Quickstart: change quay to ghcr

Avoid issues with quay support for encrypted images.
For now ghcr image is hosted via my gh.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Tobin Feldman-Fitzthum
2023-01-17 12:59:59 -05:00
committed by Fabiano Fidêncio
parent 63f79170a7
commit 920e5fd3f9

@@ -424,7 +424,7 @@ The `simple-kbs` is a prototype implementation under development and is not inte
For the SEV encrypted image use case, it is required to host the key used to encrypt the container image from the `simple-kbs`.
The CoCo project has created a sample encrypted container image ([encrypted-image-tests](quay.io/kata-containers/encrypted-image-tests:encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running.
The CoCo project has created a sample encrypted container image ([encrypted-image-tests](ghcr.io/fitzthum/encrypted-image-tests:encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running.
The image encryption key and key for SSH access have been attached to the CoCo sample encrypted container image as docker labels. This image is meant for TEST purposes only as these keys are published publicly. In a production use case, these keys would be generated by the workload administrator and kept secret. For further details, see the section how to [Create an Encrypted Image](#create-an-encrypted-image).
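Review bot: the new link target in the `encrypted-image-tests` sentence, `ghcr.io/fitzthum/encrypted-image-tests:encrypted`, sits in a personal namespace while the sentence still says the CoCo project created the image, so the doc does not tell readers who controls the image they are about to run. Suggest saying in the text that the image is temporarily hosted under a personal account (the commit message says so, the doc does not) and tracking a move to a project-owned namespace. The link target also has no scheme, so a Markdown renderer will resolve it as a relative path; the old quay link had the same problem, but it is worth fixing while the line is being touched.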
@@ -518,7 +518,7 @@ spec:
runtimeClassName: kata-qemu-sev
containers:
- name: encrypted-image-tests
image: quay.io/kata-containers/encrypted-image-tests:encrypted
image: ghcr.io/fitzthum/encrypted-image-tests:encrypted
imagePullPolicy: Always
```
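Review bot: the `image:` line in the pod spec references a mutable tag and is paired with `imagePullPolicy: Always`, so every pod start pulls whatever `:encrypted` points to in the new registry at that moment. Suggest pinning the reference by digest (`ghcr.io/fitzthum/encrypted-image-tests@sha256:<digest>`, with the real digest filled in) so the quickstart always runs the image whose key is provisioned in the `simple-kbs`.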
@@ -549,11 +549,13 @@ Get pod IP:
pod_ip=$(kubectl get pod -o wide | grep encrypted-image-tests | awk '{print $6;}')
```
Get the CoCo sample encrypted container image SSH access key from docker image label and save it to a file:
Get the CoCo sample encrypted container image SSH access key from docker image label and save it to a file.
Currently the docker client cannot pull encrypted images. We can inspect the unencrypted image instead,
which has the same labels. You could also use `skopeo inspect` to get the labels from the encrypted image.
```
docker pull quay.io/kata-containers/encrypted-image-tests:encrypted
docker inspect quay.io/kata-containers/encrypted-image-tests:encrypted | \
docker pull ghcr.io/fitzthum/encrypted-image-tests:unencrypted
docker inspect ghcr.io/fitzthum/encrypted-image-tests:unencrypted | \
jq -r '.[0].Config.Labels.ssh_key' \
| sed "s|\(-----BEGIN OPENSSH PRIVATE KEY-----\)|\1\n|g" \
| sed "s|\(-----END OPENSSH PRIVATE KEY-----\)|\n\1|g" \
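Review bot: the `docker inspect` command now reads `ssh_key` from the `:unencrypted` tag while the pod runs `:encrypted`, and the only thing tying the two together is the sentence "which has the same labels". If the two tags are ever rebuilt separately, the saved key will not match the running container. Since the added text already names `skopeo inspect` as able to read the labels from the encrypted image, consider making that the documented command, or at least state that both tags are built from the same source.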
@@ -866,7 +868,7 @@ measurement=$(sev-snp-measure --mode=sev --output-format=base64 \
If the container image is not already present, pull it:
```
encrypted_image_url="quay.io/kata-containers/encrypted-image-tests:encrypted"
encrypted_image_url="ghcr.io/fitzthum/encrypted-image-tests:unencrypted"
docker pull "${encrypted_image_url}"
```
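Review bot: `encrypted_image_url` is now assigned the `:unencrypted` tag, so the variable name contradicts its value and anything later in the section that uses it will operate on the unencrypted image. Either rename the variable or add a sentence explaining why the unencrypted image is pulled here, as the hunk at line 549 does for `docker inspect`.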