
Conversation

@bpradipt
Contributor

@bpradipt bpradipt commented Dec 1, 2025

No description provided.

bpradipt and others added 6 commits December 1, 2025 11:45
- Create pkg/cluster package for Kubernetes cluster operations
- GetNodeIPs: Retrieves all node IP addresses from cluster
- Attempts ExternalIP first, falls back to InternalIP
- Deduplicates IPs across multiple nodes
- Uses kubectl with jsonpath for reliable extraction

This enables auto-detection of node IPs for server certificate SANs,
allowing sidecar access via NodePort without manual IP configuration.

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>

- Create pkg/trustee/kbs.go with public upload functions
- UploadResource: Upload single resource to Trustee KBS
- UploadResources: Batch upload multiple resources
- GetKBSPodName: Retrieve KBS pod name from namespace
- WaitForKBSReady: Wait for KBS pod readiness
- Refactor populateSecrets to kbs.go for reusability

These utilities enable programmatic upload of certificates and other
secrets to Trustee KBS during init and apply operations.

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>

- Generate certificates for sidecar mTLS connection
- Default sidecar image is quay.io/confidential-devhub/coco-secure-access:latest
- Exposes a dashboard to query pod attestation status and other metadata
- Allows forwarding of a specific application port
- Single port: Served at root /
- Update documentation

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>

Changes server certificate generation to use DigitalSignature instead of
KeyEncipherment/DataEncipherment for TLS 1.3 compatibility. The sidecar
enforces TLS 1.3 only, which uses Diffie-Hellman key exchange and requires
DigitalSignature for handshake signing, not RSA key encipherment.

This fixes browser access (Chrome, Safari) which strictly validate key usage
for TLS 1.3. Curl was more lenient and worked with the old key usage.

Changes:
- Update GenerateServerCert KeyUsage from KeyEncipherment|DataEncipherment
  to DigitalSignature (pkg/sidecar/certs/generator.go:135)
- Add comprehensive TROUBLESHOOTING.md guide for sidecar browser access issues

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>
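The two points made in the commits above (node IPs as certificate SANs so the sidecar is reachable via NodePort, and DigitalSignature key usage so TLS 1.3 clients accept the server certificate) can be exercised together. The following is an added example, not code from this PR or the coco-secure-access project: it generates a self-signed server certificate with a caller-supplied key usage and IP SAN list, then runs a check that mirrors what strict TLS 1.3 clients require. The function names `GenerateServerCert` and `CheckTLS13ServerCert`, the RSA key size and the sample IPs are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// GenerateServerCert builds a self-signed server certificate (example code, not
// the project's generator). nodeIPs are emitted as IP SANs after deduplication,
// matching the "dedupe IPs across nodes" behaviour described in the commit;
// keyUsage is a parameter so the old and new key-usage variants can be compared.
func GenerateServerCert(commonName string, nodeIPs []string, keyUsage x509.KeyUsage) (*x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // RSA, as implied by the old KeyEncipherment usage
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, 0, len(nodeIPs))
	seen := map[string]bool{}
	for _, s := range nodeIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid node IP %q", s)
		}
		if seen[ip.String()] {
			continue // the same IP reported by several nodes is added once
		}
		seen[ip.String()] = true
		ips = append(ips, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              keyUsage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           ips,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckTLS13ServerCert applies the checks a strict TLS 1.3 client applies to a
// server certificate: the handshake is signed with the server key, so the
// digitalSignature bit must be present (keyEncipherment alone is not enough);
// serverAuth must be in extKeyUsage; and every node IP must be covered by a SAN.
func CheckTLS13ServerCert(cert *x509.Certificate, nodeIPs []string) error {
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("keyUsage lacks digitalSignature; TLS 1.3 signs the handshake with the server key, so strict clients reject this certificate")
	}
	hasServerAuth := false
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		return errors.New("extKeyUsage lacks serverAuth")
	}
	for _, s := range nodeIPs {
		// VerifyHostname matches IP strings against the certificate's IP SANs.
		if err := cert.VerifyHostname(s); err != nil {
			return fmt.Errorf("node IP %s is not covered by a SAN: %w", s, err)
		}
	}
	return nil
}

func main() {
	nodeIPs := []string{"10.0.0.11", "10.0.0.11", "10.0.0.12"} // constructed sample, one duplicate
	oldCert, err := GenerateServerCert("sidecar", nodeIPs, x509.KeyUsageKeyEncipherment|x509.KeyUsageDataEncipherment)
	if err != nil {
		panic(err)
	}
	fmt.Println("old key usage:", CheckTLS13ServerCert(oldCert, nodeIPs))
	newCert, err := GenerateServerCert("sidecar", nodeIPs, x509.KeyUsageDigitalSignature)
	if err != nil {
		panic(err)
	}
	fmt.Println("new key usage:", CheckTLS13ServerCert(newCert, nodeIPs), "SANs:", newCert.IPAddresses)
}
```

Running the check against a certificate issued with the old KeyEncipherment|DataEncipherment usage reports the missing digitalSignature bit, while the DigitalSignature variant passes and carries the two distinct node IPs as SANs. Go's own `crypto/tls` client does not enforce the key-usage bits on a leaf certificate, which is why a curl or Go client can appear to work while browsers refuse the connection; a check like this one catches the mismatch before certificates are rolled out.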

Updates the dashboard HTML with the official Confidential Containers color
scheme and branding to match confidentialcontainers.org.

Changes:
- Add official CoCo icon from CNCF artwork repository
- Use CoCo brand colors: primary blue (#005c94), accent red (#ff4d4d)
- Modern gradient background and improved typography
- Professional header with logo and subtitle
- Enhanced table styling with blue gradient headers
- Styled badges for attestation status (green for attested, yellow for unavailable)
- Footer with link to confidentialcontainers.org
- Better spacing, shadows, and responsive design

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>

- Add nosec comments for safe file reads and kubectl commands
- Add t.Helper() to test helper functions
- Exclude staticcheck and thelper from test files in golangci config

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>
@bpradipt bpradipt merged commit e6d6667 into confidential-devhub:main Dec 1, 2025
3 checks passed
@bpradipt bpradipt deleted the sidecar branch December 1, 2025 12:34