Add feature "confidential"

spotlesstofu · spotlesstofu · commit 8a92c657a108 · 2024-06-21T10:01:56.000+01:00
Remove dummy feature "timeTravel".

Add two functions:
  - handleFeatureConfidential
  - updateConfigMap (in utils.go)

When the feature is enabled, handleFeatureConfidential sets config maps to confidential values.

Changes the ImageConfigMap, so that the image creation job will create a confidential image.
This will happen at the first reconciliation loop, before the image creation job starts.

Changes the peer pods configMap to enable confidential.
This will happen likely after several reconciliation loops, because it has prerequisites:

  - Peer pods must be enabled in the KataConfig.
  - The peer pods config map must exist.

When the feature is disabled, handleFeatureConfidential resets the config maps to non-confidential values.

Signed-off-by: Camilla Conte &lt;cconte@redhat.com&gt;
diff --git a/controllers/confidential_handler.go b/controllers/confidential_handler.go
@@ -0,0 +1,78 @@
+package controllers
+
+import (
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// When the feature is enabled, handleFeatureConfidential sets config maps to confidential values.
+//
+// Changes the ImageConfigMap, so that the image creation job will create a confidential image.
+// This will happen at the first reconciliation loop, before the image creation job starts.
+//
+// Changes the peer pods configMap to enable confidential.
+// This will happen likely after several reconciliation loops, because it has prerequisites:
+//
+//   - Peer pods must be enabled in the KataConfig.
+//   - The peer pods config map must exist.
+//
+// When the feature is disabled, handleFeatureConfidential resets the config maps to non-confidential values.
+func (r *KataConfigOpenShiftReconciler) handleFeatureConfidential(state FeatureGateState) error {
+
+	// ImageConfigMap
+
+	if err := InitializeImageGenerator(r.Client); err != nil {
+		return err
+	}
+	ig := GetImageGenerator()
+
+	if ig.provider == unsupportedCloudProvider {
+		r.Log.Info("unsupported cloud provider, skipping confidential image configuration")
+	} else {
+		if ig.isImageIDSet() {
+			r.Log.Info("Image ID is already set, skipping confidential image configuration")
+		} else {
+			if state == Enabled {
+				// Create ImageConfigMap, if it doesn't exist already.
+				if err := ig.createImageConfigMapFromFile(); err != nil {
+					return err
+				}
+
+				// Patch ImageConfigMap.
+				imageConfigMapData := map[string]string{"CONFIDENTIAL_COMPUTE_ENABLED": "yes"}
+				if err := updateConfigMap(r.Client, r.Log, ig.getImageConfigMapName(), OperatorNamespace, imageConfigMapData); err != nil {
+					return err
+				}
+			} else {
+				// Patch ImageConfigMap.
+				imageConfigMapData := map[string]string{"CONFIDENTIAL_COMPUTE_ENABLED": "no"}
+				if err := updateConfigMap(r.Client, r.Log, ig.getImageConfigMapName(), OperatorNamespace, imageConfigMapData); err != nil {
+					if k8serrors.IsNotFound(err) {
+						// Nothing to do, feature is disabled and configMap doesn't exist.
+					} else {
+						return err
+					}
+				}
+			}
+		}
+	}
+
+	// peer pods config
+
+	// Patch peer pods configMap, if it exists.
+	var peerpodsCMData map[string]string
+	if state == Enabled {
+		peerpodsCMData = map[string]string{"DISABLECVM": "false"}
+	} else {
+		peerpodsCMData = map[string]string{"DISABLECVM": "true"}
+	}
+	if err := updateConfigMap(r.Client, r.Log, peerpodsCMName, OperatorNamespace, peerpodsCMData); err != nil {
+		if k8serrors.IsNotFound(err) {
+			// When feature is Enabled: ConfigMap doesn't exist yet, will try again at the next reconcile run.
+			// Else: Nothing to do, feature is disabled and configMap doesn't exist.
+		} else {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/controllers/fg_handler.go b/controllers/fg_handler.go
@@ -9,19 +9,20 @@ import (
 )
 
