Merge pull request #417 from spotlesstofu/feature-confidential

Add feature confidential

Author: bpradipt

Dockerfile

@@ -15,7 +15,6 @@ COPY main.go main.go
 COPY api api/
 COPY config config/
 COPY controllers controllers/
-COPY internal internal/
 
 RUN go mod download
 # needed for docker build but not for local builds

bundle-custom.Dockerfile

@@ -1,5 +1,5 @@
 # Use OpenShift golang builder image
-FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.18-openshift-4.11 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.21-openshift-4.16 AS builder
 
 WORKDIR /workspace
 
@@ -10,7 +10,6 @@ COPY go.sum go.sum
 COPY api api/
 COPY config config/
 COPY controllers controllers/
-COPY internal internal/
 
 RUN go mod download
 # needed for docker build but not for local builds

controllers/confidential_handler.go

@@ -0,0 +1,78 @@
+package controllers
+
+import (
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// When the feature is enabled, handleFeatureConfidential sets config maps to confidential values.
+//
+// Changes the ImageConfigMap, so that the image creation job will create a confidential image.
+// This will happen at the first reconciliation loop, before the image creation job starts.
+//
+// Changes the peer pods configMap to enable confidential.
+// This will happen likely after several reconciliation loops, because it has prerequisites:
+//
+//   - Peer pods must be enabled in the KataConfig.
+//   - The peer pods config map must exist.
+//
+// When the feature is disabled, handleFeatureConfidential resets the config maps to non-confidential values.
+func (r *KataConfigOpenShiftReconciler) handleFeatureConfidential(state FeatureGateState) error {
+
+	// ImageConfigMap
+
+	if err := InitializeImageGenerator(r.Client); err != nil {
+		return err
+	}
+	ig := GetImageGenerator()
+
+	if ig.provider == unsupportedCloudProvider {
+		r.Log.Info("unsupported cloud provider, skipping confidential image configuration")
+	} else {
+		if ig.isImageIDSet() {
+			r.Log.Info("Image ID is already set, skipping confidential image configuration")
+		} else {
+			if state == Enabled {
+				// Create ImageConfigMap, if it doesn't exist already.
+				if err := ig.createImageConfigMapFromFile(); err != nil {
+					return err
+				}
+
+				// Patch ImageConfigMap.
+				imageConfigMapData := map[string]string{"CONFIDENTIAL_COMPUTE_ENABLED": "yes"}
+				if err := updateConfigMap(r.Client, r.Log, ig.getImageConfigMapName(), OperatorNamespace, imageConfigMapData); err != nil {
+					return err
+				}
+			} else {
+				// Patch ImageConfigMap.
+				imageConfigMapData := map[string]string{"CONFIDENTIAL_COMPUTE_ENABLED": "no"}
+				if err := updateConfigMap(r.Client, r.Log, ig.getImageConfigMapName(), OperatorNamespace, imageConfigMapData); err != nil {
+					if k8serrors.IsNotFound(err) {
+						// Nothing to do, feature is disabled and configMap doesn't exist.
+					} else {
+						return err
+					}
+				}
+			}
+		}
+	}
+
+	// peer pods config
+
+	// Patch peer pods configMap, if it exists.
+	var peerpodsCMData map[string]string
+	if state == Enabled {
+		peerpodsCMData = map[string]string{"DISABLECVM": "false"}
+	} else {
+		peerpodsCMData = map[string]string{"DISABLECVM": "true"}
+	}
+	if err := updateConfigMap(r.Client, r.Log, peerpodsCMName, OperatorNamespace, peerpodsCMData); err != nil {
+		if k8serrors.IsNotFound(err) {
+			// When feature is Enabled: ConfigMap doesn't exist yet, will try again at the next reconcile run.
+			// Else: Nothing to do, feature is disabled and configMap doesn't exist.
+		} else {
+			return err
+		}
+	}
+
+	return nil
+}

controllers/fg_handler.go

@@ -1,52 +1,100 @@
 package controllers
 
 import (
-	"github.com/openshift/sandboxed-containers-operator/internal/featuregates"
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	FgConfigMapName         = "osc-feature-gates"
+	ConfidentialFeatureGate = "confidential"
 )
 
+var DefaultFeatureGates = map[string]bool{
+	ConfidentialFeatureGate: false,
+}
+
+type FeatureGateStatus struct {
+	FeatureGates map[string]bool
+}
+
 // Create enum to represent the state of the feature gates
+// While today we just have two states, we retain the flexibility in case we want to introduce some additional states.
 type FeatureGateState int
 
 const (
 	Enabled FeatureGateState = iota
 	Disabled
 )
 
+// This method returns a new FeatureGateStatus object
+// that contains the status of the feature gates
+// defined in the ConfigMap in the namespace
+// Return default values if the ConfigMap is not found.
+// Return values from the ConfigMap if the ConfigMap is not found. Use default values for missing entries in the ConfigMap.
+// Return an error for any other reason, such as an API error.
+func (r *KataConfigOpenShiftReconciler) NewFeatureGateStatus() (*FeatureGateStatus, error) {
+	fgStatus := &FeatureGateStatus{
+		FeatureGates: make(map[string]bool),
+	}
+
+	cfgMap := &corev1.ConfigMap{}
+	err := r.Client.Get(context.TODO(), types.NamespacedName{Name: FgConfigMapName,
+		Namespace: OperatorNamespace}, cfgMap)
+	if err == nil {
+		for feature, value := range cfgMap.Data {
+			fgStatus.FeatureGates[feature] = value == "true"
+		}
+	}
+
+	// Add default values for missing feature gates
+	for feature, defaultValue := range DefaultFeatureGates {
+		if _, exists := fgStatus.FeatureGates[feature]; !exists {
+			fgStatus.FeatureGates[feature] = defaultValue
+		}
+	}
+
+	if k8serrors.IsNotFound(err) {
+		return fgStatus, nil
+	} else {
+		return fgStatus, err
+	}
+}
+
+func IsEnabled(fgStatus *FeatureGateStatus, feature string) bool {
+	return fgStatus.FeatureGates[feature]
+}
+
 // Function to handle the feature gates
 func (r *KataConfigOpenShiftReconciler) processFeatureGates() error {
 
