kbs: Add nebula_ca plugin

The plugin can create a Nebula certificate authority to provide
credentials for CoCo PODs (or VMs) that want to join a Nebula encrypted
overlay network. A credential is provided only for attested CoCo PODs.

The steps below can be used to build and start trustee with support for
the 'nebula-ca' plugin. The first step builds the KBS with the
'nebula-ca' cargo feature enabled. The second step configures the
plugin as explained in the kbs/docs/config.md.

$ docker compose build --build-arg NEBULA_CA=true
$ cat >> kbs/config/docker-compose/kbs-config.toml << EOF
[[plugins]]
name = "nebula-ca"
nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
work_dir = "/opt/confidential-containers/kbs/nebula-ca"
[plugins.self_signed_ca]
name = "Nebula CA for Trustee KBS"
EOF
$ docker compose up

The nebula-ca is a self signed certificate authority. When the plugin is
started, it will create the CA key and certificate based on the
configuration provided in the kbs-config.toml file, unless the
${work_dir}/ca/ca.{key,crt} already exists.

A credential can be requested via GET /kbs/v0/nebula-ca/credential.
Additional parameters can be provided via query string:

    /// Required: name of the cert, usually hostname or podname
    name: String,
    /// Required: IPv4 address and network in CIDR notation to assign the cert
    ip: String,
    /// Optional: how long the cert should be valid for.
    /// The default is 1 second before the signing cert expires.
    /// Valid time units are seconds: "s", minutes: "m", hours: "h".
    duration: Option<String>,
    /// Optional: comma separated list of groups.
    groups: Option<String>,
    /// Optional: comma separated list of ipv4 address and network in CIDR notation.
    /// Subnets this cert can serve for
    subnets: Option<String>,

For example, the GET below provides two required parameters via query
string: name and IP address (CIDR notation). Other examples can be found
in the unit test cases defined in the nebula_ca.rs file.

GET /kbs/v0/nebula-ca/credential?name=podA&ip=10.9.8.2/21

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>

Author: cclaudio

Cargo.lock

@@ -50,6 +50,7 @@ reqwest = { version = "0.12", default-features = false, features = [
 rstest = "0.18.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.132"
+serde_qs = "0.13.0"
 serde_with = { version = "1.11.0", features = ["base64", "hex"] }
 serial_test = "0.9.0"
 sha2 = "0.10"

Cargo.toml

@@ -14,6 +14,7 @@ services:
       - "8080:8080"
     volumes:
       - ./kbs/data/kbs-storage:/opt/confidential-containers/kbs/repository:rw
+      - ./kbs/data/nebula-ca:/opt/confidential-containers/kbs/nebula-ca:rw
       - ./kbs/config/public.pub:/opt/confidential-containers/kbs/user-keys/public.pub
       - ./kbs/config/docker-compose/kbs-config.toml:/etc/kbs-config.toml
     depends_on:

docker-compose.yml

@@ -33,6 +33,9 @@ aliyun = ["kms/aliyun"]
 # Use pkcs11 resource backend to store secrets in an HSM
 pkcs11 = ["cryptoki"]
 
+# Use Nebula CA to provide credentials for nodes (pods) to join a Nebula overlay network
+nebula-ca = []
+
 [dependencies]
 actix-web = { workspace = true, features = ["openssl"] }
 actix-web-httpauth.workspace = true
@@ -59,10 +62,12 @@ regorus.workspace = true
 reqwest = { workspace = true, features = ["json"] }
 rsa = { version = "0.9.2", features = ["sha2"] }
 scc = "2"
+serde_qs.workspace = true
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 strum.workspace = true
+tempfile.workspace = true
 thiserror.workspace = true
 time = { version = "0.3.23", features = ["std"] }
 tokio.workspace = true
@@ -89,7 +94,6 @@ attestation-service = { path = "../attestation-service", default-features = fals
 
 
 [dev-dependencies]
-tempfile.workspace = true
 rstest.workspace = true
 reference-value-provider-service.path = "../rvps"
 

kbs/Cargo.toml

@@ -1,5 +1,6 @@
 AS_TYPE ?= coco-as
 ALIYUN ?= false
+NEBULA_CA ?= false
 
 BUILD_ARCH := $(shell uname -m)
 ARCH ?= $(shell uname -m)
@@ -48,6 +49,10 @@ ifeq ($(ALIYUN), true)
   FEATURES += aliyun
 endif
 
+ifeq ($(NEBULA_CA), true)
+  FEATURES += nebula-ca
+endif
+
 ifndef CLI_FEATURES
   ifdef ATTESTER
     CLI_FEATURES = "sample_only,$(ATTESTER)"

kbs/Makefile

@@ -2,6 +2,8 @@ FROM --platform=$BUILDPLATFORM rust:latest AS builder
 ARG BUILDPLATFORM=linux/amd64
 ARG ARCH=x86_64
 ARG ALIYUN=false
+ARG NEBULA_CA=false
+ARG NEBULA_VERSION=v1.9.5
 
 WORKDIR /usr/src/kbs
 COPY . .
@@ -17,11 +19,18 @@ RUN if [ $(uname -m) != ${ARCH} ]; then \
     apt-get install -y libssl-dev:${OS_ARCH}; fi
 
