From 127b9a4fcaf9c991c27c732ef1e566c84a318a82 Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Wed, 1 Dec 2021 18:26:33 +0100
Subject: [PATCH] Add documentation on a demo SSH image
There is now a public container image for the SSH demo with publicised keys. Add the respective references.
Signed-off-by: Jakob Naucke
---
 demos/ssh-demo/README.md | 26 +++++++++++++++++-----
 demos/ssh-demo/aa-offline_fs_kbc-keys.json | 3 +++
 demos/ssh-demo/ccv0-ssh | 7 ++++++
 demos/ssh-demo/cri-container-config.yaml | 4 ++++
 demos/ssh-demo/k8s-cc-ssh.yaml | 2 +-
 5 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 demos/ssh-demo/aa-offline_fs_kbc-keys.json
 create mode 100644 demos/ssh-demo/ccv0-ssh
 create mode 100644 demos/ssh-demo/cri-container-config.yaml
diff --git a/demos/ssh-demo/README.md b/demos/ssh-demo/README.md
index 8ecb84f..683e639 100644
--- a/demos/ssh-demo/README.md
+++ b/demos/ssh-demo/README.md
@@ -7,6 +7,21 @@ It cannot be established by unauthorized parties, such as someone who controls t
 The container image contains the SSH host key that can be used for impersonating the host we will connect to. Because this container image is encrypted, and the key to decrypting this image is only provided in measurable ways (e.g. attestation or encrypted initrd), and because the pod/guest memory is protected, even someone who controls the node cannot steal this key.
+## Using a pre-provided container image
+
+If you would rather build the image with your own keys, skip to [Building the container image](#building-the-container-image).
+
+A demo image is provided at [docker.io/katadocker/ccv0-ssh](https://hub.docker.com/r/katadocker/ccv0-ssh).
+It is encrypted with [Attestation Agent](https://github.com/confidential-containers/attestation-agent)'s [offline file system key broker](https://github.com/confidential-containers/attestation-agent/tree/64c12fbecfe90ba974d5fe4896bf997308df298d/src/kbc_modules/offline_fs_kbc) and [`aa-offline_fs_kbc-keys.json`](./aa-offline_fs_kbc-keys.json) as its key file.
+The private key for establishing an SSH connection to this container is given in [`ccv0-ssh`](./ccv0-ssh).
+To use it with SSH, its permissions should be adjusted: `chmod 600 ccv0-ssh`.
+The host key fingerprint is `SHA256:wK7uOpqpYQczcgV00fGCh+X97sJL3f6G1Ku4rvlwtR0`.
+
+All keys shown here are for demonstration purposes.
+To achieve actually confidential containers, use a hardware trusted execution environment and **do not** reuse these keys.
+
+Continue at [Connecting to the guest](#connecting-to-the-guest).
+
 ## Building the container image
 The image built should be encrypted.
@@ -22,7 +37,7 @@ generates an SSH key `ccv0-ssh` and the correspondent public key `ccv0-ssh.pub`.
 ### Building the image
-The provided `Dockerfile` expects `ccv0-sh.pub` to exist.
+The provided [`Dockerfile`](./Dockerfile) expects `ccv0-sh.pub` to exist.
 Using Docker, you can build with
 ```sh
@@ -34,8 +49,9 @@ The SSH host key fingerprint is displayed during the build.
 ## Connecting to the guest
-Running the image depends on your exact confidential containers setup.
-A Kubernetes YAML file specifying the [Kata Containers](https://github.com/kata-containers/kata-containers) runtime is included, but the image is still a placeholder at this time.
+A [Kubernetes YAML file](./k8s-cc-ssh.yaml) specifying the [Kata Containers](https://github.com/kata-containers/kata-containers) runtime is included.
+If you use a [self-built image](#building-the-container-image), you should replace the image specification with the image you built.
+The default tag points to an `amd64` image, an `s390x` tag is also available.
 With common CNI setups, on the same host, with the service running, you can connect via SSH with
 ```sh
@@ -43,6 +59,6 @@ $ ssh -i ccv0-ssh root@$(kubectl get service ccv0-ssh -o jsonpath="{.spec.cluste
 ```
 You will be prompted about whether the host key fingerprint is correct.
-This fingerprint should match the one displayed in the Docker build.
+This fingerprint should match the one specified above/displayed in the Docker build.
-A `crictl`-compatible sandbox configuration is also included, which forwards the pod SSH port (22) to 2222 on the host (use the `-p` flag in SSH).
+`crictl`-compatible [sandbox](./cri-sandbox-config.yaml) and [container](./cri-container-config.yaml) configurations are also included, which forward the pod SSH port (22) to 2222 on the host (use the `-p` flag in SSH).
diff --git a/demos/ssh-demo/aa-offline_fs_kbc-keys.json b/demos/ssh-demo/aa-offline_fs_kbc-keys.json
new file mode 100644
index 0000000..b853ffd
--- /dev/null
+++ b/demos/ssh-demo/aa-offline_fs_kbc-keys.json
@@ -0,0 +1,3 @@
+{
+ "key_id": "HUlOu8NWz8si11OZUzUJMnjiq/iZyHBJZMSD3BaqgMc="
+}
diff --git a/demos/ssh-demo/ccv0-ssh b/demos/ssh-demo/ccv0-ssh
new file mode 100644
index 0000000..0657b74
--- /dev/null
+++ b/demos/ssh-demo/ccv0-ssh
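Review bot: The key material added in `aa-offline_fs_kbc-keys.json` carries no demo-only marking of its own, and the same holds for the SSH private key in the next file of this patch, `demos/ssh-demo/ccv0-ssh`; the only warning is the "All keys shown here are for demonstration purposes" paragraph in README.md. Neither JSON nor an OpenSSH key file can hold a comment, so anyone who copies the files without the README loses that warning, and secret-scanning tools will report both without context. Consider making the status visible in the path itself, for example by placing both files under a subdirectory such as `demo-keys/` and updating the README links to match.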
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQwAAAIhawtHJWsLR
+yQAAAAtzc2gtZWQyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQw
+AAAEAwWYIBvBxQZgk0irFku3Lj1Xbfb8dHtVM/kkz/Uz/l2h+IZXZfij7oCCNUFpj9lHZS
+9mnzh1VgXluk1kYwvKVDAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/demos/ssh-demo/cri-container-config.yaml b/demos/ssh-demo/cri-container-config.yaml
new file mode 100644
index 0000000..b692af2
--- /dev/null
+++ b/demos/ssh-demo/cri-container-config.yaml
@@ -0,0 +1,4 @@
+metadata:
+ name: ccv0-ssh
+image:
+ image: docker.io/katadocker/ccv0-ssh
diff --git a/demos/ssh-demo/k8s-cc-ssh.yaml b/demos/ssh-demo/k8s-cc-ssh.yaml
index dae7a54..c11c224 100644
--- a/demos/ssh-demo/k8s-cc-ssh.yaml
+++ b/demos/ssh-demo/k8s-cc-ssh.yaml
@@ -24,5 +24,5 @@ spec:
 runtimeClassName: kata
 containers:
 - name: ccv0-ssh
- image: ${to_be_filled}
+ image: docker.io/katadocker/ccv0-ssh
 imagePullPolicy: Always
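Review bot: The image reference `docker.io/katadocker/ccv0-ssh` carries no tag or digest, both in `cri-container-config.yaml` and in the `demos/ssh-demo/k8s-cc-ssh.yaml` hunk, where it is combined with `imagePullPolicy: Always`, so every pull takes whatever the registry serves at that moment. The README in this patch publishes one host key fingerprint and one key file, which can only describe one specific build. If the repository content changes, the documented fingerprint stops matching and users have to decide on their own whether to accept an unknown host key. Pinning by digest keeps the manifests and the documentation in step, e.g. `image: docker.io/katadocker/ccv0-ssh@sha256:<digest-of-published-demo-build>`, presumably with one digest per architecture since the README mentions a separate `s390x` tag.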
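Review bot: Nothing at the new `image:` line in `k8s-cc-ssh.yaml` says that the default image is the public demo one, whose login key is committed in `demos/ssh-demo/ccv0-ssh` and used with `root@` in the README's connect command. With the placeholder gone, the manifest can be applied unchanged, so the warning should sit in the manifest as well as in the README. A comment directly above the line would do, e.g. `# Demo image: its SSH login key and image decryption key are public in this directory; use on a test cluster only and do not expose the service.` The Pod spec begins outside this hunk, so how the service is exposed cannot be judged from here.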