-	fgStatus, err := featuregates.NewFeatureGateStatus(r.Client)
+	fgStatus, err := r.NewFeatureGateStatus()
 	if err != nil {
 		r.Log.Info("There were errors in getting feature gate status.", "err", err)
 		return err
 	}
 
 	// Check which feature gates are enabled in the FG ConfigMap and
 	// perform the necessary actions
-	// The feature gates are defined in internal/featuregates/featuregates.go
-	// and are fetched from the ConfigMap in the namespace
-	// Eg. TimeTravelFeatureGate
-
-	if featuregates.IsEnabled(fgStatus, featuregates.TimeTravelFeatureGate) {
-		r.Log.Info("Feature gate is enabled", "featuregate", featuregates.TimeTravelFeatureGate)
-		// Perform the necessary actions
-		r.handleTimeTravelFeature(Enabled)
-	} else {
-		r.Log.Info("Feature gate is disabled", "featuregate", featuregates.TimeTravelFeatureGate)
-		// Perform the necessary actions
-		r.handleTimeTravelFeature(Disabled)
+	if r.kataConfig.Spec.EnablePeerPods {
+		if IsEnabled(fgStatus, ConfidentialFeatureGate) {
+			r.Log.Info("Feature gate is enabled", "featuregate", ConfidentialFeatureGate)
+			// Perform the necessary actions
+			if err := r.handleFeatureConfidential(Enabled); err != nil {
+				return err
+			}
+		} else {
+			r.Log.Info("Feature gate is disabled", "featuregate", ConfidentialFeatureGate)
+			// Perform the necessary actions
+			if err := r.handleFeatureConfidential(Disabled); err != nil {
+				return err
+			}
+		}
 	}
 
 	return err
 
 }
-
-// Function to handle the TimeTravel feature gate
-func (r *KataConfigOpenShiftReconciler) handleTimeTravelFeature(state FeatureGateState) {
-	// Perform the necessary actions for the TimeTravel feature gate
-	if state == Enabled {
-		r.Log.Info("Starting TimeTravel")
-	} else {
-		r.Log.Info("Stopping TimeTravel")
-	}
-}

controllers/image_generator.go

@@ -631,6 +631,10 @@ func checkKeysPresentAndNotEmpty(data interface{}, keys []string) bool {
 	return true
 }
 
+func (r *ImageGenerator) getImageConfigMapName() string {
+	return r.provider + "-podvm-image-cm"
+}
+
 // Function to create ConfigMap from a YAML file based on cloud provider
 // azure-podvm-image-cm.yaml for Azure
 // aws-podvm-image-cm.yaml for AWS
@@ -645,14 +649,14 @@ func (r *ImageGenerator) createImageConfigMapFromFile() error {
 	// If it doesn't exist, create the ConfigMap
 
 	if err := r.client.Get(context.TODO(), types.NamespacedName{
-		Name:      r.provider + "-podvm-image-cm",
+		Name:      r.getImageConfigMapName(),
 		Namespace: OperatorNamespace,
 	}, &corev1.ConfigMap{}); err == nil {
 		igLogger.Info("ConfigMap already exists", "name", r.provider+"-podvm-image-cm")
 		return nil
 	}
 
-	filename := r.provider + "-podvm-image-cm.yaml"
+	filename := r.getImageConfigMapName() + ".yaml"
 	configMapYamlFile := filepath.Join(peerpodsImageJobsPathLocation, filename)
 	yamlData, err := readYamlFile(configMapYamlFile)
 	if err != nil {
@@ -693,7 +697,7 @@ func (r *ImageGenerator) updateImageConfigMap() error {
 	// If it doesn't exist, return an error
 	// If it exists, update the ConfigMap
 
-	cmName := r.provider + "-podvm-image-cm"
+	cmName := r.getImageConfigMapName()
 	cm := &corev1.ConfigMap{}
 	if err := r.client.Get(context.TODO(), types.NamespacedName{
 		Name:      cmName,

controllers/utils.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	yaml "github.com/ghodss/yaml"
+	"github.com/go-logr/logr"
 	configv1 "github.com/openshift/api/config/v1"
 	ccov1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
@@ -192,3 +193,34 @@ func getClusterID(c client.Client) (string, error) {
 	// Return first 8 characters of the cluster id
 	return string(clusterVersion.Spec.ClusterID[:8]), nil
 }
+
+func updateConfigMap(client client.Client, logger logr.Logger, cmName string, namespace string, newData map[string]string) error {
+	// Get current configMap.
+	configMap := &corev1.ConfigMap{}
+	if err := client.Get(context.TODO(), types.NamespacedName{
+		Name:      cmName,
+		Namespace: namespace,
+	}, configMap); err != nil {
+		return err
+	}
+
+	update := false
+
+	// Loop over each new value
+	// Update the value if it's different.
+	// Log the change.
+	for key, newValue := range newData {
+		if configMap.Data[key] != newValue {
+			logger.Info("updateConfigMap", "namespace", namespace, "name", cmName, "key", key, "value", newValue)
+			configMap.Data[key] = newValue
+			update = true
+		}
+	}
+
+	if update {
+		// Update the configMap on Kubernetes.
+		return client.Update(context.TODO(), configMap)
+	} else {
+		return nil
+	}
+}