NOISSUE - Update cocos to match certs changes #520
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #520 +/- ##
==========================================
+ Coverage 67.67% 67.81% +0.14%
==========================================
Files 76 76
Lines 6833 6792 -41
==========================================
- Hits 4624 4606 -18
+ Misses 1860 1844 -16
+ Partials 349 342 -7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
SammyOina
requested changes
Sep 15, 2025
pkg/atls/atls.go
Outdated
| certsEndpoint := "certs" | ||
| csrEndpoint := "csrs" | ||
| endpoint := fmt.Sprintf("%s/%s/%s", certsEndpoint, csrEndpoint, cvmId) | ||
| endpoint := fmt.Sprintf("%s/%s/%s/%s", domainId, certsEndpoint, csrEndpoint, cvmId) |
Contributor
There was a problem hiding this comment.
let's import and use sdk directly. Import sdk in main.go if caURL is provided and pass the sdk to internal or where needed. if not provided use the fallback. we don't need to duplicate sdk methods in am-certs
SammyOina
requested changes
Sep 15, 2025
cmd/agent/main.go
Outdated
Comment on lines
157
to
158
| CertsURL: cfg.CAUrl, | ||
| HostURL: cfg.CAUrl, |
Contributor
There was a problem hiding this comment.
this looks like it will result in an error if both are provided, or update certs sdk, since it only needs one url
cmd/agent/main.go
Outdated
| HostURL: cfg.CAUrl, | ||
| } | ||
|
|
||
| crtSDK := certsSDK.NewSDK(ctrsdkconfig) |
Contributor
There was a problem hiding this comment.
only init sdk if url is provided, otherwise agent should use default
cmd/agent/main.go
Outdated
| } | ||
|
|
||
| mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc, cfg.AgentGrpcHost, cfg.CAUrl, cfg.CVMId), storageDir, reconnectFn, cvmGRPCClient) | ||
| mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc, cfg.AgentGrpcHost, crtSDK, cfg.CAUrl, cfg.CVMId, cfg.DomainId), storageDir, reconnectFn, cvmGRPCClient) |
Contributor
There was a problem hiding this comment.
update the function signature now that sdk is being passed remove redundant values
internal/server/grpc/grpc.go
Outdated
| var _ server.Server = (*Server)(nil) | ||
|
|
||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, caUrl string, cvmId string) server.Server { | ||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, casdk sdk.SDK, caUrl, cvmId string, domainId string) server.Server { |
Contributor
There was a problem hiding this comment.
remove values we no longer need
internal/server/grpc/grpc.go
Outdated
| var _ server.Server = (*Server)(nil) | ||
|
|
||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, caUrl string, cvmId string) server.Server { | ||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, casdk sdk.SDK, caUrl, cvmId string, domainId string) server.Server { |
Contributor
There was a problem hiding this comment.
remove values we no longer need
internal/server/grpc/grpc.go
Outdated
| var _ server.Server = (*Server)(nil) | ||
|
|
||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, caUrl string, cvmId string) server.Server { | ||
| func New(ctx context.Context, cancel context.CancelFunc, name string, config server.ServerConfiguration, registerService serviceRegister, logger *slog.Logger, authSvc auth.Authenticator, casdk sdk.SDK, caUrl, cvmId string, domainId string) server.Server { |
Contributor
There was a problem hiding this comment.
remove values we no longer need
internal/server/grpc/grpc.go
Outdated
| tlsConfig := &tls.Config{ | ||
| ClientAuth: tls.NoClientCert, | ||
| GetCertificate: atls.GetCertificate(s.caUrl, s.cvmId), | ||
| GetCertificate: atls.GetCertificate(s.caSDK, s.caUrl, s.cvmId, s.domainId), |
Contributor
There was a problem hiding this comment.
why are you passing caurl and sdk at the same time
pkg/atls/atls.go
Outdated
| url := fmt.Sprintf("%s/%s?%s", caUrl, endpoint, query_string) | ||
|
|
||
| _, body, err := processRequest(http.MethodPost, url, data, nil, http.StatusOK) | ||
| cert, err := caSDK.IssueFromCSR(cvmId, ttlString, string(csr.CSR), domainId, "") |
Contributor
There was a problem hiding this comment.
