Add mesh VPN support to the CDH

Cargo.toml

@@ -53,6 +53,7 @@ rstest = "0.17"
 serde = { version = "1.0", features = ["derive"] }
 serde_with = { version = "3.13.0", features = ["base64"] }
 serde_json = "1.0"
+serde_yml = "0.0.11"
 serial_test = "3"
 sha2 = "0.10.9"
 strum = { version = "0.27", features = ["derive"] }

confidential-data-hub/Makefile

@@ -15,6 +15,7 @@ TARGET_DIR := ../target
 BIN_NAME := confidential-data-hub
 
 ONE_SHOT ?= false
+OVERLAY_NETWORK ?= false
 
 SOURCE_ARCH := $(shell uname -m)
 RPC ?= ttrpc
@@ -59,6 +60,10 @@ ifneq ($(KMS_PROVIDER), none)
     features += $(KMS_PROVIDER)
 endif
 
+ifeq ($(OVERLAY_NETWORK), true)
+    features += overlay-network
+endif
+
 ifeq ($(LIBC), musl)
     ifeq ($(ARCH), $(filter $(ARCH), s390x powerpc64le))
         $(error ERROR: Confidential Data Hub does not support building with the musl libc target for s390x and ppc64le architectures!)

confidential-data-hub/example.config.json

@@ -28,5 +28,13 @@
         },
         "extra_root_certificates": "-----BEGIN CERTIFICATE-----\nMIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA\noRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs\nYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl\nczESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3\nNTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD\nVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk\nIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF\nK4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W\nXM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq\n2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC\nBAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC\nAQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE\nAZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB\nCDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5\ncmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk\nd1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B\nAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm\nituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi\ncUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU\nbvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6\n9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH\nd9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO\nNgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt\ncluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf\nonhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg\nxynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN\nbz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS\noLSG2dLCK9mjjraPjau34Q==\n-----END CERTIFICATE-----",
         "work_dir": "/run/image-rs"
+    },
+    "overlay_network": {
+        "enable": "true",
+        "nebula": {
+            "lighthouse_pub_ip": "127.0.0.1",
+            "lighthouse_overlay_ip": "192.168.100.100",
+            "overlay_netmask": "255.255.255.0"
+        }
     }
 }

confidential-data-hub/example.config.toml

@@ -201,3 +201,24 @@ http_proxy = "http://127.0.0.1:5432"
 #
 # By default this value is not set.
 no_proxy = "192.168.0.1,localhost"
+
+# (Optional) Overlay network-related configuration
+# If enabled, overlay_network.nebula (and all its fields) are required
+[overlay_network]
+
+# Set enable to true to enable the overlay network
+enable = "true"
+
+[overlay_network.nebula]
+# The public IP address of the lighthouse (localhost just used as an example
+# here).
+lighthouse_pub_ip = "127.0.0.1"
+
+# The (internal/private) IP address of the lighthouse.
+# This MUST match the IP address (i.e. the internal/overlay/vpn IP address)
+# assigned to the lighthouse.
+lighthouse_overlay_ip = "192.168.100.100"
+
+# The netmask of the overlay network. The provided example is a /24 network,
+# allowing for 256 pods in the network.
+overlay_netmask = "255.255.255.0"

confidential-data-hub/hub/Cargo.toml

@@ -45,6 +45,8 @@ env_logger = { workspace = true, optional = true }
 image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
 kms = { path = "../kms", default-features = false }
 log.workspace = true
+nix = { workspace = true, features = ["net"] }
+overlay_network.path = "../overlay-network"
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 rand.workspace = true
@@ -102,3 +104,6 @@ grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
 
 # for secret_cli
 cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]
+
+# support overlay network
+overlay-network = ["overlay_network/overlay-network"]

confidential-data-hub/hub/protos/api.proto

@@ -56,4 +56,8 @@ service SecureMountService {
 
 service ImagePullService {
     rpc PullImage(ImagePullRequest) returns (ImagePullResponse) {};
-}
+}
+
+service OverlayNetworkService {
+    rpc InitOverlayNetwork(InitOverlayNetworkRequest) returns (InitOverlayNetworkResponse) {};
+}

confidential-data-hub/hub/src/api.rs

@@ -32,4 +32,7 @@ pub trait DataHub {
 
     /// Pull image of image url (reference), and place the merged layers in the `bundle_path/rootfs`
     async fn pull_image(&self, _image_url: &str, _bundle_path: &str) -> Result<String>;
+
+    /// Initialize the overlay network
+    async fn init_overlay_network(&self, pod_name: String) -> Result<()>;
 }