Commit 099c1a09 authored by Robert Schambach's avatar Robert Schambach

Adapt for Azure Kubernetes Service usage

parent fecc0342
# First stage: apply the binary-fs
# FOR BUILDING WITH BINARYFS
FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0 AS binary-fs
#FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0 AS binary-fs
FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.1.0-binaryFS AS binary-fs
COPY rest_api.py /.
COPY requirements.txt requirements.txt
......@@ -23,7 +24,8 @@ RUN rm /usr/lib/python3.7/config-3.7m-x86_64-linux-gnu/libpython3.7m.a && \
# Second stage: compile the binary fs
FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:alpine-scone5.0.0 as crosscompiler
# FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:alpine-scone5.0.0 as crosscompiler
FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:alpine-scone5.1.0-binaryFS as crosscompiler
COPY --from=binary-fs /binary-fs.c /.
......@@ -31,7 +33,8 @@ RUN scone gcc /binary-fs.c -O0 -shared -o /libbinary-fs.so
# Third stage: patch the binary-fs into the enclave executable
FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0
#FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0
FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.1.0-binaryFS
COPY --from=crosscompiler /libbinary-fs.so /.
......
......@@ -12,7 +12,7 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
# Service: mariadb
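Review bot: The `tolerate:` line now also accepts `software-hardening-needed` on top of `debug-mode`, `outdated-tcb` and `insecure-configuration`, and the unchanged `ignore_advisories: "*"` already waives every platform advisory; together they let CAS attest an enclave built in debug mode on a platform with known, unmitigated SGX issues, so the attestation step no longer provides the protection the README's "run securely inside of enclaves" wording implies. That is defensible for a demo only if it is stated where the policy is read, e.g. `# DEMO ONLY: these tolerations plus ignore_advisories waive most TCB checks; remove them for any real deployment` above the line. The same widening is applied to the other session files in this commit and to fastapi_session_azure.yml, so the comment belongs in each of them. If only the Azure node pool reports `software-hardening-needed`, consider adding just that flag in the Azure variant rather than carrying the full list in every policy.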
......
......@@ -12,7 +12,7 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
services:
......
name: $FASTAPI_SESSION
version: "0.3"
# Access control:
# - only the data owner (CREATOR) can read or update the session
# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
access_policy:
read:
- CREATOR
update:
- CREATOR
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
services:
- name: serve
image_name: client_image
command: ["python3", "rest_api.py"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPI"]
pwd: /
# fspf_path: /fspf.pb
# fspf_key: $FASTAPI_POLICY_FSPF_KEY
# fspf_tag: $FASTAPI_POLICY_FSPF_TAG
environment:
DB_HOST: $DB_HOST
DB_USER: $DB_USER
MC_HOST: $MEMCACHED_HOST
images:
- name: client_image
injection_files:
- path: /etc/fastapi-ca.crt
content: $$SCONE::FASTAPI_CA_CERT.chain$$
- path: /etc/server.crt
content: $$SCONE::fastapi.crt$$
- path: /etc/server.key
content: $$SCONE::fastapi.key$$
- path: /etc/client.crt
content: $$SCONE::FASTAPI_CLIENT_CERT.crt$$ # export client certificate
- path: /etc/client.key
content: $$SCONE::FASTAPI_CLIENT_CERT.key$$ # export client key
- path: /etc/mariadb-ca.crt
content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
- path: /etc/mariadb-client.crt
content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
- path: /etc/mariadb-client.key
content: $$SCONE::MARIADB_CLIENT_CERT.key$$
- path: /etc/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$
- path: /etc/memcached-client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
- path: /etc/memcached-client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
# Network files
- path: /etc/resolv.conf
content: |
nameserver 10.0.0.10
search default.svc.cluster.local svc.cluster.local cluster.local kfwuuip3wh5exmh5swgv03fnlg.xx.internal.cloudapp.net
options ndots:5
# nameserver 10.96.0.10
# search sgx-scone.svc.cluster.local svc.cluster.local cluster.local
# options ndots:5
- path: /etc/hosts
content: |
# Kubernetes-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.244.2.49 secure-doc-management-fastapi-scone
- path: /etc/hostname
content: |
secure-doc-management-fastapi-scone
# Import client credentials from DB session.
secrets:
# fastapi - mariadb tls
- name: db_user
kind: ascii
value: $DB_USER
- name: MARIADB_CLIENT_CERT
import:
session: $DB_SESSION
secret: MARIADB_CLIENT_CERT
- name: MARIADB_CA_CERT
import:
session: $DB_SESSION
secret: MARIADB_CA_CERT
# fastapi - memcached tls
- name: MEMCACHED_CLIENT_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CLIENT_CERT
- name: MEMCACHED_CA_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CA_CERT
# specific for fastapi - nginx tls
- name: fastapi-key # automatically generate FASTAPI server certificate
kind: private-key
- name: fastapi # automatically generate FASTAPI server certificate
private_key: fastapi-key
issuer: FASTAPI_CA_CERT
kind: x509
dns:
- $FASTAPI_HOST
- name: FASTAPI_CLIENT_KEY
kind: private-key
export:
- session: $NGINX_SESSION
- name: FASTAPI_CLIENT_CERT # automatically generate client certificate
private_key: FASTAPI_CLIENT_KEY
issuer: FASTAPI_CA_CERT
common_name: FASTAPI_CLIENT_CERT
kind: x509
export:
- session: $NGINX_SESSION # export client cert/key to upload session
- name: FASTAPI_CA_KEY # export session CA certificate as FASTAPI CA certificate
kind: private-key
- name: FASTAPI_CA_CERT # export session CA certificate as FASTAPI CA certificate
kind: x509-ca
common_name: FASTAPI_CA
private_key: FASTAPI_CA_KEY
export:
- session: $NGINX_SESSION # export the session CA certificate to upload session
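Review bot: The injected `/etc/hosts` hard-codes `10.244.2.49 secure-doc-management-fastapi-scone` and `/etc/resolv.conf` pins `nameserver 10.0.0.10` together with a cluster-specific `kfwuuip3wh5exmh5swgv03fnlg.xx.internal.cloudapp.net` search domain; if 10.244.2.49 is the pod's own address it is reassigned on every reschedule, so the name resolves to a stale host after the first restart, and the policy as written only works on the one cluster it was copied from. Every other environment-specific value in this file is a `$VARIABLE` expanded by `scone session create --use-env`, so these should follow the same pattern (`nameserver $KUBE_DNS_IP`, the search line built from a `$CLUSTER_SEARCH_DOMAIN`) or be dropped if the runtime's own network files can be used here — worth confirming against the SCONE injection-file semantics. The `tolerate:` list combined with `ignore_advisories: "*"` also waives most platform attestation checks; a `# DEMO ONLY` comment there would make that explicit.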
......@@ -12,7 +12,7 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
# Service: memcached
......
......@@ -12,7 +12,7 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
services:
......
......@@ -55,7 +55,14 @@ if [ ! -z "$FASTAPI_SESSION" ]; then
export TABLE="test_table"
echo "Uploading policy $FASTAPI_SESSION (fastapi server)..."
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"
if [ "$USE_AZURE" = "true" ]
then
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session_azure.yml"
else
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"
fi
echo ""
echo "export FASTAPI_CONFIG_ID="$FASTAPI_SESSION"" > "${BASH_SOURCE%/*}/myenv"
......
......@@ -14,6 +14,19 @@ All of these components run securely inside of enclaves using the SCONE framewor
- [Helm setup](https://sconedocs.github.io/helm/) was performed
- The [SGX Plugin](https://sconedocs.github.io/sgxinstall/) is installed
## Azure Kubernetes Services (AKS) Usage
By default, this Demo works on Azure.
To set up the necessary infrastructure on azure, execute:
(you may have to change the tags according to your AKS Nodes)
```bash
helm install las sconeappsEE/las \
--set useSGXDevPlugin=azure \
--set sgxEpcMem=16 \
--set image=registry.scontain.com:5050/sconecuratedimages/services:las-scone5.0.0 \
--set nodeSelector.agentpool="confcompool1"
```
## TL;DR
- ask us for the corresponding permissions (registry secret, repository access)
- pull this [repository](https://gitlab.scontain.com/enterJazz/secure-doc-management)
......@@ -311,7 +324,7 @@ We intend this example to be run on a Kubernetes cluster.
Get access to `SconeApps` (see https://sconedocs.github.io/helm/):
```bash
helm repo add sconeapps https://${GH_TOKEN}@raw.githubusercontent.com/scontain/sconeapps/master/
helm repo add sconeappsEE https://${GH_TOKEN}@raw.githubusercontent.com/scontain/SconeAppsEE/master/
helm repo update
```
......@@ -324,13 +337,20 @@ export SCONE_HUB_EMAIL=...
kubectl create secret docker-registry sconeapps --docker-server=registry.scontain.com:5050 --docker-username=$SCONE_HUB_USERNAME --docker-password=$SCONE_HUB_ACCESS_TOKEN --docker-email=$SCONE_HUB_EMAIL
```
Start a Local Attestation Service (LAS) (we use a remote CAS):
Start Local Attestation Service (LAS) with Azure (we use a remote CAS):
```bash
helm install las sconeapps/las --set service.hostPort=true
# nodeSelector may have to be adjusted according to your nodes
helm install las sconeappsEE/las \
--set useSGXDevPlugin=azure \
--set sgxEpcMem=16 \
--set image=registry.scontain.com:5050/sconecuratedimages/services:las-scone5.0.0 \
--set nodeSelector.agentpool="confcompool1"
```
Install the SGX device plugin for Kubernetes:
To setup without Azure:
```bash
helm install las sconeapps/las --set service.hostPort=true
helm install sgxdevplugin sconeapps/sgxdevplugin
```
......@@ -344,7 +364,17 @@ export MEMCACHED_TARGET_IMAGE=your/repo:memcached-tls-protected
export NGINX_TARGET_IMAGE=your/repo:nginx-proxy-server-protected
```
Then use the Helm chart in `./secure-doc-management` to deploy the application to a Kubernetes cluster. We strongly recommend using the script `./setup-secure-doc-management.sh` for this. The helm command is as follows:
Then use the Helm chart in `./secure-doc-management` to deploy the application to a Kubernetes cluster. We strongly recommend using the script:
```bash
./setup-secure-doc-management.sh
# without Azure:
# export USE_AZURE=false; ./setup-secure-doc-management.sh
```
The helm command within this script is as follows:
```bash
helm install secure-doc-management $PWD/secure-doc-management \
--set global.scone.attestation.cas=$SCONE_CAS_ADDR \
......@@ -367,7 +397,12 @@ helm install secure-doc-management $PWD/secure-doc-management \
--set client-scone.extraEnv\[1\].name=NGINX_HOST \
--set client-scone.extraEnv\[1\].value=$NGINX_HOST \
--set client-scone.extraEnv\[2\].name=CAS_MRENCLAVE \
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE \
--set global.useSGXDevPlugin="azure" \
--set nodeSelector.agentpool="confcompool1" \
--set global.sgxEpcMem=16 \
--set lasUseHostIP=false \
--set las="172.17.0.1"
```
<!-- *NOTE:* Setting `service.type=LoadBalancer` will allow the application to get traffic from the internet (through a managed LoadBalancer). -->
......@@ -420,6 +455,7 @@ To uninstall the charts we installed during this demo, execute:
```bash
helm uninstall las
helm uninstall sgxdevplugin
helm uninstall secure-doc-management
# if you are not using Azure:
# helm uninstall sgxdevplugin
```
......@@ -4,8 +4,8 @@
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- end }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.sgxEpcMem) }}
{{- required "Specify '.Values.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.global.sgxEpcMem) }}
{{- required "Specify '.Values.global.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- end }}
apiVersion: apps/v1
......@@ -82,7 +82,7 @@ spec:
sgx.k8s.io/sgx: 1
{{- else if eq .Values.global.useSGXDevPlugin "azure" }}
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.sgxEpcMem }}
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.global.sgxEpcMem }}
{{- end}}
{{- end}}
volumeMounts:
......
......@@ -4,8 +4,8 @@
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- end }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.sgxEpcMem) }}
{{- required "Specify '.Values.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.global.sgxEpcMem) }}
{{- required "Specify '.Values.global.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- end }}
apiVersion: apps/v1
......@@ -87,7 +87,7 @@ spec:
sgx.k8s.io/sgx: 1
{{- else if eq .Values.global.useSGXDevPlugin "azure" }}
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.sgxEpcMem }}
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.global.sgxEpcMem }}
{{- end}}
{{- end}}
volumeMounts:
......
{{- if not .Values.global.useSGXDevPlugin }}
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"disabled\"" .value }}
{{- else if and (ne .Values.global.useSGXDevPlugin "enabled") (ne .Values.global.useSGXDevPlugin "disabled") }}
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"disabled\"" .value }}
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- else if and (ne .Values.global.useSGXDevPlugin "enabled") (ne .Values.global.useSGXDevPlugin "scone") (ne .Values.global.useSGXDevPlugin "azure") (ne .Values.global.useSGXDevPlugin "disabled") }}
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- end }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.global.sgxEpcMem) }}
{{- required "Specify '.Values.global.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- end }}
apiVersion: apps/v1
......@@ -50,14 +54,17 @@ spec:
- name: mariadb
containerPort: 3306
protocol: TCP
{{- if or (.Values.resources) (eq .Values.global.useSGXDevPlugin "enabled") }}
{{- if or (.Values.resources) (or (or (eq .Values.global.useSGXDevPlugin "scone") (eq .Values.global.useSGXDevPlugin "enabled")) (eq .Values.global.useSGXDevPlugin "azure")) }}
resources:
{{- if .Values.resources }}
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if eq .Values.global.useSGXDevPlugin "enabled" }}
{{- if or (eq .Values.global.useSGXDevPlugin "scone") (eq .Values.global.useSGXDevPlugin "enabled") }}
limits:
sgx.k8s.io/sgx: 1
{{- else if eq .Values.global.useSGXDevPlugin "azure" }}
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.global.sgxEpcMem }}
{{- end}}
{{- end}}
env:
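Review bot: The condition `{{- if or (.Values.resources) (or (or (eq ... "scone") (eq ... "enabled")) (eq ... "azure")) }}` nests `or` three deep for no reason; Go template `or` is variadic, so it reads more clearly and matches the flat form used in the sibling templates as `{{- if or .Values.resources (eq .Values.global.useSGXDevPlugin "scone") (eq .Values.global.useSGXDevPlugin "enabled") (eq .Values.global.useSGXDevPlugin "azure") }}`. The inner `{{- if or (eq ...) (eq ...) }}` two lines later is already written that way, so this is just consistency. The enclosing container spec starts before this hunk.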
......
......@@ -4,8 +4,8 @@
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- end }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.sgxEpcMem) }}
{{- required "Specify '.Values.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.global.sgxEpcMem) }}
{{- required "Specify '.Values.global.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- end }}
apiVersion: apps/v1
......@@ -97,7 +97,7 @@ spec:
sgx.k8s.io/sgx: 1
{{- else if eq .Values.global.useSGXDevPlugin "azure" }}
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.sgxEpcMem }}
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.global.sgxEpcMem }}
{{- end}}
{{- end}}
volumeMounts:
......
......@@ -4,8 +4,8 @@
{{- required "A valid '.Values.global.useSGXDevPlugin' is required: \"enabled\"|\"scone\"|\"azure\"|\"disabled\"" .value }}
{{- end }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.sgxEpcMem) }}
{{- required "Specify '.Values.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- if and (eq .Values.global.useSGXDevPlugin "azure") (not .Values.global.sgxEpcMem) }}
{{- required "Specify '.Values.global.sgxEpcMem' when using Azure SGX Device Plugin" .value }}
{{- end }}
apiVersion: apps/v1
......@@ -71,7 +71,7 @@ spec:
sgx.k8s.io/sgx: 1
{{- else if eq .Values.global.useSGXDevPlugin "azure" }}
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.sgxEpcMem }}
kubernetes.azure.com/sgx_epc_mem_in_MiB: {{ .Values.global.sgxEpcMem }}
{{- end}}
{{- end}}
env:
......
......@@ -16,6 +16,7 @@ global:
#las: 172.17.0.1
cas: 5-0-0.scone-cas.cf
useSGXDevPlugin: "enabled"
# sgxEpcMem: 16 # in MiB
imagePullSecrets:
- name: sconeapps
......
......@@ -9,9 +9,10 @@ set -o nounset
# Catch the error in case mysqldump fails (but gzip succeeds) in `mysqldump |gzip`
set -o pipefail
# Turn on traces, useful while debugging but commented out by default
#set -o xtrace
set -o xtrace
export IMAGE_PULL_SECRET=${IMAGE_PULL_SECRET:-sconeapps}
export USE_AZURE=${USE_AZURE:-"true"}
cd $PWD/policy-setup
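Review bot: `set -o xtrace` is now unconditionally enabled, but the comment directly above it still says "commented out by default", so one of the two must change; shipping a setup script that traces every command (including the `source myenv` / `source mrenclaves.sh` lines later on and the full `docker run`/`helm install` argument lists) is noisy and will leak whatever values those files carry into CI logs. Make it opt-in instead, e.g. `[ "${DEBUG:-false}" = "true" ] && set -o xtrace`, and adjust the comment to `# Turn on traces with DEBUG=true; off by default`. The `USE_AZURE` default of `"true"` is reasonable given the README, but a one-line comment naming the alternative value (`false`) next to it would help operators who only read the script.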
......@@ -70,32 +71,63 @@ export FASTAPI_HOST=${FASTAPI_HOST:-secure-doc-management-fastapi-scone}
export NGINX_HOST=${NGINX_HOST:-secure-doc-management-nginx-scone}
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e MARIADB_RELEASE_NAME=$MARIADB_RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST -e NGINX_HOST=$NGINX_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
docker run -it --rm --network=host -e USE_AZURE=$USE_AZURE -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e MARIADB_RELEASE_NAME=$MARIADB_RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST -e NGINX_HOST=$NGINX_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
source myenv
source mrenclaves.sh
cd $PWD/..
helm install secure-doc-management $PWD/secure-doc-management \
--set global.scone.attestation.cas=$SCONE_CAS_ADDR \
--set global.imagePullSecrets\[0\].name=$IMAGE_PULL_SECRET \
--set mariadb-scone.image=$MARIADB_TARGET_IMAGE \
--set mariadb-scone.imagePullSecrets\[0\].name=sconeapps \
--set mariadb-scone.scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set mariadb-scone.scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
--set mariadb-scone.scone.attestation.createUserConfigID=$DB_CONFIG_ID/create_user \
--set fastapi-scone.image=$FASTAPI_IMAGE \
--set fastapi-scone.scone.attestation.FASTAPIConfigID=$FASTAPI_CONFIG_ID/serve \
--set nginx-scone.image=$NGINX_TARGET_IMAGE \
--set nginx-scone.scone.attestation.NGINXConfigID=$NGINX_CONFIG_ID/nginx \
--set nginx-scone.service.type=NodePort \
--set memcached-scone.image=$MEMCACHED_TARGET_IMAGE \
--set memcached-scone.scone.attestation.MEMCACHEDConfigID=$MEMCACHED_CONFIG_ID/memcached \
--set client-scone.image=$CLIENT_IMAGE \
--set client-scone.extraEnv\[0\].name=NGINX_CONFIG_ID \
--set client-scone.extraEnv\[0\].value=$NGINX_CONFIG_ID \
--set client-scone.extraEnv\[1\].name=NGINX_HOST \
--set client-scone.extraEnv\[1\].value=$NGINX_HOST \
--set client-scone.extraEnv\[2\].name=CAS_MRENCLAVE \
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE
if [ "$USE_AZURE" = "true" ]
then
helm install secure-doc-management $PWD/secure-doc-management \
--set global.scone.attestation.cas=$SCONE_CAS_ADDR \
--set global.imagePullSecrets\[0\].name=$IMAGE_PULL_SECRET \
--set mariadb-scone.image=$MARIADB_TARGET_IMAGE \
--set mariadb-scone.imagePullSecrets\[0\].name=sconeapps \
--set mariadb-scone.scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set mariadb-scone.scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
--set mariadb-scone.scone.attestation.createUserConfigID=$DB_CONFIG_ID/create_user \
--set fastapi-scone.image=$FASTAPI_IMAGE \
--set fastapi-scone.scone.attestation.FASTAPIConfigID=$FASTAPI_CONFIG_ID/serve \
--set nginx-scone.image=$NGINX_TARGET_IMAGE \
--set nginx-scone.scone.attestation.NGINXConfigID=$NGINX_CONFIG_ID/nginx \
--set nginx-scone.service.type=NodePort \
--set memcached-scone.image=$MEMCACHED_TARGET_IMAGE \
--set memcached-scone.scone.attestation.MEMCACHEDConfigID=$MEMCACHED_CONFIG_ID/memcached \
--set client-scone.image=$CLIENT_IMAGE \
--set client-scone.extraEnv\[0\].name=NGINX_CONFIG_ID \
--set client-scone.extraEnv\[0\].value=$NGINX_CONFIG_ID \
--set client-scone.extraEnv\[1\].name=NGINX_HOST \
--set client-scone.extraEnv\[1\].value=$NGINX_HOST \
--set client-scone.extraEnv\[2\].name=CAS_MRENCLAVE \
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE \
--set global.useSGXDevPlugin="azure" \
--set nodeSelector.agentpool="confcompool1" \
--set global.sgxEpcMem=16 \
--set lasUseHostIP=false \
--set las="172.17.0.1"
else
helm install secure-doc-management $PWD/secure-doc-management \
--set global.scone.attestation.cas=$SCONE_CAS_ADDR \
--set global.imagePullSecrets\[0\].name=$IMAGE_PULL_SECRET \
--set mariadb-scone.image=$MARIADB_TARGET_IMAGE \
--set mariadb-scone.imagePullSecrets\[0\].name=sconeapps \
--set mariadb-scone.scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set mariadb-scone.scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
--set mariadb-scone.scone.attestation.createUserConfigID=$DB_CONFIG_ID/create_user \
--set fastapi-scone.image=$FASTAPI_IMAGE \
--set fastapi-scone.scone.attestation.FASTAPIConfigID=$FASTAPI_CONFIG_ID/serve \
--set nginx-scone.image=$NGINX_TARGET_IMAGE \
--set nginx-scone.scone.attestation.NGINXConfigID=$NGINX_CONFIG_ID/nginx \
--set nginx-scone.service.type=NodePort \
--set memcached-scone.image=$MEMCACHED_TARGET_IMAGE \
--set memcached-scone.scone.attestation.MEMCACHEDConfigID=$MEMCACHED_CONFIG_ID/memcached \
--set client-scone.image=$CLIENT_IMAGE \
--set client-scone.extraEnv\[0\].name=NGINX_CONFIG_ID \
--set client-scone.extraEnv\[0\].value=$NGINX_CONFIG_ID \
--set client-scone.extraEnv\[1\].name=NGINX_HOST \
--set client-scone.extraEnv\[1\].value=$NGINX_HOST \
--set client-scone.extraEnv\[2\].name=CAS_MRENCLAVE \
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE
fi
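Review bot: The two branches duplicate the entire 22-line `helm install` invocation and differ only in five trailing `--set` flags, so any future change to the shared flags has to be made twice and the branches will drift; collect the common flags in an array and append the Azure-specific ones. While doing that, the Azure-only values `nodeSelector.agentpool="confcompool1"` and `las="172.17.0.1"` are hard-coded even though the README says the pool name "may have to be adjusted" and 172.17.0.1 is the default Docker bridge address whose reachability from pods on an AKS node depends on the node runtime — give both an environment override with the current value as default, matching how `IMAGE_PULL_SECRET` and `USE_AZURE` are handled at the top of the script. Note `set -o nounset` is active, so the defaults must be supplied with `${VAR:-default}`.
```bash
HELM_ARGS=(
  --set global.scone.attestation.cas=$SCONE_CAS_ADDR
  --set global.imagePullSecrets\[0\].name=$IMAGE_PULL_SECRET
  # … unchanged: the remaining --set flags shared by both branches …
  --set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE
)
if [ "$USE_AZURE" = "true" ]
then
  HELM_ARGS+=(
    --set global.useSGXDevPlugin="azure"
    --set nodeSelector.agentpool="${AZURE_AGENTPOOL:-confcompool1}"
    --set global.sgxEpcMem="${SGX_EPC_MEM:-16}"
    --set lasUseHostIP=false
    --set las="${LAS_ADDR:-172.17.0.1}"
  )
fi
helm install secure-doc-management "$PWD/secure-doc-management" "${HELM_ARGS[@]}"
```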