Fetch platform certificates by calling libvirt API

This reverts fetching of the certs from the node labeller. If fetched directly in virt-launcher context that will automatically handle certificates rotation since the API call will return the most recent state. Signed-off-by: Vasiliy Ulyanov <[email protected]>
KarstenB · Jun 23, 2023 · a32b3f0 · a32b3f0
1 parent 38424c8
commit a32b3f0
Show file tree

Hide file tree

Showing 8 changed files with 2 additions and 84 deletions.
diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
@@ -392,8 +392,6 @@ func (app *virtHandlerApp) Run() {
 		recorder,
 		vmiSourceInformer,
 		app.VirtShareDir,
-		nodeLabellerController.SEV.PDH,
-		nodeLabellerController.SEV.CertChain,
 	)
 
 	promdomain.SetupDomainStatsCollector(app.virtCli, app.VirtShareDir, app.HostOverride, app.MaxRequestsInFlight, vmiSourceInformer)

diff --git a/cmd/virt-launcher/node-labeller/node-labeller.sh b/cmd/virt-launcher/node-labeller/node-labeller.sh
@@ -36,10 +36,6 @@ virtqemud -d
 
 virsh domcapabilities --machine $MACHINE --arch $ARCH --virttype $VIRTTYPE > /var/lib/kubevirt-node-labeller/virsh_domcapabilities.xml
 
-if grep "sev supported='yes'" /var/lib/kubevirt-node-labeller/virsh_domcapabilities.xml; then
-    virsh nodesevinfo > /var/lib/kubevirt-node-labeller/nodesevinfo
-fi
-
 cp -r /usr/share/libvirt/cpu_map /var/lib/kubevirt-node-labeller
 
 # hypervisor-cpu-baseline command only works on x86

diff --git a/pkg/virt-handler/node-labeller/cpu_plugin.go b/pkg/virt-handler/node-labeller/cpu_plugin.go
@@ -20,7 +20,6 @@
 package nodelabeller
 
 import (
-	"bufio"
 	"encoding/xml"
 	"fmt"
 	"os"
@@ -210,15 +209,6 @@ func (n *NodeLabeller) getDomCapabilities() (HostDomCapabilities, error) {
 		hostDomCapabilities.SEV.SupportedES = "no"
 	}
 
-	if err == nil && hostDomCapabilities.SEV.Supported == "yes" {
-		if pdh, certChain, err := n.parseNodeSEVInfo(n.nodeSEVInfoFileName); err != nil {
-			return HostDomCapabilities{}, err
-		} else {
-			hostDomCapabilities.SEV.PDH = pdh
-			hostDomCapabilities.SEV.CertChain = certChain
-		}
-	}
-
 	return hostDomCapabilities, err
 }
 
@@ -259,42 +249,3 @@ func (n *NodeLabeller) getStructureFromXMLFile(path string, structure interface{
 
 	return xml.Unmarshal(rawFile, structure)
 }
-
-func (n *NodeLabeller) parseNodeSEVInfo(fileName string) (pdh string, certChain string, err error) {
-	file, err := os.Open(filepath.Join(n.volumePath, fileName))
-	if err != nil {
-		return "", "", err
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if len(line) == 0 {
-			continue
-		}
-		fields := strings.Split(line, ":")
-		if len(fields) != 2 {
-			return "", "", fmt.Errorf("failed to parse '%s'", line)
-		}
-		switch strings.TrimSpace(fields[0]) {
-		case "pdh":
-			pdh = strings.TrimSpace(fields[1])
-		case "cert-chain":
-			certChain = strings.TrimSpace(fields[1])
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return "", "", err
-	}
-
-	if pdh == "" {
-		return "", "", fmt.Errorf("pdh not found")
-	}
-
-	if certChain == "" {
-		return "", "", fmt.Errorf("cert-chain not found")
-	}
-
-	return pdh, certChain, nil
-}
diff --git a/pkg/virt-handler/node-labeller/cpu_plugin_test.go b/pkg/virt-handler/node-labeller/cpu_plugin_test.go
@@ -73,7 +73,6 @@ var _ = BeforeSuite(func() {
 		logger:                  log.DefaultLogger(),
 		volumePath:              "testdata",
 		domCapabilitiesFileName: "virsh_domcapabilities.xml",
-		nodeSEVInfoFileName:     "nodesevinfo",
 		hostCPUModel:            hostCPUModel{requiredFeatures: make(map[string]bool, 0)},
 	}
 })
@@ -187,8 +186,6 @@ var _ = Describe("Node-labeller config", func() {
 					Expect(nlController.SEV.CBitPos).To(Equal(uint(47)))
 					Expect(nlController.SEV.ReducedPhysBits).To(Equal(uint(1)))
 					Expect(nlController.SEV.MaxGuests).To(Equal(uint(15)))
-					Expect(nlController.SEV.PDH).To(Equal("AAABBBCCC"))
-					Expect(nlController.SEV.CertChain).To(Equal("DDDEEEFFF"))
 
