From 0e5e2750b065206ab44fbfe312b103e49b5dbbfa Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Wed, 24 Jan 2024 13:37:39 +0100
Subject: [PATCH] keyprovider: extend docker image and documentation

The keyprovider docker image has been extended to bundle a keyprovider-capable skopeo and include a convenience script that simplifies the creation of encrypted images for usage in CoCo. Documentation has been added to use the image.

Signed-off-by: Magnus Kulke
---
 attestation-agent/coco_keyprovider/README.md | 41 ++++++++
 .../docker/Dockerfile.keyprovider | 98 ++++++++++++++++---
 2 files changed, 128 insertions(+), 11 deletions(-)

diff --git a/attestation-agent/coco_keyprovider/README.md b/attestation-agent/coco_keyprovider/README.md
index e4bfbc9e9..53a4b78a6 100644
--- a/attestation-agent/coco_keyprovider/README.md
+++ b/attestation-agent/coco_keyprovider/README.md
@@ -13,6 +13,47 @@ The following guide will help make an encrypted image using [skopeo](https://git
 ## Encryption
+### Docker
+
+A docker image provides prebuilt CoCo keyprovider and skopeo to simplify image encryption:
+
+```bash
+$ docker run ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh -h
+usage: /encrypt.sh [-k ] [-i ] [-s ] [-d ]
+```
+
+Source and destination have to be provided as [container/image](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) transport URIs.
+
+This example will encrypt an image from docker/library and buffer the resulting encrypted image in a local `./output` folder:
+
+```bash
+head -c 32 /dev/urandom | openssl enc > image_key
+mkdir output
+docker run -v "$PWD/output:/output" ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
+ -k "$(base64 < image_key)" \
+ -i some/key/id \
+ -s docker://nginx:stable \
+ -d dir:/output
+```
+
+The image can then be pushed to a registry using skopeo:
+
+```bash
+skopeo copy dir:output docker://ghcr.io/confidential-containers/nginx-encrypted
+```
+
+Alternatively, an authorization file can be mounted to the container to be able to access private registries directly:
+
+```bash
+docker run -v ~/.docker/config.json:/root/.docker/config.json ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
+ -k "$(base64 < image_key)" \
+ -i some/key/id \
+ -s docker://private.registry.io/nginx:stable \
+ -d docker://private.registry.io/nginx:encrypted
+```
+
+### Detailed instructions
+
 Build and run CoCo keyprovider at localhost on port 50000:
 ```shell
diff --git a/attestation-agent/docker/Dockerfile.keyprovider b/attestation-agent/docker/Dockerfile.keyprovider
index e032458c9..73ca5d4a7 100644
--- a/attestation-agent/docker/Dockerfile.keyprovider
+++ b/attestation-agent/docker/Dockerfile.keyprovider
@@ -1,26 +1,102 @@
 # Copyright (c) 2023 by Alibaba.
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
+FROM rust:1.75-slim-bookworm as builder
-FROM rust:1.67 as builder
+LABEL org.opencontainers.image.source="https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docker/Dockerfile.keyprovider"
-WORKDIR /usr/src/coco-keyprovider
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ git \
+ libssl-dev \
+ pkg-config \
+ protobuf-compiler
+WORKDIR /build
+COPY . .
+RUN cargo build --release -p coco_keyprovider
+RUN mv target/release/coco_keyprovider .
-RUN apt-get update && apt-get install protobuf-compiler -y && \
- rustup component add rustfmt
+FROM golang:1.21.6-bookworm as skopeo
+RUN apt-get update && apt-get install -y \
+ make\
+ libgpgme-dev \
+ libassuan-dev \
+ libbtrfs-dev \
+ libdevmapper-dev \
+ pkg-config
+RUN git clone https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
+WORKDIR $GOPATH/src/github.com/containers/skopeo
+RUN git checkout v1.14.1
+ENV DISABLE_DOCS=1
+RUN make bin/skopeo
+RUN make install
-COPY . .
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ libdevmapper1.02.1 \
+ libgpgme11 \
+ --no-install-recommends
+COPY --from=builder /build/coco_keyprovider /usr/local/bin/coco_keyprovider
+COPY --from=skopeo /usr/local/bin/skopeo /usr/local/bin/skopeo
+COPY <&2; exit 1
+ fi
+ ;;
+ i)
+ key_id=${OPTARG}
+ ;;
+ s)
+ src=${OPTARG}
+ ;;
+ d)
+ dst=${OPTARG}
+ ;;
+ h)
+ echo "$usage"; exit 0
+ ;;
+ *)
+ echo "$usage" 1>&2; exit 1
+ ;;
+ esac
+done
+shift $((OPTIND-1))
-RUN apt-get update && apt install openssl -y && rm -rf /var/lib/apt/lists/*
+if [ -z "${key-}" ] || [ -z "${key_id-}" ] || [ -z "${src-}" ] || [ -z "${dst-}" ]; then
+ echo "$usage" 1>&2; exit 1
+fi
-COPY --from=builder /usr/local/cargo/bin/coco_keyprovider /usr/local/bin/coco_keyprovider
+key_path=/key
+echo "$key" | base64 -d > "$key_path"
-CMD ["coco_keyprovider", "--socket", "0.0.0.0:50000"]
+coco_keyprovider --socket 127.0.0.1:50000 &
+sleep 1
+
+params="provider:attestation-agent:keypath=${key_path}::keyid=kbs:///${key_id}::algorithm=A256GCM"
+skopeo copy --insecure-policy --encryption-key "$params" "$src" "$dst"
+EOF
+RUN chmod +x /encrypt.sh
+CMD ["coco_keyprovider", "--socket", "0.0.0.0:50000"]
 EXPOSE 50000
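Review bot: The plaintext image key that `/encrypt.sh` writes with `echo "$key" | base64 -d > "$key_path"` is created with whatever umask the container runs under and is never removed, so it remains on the container's writable layer after the copy unless the container is deleted; adding `umask 077` before the redirect and `trap 'rm -f "$key_path"' EXIT` right after `key_path=/key` keeps the exposure to the lifetime of the script. The `coco_keyprovider --socket 127.0.0.1:50000 &` followed by `sleep 1` is a fixed-delay race: on a slow host the provider may not be listening yet and `skopeo copy` fails with an unrelated connection error, so polling the socket (or retrying the copy) until it accepts connections would be more robust. `skopeo copy --insecure-policy` turns off signature-policy enforcement for the source image; that is likely deliberate for a convenience tool, but a comment stating so, or an optional policy file passed through skopeo's `--policy` option, would make the trade-off visible to users. The final `debian:bookworm-slim` stage has no `USER`, so both the daemon started by `CMD` and the script run as root although neither needs it, and the `apt-get` layer there does not clean `/var/lib/apt/lists`. The heredoc header and the `k)` case of the embedded script are not legible in this copy of the hunk, so I am assuming it runs under `set -e`/`set -u` (the `${key-}` form suggests `-u`) and that the background daemon is not cleaned up explicitly.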