nunki -> contrast #192

Merged
merged 1 commit into from
Mar 5, 2024
6 changes: 3 additions & 3 deletions .github/workflows/e2e_openssl.yml
Expand Up @@ -52,16 +52,16 @@ jobs:
- name: Get credentials for CI cluster
run: |
just get-credentials
- name: Build, deploy, nunki generate, nunki set, nunki verify
- name: Build, deploy, contrast generate, contrast set, contrast verify
run: |
just default openssl nunki.cli
just default openssl contrast.cli
- name: Setup Summary
run: |
cat ./workspace/just.namespace | tee -a "${GITHUB_STEP_SUMMARY}"
cat ./workspace/just.perf | tee -a "${GITHUB_STEP_SUMMARY}"
- name: E2E Test
run: |
env K8S_NAMESPACE=$(cat ./workspace/just.namespace) nix shell .#nunki.e2e --command openssl.test -test.v
env K8S_NAMESPACE=$(cat ./workspace/just.namespace) nix shell .#contrast.e2e --command openssl.test -test.v
- name: Undeploy
if: always() && inputs.skip-undeploy != 'true'
run: |
2 changes: 1 addition & 1 deletion .github/workflows/e2e_simple.yml
Expand Up @@ -52,7 +52,7 @@ jobs:
- name: Get credentials for CI cluster
run: |
just get-credentials
- name: Build, deploy, nunki generate, nunki set, nunki verify
- name: Build, deploy, contrast generate, contrast set, contrast verify
run: |
just default simple cli-release
- name: Summary
22 changes: 11 additions & 11 deletions .github/workflows/release.yml
Expand Up @@ -104,18 +104,18 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
path: nunki-working
path: contrast-working
- name: Checkout main
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
path: nunki-main
path: contrast-main
- name: Bump flake version to post release patch pre-version
id: bump
uses: ./nunki-working/.github/actions/bump_version # Run action from working branch!
uses: ./contrast-working/.github/actions/bump_version # Run action from working branch!
with:
version: ${{ needs.process-inputs.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
working-directory: nunki-main
working-directory: contrast-main
commit: false
- name: Create PR
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
Expand All @@ -131,7 +131,7 @@ jobs:
committer: edgelessci <[email protected]>
author: edgelessci <[email protected]>
token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
path: ./nunki-main
path: ./contrast-main

release:
name: Build and push artifacts, create release
Expand Down Expand Up @@ -165,12 +165,12 @@ jobs:
commit: false
- name: Push containers with release tag
run: |
nix run .#containers.push-coordinator -- "$container_registry/nunki/coordinator"
nix run .#containers.push-initializer -- "$container_registry/nunki/initializer"
nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator"
nix run .#containers.push-initializer -- "$container_registry/contrast/initializer"
- name: Create portable coordinator resource definitions
run: |
mkdir -p workspace
nix run .#scripts.write-coordinator-yaml -- "${container_registry}/nunki/coordinator:${{ inputs.version }}" > workspace/coordinator.yaml
nix run .#scripts.write-coordinator-yaml -- "${container_registry}/contrast/coordinator:${{ inputs.version }}" > workspace/coordinator.yaml
- name: Update coordinator policy hash
run: |
yq < workspace/coordinator.yaml \
Expand All @@ -192,7 +192,7 @@ jobs:
tag_name: ${{ inputs.version }}
target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
files: |
result-cli/bin/nunki
result-cli/bin/contrast
workspace/coordinator.yaml
- name: Reset temporary changes
run: |
Expand Down Expand Up @@ -225,13 +225,13 @@ jobs:
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/nunki/milestones |
/repos/edgelesssys/contrast/milestones |
jq -r '.[] | .title' | \
grep -xqF "${{ inputs.version }}" && exit 0
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/nunki/milestones \
/repos/edgelesssys/contrast/milestones \
-f title='${{ inputs.version }}' \
-f state='open'
6 changes: 3 additions & 3 deletions CONTRIBUTING.md
Expand Up @@ -68,11 +68,11 @@ just [default <deployment-name>]

This will build, containerize and push all relevant components.
Ensure the pushed container images are accessible to your cluster.
The manifest will the be generated (`nunki generate`).
The manifest will the be generated (`contrast generate`).

Further the flow will deploy the selected deployment and wait for components to come up.
The manifest will automatically be set (`nunki set`) and the Coordinator will will be verified
(`nunki verify`). The flow will also wait for the workload to get ready.
The manifest will automatically be set (`contrast set`) and the Coordinator will will be verified
(`contrast verify`). The flow will also wait for the workload to get ready.

This target is idempotent and will delete an existing deployment before re-deploying.

40 changes: 20 additions & 20 deletions README.md
@@ -1,16 +1,16 @@
# Nunki
# Contrast

Nunki ([/ˈnʌŋki/](https://en.wikipedia.org/wiki/Sigma_Sagittarii)) runs confidential container deployments
Contrast ([/ˈnʌŋki/](https://en.wikipedia.org/wiki/Sigma_Sagittarii)) runs confidential container deployments
on untrusted Kubernetes at scale.

Nunki is based on the [Kata Containers](https://github.com/kata-containers/kata-containers) and
Contrast is based on the [Kata Containers](https://github.com/kata-containers/kata-containers) and
[Confidential Containers](https://github.com/confidential-containers) projects. Confidential Containers are
Kubernetes pods that are executed inside a confidential micro-VM and provide strong hardware-based isolation
from the surrounding environment. This works with unmodified containers in a lift-and-shift approach.

## The Nunki Coordinator
## The Contrast Coordinator

The Nunki Coordinator is the central remote attestation component of a Nunki deployment. It's a certificate
The Contrast Coordinator is the central remote attestation component of a Contrast deployment. It's a certificate
authority and issues certificates for workload pods running inside confidential containers. The Coordinator
is configured with a *manifest*, a configuration file that holds the reference values of all other parts of
a deployment. The Coordinator ensures that your app's topology adheres to your specified manifest. It verifies
Expand All @@ -22,34 +22,34 @@ To verify your deployment, the remote attestation of the Coordinator and its man
attestation statement for your entire deployment. Anyone can use this to verify the integrity of your distributed
app, making it easier to assure stakeholders of your app's security.

## The Nunki Initializer
## The Contrast Initializer

Nunki provides an Initializer that handles the remote attestation on the workload side transparently and
Contrast provides an Initializer that handles the remote attestation on the workload side transparently and
fetches the workload certificate. The Initializer runs as init container before your workload is started.

## Installation

Download the latest CLI from our release and put it into your PATH:

```sh
curl -fLo nunki https://github.com/edgelesssys/nunki/releases/download/latest/nunki
mv nunki /usr/local/bin/nunki
curl -fLo contrast https://github.com/edgelesssys/contrast/releases/download/latest/contrast
mv contrast /usr/local/bin/contrast
```

## Generic Workflow

### Deploy the Nunki Coordinator
### Deploy the Contrast Coordinator

Install the latest Nunki Coordinator release, comprising a single replica deployment and a
Install the latest Contrast Coordinator release, comprising a single replica deployment and a
LoadBalancer service, into your cluster.

```sh
kubectl apply -f https://github.com/edgelesssys/nunki/releases/download/latest/coordinator.yaml
kubectl apply -f https://github.com/edgelesssys/contrast/releases/download/latest/coordinator.yaml
```

### Preprare your Kubernetes resources

Nunki will add annotations to your Kubernetes YAML files. If you want to keep the original files
Contrast will add annotations to your Kubernetes YAML files. If you want to keep the original files
unchanged, you can copy the files into a separate local directory.
You can also generate files from a Helm chart or from a Kustomization.

Expand All @@ -67,15 +67,15 @@ helm template release-name chart-name > resources/all.yaml

To specify that a workload (pod, deployment, etc.) should be deployed as confidential containers,
add `runtimeClassName: kata-cc-isolation` to the pod spec (pod definition or template).
In addition, add the Nunki Initializer as `initContainers` to these workloads and configure the
In addition, add the Contrast Initializer as `initContainers` to these workloads and configure the
workload to use the certificates written to the `tls-certs` volumeMount.

```yaml
spec: # v1.PodSpec
runtimeClassName: kata-cc-isolation
initContainers:
- name: initializer
image: "ghcr.io/edgelesssys/nunki/initializer:latest"
image: "ghcr.io/edgelesssys/contrast/initializer:latest"
env:
- name: COORDINATOR_HOST
value: coordinator
Expand All @@ -93,7 +93,7 @@ Run the `generate` command generate the execution policies and add them as annot
deployment files. A `manifest.json` with the reference values of your deployment will be created.

```sh
./nunki generate resources/*.yaml
./contrast generate resources/*.yaml
```

### Apply Resources
Expand All @@ -105,7 +105,7 @@ manifest is set at the Coordinator.
kubectl apply -f resources/
```

### Connect to the Nunki Coordinator
### Connect to the Contrast Coordinator

For the next steps, we will need to connect to the Coordinator. The released Coordinator resource
includes a LoadBalancer definition we can use.
Expand All @@ -126,18 +126,18 @@ coordinator=$(kubectl get svc coordinator -o=jsonpath='{.status.loadBalancer.ing
Attest the Coordinator and set the manifest:

```sh
./nunki set -c "${coordinator}:1313" -m manifest.json
./contrast set -c "${coordinator}:1313" -m manifest.json
```

After this step, the Coordinator will start issuing TLS certs to the workloads. The init container
will fetch a certificate for the workload and the workload is started.

### Verify the Coordinator

An end user (data owner) can verify the Nunki deployment using the `verify` command.
An end user (data owner) can verify the Contrast deployment using the `verify` command.

```sh
./nunki verify -c "${coordinator}:1313" -o ./verify
./contrast verify -c "${coordinator}:1313" -o ./verify
```

The CLI will attest the Coordinator using embedded reference values. The CLI will write the service mesh
4 changes: 2 additions & 2 deletions cli/cmd/common.go
Expand Up @@ -14,7 +14,7 @@ const (
settingsFilename = "settings.json"
rulesFilename = "rules.rego"
verifyDir = "./verify"
cacheDirEnv = "NUNKI_CACHE_DIR"
cacheDirEnv = "CONTRAST_CACHE_DIR"
)

var (
Expand All @@ -33,7 +33,7 @@ func cachedir(subdir string) (string, error) {
if err != nil {
return "", err
}
dir = filepath.Join(cachedir, "nunki")
dir = filepath.Join(cachedir, "contrast")
}
return filepath.Join(dir, subdir), nil
}
14 changes: 7 additions & 7 deletions cli/cmd/generate.go
Expand Up @@ -20,17 +20,17 @@ import (
"slices"
"strings"

"github.com/edgelesssys/nunki/internal/embedbin"
"github.com/edgelesssys/nunki/internal/manifest"
"github.com/edgelesssys/contrast/internal/embedbin"
"github.com/edgelesssys/contrast/internal/manifest"
"github.com/spf13/cobra"
)

const (
kataPolicyAnnotationKey = "io.katacontainers.config.agent.policy"
nunkiRoleAnnotationKey = "nunki.edgeless.systems/pod-role"
kataPolicyAnnotationKey = "io.katacontainers.config.agent.policy"
contrastRoleAnnotationKey = "contrast.edgeless.systems/pod-role"
)

// NewGenerateCmd creates the nunki generate subcommand.
// NewGenerateCmd creates the contrast generate subcommand.
func NewGenerateCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "generate [flags] paths...",
Expand All @@ -45,7 +45,7 @@ func NewGenerateCmd() *cobra.Command {

The hashes of the policies are added to the manifest.

If the Kubernetes YAML contains a Nunki Coordinator pod whose policy differs from
If the Kubernetes YAML contains a Contrast Coordinator pod whose policy differs from
the embedded default, the generated policy will be printed to stdout, alongside a
warning message on stderr. This hash needs to be passed to the set and verify
subcommands.
Expand Down Expand Up @@ -391,5 +391,5 @@ func installDir() (string, error) {
if err != nil {
return "", err
}
return filepath.Join(home, ".nunki"), nil
return filepath.Join(home, ".contrast"), nil
}
16 changes: 8 additions & 8 deletions cli/cmd/policies.go
Expand Up @@ -6,8 +6,8 @@ import (
"os"
"slices"

"github.com/edgelesssys/nunki/internal/kubeapi"
"github.com/edgelesssys/nunki/internal/manifest"
"github.com/edgelesssys/contrast/internal/kubeapi"
"github.com/edgelesssys/contrast/internal/manifest"
)

func policiesFromKubeResources(yamlPaths []string) (map[string]deployment, error) {
Expand All @@ -31,23 +31,23 @@ func policiesFromKubeResources(yamlPaths []string) (map[string]deployment, error
case kubeapi.Pod:
name = obj.Name
annotation = obj.Annotations[kataPolicyAnnotationKey]
role = obj.Annotations[nunkiRoleAnnotationKey]
role = obj.Annotations[contrastRoleAnnotationKey]
case kubeapi.Deployment:
name = obj.Name
annotation = obj.Spec.Template.Annotations[kataPolicyAnnotationKey]
role = obj.Spec.Template.Annotations[nunkiRoleAnnotationKey]
role = obj.Spec.Template.Annotations[contrastRoleAnnotationKey]
case kubeapi.ReplicaSet:
name = obj.Name
annotation = obj.Spec.Template.Annotations[kataPolicyAnnotationKey]
role = obj.Spec.Template.Annotations[nunkiRoleAnnotationKey]
role = obj.Spec.Template.Annotations[contrastRoleAnnotationKey]
case kubeapi.StatefulSet:
name = obj.Name
annotation = obj.Spec.Template.Annotations[kataPolicyAnnotationKey]
role = obj.Spec.Template.Annotations[nunkiRoleAnnotationKey]
role = obj.Spec.Template.Annotations[contrastRoleAnnotationKey]
case kubeapi.DaemonSet:
name = obj.Name
annotation = obj.Spec.Template.Annotations[kataPolicyAnnotationKey]
role = obj.Spec.Template.Annotations[nunkiRoleAnnotationKey]
role = obj.Spec.Template.Annotations[contrastRoleAnnotationKey]
}
if annotation == "" {
continue
Expand Down Expand Up @@ -98,7 +98,7 @@ func checkPoliciesMatchManifest(policies map[string]deployment, policyHashes map
return nil
}

// getCoordinatorPolicyHash returns the policy hash for the Nunki coordinator among the given deployments.
// getCoordinatorPolicyHash returns the policy hash for the Contrast coordinator among the given deployments.
//
// If the deployments contain a coordinator, that coordinator's policy hash is returned, otherwise
// an empty string is returned.
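Review bot: The role lookups in policiesFromKubeResources now read only `contrastRoleAnnotationKey`, so any resource still annotated with the old `nunki.edgeless.systems/pod-role` key is silently treated as an ordinary workload, and per the doc comment on getCoordinatorPolicyHash the coordinator's policy hash then degrades to an empty string instead of failing. If any existing deployments or example manifests still carry the old key, consider a one-release fallback such as `if role == "" { role = obj.Annotations["nunki.edgeless.systems/pod-role"] }` together with a deprecation warning on stderr, or at minimum a warning when `generate` sees the old key, so a mis-annotated coordinator fails loudly. The same silent-ignore applies to the renamed `CONTRAST_CACHE_DIR` variable and `~/.contrast` install dir in common.go and installDir, which is probably acceptable but worth a line in the release notes. policiesFromKubeResources and getCoordinatorPolicyHash both continue outside the shown hunks.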
16 changes: 8 additions & 8 deletions cli/cmd/set.go
Expand Up @@ -16,19 +16,19 @@ import (
"slices"
"time"

"github.com/edgelesssys/nunki/internal/atls"
"github.com/edgelesssys/nunki/internal/attestation/snp"
"github.com/edgelesssys/nunki/internal/fsstore"
"github.com/edgelesssys/nunki/internal/grpc/dialer"
"github.com/edgelesssys/nunki/internal/manifest"
"github.com/edgelesssys/nunki/internal/spinner"
"github.com/edgelesssys/nunki/internal/userapi"
"github.com/edgelesssys/contrast/internal/atls"
"github.com/edgelesssys/contrast/internal/attestation/snp"
"github.com/edgelesssys/contrast/internal/fsstore"
"github.com/edgelesssys/contrast/internal/grpc/dialer"
"github.com/edgelesssys/contrast/internal/manifest"
"github.com/edgelesssys/contrast/internal/spinner"
"github.com/edgelesssys/contrast/internal/userapi"
"github.com/spf13/cobra"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)

// NewSetCmd creates the nunki set subcommand.
// NewSetCmd creates the contrast set subcommand.
func NewSetCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "set [flags] paths...",