 					if withES {
 						Expect(nlController.SEV.SupportedES).To(Equal("yes"))
@@ -204,8 +201,6 @@ var _ = Describe("Node-labeller config", func() {
 					Expect(nlController.SEV.MaxGuests).To(BeZero())
 					Expect(nlController.SEV.SupportedES).To(Equal("no"))
 					Expect(nlController.SEV.MaxESGuests).To(BeZero())
-					Expect(nlController.SEV.PDH).To(Equal(""))
-					Expect(nlController.SEV.CertChain).To(Equal(""))
 				}
 			},
 			Entry("when only SEV is supported", true, false),

diff --git a/pkg/virt-handler/node-labeller/model.go b/pkg/virt-handler/node-labeller/model.go
@@ -97,8 +97,6 @@ type SEVConfiguration struct {
 	MaxGuests       uint   `xml:"maxGuests"`
 	MaxESGuests     uint   `xml:"maxESGuests"`
 	SupportedES     string `xml:"-"`
-	PDH             string
-	CertChain       string
 }
 
 type KSMConfiguration struct {

diff --git a/pkg/virt-handler/node-labeller/node_labeller.go b/pkg/virt-handler/node-labeller/node_labeller.go
@@ -87,7 +87,6 @@ type NodeLabeller struct {
 	cpuModelVendor          string
 	volumePath              string
 	domCapabilitiesFileName string
-	nodeSEVInfoFileName     string
 	capabilities            *api.Capabilities
 	hostCPUModel            hostCPUModel
 	SEV                     SEVConfiguration
@@ -109,7 +108,6 @@ func newNodeLabeller(clusterConfig *virtconfig.ClusterConfig, clientset kubecli.
 		queue:                   workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "virt-handler-node-labeller"),
 		volumePath:              volumePath,
 		domCapabilitiesFileName: "virsh_domcapabilities.xml",
-		nodeSEVInfoFileName:     "nodesevinfo",
 		hostCPUModel:            hostCPUModel{requiredFeatures: make(map[string]bool, 0)},
 		KSM:                     KSMConfiguration{SysfsFilePath: ksmSysFsFilePath},
 	}

diff --git a/pkg/virt-handler/node-labeller/testdata/nodesevinfo b/pkg/virt-handler/node-labeller/testdata/nodesevinfo
diff --git a/pkg/virt-handler/rest/lifecycle.go b/pkg/virt-handler/rest/lifecycle.go
@@ -46,17 +46,13 @@ type LifecycleHandler struct {
 	recorder     record.EventRecorder
 	vmiInformer  cache.SharedIndexInformer
 	virtShareDir string
-	pdh          string
-	certChain    string
 }
 
-func NewLifecycleHandler(recorder record.EventRecorder, vmiInformer cache.SharedIndexInformer, virtShareDir, pdh, certChain string) *LifecycleHandler {
+func NewLifecycleHandler(recorder record.EventRecorder, vmiInformer cache.SharedIndexInformer, virtShareDir string) *LifecycleHandler {
 	return &LifecycleHandler{
 		recorder:     recorder,
 		vmiInformer:  vmiInformer,
 		virtShareDir: virtShareDir,
-		pdh:          pdh,
-		certChain:    certChain,
 	}
 }
 
@@ -247,7 +243,7 @@ func (lh *LifecycleHandler) getVMILauncherClient(request *restful.Request, respo
 }
 
 func (lh *LifecycleHandler) SEVFetchCertChainHandler(request *restful.Request, response *restful.Response) {
-	/*vmi, client, err := lh.getVMILauncherClient(request, response)
+	vmi, client, err := lh.getVMILauncherClient(request, response)
 	if err != nil {
 		return
 	}
@@ -259,13 +255,6 @@ func (lh *LifecycleHandler) SEVFetchCertChainHandler(request *restful.Request, r
 		log.Log.Object(vmi).Reason(err).Error("Failed to get SEV platform info")
 		response.WriteError(http.StatusInternalServerError, err)
 		return
-	}*/
-
-	log.Log.Infof("Retrieving SEV platform info")
-
-	sevPlatformInfo := v1.SEVPlatformInfo{
-		PDH:       lh.pdh,
-		CertChain: lh.certChain,
 	}
 
 	response.WriteEntity(sevPlatformInfo)