github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-10-21 23:48:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update Quickstart for v0.8

Browse Source 
Fixes: https://github.com/confidential-containers/enclave-cc/issues/181

- Add the content of deploy KBS cluster and create encrypted image in enclave-cc.md
- Delete verdictd in enclave-cc.md and add cc-kbc and sample-kbc content, and give examples of usage
- Modify the creation of enclave-cc custom resource in quickstart.md

Signed-off-by: Huiting Hou <huiting.hou@linux.alibaba.com>
This commit is contained in:
Huiting Hou
2023-07-25 17:49:42 +08:00
committed by Tobin Feldman-Fitzthum
parent 99a84b7d1e
commit 16099d2328
2 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
guides/enclave-cc.md
View File

@@ -7,12 +7,16 @@ section of the [quickstart guide](../quickstart.md).
## Configuring enclave-cc custom resource to use a different KBC
**Note** Before configuring KBC, please refer to the
[guide](../quickstart.md#deploy-and-configure-tenant-side-coco-key-broker-system-cluster) to deploy KBS cluster.
**Note** The KBC configuration changes to the enclave-cc custom resource yaml
must be made **before** deploying it.
Enclave CC supports Verdictd and in order to use it, users will have to
properly configure a decrypt_config.conf, in order to set the `KBC` (`sample_kbc`
or `eaa_kbc`) `IP`,`PORT`, and the `SECURITY_VALIDATE` (`false` or `true`)
Enclave CC supports cc-kbc and sample-kbc, in order to use them, users will have to
properly configure a `decrypt_config.conf`, in order to set the `KBC` (`cc_kbc`
or `sample_kbc`) `IP`,`PORT`, and the `SECURITY_VALIDATE` (`false` or `true`).
```json
{
"key_provider": "provider:attestation-agent:KBC::IP:PORT",
@@ -20,6 +24,23 @@ or `eaa_kbc`) `IP`,`PORT`, and the `SECURITY_VALIDATE` (`false` or `true`)
}
```
The following is an example of `cc_kbc`:
```json
{
"key_provider": "provider:attestation-agent:cc_kbc::http://127.0.0.1:8080",
"security_validate": true
}
```
The following is an example of `sample_kbc`:
```json
{
"key_provider": "provider:attestation-agent:sample_kbc::127.0.0.1:50000",
"security_validate": false
}
```
Once that's set according to the users needs, the user will then have to run:
`cat decrypt_config.conf | base64 -w 0` in order to get the data encoded and
set it accordingly [here](https://github.com/confidential-containers/operator/blob/6f241fbc056f0a5d9e1bd2c10b2cedc0782b99ff/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml#L124).
@@ -27,7 +48,11 @@ set it accordingly [here](https://github.com/confidential-containers/operator/bl
## Creating a sample CoCo workload using enclave-cc
As an example, we setup a sample *hello world*
workload with an encrypted and cosign signed container image using the `enclave-cc` runtime class for process based TEEs.
workload with an encrypted and cosign signed container image using the `enclave-cc` runtime class for process based TEEs.
This encrypted image is only used for testing.
If you want to use it in your own production use cases, please refer to
the [guide](../quickstart.md#encrypting-an-image) to create a new encrypted image and deploy it.
The deployment below assumes the hardware SGX mode build is installed by the operator. To try on a non-TEE system, please
use simulate SGX mode build.