which value is empty string
Contributor
There was a problem hiding this comment.
also shouldn't this be IssueFromCSRInternal absmach/certs#156 (comment)
SammyOina
requested changes
Sep 16, 2025
pkg/atls/atls.go
Outdated
| url := fmt.Sprintf("%s/%s?%s", caUrl, endpoint, query_string) | ||
|
|
||
| _, body, err := processRequest(http.MethodPost, url, data, nil, http.StatusOK) | ||
| cert, err := caSDK.IssueFromCSRInternal(cvmId, ttlString, string(csr.CSR)) |
Contributor
There was a problem hiding this comment.
there should be a token/secret
Contributor
Author
There was a problem hiding this comment.
This is yet to be added on certs.
test/cvms/main.go
Outdated
Comment on lines
197
to
199
| caSDK := sdk.NewSDK(sdk.Config{ | ||
| CertsURL: caUrl, | ||
| }) |
Contributor
There was a problem hiding this comment.
test cvm server does not use this, only agent, remove
WashingtonKK
changed the title
Contributor
|
@WashingtonKK Please rebase. |
1 similar comment
Contributor
|
@WashingtonKK Please rebase. |
dborovcanin
approved these changes
Sep 23, 2025
SammyOina
requested changes
Sep 25, 2025
Comment on lines
46
to
57
| LogLevel string `env:"AGENT_LOG_LEVEL" envDefault:"debug"` | ||
| Vmpl int `env:"AGENT_VMPL" envDefault:"2"` | ||
| AgentGrpcHost string `env:"AGENT_GRPC_HOST" envDefault:"0.0.0.0"` | ||
| CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""` | ||
| CVMId string `env:"AGENT_CVM_ID" envDefault:""` | ||
| DomainId string `env:"AGENT_DOMAIN_ID" envDefault:""` | ||
| CertsToken string `env:"AGENT_CERTS_TOKEN" envDefault:""` | ||
| AgentMaaURL string `env:"AGENT_MAA_URL" envDefault:"https://sharedeus2.eus2.attest.azure.net"` | ||
| AgentOSBuild string `env:"AGENT_OS_BUILD" envDefault:"UVC"` | ||
| AgentOSDistro string `env:"AGENT_OS_DISTRO" envDefault:"UVC"` | ||
| AgentOSType string `env:"AGENT_OS_TYPE" envDefault:"UVC"` |
Contributor
There was a problem hiding this comment.
update agent service readme, also open a pr in cocos docs
manager/service.go
Outdated
| agentCvmClientKey = "AGENT_CVM_GRPC_CLIENT_KEY" | ||
| agentCvmServerCaCertKey = "AGENT_CVM_GRPC_SERVER_CA_CERTS" | ||
| agentCvmId = "AGENT_CVM_ID" | ||
| agentDomainId = "AGENT_DOMAIN_ID" |
Contributor
There was a problem hiding this comment.
also test to make sure this works from manager since this contant seems to be missing
manager/service.go
Outdated
| agentLogLevelKey: req.AgentLogLevel, | ||
| agentCvmGrpcUrlKey: req.AgentCvmServerUrl, | ||
| agentCvmId: id, | ||
| agentDomainId: req.DomainId, |
Contributor
There was a problem hiding this comment.
same here, test manager with agent
pkg/atls/atls.go
Outdated
Comment on lines
68
to
65
| type CSRRequest struct { | ||
| CSR string `json:"csr,omitempty"` | ||
| } |
Contributor
Author
There was a problem hiding this comment.
