fastapi_session.yml 4.17 KB
Newer Older
1
name: $FASTAPI_SESSION
Robert Schambach's avatar
Robert Schambach committed
2
3
4
5
6
7
8
9
10
11
12
13
14
version: "0.3"

# Access control:
#   - only the data owner (CREATOR) can read or update the session
#   - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
access_policy:
  read:
   - CREATOR
  update:
   - CREATOR

security:
  attestation:
15
    tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
16
    ignore_advisories: "*"
Robert Schambach's avatar
Robert Schambach committed
17
18
19
20
21

services:
   - name: serve
     image_name: client_image
     command: ["python3", "rest_api.py"]
22
     mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPI"]
Robert Schambach's avatar
Robert Schambach committed
23
     pwd: /
24
25
26
#     fspf_path: /fspf.pb
#     fspf_key: $FASTAPI_POLICY_FSPF_KEY
#     fspf_tag: $FASTAPI_POLICY_FSPF_TAG
27
28
29
     environment:
         DB_HOST: $DB_HOST
         DB_USER: $DB_USER
30
         MC_HOST: $MEMCACHED_HOST
Robert Schambach's avatar
Robert Schambach committed
31
32
33
34

images:
  - name: client_image
    injection_files:
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
       - path: /etc/fastapi-ca.crt
         content: $$SCONE::FASTAPI_CA_CERT.chain$$
       - path: /etc/server.crt
         content: $$SCONE::fastapi.crt$$
       - path: /etc/server.key
         content: $$SCONE::fastapi.key$$
       - path: /etc/client.crt
         content: $$SCONE::FASTAPI_CLIENT_CERT.crt$$ # export client certificate
       - path: /etc/client.key
         content: $$SCONE::FASTAPI_CLIENT_CERT.key$$ # export client key
       - path: /etc/mariadb-ca.crt
         content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
       - path: /etc/mariadb-client.crt
         content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
       - path: /etc/mariadb-client.key
         content: $$SCONE::MARIADB_CLIENT_CERT.key$$
       - path: /etc/memcached-ca.crt
         content: $$SCONE::MEMCACHED_CA_CERT.chain$$ 
       - path: /etc/memcached-client.crt
         content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
       - path: /etc/memcached-client.key
         content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
57
58
59
       # Network files
       - path: /etc/resolv.conf
         content: |
60
61
            nameserver $CLUSTER_DNS_IP
            search $NAMESPACE.svc.cluster.local svc.cluster.local cluster.local
62
63
64
65
66
67
68
69
70
71
72
73
74
            options ndots:5
       - path: /etc/hosts
         content: |
            # Kubernetes-managed hosts file.
            127.0.0.1	localhost
            ::1	localhost ip6-localhost ip6-loopback
            fe00::0	ip6-localnet
            fe00::0	ip6-mcastprefix
            fe00::1	ip6-allnodes
            fe00::2	ip6-allrouters
       - path: /etc/hostname
         content: |
            secure-doc-management-fastapi-scone
Robert Schambach's avatar
Robert Schambach committed
75
76
77

# Import client credentials from DB session.
secrets:
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
  # fastapi - mariadb tls
  - name: db_user
    kind: ascii
    value: $DB_USER
  - name: MARIADB_CLIENT_CERT
    import:
      session: $DB_SESSION
      secret: MARIADB_CLIENT_CERT
  - name: MARIADB_CA_CERT
    import:
      session: $DB_SESSION
      secret: MARIADB_CA_CERT
  # fastapi - memcached tls
  - name: MEMCACHED_CLIENT_CERT
    import:
      session: $MEMCACHED_SESSION
      secret: MEMCACHED_CLIENT_CERT
  - name: MEMCACHED_CA_CERT
    import:
      session: $MEMCACHED_SESSION
      secret: MEMCACHED_CA_CERT
99
  # specific for fastapi - nginx tls
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
  - name: fastapi-key # automatically generate FASTAPI server certificate
    kind: private-key
  - name: fastapi # automatically generate FASTAPI server certificate
    private_key: fastapi-key
    issuer: FASTAPI_CA_CERT
    kind: x509
    dns:
    - $FASTAPI_HOST
  - name: FASTAPI_CLIENT_KEY
    kind: private-key
    export:
    - session: $NGINX_SESSION
  - name: FASTAPI_CLIENT_CERT # automatically generate client certificate
    private_key: FASTAPI_CLIENT_KEY
    issuer: FASTAPI_CA_CERT
    common_name: FASTAPI_CLIENT_CERT
    kind: x509
    export:
    - session: $NGINX_SESSION # export client cert/key to upload session
  - name: FASTAPI_CA_KEY # export session CA certificate as FASTAPI CA certificate
    kind: private-key
  - name: FASTAPI_CA_CERT # export session CA certificate as FASTAPI CA certificate
    kind: x509-ca
    common_name: FASTAPI_CA
    private_key: FASTAPI_CA_KEY
    export:
    - session: $NGINX_SESSION # export the session CA certificate to upload session