent-config.toml" as a workaround
-    let agent_config_str = fs::read_to_string("/etc/agent-config.toml").map_err(|e| {
-        Error::KbsClientError(format!("Failed to read /etc/agent-config.toml file: {e}"))
-    })?;
+    // check env for KATA_AGENT_CONFIG_PATH, fall back to default path
+    let path: &String = KATA_AGENT_CONFIG_PATH.get_or_init(|| {
+        env::var("KATA_AGENT_CONFIG_PATH").unwrap_or_else(|_| "/etc/agent-config.toml".into())
+    });
+
+    debug!("reading agent config from {}", path);
+    let agent_config_str = fs::read_to_string(path)
+        .map_err(|e| Error::KbsClientError(format!("Failed to read {path} file: {e}")))?;
 
-    let agent_config: AgentConfig = toml::from_str(&agent_config_str).map_err(|e| {
-        Error::KbsClientError(format!("Failed to deserialize /etc/agent-config.toml: {e}"))
-    })?;
+    let agent_config: AgentConfig = toml::from_str(&agent_config_str)
+        .map_err(|e| Error::KbsClientError(format!("Failed to deserialize {path}: {e}")))?;
 
-    let aa_kbc_params = agent_config.aa_kbc_params.ok_or(Error::KbsClientError(
-        "no `aa_kbc_params` found in /etc/agent-config.toml".into(),
-    ))?;
+    let aa_kbc_params = agent_config
+        .aa_kbc_params
+        .ok_or(Error::KbsClientError(format!(
+            "no `aa_kbc_params` found in {path}"
+        )))?;
 
     let aa_kbc_params_vec = aa_kbc_params.split("::").collect::<Vec<&str>>();
 
     if aa_kbc_params_vec.len() != 2 {
-        return Err(Error::KbsClientError(
-            "Illegal `aa_kbc_params` format provided in /etc/agent-config.toml.".to_string(),
-        ));
+        return Err(Error::KbsClientError(format!(
+            "Illegal `aa_kbc_params` format provided in {path}."
+        )));
     }
 
     Ok((