From acb1b96b9f3781a9b24f9a775c3b697da1d23694 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Fri, 17 May 2024 12:01:02 +0200
Subject: [PATCH 1/2] release: publish emojivoto-demo with prepared service mesh
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98c846ff42..fa8221e86b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -235,8 +235,8 @@ jobs:
 run: |
 mkdir -p workspace deployment
 nix run .#scripts.write-coordinator-yaml -- "${coordinatorImgTagged}" > workspace/coordinator.yml
- nix shell .#contrast --command resourcegen --namespace kube-system --image-replacements ./image-replacements.txt runtime > workspace/runtime.yml
- nix shell .#contrast --command resourcegen --image-replacements ./image-replacements.txt --add-load-balancers emojivoto > deployment/emojivoto-demo.yml
+ nix shell .#contrast --command resourcegen --image-replacements ./image-replacements.txt --namespace kube-system runtime > workspace/runtime.yml
+ nix shell .#contrast --command resourcegen --image-replacements ./image-replacements.txt --add-load-balancers emojivoto-sm-ingress > deployment/emojivoto-demo.yml
 zip -r workspace/emojivoto-demo.zip deployment/emojivoto-demo.yml
 - name: Update coordinator policy hash
 run: |
From 53fe07d08ecf50f23698de9c455c8504d16ef49a Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Fri, 17 May 2024 18:00:15 +0200
Subject: [PATCH 2/2] docs: update emojivoto demo for service mesh
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 docs/docs/examples/emojivoto.md | 19 +++++++++++--------
 .../version-0.6/examples/emojivoto.md | 18 +++++++++++-------
 2 files changed, 22 insertions(+), 15 deletions(-)
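Review bot: The line that now generates `deployment/emojivoto-demo.yml` from the `emojivoto-sm-ingress` target changes what the published demo artifact contains, but nothing in the workflow records that the shipped manifest is the service-mesh variant. The docs commit in this series states that the public-facing frontend uses the mesh certificate without client authentication, so a short shell comment above that line would help the next person editing the release job, e.g. `# emojivoto-demo.yml is the service-mesh variant; its frontend ingress does not require client authentication (see docs/docs/examples/emojivoto.md)`. The `--namespace kube-system` move on the runtime line looks like a pure flag reorder; if it is only cosmetic, I would keep it out of a release change. The enclosing `run:` step continues outside the hunk.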
diff --git a/docs/docs/examples/emojivoto.md b/docs/docs/examples/emojivoto.md
index e3ade0886a..afdf98f1e7 100644
--- a/docs/docs/examples/emojivoto.md
+++ b/docs/docs/examples/emojivoto.md
@@ -82,11 +82,14 @@ contrast generate deployment/
 :::note[Runtime class and Initializer]
 The deployment YAML shipped for this demo is already configured to be used with Contrast.
-A runtime class `contrast-cc-` was added to the pods to signal they should be run
-as Confidential Containers. In addition, the Contrast Initializer was added
-as an init container to these workloads to facilitate the attestation and certificate pulling
-before the actual workload is started.
-
+A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc-`
+was added to the pods to signal they should be run as Confidential Containers. In addition, the Contrast
+[Initializer](../components/index.md#the-initializer) was added as an init container to these workloads to
+facilitate the attestation and certificate pulling before the actual workload is started.
+
+Further, the deployment YAML is also configured with the Contrast [service mesh](../components/service-mesh.md).
+The configured service mesh proxy provides transparent protection for the communication between
+the different components of emojivoto.
 :::
 ### Set the manifest
@@ -118,9 +121,9 @@ kubectl apply -f deployment/
 The Contrast Coordinator issues mesh certificates after successfully validating workloads. These certificates can be used for secure inter-deployment communication. The Initializer sends an attestation report to the Coordinator, retrieves certificates and a private key in return
-and writes them to a `volumeMount`. The emojivoto version we're using is patched to only communicate
-via mTLS (the original app talks plain HTTP). The different parts of the workload are configured
-to use the credentials from the `volumeMount` when communicating with each other.
+and writes them to a `volumeMount`. The service mesh sidecar is configured to use the credentials
+from the `volumeMount` when communicating with other parts of the deployment over mTLS.
+The public facing frontend for voting uses the mesh certificate without client authentication.
 :::
diff --git a/docs/versioned_docs/version-0.6/examples/emojivoto.md b/docs/versioned_docs/version-0.6/examples/emojivoto.md
index e3ade0886a..46ce268908 100644
--- a/docs/versioned_docs/version-0.6/examples/emojivoto.md
+++ b/docs/versioned_docs/version-0.6/examples/emojivoto.md
@@ -82,10 +82,14 @@ contrast generate deployment/
 :::note[Runtime class and Initializer]
 The deployment YAML shipped for this demo is already configured to be used with Contrast.
-A runtime class `contrast-cc-` was added to the pods to signal they should be run
-as Confidential Containers. In addition, the Contrast Initializer was added
-as an init container to these workloads to facilitate the attestation and certificate pulling
-before the actual workload is started.
+A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc-`
+was added to the pods to signal they should be run as Confidential Containers. In addition, the Contrast
+[Initializer](../components/index.md#the-initializer) was added as an init container to these workloads to
+facilitate the attestation and certificate pulling before the actual workload is started.
+
+Further, the deployment YAML is also configured with the Contrast [service mesh](../components/service-mesh.md).
+The configured service mesh proxy provides transparent protection for the communication between
+the different components of emojivoto.
 :::
@@ -118,9 +122,9 @@ kubectl apply -f deployment/
 The Contrast Coordinator issues mesh certificates after successfully validating workloads. These certificates can be used for secure inter-deployment communication. The Initializer sends an attestation report to the Coordinator, retrieves certificates and a private key in return
-and writes them to a `volumeMount`. The emojivoto version we're using is patched to only communicate
-via mTLS (the original app talks plain HTTP). The different parts of the workload are configured
-to use the credentials from the `volumeMount` when communicating with each other.
+and writes them to a `volumeMount`. The service mesh sidecar is configured to use the credentials
+from the `volumeMount` when communicating with other parts of the deployment over mTLS.
+The public facing frontend for voting uses the mesh certificate without client authentication.
 :::