joinservice: cache certificates for Azure SEV-SNP attestation (#2336)

* add ASK caching in joinservice Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use cached ASK in Azure SEV-SNP attestation Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update test charts Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix typ Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make caching mechanism less provider-specific Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add `omitempty` flag Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * frontload certificate getter Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * rename frontloaded function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * pass cached certificates to constructor Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix race condition Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix marshalling of empty certs Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator usage Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [wip] add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove unused fields in validator Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate precedence Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use separate context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Remove unnecessary comment Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * use background context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Use error format directive Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * `azure` -> `Azure` Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * improve error messages Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add x509 -> PEM util function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use crypto util functions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate replacement logic Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * only require ASK from certcache Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix comment typo Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-07-22 06:50:43 -04:00 · 2023-09-29 14:29:50 +02:00 · 2023-09-29 14:29:50 +02:00 · a5021c52d3
commit a5021c52d3
parent 68d8b29335
39 changed files with 1197 additions and 50 deletions
--- a/joinservice/internal/watcher/validator_test.go
+++ b/joinservice/internal/watcher/validator_test.go
@ -8,6 +8,7 @@ package watcher

 import (
 	"context"
+	"crypto/x509"
 	"encoding/asn1"
 	"encoding/json"
 	"io"
@ -39,13 +40,18 @@ func TestMain(m *testing.M) {

 func TestNewUpdateableValidator(t *testing.T) {
 	testCases := map[string]struct {
-		variant variant.Variant
-		config  config.AttestationCfg
-		wantErr bool
+		variant  variant.Variant
+		config   config.AttestationCfg
+		snpCerts *stubSnpCerts
+		wantErr  bool
 	}{
 		"azure": {
 			variant: variant.AzureSEVSNP{},
 			config:  config.DefaultForAzureSEVSNP(),
+			snpCerts: &stubSnpCerts{
+				ask: &x509.Certificate{},
+				ark: &x509.Certificate{},
+			},
 		},
 		"gcp": {
 			variant: variant.GCPSEVES{},
@ -83,6 +89,7 @@ func TestNewUpdateableValidator(t *testing.T) {
 				logger.NewTest(t),
 				tc.variant,
 				handler,
+				tc.snpCerts,
 			)
 			if tc.wantErr {
 				assert.Error(err)
@ -93,6 +100,15 @@ func TestNewUpdateableValidator(t *testing.T) {
 	}
 }

+type stubSnpCerts struct {
+	ask *x509.Certificate
+	ark *x509.Certificate
+}
+
+func (s *stubSnpCerts) SevSnpCerts() (ask *x509.Certificate, ark *x509.Certificate) {
+	return s.ask, s.ark
+}
+
 func TestUpdate(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)