k8s: docs: DCAP kustomization + non-release images #375

Merged (2 commits), May 1, 2024
23 changes: 23 additions & 0 deletions kbs/config/kubernetes/README.md
@@ -44,6 +44,19 @@ kustomize edit add resource ingress.yaml
popd
```

## Optional: Use non-release images

Sometimes it may be desirable to deploy KBS with an image that is not what is set in the repo (typically
the latest release image). To change the deployment to use a staging build, set the image using `kustomize`:

```bash
pushd base
kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:65ee7e1acccd13dcb515058e71c5f8bfb4281e35
popd
```

The available image tags can be found in the [CoCo packages listing](https://github.com/orgs/confidential-containers/packages?repo_name=trustee).

## Optional: Expose KBS using Nodeport

If you would like to expose KBS service using Nodeport then export the following environment variable:
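Review bot: the `kustomize edit set image` example pins the staged image by a commit-hash tag, and tags in a staging registry can be republished; the README should also show the digest form, e.g. `kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs@sha256:<digest>` (placeholder digest), and state plainly that staged images have not been through the release process and are for testing rather than production KBS deployments. Since `kustomize edit` rewrites the tracked `base/kustomization.yaml`, a one-line hint on how to revert to the release image would also help.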
@@ -58,6 +71,16 @@ Once you deploy the KBS, you can use the services' nodeport and the Kubernetes n
echo $(kubectl get nodes -o jsonpath='{.items[0].status.addresses[0].address}'):$(kubectl get svc kbs -n coco-tenant -o jsonpath='{.spec.ports[0].nodePort}')
```

## Optional: Use custom Intel DCAP configuration

If you would like to override the default `sgx_default_qcnl.conf` in the KBS/AS images, copy/configure one into `custom_pccs/` directory and deploy using:

```bash
export DEPLOYMENT_DIR=custom_pccs
```

NB: this currently builds on `nodeport` kustomization.

## Deploy KBS

Deploy KBS by running the following command:
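Review bot: the new section says the override applies to "the KBS/AS images", but the accompanying `set_custom_pccs.yaml` patch targets only the Deployment named `kbs`; if the attestation service runs in its own Deployment it keeps the image default, so either narrow the wording to KBS or add a matching patch. Setting `DEPLOYMENT_DIR=custom_pccs` also pulls in the Nodeport exposure (as the NB line admits), so say explicitly that the environment variables from the Nodeport section still apply, and mention that `custom_pccs/sgx_default_qcnl.conf` is a tracked file, so editing it in place shows up as a modified file in `git status`.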
17 changes: 17 additions & 0 deletions kbs/config/kubernetes/custom_pccs/kustomization.yaml
@@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coco-tenant

resources:
- ../nodeport

patches:
- path: set_custom_pccs.yaml
target:
kind: Deployment
name: kbs

configMapGenerator:
- files:
- sgx_default_qcnl.conf
name: dcap-attestation-conf
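Review bot: `configMapGenerator` appends a content hash to the `dcap-attestation-conf` name by default, which is desirable here (an edited `sgx_default_qcnl.conf` yields a new ConfigMap name and therefore a rollout of `kbs`), but it depends on kustomize rewriting the `configMap.name` reference in `set_custom_pccs.yaml`; a comment in this file would stop someone from later adding `disableNameSuffixHash: true` or hardcoding the name. Also, because the generator reads `sgx_default_qcnl.conf` relative to this directory, the build fails if a user deletes the sample instead of editing it; the README should say to edit the file in place.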
20 changes: 20 additions & 0 deletions kbs/config/kubernetes/custom_pccs/set_custom_pccs.yaml
@@ -0,0 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kbs
spec:
template:
spec:
containers:
- name: kbs
volumeMounts:
- name: qplconf
mountPath: /etc/sgx_default_qcnl.conf
subPath: sgx_default_qcnl.conf
volumes:
- name: qplconf
configMap:
name: dcap-attestation-conf
items:
- key: sgx_default_qcnl.conf
path: sgx_default_qcnl.conf
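Review bot: the `qplconf` volume mount should carry `readOnly: true`; the QCNL configuration decides which collateral service quote verification trusts, and nothing in the container needs to write it. Note also that a `subPath` mount of a ConfigMap is not refreshed by the kubelet when the ConfigMap changes, so this setup relies on the generated name hash in `kustomization.yaml` forcing a new Pod; a short comment here would keep anyone from expecting in-place updates.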
1 change: 1 addition & 0 deletions kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf
@@ -0,0 +1 @@
{"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"}
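Review bot: the shipped `sgx_default_qcnl.conf` only sets `collateral_service` to Intel's public endpoint, so as committed it is not a custom PCCS configuration despite the directory name; since JSON allows no comments, the README (or a neighbouring file) should state that this is a placeholder the operator replaces with their own QCNL settings, and that the KBS Pod fetches collateral from this URL over HTTPS, so egress to `api.trustedservices.intel.com` must be permitted by any network policy in `coco-tenant`.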