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} ARCH=${ARCH} && \
+RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} ARCH=${ARCH} NEBULA_CA=${NEBULA_CA} && \
     make ARCH=${ARCH} install-kbs
 
+# Download and install Nebula
+RUN if [ "${NEBULA_CA}" = "true" ]; then \
+       curl -fSLO https://github.com/slackhq/nebula/releases/download/${NEBULA_VERSION}/nebula-$(echo ${BUILDPLATFORM} | sed 's/\//-/').tar.gz && \
+       tar -C /usr/local/bin -xzf nebula-$(echo "${BUILDPLATFORM}" | sed 's/\//-/').tar.gz; \
+    fi
+
 FROM ubuntu:22.04
 
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs"
 
 COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/nebula-cert* /usr/local/bin/nebula-cert

kbs/docker/coco-as-grpc/Dockerfile

@@ -250,6 +250,35 @@ This is also called "Repository" in old versions. The properties to be configure
 | `password`        | String | AAP client key password           | Yes      | `8f9989c18d27...`                                   |
 | `cert_pem`        | String | CA cert for the KMS instance      | Yes      | `-----BEGIN CERTIFICATE----- ...`                   |
 
+#### Nebula CA Configuration
+
+The `name` field is `nebula-ca` to enable this plugin.
+
+The plugin can generate credentials for CoCo PODs (or VMs) that want to
+join a Nebula encrypted overlay network. The properties below can be
+used to configure the plugin.
+
+| Property               | Type   | Description                       | Required | Example                                             |
+|------------------------|--------|-----------------------------------|----------|-----------------------------------------------------|
+| `nebula_cert_bin_path` | String | nebula-cert binary path | Yes | `/usr/local/bin/nebula-cert` |
+| `work_dir`             | String | This plugin work directory, it requires `rw` permission | Yes | `/opt/confidential-containers/kbs/nebula-ca` |
+
+The following properties can be set under the `[self_signed_ca]` plugin section to configure the Nebula Certificate Authority.
+The Nebula CA will be re-created only if `${work_dir}/ca/ca.{key,crt}` are not found.
+
+| Property            | Type    | Description                       | Required | Default | Example                                   |
+|---------------------|---------|-----------------------------------|----------|-----------------------------------------------------|
+| `name`              | String  | Name of the certificate authority | Yes      |         | `Nebula Ca for Trustee KBS` |
+| `argon_iterations`  | Integer | Argon2 iterations parameter used for encrypted private key passphrase | No  | 1 | |
+| `argon_memory`      | Integer | Argon2 memory parameter (in KiB) used for encrypted private key passphrase  | No | 2097152 | |
+| `argon_parallelism` | Integer | Argon2 parallelism parameter used for encrypted private key passphrase | No | 4 | |
+| `curve`             | String  | EdDSA/ECDSA Curve (25519, P256) | No | `25519` | |
+| `duration`          | String  | Amount of time the certificate should be valid for. Valid time units are: <hours>"h"<minutes>"m"<seconds>"s" | No | `8760h0m0s` | |
+| `groups`            | String  | Comma separated list of groups. This will limit which groups subordinate certs can use | No | | `server,ssh` |
+| `ips`               | String  | Comma separated list of ipv4 address and network in CIDR notation. This will limit which ipv4 addresses and networks subordinate certs can use for ip addresses | No | | `192.168.100.10/24,192.168.100.15/24` |
+| `out_qr`            | String  | Path to write a QR code image (png) of the certificate | No | | `/opt/confidential-containers/kbs/nebula_ca/ca_qr.crt`|
+| `subnets`           | String  | Comma separated list of ipv4 address and network in CIDR notation. This will limit which ipv4 addresses and networks subordinate certs can use in subnets | No | | `192.168.86.0/24` |
+
 ## Configuration Examples
 
 Using a built-in CoCo AS:
@@ -283,6 +312,13 @@ policy_engine = "opa"
 name = "resource"
 type = "LocalFs"
 dir_path = "/opt/confidential-containers/kbs/repository"
+
+[[plugins]]
+name = "nebula-ca"
+nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
+work_dir = "/opt/confidential-containers/kbs/nebula-ca"
+    [plugins.settings]
+    name = "Nebula CA for Trustee KBS"
 ```
 
 Using a remote CoCo AS:
@@ -302,6 +338,13 @@ as_addr = "http://127.0.0.1:50004"
 name = "resource"
 type = "LocalFs"
 dir_path = "/opt/confidential-containers/kbs/repository"
+
+[[plugins]]
+name = "nebula-ca"
+nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
+work_dir = "/opt/confidential-containers/kbs/nebula-ca"
+    [plugins.settings]
+    name = "Nebula CA for Trustee KBS"
 ```
 
 Running with Intel Trust Authority attestation service:

kbs/docs/config.md

@@ -2,8 +2,12 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+#[cfg(feature = "nebula-ca")]
+pub mod nebula_ca;
 pub mod resource;
 pub mod sample;
 
+#[cfg(feature = "nebula-ca")]
+pub use nebula_ca::{NebulaCa, NebulaCaConfig};
 pub use resource::{RepositoryConfig, ResourceStorage};
 pub use sample::{Sample, SampleConfig};