We do not have the CSRRequest on certs.
pkg/atls/atls.go
Outdated
| } | ||
|
|
||
| func (c *CAClient) processRequest(method, reqURL string, data []byte, headers map[string]string, expectedRespCodes ...int) (http.Header, []byte, errors.SDKError) { | ||
| func (c *CAClient) processRequest(method, reqURL string, data []byte, headers map[string]string, token string, expectedRespCodes ...int) (http.Header, []byte, errors.SDKError) { |
Contributor
There was a problem hiding this comment.
use sdk as stated in a previous comment we don't need to redifine this here
test/cvms/main.go
Outdated
Comment on lines
44
to
45
| domainId string | ||
| cvmId string |
Contributor
There was a problem hiding this comment.
these are not defined here, since you don't send them to agent and do not use them for anything
test/cvms/main.go
Outdated
Comment on lines
111
to
112
| flagSet.StringVar(&cvmId, "cvm-id", "", "UUID for a CVM, must be specified if aTLS is used") | ||
| flagSet.StringVar(&domainId, "domain-id", "", "Domain ID for the attestation service, must be specified if aTLS is used") |
pkg/atls/atls.go
Outdated
|
|
||
| func (c *CAClient) RequestCertificate(csrMetadata certs.CSRMetadata, privateKey *ecdsa.PrivateKey, cvmID string, ttl time.Duration) ([]byte, error) { | ||
| func (c *CAClient) RequestCertificate(csrMetadata certs.CSRMetadata, privateKey *ecdsa.PrivateKey, cvmID, domainId string, ttl time.Duration) ([]byte, error) { | ||
| csr, sdkerr := certscli.CreateCSR(csrMetadata, privateKey) |
Contributor
There was a problem hiding this comment.
one of the first comments on this pr was to remove cli
Contributor
|
@WashingtonKK Please rebase. |
SammyOina
requested changes
Sep 26, 2025
| | AGENT_CVM_GRPC_SERVER_KEY | Path to gRPC server key in pem format | "" | | ||
| | AGENT_CVM_GRPC_SERVER_CA_CERTS | Path to gRPC server CA certificate | "" | | ||
| | AGENT_CVM_GRPC_CLIENT_CA_CERTS | Path to gRPC client CA certificate | "" | | ||
| | AGENT_CVM_CA_URL | URL for CA service, if provided it will be used for certificate generation, used only with aTLS at the moment | "" | |
Contributor
Author
There was a problem hiding this comment.
DomainId is not used.
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
SammyOina
requested changes
Sep 26, 2025
pkg/atls/atls_test.go
Outdated
| generator, err := NewProvider(nil, attestation.SNPvTPM, caURL, cvmID) | ||
| assert.NoError(t, err) | ||
| assert.NotNil(t, generator) | ||
| // Skip CA-signed test for now as it requires actual SDK implementation |
Contributor
There was a problem hiding this comment.
use mocked sdk, do not skip tests
SammyOina
requested changes
Sep 29, 2025
cmd/agent/main.go
Outdated
| AgentGrpcHost string `env:"AGENT_GRPC_HOST" envDefault:"0.0.0.0"` | ||
| CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""` | ||
| CVMId string `env:"AGENT_CVM_ID" envDefault:""` | ||
| DomainId string `env:"AGENT_DOMAIN_ID" envDefault:""` |
Contributor
There was a problem hiding this comment.
SammyOina
requested changes
Sep 29, 2025
cmd/agent/main.go
Outdated
| AgentGrpcHost string `env:"AGENT_GRPC_HOST" envDefault:"0.0.0.0"` | ||
| CAUrl string `env:"AGENT_CVM_CA_URL" envDefault:""` | ||
| CVMId string `env:"AGENT_CVM_ID" envDefault:""` | ||
| DomainId string `env:"AGENT_DOMAIN_ID" envDefault:""` |
Contributor
There was a problem hiding this comment.
SammyOina
requested changes
Sep 29, 2025
SammyOina
requested changes
Sep 29, 2025
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
SammyOina
requested changes
Sep 29, 2025
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
SammyOina
approved these changes
Sep 30, 2025
SammyOina
approved these changes
Sep 30, 2025
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
SammyOina
approved these changes
Oct 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What does this do?
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Did you document any new/modified feature?
Notes