diff --git a/README.md b/README.md index d7ea475..076f499 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ -# trustee-operator +# Introduction -The `trustee-operator` manages the lifecycle of [trustee](https://github.com/confidential-containers/trustee) along with it's configuration when deployed -in a Kubernetes cluster +The `trustee-operator` manages the lifecycle of [trustee](https://github.com/confidential-containers/trustee) +along with it's configuration when deployed in a Kubernetes cluster ## Description @@ -83,9 +83,10 @@ type TdxConfigSpec struct { // kbsTdxConfigMapName is the name of the configmap containing sgx_default_qcnl.conf file // +optional KbsTdxConfigMapName string `json:"kbsTdxConfigMapName,omitempty"` -}``` +} +``` -Note: the default deployment type is ```MicroservicesDeployment```. +>Note: the default deployment type is ```MicroservicesDeployment```. The examples below apply to this mode. An example configmap for the KBS configuration looks like this: 
@@ -193,82 +194,67 @@ spec: ## Getting Started You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster. -**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows). - -### Running on the cluster -- Export env variables. - - Set `REGISTRY` environment variable to point to your container registry. - For example: +>Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows). - ```sh - export REGISTRY=quay.io/user - ``` +### Running on the cluster -- Build and push your image to the location specified by `IMG`. +#### Deploying prebuilt operator image - ```sh - make docker-build docker-push IMG=${REGISTRY}/kbs-operator:latest - ``` +If you want to deploy latest prebuilt image, then run the following command: - Change the tag from `latest` to any other based on your requirements. - Also ensure that the image is public. +```sh +make deploy IMG=quay.io/confidential-containers/trustee-operator:latest +``` -- Deploy the controller to the cluster with the image specified by `IMG`. +#### Deployment of CRDs, ConfigMaps and Secrets - ```sh - make deploy IMG=${REGISTRY}/kbs-operator:latest - ``` +This is an example. Change it to real values as per your requirements. -- Deployment of CRDs, ConfigMaps and Secrets +```sh +cd config/samples/microservices +# or config/samples/all-in-one for the integrated mode - This is an example. Change it to real values as per your requirements. +# create authentication keys +openssl genpkey -algorithm ed25519 > privateKey +openssl pkey -in privateKey -pubout -out kbs.pem - ```sh - cd config/samples/microservices - # or config/samples/all-in-one for the integrated mode +# create all the needed resources +kubectl apply -k . 
+``` - # create authentication keys - openssl genpkey -algorithm ed25519 > privateKey - openssl pkey -in privateKey -pubout -out kbs.pem - - # create all the needed resources - kubectl apply -k . - ``` +Among various things, the command above is also responsible for injecting reference values into the RVPS component. The default json file is an empty sequence, but you may want to inject real values by applying a ConfigMap like the one below: - Among various things, the command above is also responsible for injecting reference values into the RVPS component. The default json file is an empty sequence, but you may want to inject real values by applying a ConfigMap like the one below: - - ``` yaml - apiVersion: v1 - kind: ConfigMap - metadata: - name: rvps-reference-values - namespace: trustee-operator-system - data: - reference-values.json: | - apiVersion: v1 - kind: ConfigMap - metadata: - name: rvps-reference-values - namespace: trustee-operator-system - data: - reference-values.json: | - [ - { - "name": "sample.svn", - "expired": "2025-01-01T00:00:00Z", - "hash-value": [ - { - "alg": "sha256", - "value": "1" - } - ] - } - ] - ``` +``` yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: rvps-reference-values + namespace: trustee-operator-system +data: + reference-values.json: | + apiVersion: v1 + kind: ConfigMap + metadata: + name: rvps-reference-values + namespace: trustee-operator-system + data: + reference-values.json: | + [ + { + "name": "sample.svn", + "expired": "2025-01-01T00:00:00Z", + "hash-value": [ + { + "alg": "sha256", + "value": "1" + } + ] + } + ] +``` - It is also possible to create the K8s secrets (a commented out example is provided in the [kustomization.yaml](config/samples/microservices/kustomization.yaml)). To enable the secrets you'd need to uncomment the relevant secret generator entry and patch. 
+It is also possible to create the K8s secrets (a commented out example is provided in the [kustomization.yaml](config/samples/microservices/kustomization.yaml)). To enable the secrets you'd need to uncomment the relevant secret generator entry and patch. ### IBM Secure Execution @@ -315,12 +301,43 @@ which provide a reconcile function responsible for synchronizing resources until make run ``` -**NOTE:** You can also run this in one step by running: `make install run` +>Note: You can also run this in one step by running: `make install run` + +#### Building your own operator image + +If using a remote Kubernetes cluster for testing, then you'll need to +build the controller image and deploy it. + +- Export env variables. + + Set `REGISTRY` environment variable to point to your container registry. + For example: + + ```sh + export REGISTRY=quay.io/user + ``` + +- Build and push your image to the location specified by `IMG`. + + ```sh + make docker-build docker-push IMG=${REGISTRY}/trustee-operator:latest + ``` + + Change the tag from `latest` to any other based on your requirements. + Also ensure that the image is public. + +- Deploy the controller to the cluster with the image specified by `IMG`. + + ```sh + make deploy IMG=${REGISTRY}/trustee-operator:latest + ``` ### Integration tests -An attestation with the sample-attester is performed in an ephemeral kind cluster -Pre-requirements: +An attestation with the sample-attester is performed in an ephemeral kind cluster: + +Prerequisites: + - [kuttl](https://kuttl.dev/docs/cli.html#setup-the-kuttl-kubectl-plugin) plugin installed - [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) installed 
@@ -338,7 +355,7 @@ If you are editing the API definitions, generate the manifests such as CRs or CR make manifests ``` -**NOTE:** Run `make --help` for more information on all potential `make` targets +>Note: Run `make --help` for more information on all potential `make` targets More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)
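Review bot: In the first hunk (README intro), the possessive typo is carried over into the re-wrapped lines: `along with it's configuration when deployed in a Kubernetes cluster` should read `along with its configuration`, and the sentence still has no terminal period. While touching it, `>Note:` renders as a blockquote on GitHub, but the usual markdown form is `> Note:` with a space after `>`; the same applies to every callout converted in this patch.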
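Review bot: The RVPS ConfigMap example in the Getting Started hunk is broken: the block literal under `reference-values.json: |` contains a second copy of the ConfigMap header (`apiVersion: v1`, `kind: ConfigMap`, `metadata:` ... `reference-values.json: |`) before the JSON array, so the value handed to RVPS is not valid JSON and the reference values will not load. Drop the duplicated header lines so the literal holds only the `[ { "name": "sample.svn", ... } ]` array, and consider mentioning that the `hash-value` of `"1"` is a placeholder to be replaced with a real measurement. Separately, the new "Deploying prebuilt operator image" step documents only `make deploy IMG=quay.io/confidential-containers/trustee-operator:latest`; for an attestation service it is worth showing a pinned release tag or image digest alongside `latest`, since a mutable tag gives no reproducibility guarantee for what gets deployed.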
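Review bot: In the "Building your own operator image" hunk the condition is slightly off: `If using a remote Kubernetes cluster for testing, then you'll need to build the controller image and deploy it.` A remote cluster can use the prebuilt image documented earlier; building your own image is needed when you have changed the controller code (or when the prebuilt image is not reachable from the cluster). Rewording to that effect avoids sending readers through the build/push steps unnecessarily. In the same hunk, `An attestation with the sample-attester is performed in an ephemeral kind cluster:` now ends with a colon but is followed by a separate `Prerequisites:` heading line, so the colon should be a period.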
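Review bot: Minor style point in the last hunk: `>Note: Run `make --help` for more information on all potential `make` targets` lacks a terminal period, and as in the other callouts a space after `>` is the conventional blockquote form.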