 const (
-	TimeTravelFeatureGate = "timeTravel"
-	FgConfigMapName       = "osc-feature-gates"
+	FgConfigMapName         = "osc-feature-gates"
+	ConfidentialFeatureGate = "confidential"
 )
 
 var DefaultFeatureGates = map[string]bool{
-	"timeTravel": false,
+	ConfidentialFeatureGate: false,
 }
 
 type FeatureGateStatus struct {
 	FeatureGates map[string]bool
 }
 
 // Create enum to represent the state of the feature gates
+// While today we just have two states, we retain the flexibility in case we want to introduce some additional states.
 type FeatureGateState int
 
 const (
@@ -78,27 +79,22 @@ func (r *KataConfigOpenShiftReconciler) processFeatureGates() error {
 
 	// Check which feature gates are enabled in the FG ConfigMap and
 	// perform the necessary actions
-
-	if IsEnabled(fgStatus, TimeTravelFeatureGate) {
-		r.Log.Info("Feature gate is enabled", "featuregate", TimeTravelFeatureGate)
-		// Perform the necessary actions
-		r.handleTimeTravelFeature(Enabled)
-	} else {
-		r.Log.Info("Feature gate is disabled", "featuregate", TimeTravelFeatureGate)
-		// Perform the necessary actions
-		r.handleTimeTravelFeature(Disabled)
+	if r.kataConfig.Spec.EnablePeerPods {
+		if IsEnabled(fgStatus, ConfidentialFeatureGate) {
+			r.Log.Info("Feature gate is enabled", "featuregate", ConfidentialFeatureGate)
+			// Perform the necessary actions
+			if err := r.handleFeatureConfidential(Enabled); err != nil {
+				return err
+			}
+		} else {
+			r.Log.Info("Feature gate is disabled", "featuregate", ConfidentialFeatureGate)
+			// Perform the necessary actions
+			if err := r.handleFeatureConfidential(Disabled); err != nil {
+				return err
+			}
+		}
 	}
 
 	return err
 
 }
-
-// Function to handle the TimeTravel feature gate
-func (r *KataConfigOpenShiftReconciler) handleTimeTravelFeature(state FeatureGateState) {
-	// Perform the necessary actions for the TimeTravel feature gate
-	if state == Enabled {
-		r.Log.Info("Starting TimeTravel")
-	} else {
-		r.Log.Info("Stopping TimeTravel")
-	}
-}
diff --git a/controllers/utils.go b/controllers/utils.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	yaml "github.com/ghodss/yaml"
+	"github.com/go-logr/logr"
 	configv1 "github.com/openshift/api/config/v1"
 	ccov1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
@@ -192,3 +193,34 @@ func getClusterID(c client.Client) (string, error) {
 	// Return first 8 characters of the cluster id
 	return string(clusterVersion.Spec.ClusterID[:8]), nil
 }
+
+func updateConfigMap(client client.Client, logger logr.Logger, cmName string, namespace string, newData map[string]string) error {
+	// Get current configMap.
+	configMap := &corev1.ConfigMap{}
+	if err := client.Get(context.TODO(), types.NamespacedName{
+		Name:      cmName,
+		Namespace: namespace,
+	}, configMap); err != nil {
+		return err
+	}
+
+	update := false
+
+	// Loop over each new value
+	// Update the value if it's different.
+	// Log the change.
+	for key, newValue := range newData {
+		if configMap.Data[key] != newValue {
+			logger.Info("updateConfigMap", "namespace", namespace, "name", cmName, "key", key, "value", newValue)
+			configMap.Data[key] = newValue
+			update = true
+		}
+	}
+
+	if update {
+		// Update the configMap on Kubernetes.
+		return client.Update(context.TODO(), configMap)
+	} else {
+		return nil
+	}
+}
