kbs/resource: Add splitapi plugin

This plugin (based on the Nebula plugin interface) delivers credentials (keys
and certificates) to a sandbox (i.e., confidential PODs or VMs), specifically
to the kata agent to initiate the SplitAPI proxy server so that a workload
owner can communicate with the proxy server using a secure tunnel.

The proxy server's credentials can be requested using the kbs-client:

kbs-client --url http://127.0.0.1:8080 \
           get-resource \
           --path 'plugin/splitapi/credential?ip=60.11.12.13&name=pod6&id=32348'

The IPv4 address, name, and the ID of the sandbox must be provided in the query
string to obtain the credential resources from the kbs.

After receiving the credential request, the splitapi plugin will create a key
pair for the server and client and sign them using the self-signed CA. The
generated ca.crt, server.crt, and server.key are stored in a directory specific
to the sandbox (the caller) and returned to the caller. In addition, ca.key,
client.key, and client.crt are also generated and stored to that particular
directory specific to the sandbox (i.e., caller)

During the credential generation, a directory manager creates a unique
directory specific to the sandbox (i.e., the caller). The manager creates the
unique directory using the sandbox parameters passed in the query string.
A mapping file is also maintained to store the mapping between the sandbox
name and the unique directory created for the sandbox.

The splitapi plugin itself is not initialized by default. To initialize it,
you need to add 'splitapi' to 'manager_plugin_config.enabled_plugins' in
the kbs-config.toml.

Depends on: confidential-containers#451

Signed-off-by: Salman Ahmed <sahmed@ibm.com>

Author: salmanyam

kbs/Cargo.toml

@@ -42,6 +42,7 @@ rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
 # Use openssl crypto stack for KBS
 openssl = ["actix-web/openssl", "dep:openssl"]
 nebula-plugin = []
+splitapi-plugin = []
 
 # Use aliyun KMS as KBS backend
 aliyun = ["kms/aliyun"]

kbs/config/kbs-config.toml

@@ -10,7 +10,7 @@ dir_path = "/opt/confidential-containers/kbs/storage"
 
 [plugin_manager_config]
 work_dir = "/opt/confidential-containers/kbs/plugin"
-enabled_plugins = []
+enabled_plugins = ["splitapi"]
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"

kbs/src/config.rs

@@ -26,7 +26,7 @@ use std::path::{Path, PathBuf};
 
 const DEFAULT_INSECURE_API: bool = false;
 const DEFAULT_INSECURE_HTTP: bool = false;
-const DEFAULT_SOCKET: &str = "127.0.0.1:8080";
+const DEFAULT_SOCKET: &str = "10.100.200.11:8068";
 const DEFAULT_TIMEOUT: i64 = 5;
 
 /// Contains all configurable KBS properties.

kbs/src/resource/plugin/mod.rs

@@ -5,6 +5,9 @@
 #[cfg(feature = "nebula-plugin")]
 mod nebula;
 
+#[cfg(feature = "splitapi-plugin")]
+mod splitapi;
+
 use anyhow::{anyhow, bail, Context, Result};
 use serde::Deserialize;
 use std::fs;
@@ -15,6 +18,9 @@ use tokio::sync::RwLock;
 #[cfg(feature = "nebula-plugin")]
 use crate::resource::plugin::nebula::NebulaPluginConfig;
 
+#[cfg(feature = "splitapi-plugin")]
+use crate::resource::plugin::splitapi::SplitapiPluginConfig;
+
 trait PluginBuild {
     fn get_plugin_name(&self) -> &str;
     fn create_plugin(&self, work_dir: &str) -> Result<Arc<RwLock<dyn Plugin + Send + Sync>>>;
@@ -35,6 +41,9 @@ impl PluginManagerConfig {
         #[cfg(feature = "nebula-plugin")]
         p.push(Box::new(NebulaPluginConfig::default()));
 
+        #[cfg(feature = "splitapi-plugin")]
+        p.push(Box::new(SplitapiPluginConfig::default()));
+
         p
     }