diff --git a/Dockerfile b/Dockerfile
index ccffbf5e..af5df4c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,16 @@
-# syntax=docker/dockerfile:experimental
-
 FROM alpine/git:latest AS pull
 COPY . /emojivoto
 
-FROM ghcr.io/edgelesssys/ego-deploy:latest AS emoji_base
+FROM ghcr.io/edgelesssys/ego-deploy:v1.5.3 AS emoji_base
 RUN apt-get update && \
 apt-get install -y --no-install-recommends curl dnsutils iptables jq nghttp2 && \
 apt clean && \
 apt autoclean
 COPY ./start.sh /start.sh
 
-FROM ghcr.io/edgelesssys/ego-dev:latest AS emoji_build
+FROM ghcr.io/edgelesssys/ego-dev:v1.5.3 AS emoji_build
 WORKDIR /node
-RUN curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
+RUN curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh && \
 bash nodesource_setup.sh
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
 echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
@@ -35,7 +33,7 @@ RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-web/private.pem,r
 --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-voting-svc/private.pem,required=true \
 ego env make build
 
-FROM ghcr.io/edgelesssys/ego-dev:latest AS patch_build
+FROM ghcr.io/edgelesssys/ego-dev:v1.5.3 AS patch_build
 RUN apt update && apt install -y wget tar unzip
 ARG GEN_GO_VER=1.28.1
 ARG GEN_GO_GRPC_VER=1.2.0
diff --git a/README.md b/README.md
index e60343e7..1360354d 100644
--- a/README.md
+++ b/README.md
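Review bot: Deleting the `# syntax=` directive makes the build depend on whatever frontend the daemon bundles, yet the file still uses `RUN --mount=type=secret` (visible as context in the second hunk); rather than dropping the line, pin a stable frontend with `# syntax=docker/dockerfile:1` so `--mount` parsing is guaranteed on older daemons as well. The hunk pins the ego images to v1.5.3 but leaves `FROM alpine/git:latest AS pull` floating, so the stage that copies the sources is still non-reproducible. The NodeSource script is fetched with `curl -sL` (no `-f`) and then run by bash, so an HTTP error body would be executed as a script; use `curl -fsSL` at minimum, and note that the following `apt-key add -` line relies on a deprecated tool and a pipeline without `pipefail`, which the `SHELL` instruction could fix.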
@@ -65,7 +65,7 @@ Confidential emojivoto is build as a confidential computing application: Assuming you have a PCCS reachable at `https://localhost:8081/sgx/certification/v3/`, install MarbleRun using the following command: ```bash - marblerun install --dcap-qpl=intel --dcap-pccs-url="https://host.minikube.internal:8081/sgx/certification/v3/" --dcap-secure-cert="FALSE" + marblerun install --dcap-pccs-url="https://host.minikube.internal:8081/sgx/certification/v3/" --dcap-secure-cert="FALSE" ``` See [our docs](https://docs.edgeless.systems/marblerun/deployment/kubernetes#dcap-configuration) for more information on how to configure MarbleRun for generic SGX environments. @@ -230,12 +230,11 @@ Confidential emojivoto is build as a confidential computing application: ```bash helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto \ - --set dcap.qpl=intel \ --set dcap.pccsUrl="https://host.minikube.internal:8081/sgx/certification/v3/" \ --set dcap.useSecureCert="FALSE" ``` - The values for `dcap.qpl` and `dcap.useSecureCert` should be the same as the values for the flags `--dcap-pccs-url` and `--dcap-secure-cert` used when installing MarbleRun. + The values for `dcap.pccsUrl` and `dcap.useSecureCert` should be the same as the values for the flags `--dcap-pccs-url` and `--dcap-secure-cert` used when installing MarbleRun. * Otherwise 
@@ -285,13 +284,13 @@ Confidential emojivoto is build as a confidential computing application: To upload the "Update Manifest" we need to authenticate ourselves to the Coordinator using the previously created admin key and certificate: ```bash - marblerun manifest update tools/update-manifest.json $MARBLERUN --cert admin_certificate.crt --key admin_private.key [--insecure] + marblerun manifest update apply tools/update-manifest.json $MARBLERUN --cert admin_certificate.crt --key admin_private.key [--insecure] ``` We can now update the image used by the emojivoto voting Statefulset: ```bash - kubectl set image -n emojivoto statefulset/voting voting-svc=ghcr.io/edgelesssys/emojivoto/voting-svc:v0.5.0-fix + kubectl set image -n emojivoto statefulset/voting voting-svc=ghcr.io/edgelesssys/emojivoto/voting-svc:v0.7.0-fix ``` Updating the manifest will invalidate MarbleRun's certificate chain so that the existing services will not accept old versions of the updated voting service anymore. Hence, we need to restart the other services to obtain a fresh certificate chain: @@ -340,7 +339,7 @@ Confidential emojivoto is build as a confidential computing application: Luckily we provided a recovery key when we first set the manifest. We can now decrypt the recovery secret we received from the coordinator: ```bash - cat recovery.json | jq -r '.RecoverySecrets.recoveryKey1' | base64 -d > recovery_key_encrypted + jq -r '.RecoverySecrets.recoveryKey1' -r recovery.json | base64 -d > recovery_key_encrypted openssl pkeyutl -inkey recovery_priv.key -in recovery_key_encrypted -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -decrypt -out recovery_key_decrypted ``` 
@@ -428,10 +427,11 @@ ego env make build Build docker images: ```bash -docker buildx build --secret id=signingkey,src= --target release_web --tag ghcr.io/edgelesssys/emojivoto/web:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git -docker buildx build --secret id=signingkey,src= --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto/emoji-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git -docker buildx build --secret id=signingkey,src= --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git -docker buildx build --secret id=signingkey,src= --target release_voting_update --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest-fix . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git +export DOCKER_BUILDKIT=1 +docker build --secret id=signingkey,src= --target release_web --tag ghcr.io/edgelesssys/emojivoto/web:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git +docker build --secret id=signingkey,src= --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto/emoji-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git +docker build --secret id=signingkey,src= --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git +docker build --secret id=signingkey,src= --target release_voting_update --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest-fix . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git ``` ## License diff --git a/kubernetes/nosgx_values.yaml b/kubernetes/nosgx_values.yaml index b1229683..ff6367c4 100644 --- a/kubernetes/nosgx_values.yaml +++ b/kubernetes/nosgx_values.yaml 
@@ -8,16 +8,14 @@ simulation: resourceInjection: "disabled" -dcap: {} - web: image: ghcr.io/edgelesssys/emojivoto/web - imageVersion: v0.6.0 + imageVersion: v0.7.0 emoji: image: ghcr.io/edgelesssys/emojivoto/emoji-svc - imageVersion: v0.6.0 + imageVersion: v0.7.0 voting: image: ghcr.io/edgelesssys/emojivoto/voting-svc - imageVersion: v0.6.0 + imageVersion: v0.7.0 diff --git a/kubernetes/sgx_values.yaml b/kubernetes/sgx_values.yaml index 0e4897c9..dd9e5f2b 100644 --- a/kubernetes/sgx_values.yaml +++ b/kubernetes/sgx_values.yaml @@ -13,18 +13,17 @@ simulation: resourceInjection: "enabled" dcap: - qpl: "azure" - pccsUrl: "https://localhost:8081/sgx/certification/v3/" - useSecureCert: "TRUE" + pccsUrl: "" + useSecureCert: "" web: image: ghcr.io/edgelesssys/emojivoto/web - imageVersion: v0.6.0 + imageVersion: v0.7.0 emoji: image: ghcr.io/edgelesssys/emojivoto/emoji-svc - imageVersion: v0.6.0 + imageVersion: v0.7.0 voting: image: ghcr.io/edgelesssys/emojivoto/voting-svc - imageVersion: v0.6.0 + imageVersion: v0.7.0 diff --git a/kubernetes/templates/emoji.yml b/kubernetes/templates/emoji.yml index b01d0ec4..c182a530 100644 --- a/kubernetes/templates/emoji.yml +++ b/kubernetes/templates/emoji.yml @@ -36,10 +36,12 @@ spec: configMapKeyRef: name: oe-config key: OE_SIMULATION - {{ if .Values.dcap }} - - name: DCAP_LIBRARY - value: "{{ .Values.dcap.qpl }}" - {{ end }} + {{- if .Values.dcap }} + - name: PCCS_URL + value: {{ .Values.dcap.pccsUrl }} + - name: PCCS_USE_SECURE_CERT + value: {{ .Values.dcap.useSecureCert }} + {{- end }} image: {{ .Values.emoji.image }}:{{ .Values.emoji.imageVersion }} imagePullPolicy: {{ .Values.imagePullPolicy }} name: emoji-svc 
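Review bot: The new defaults `pccsUrl: ""` and `useSecureCert: ""` keep `.Values.dcap` non-empty, so the `{{- if .Values.dcap }}` blocks in the templates always render and every pod receives an empty `PCCS_URL` and `PCCS_USE_SECURE_CERT` unless the operator overrides them, whereas the removed default was `useSecureCert: "TRUE"`. Whether `configure-qpl` treats an empty PCCS_USE_SECURE_CERT as "verify" or "do not verify" is not visible in this diff; worth confirming, since a permissive fallback would silently disable TLS validation of the collateral source. A comment in the values file would make the contract explicit: `# Must match the --dcap-pccs-url / --dcap-secure-cert flags given to marblerun install (see README)`.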
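Review bot: `value: {{ .Values.dcap.useSecureCert }}` renders the scalar unquoted, and the values this chart expects are `"TRUE"`/`"FALSE"` (the removed sgx_values default and the README's `--set dcap.useSecureCert="FALSE"`), which a YAML 1.1 parser such as Kubernetes' turns into a boolean while `EnvVar.value` must be a string, so the manifest is rejected at apply time; the line this replaces quoted `.Values.dcap.qpl` for exactly that reason. Render both new values with `| quote`, e.g. `value: {{ .Values.dcap.useSecureCert | quote }}` and `value: {{ .Values.dcap.pccsUrl | quote }}`; the same applies to the identical blocks in voting.yml and web.yml. Helm's `--set` also folds true/false case-insensitively into booleans, so if `configure-qpl` is case-sensitive about `TRUE`/`FALSE` the README should use `--set-string` for these keys — that behaviour is not visible here.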
@@ -53,21 +55,10 @@ spec:
 volumeMounts:
 - name: emoji-data
 mountPath: /emoji-svc/data
- {{ if .Values.dcap }}
- - name: dcap-conf
- mountPath: /etc/sgx_default_qcnl.conf
- subPath: sgx_default_qcnl.conf
- {{ end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- volumes:
- {{ if .Values.dcap }}
- - name: dcap-conf
- configMap:
- name: emojivoto-dcap-config
- {{ end }}
 volumeClaimTemplates:
 - metadata:
 name: emoji-data
diff --git a/kubernetes/templates/sgx-qcnl.yaml b/kubernetes/templates/sgx-qcnl.yaml
deleted file mode 100644
index 08f70aef..00000000
--- a/kubernetes/templates/sgx-qcnl.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{ if .Values.dcap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: emojivoto-dcap-config
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/component: dcap-config
- app.kubernetes.io/name: emojivoto-dcap-config
-data:
- sgx_default_qcnl.conf: |
- PCCS_URL={{ .Values.dcap.pccsUrl }}
- USE_SECURE_CERT={{ .Values.dcap.useSecureCert }}
-{{ end }}
diff --git a/kubernetes/templates/voting.yml b/kubernetes/templates/voting.yml
index 5cc34cdf..ded6f514 100644
--- a/kubernetes/templates/voting.yml
+++ b/kubernetes/templates/voting.yml
@@ -36,10 +36,12 @@ spec:
 configMapKeyRef:
 name: oe-config
 key: OE_SIMULATION
- {{ if .Values.dcap }}
- - name: DCAP_LIBRARY
- value: "{{ .Values.dcap.qpl }}"
- {{ end }}
+ {{- if .Values.dcap }}
+ - name: PCCS_URL
+ value: {{ .Values.dcap.pccsUrl }}
+ - name: PCCS_USE_SECURE_CERT
+ value: {{ .Values.dcap.useSecureCert }}
+ {{- end }}
 image: {{ .Values.voting.image }}:{{ .Values.voting.imageVersion }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 name: voting-svc
@@ -53,21 +55,10 @@ spec:
 volumeMounts:
 - name: voting-data
 mountPath: /voting-svc/data
- {{ if .Values.dcap }}
- - name: dcap-conf
- mountPath: /etc/sgx_default_qcnl.conf
- subPath: sgx_default_qcnl.conf
- {{ end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- volumes:
- {{ if .Values.dcap }}
- - name: dcap-conf
- configMap:
- name: emojivoto-dcap-config
- {{ end }}
 volumeClaimTemplates:
 - metadata:
 name: voting-data
diff --git a/kubernetes/templates/web.yml b/kubernetes/templates/web.yml
index 997f032b..757fad6a 100644
--- a/kubernetes/templates/web.yml
+++ b/kubernetes/templates/web.yml
@@ -36,10 +36,12 @@ spec:
 configMapKeyRef:
 name: oe-config
 key: OE_SIMULATION
- {{ if .Values.dcap }}
- - name: DCAP_LIBRARY
- value: "{{ .Values.dcap.qpl }}"
- {{ end }}
+ {{- if .Values.dcap }}
+ - name: PCCS_URL
+ value: {{ .Values.dcap.pccsUrl }}
+ - name: PCCS_USE_SECURE_CERT
+ value: {{ .Values.dcap.useSecureCert }}
+ {{- end }}
 image: {{ .Values.web.image }}:{{ .Values.web.imageVersion }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 name: web-svc
@@ -53,21 +55,10 @@ spec:
 volumeMounts:
 - name: web-data
 mountPath: /web-svc/data
- {{ if .Values.dcap }}
- - name: dcap-conf
- mountPath: /etc/sgx_default_qcnl.conf
- subPath: sgx_default_qcnl.conf
- {{ end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- volumes:
- {{ if .Values.dcap }}
- - name: dcap-conf
- configMap:
- name: emojivoto-dcap-config
- {{ end }}
 volumeClaimTemplates:
 - metadata:
 name: web-data
diff --git a/start.sh b/start.sh
index 4b669d15..6424a127 100755
--- a/start.sh
+++ b/start.sh
@@ -1,14 +1,4 @@ #!/usr/bin/bash -if [[ "${DCAP_LIBRARY}" == "intel" ]] -then - # rename the library installed by az-dcap-client - mv /usr/lib/libdcap_quoteprov.so /usr/lib/libdcap_quoteprov.so.azure - # create a link to the intel quote provider library - ln -s /usr/lib/x86_64-linux-gnu/dcap/libdcap_quoteprov.so.intel /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so - ln -s /usr/lib/x86_64-linux-gnu/dcap/libdcap_quoteprov.so.intel /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1 -else - export AZDCAP_DEBUG_LOG_LEVEL="${AZDCAP_DEBUG_LOG_LEVEL:=ERROR}" -fi - -ego marblerun ${1} +configure-qpl +exec ego marblerun ${1}
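Review bot: The exit status of `configure-qpl` is never checked, so if it fails the script still execs `ego marblerun`, which then attests with whatever quote-provider configuration was left behind; guard it with `configure-qpl || exit 1`, or put `set -e` directly below the shebang. `${1}` is also unquoted on the exec line, so an argument containing whitespace is split into several words — `exec ego marblerun "${1}"` (or `"$@"` if more than one argument is ever passed). `configure-qpl` is presumably supplied by the ego-deploy:v1.5.3 base image; the diff does not show where it comes from, so its failure modes cannot be judged here.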