Commit 276a7291 authored by Robert Schambach's avatar Robert Schambach

Correct DNS injection for binaryfs for Kubernetes

parent 0432c886
......@@ -57,8 +57,8 @@ images:
# Network files
- path: /etc/resolv.conf
content: |
nameserver 10.96.0.10
search sgx-scone.svc.cluster.local svc.cluster.local cluster.local
nameserver $CLUSTER_DNS_IP
search $NAMESPACE.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
- path: /etc/hosts
content: |
......@@ -69,7 +69,6 @@ images:
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.244.2.49 secure-doc-management-fastapi-scone
- path: /etc/hostname
content: |
secure-doc-management-fastapi-scone
......
name: $FASTAPI_SESSION
version: "0.3"
# Access control:
# - only the data owner (CREATOR) can read or update the session
# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
access_policy:
read:
- CREATOR
update:
- CREATOR
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration, software-hardening-needed]
ignore_advisories: "*"
services:
- name: serve
image_name: client_image
command: ["python3", "rest_api.py"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPI"]
pwd: /
# fspf_path: /fspf.pb
# fspf_key: $FASTAPI_POLICY_FSPF_KEY
# fspf_tag: $FASTAPI_POLICY_FSPF_TAG
environment:
DB_HOST: $DB_HOST
DB_USER: $DB_USER
MC_HOST: $MEMCACHED_HOST
images:
- name: client_image
injection_files:
- path: /etc/fastapi-ca.crt
content: $$SCONE::FASTAPI_CA_CERT.chain$$
- path: /etc/server.crt
content: $$SCONE::fastapi.crt$$
- path: /etc/server.key
content: $$SCONE::fastapi.key$$
- path: /etc/client.crt
content: $$SCONE::FASTAPI_CLIENT_CERT.crt$$ # export client certificate
- path: /etc/client.key
content: $$SCONE::FASTAPI_CLIENT_CERT.key$$ # export client key
- path: /etc/mariadb-ca.crt
content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
- path: /etc/mariadb-client.crt
content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
- path: /etc/mariadb-client.key
content: $$SCONE::MARIADB_CLIENT_CERT.key$$
- path: /etc/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$
- path: /etc/memcached-client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
- path: /etc/memcached-client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
# Network files
- path: /etc/resolv.conf
content: |
nameserver 10.0.0.10
search default.svc.cluster.local svc.cluster.local cluster.local kfwuuip3wh5exmh5swgv03fnlg.xx.internal.cloudapp.net
options ndots:5
# nameserver 10.96.0.10
# search sgx-scone.svc.cluster.local svc.cluster.local cluster.local
# options ndots:5
- path: /etc/hosts
content: |
# Kubernetes-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.244.2.49 secure-doc-management-fastapi-scone
- path: /etc/hostname
content: |
secure-doc-management-fastapi-scone
# Import client credentials from DB session.
secrets:
# fastapi - mariadb tls
- name: db_user
kind: ascii
value: $DB_USER
- name: MARIADB_CLIENT_CERT
import:
session: $DB_SESSION
secret: MARIADB_CLIENT_CERT
- name: MARIADB_CA_CERT
import:
session: $DB_SESSION
secret: MARIADB_CA_CERT
# fastapi - memcached tls
- name: MEMCACHED_CLIENT_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CLIENT_CERT
- name: MEMCACHED_CA_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CA_CERT
# specific for fastapi - nginx tls
- name: fastapi-key # automatically generate FASTAPI server certificate
kind: private-key
- name: fastapi # automatically generate FASTAPI server certificate
private_key: fastapi-key
issuer: FASTAPI_CA_CERT
kind: x509
dns:
- $FASTAPI_HOST
- name: FASTAPI_CLIENT_KEY
kind: private-key
export:
- session: $NGINX_SESSION
- name: FASTAPI_CLIENT_CERT # automatically generate client certificate
private_key: FASTAPI_CLIENT_KEY
issuer: FASTAPI_CA_CERT
common_name: FASTAPI_CLIENT_CERT
kind: x509
export:
- session: $NGINX_SESSION # export client cert/key to upload session
- name: FASTAPI_CA_KEY # export session CA certificate as FASTAPI CA certificate
kind: private-key
- name: FASTAPI_CA_CERT # export session CA certificate as FASTAPI CA certificate
kind: x509-ca
common_name: FASTAPI_CA
private_key: FASTAPI_CA_KEY
export:
- session: $NGINX_SESSION # export the session CA certificate to upload session
......@@ -55,14 +55,7 @@ if [ ! -z "$FASTAPI_SESSION" ]; then
export TABLE="test_table"
echo "Uploading policy $FASTAPI_SESSION (fastapi server)..."
if [ "$USE_AZURE" = "true" ]
then
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session_azure.yml"
else
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"
fi
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"
echo ""
echo "export FASTAPI_CONFIG_ID="$FASTAPI_SESSION"" > "${BASH_SOURCE%/*}/myenv"
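Review bot: The now unconditional `scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"` has no failure handling: unless `set -e` is in effect at the top of upload_policies.sh (outside this hunk), a rejected policy still results in the next line writing `FASTAPI_CONFIG_ID` into `myenv`, so later steps run against a session that was never created. A minimal guard would be `scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml" || { echo "fastapi policy upload failed" >&2; exit 1; }`. With the Azure branch removed here and `USE_AZURE` dropped from the docker invocation, please confirm that `fastapi_session_azure.yml` is deleted in this commit as well, otherwise it becomes an unreferenced policy file that still carries the old hard-coded nameserver and search domains. The enclosing `if [ ! -z "$FASTAPI_SESSION" ]` block starts before this hunk.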
......@@ -102,6 +95,6 @@ echo "export SCONE_CAS_ADDR="$SCONE_CAS_ADDR"" >> "${BASH_SOURCE%/*}/myenv"
# Uncomment to double check submitted policies.
#scone session read $DB_SESSION
#scone session read $FASTAPI_SESSION
scone session read $FASTAPI_SESSION
#scone session read $MEMCACHED_SESSION
#scone session read $NGINX_SESSION
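Review bot: The uncommented `scone session read $FASTAPI_SESSION` sits directly under the comment "Uncomment to double check submitted policies", so it reads as a debugging aid left enabled rather than an intended step of the upload script, and it now prints the whole submitted policy (including the injected file contents) to the terminal on every run. If the read-back is meant to stay, move it out from under that comment and state its purpose, e.g. `# Read back the fastapi policy to confirm the injected DNS files were accepted.`; otherwise restore the `#` prefix as for the sibling sessions.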
......@@ -70,8 +70,15 @@ export MEMCACHED_HOST=${MEMCACHED_HOST:-secure-doc-management-memcached-scone}
export FASTAPI_HOST=${FASTAPI_HOST:-secure-doc-management-fastapi-scone}
export NGINX_HOST=${NGINX_HOST:-secure-doc-management-nginx-scone}
# get necessary information for DNS resolution
export CLUSTER_DNS_IP=${CLUSTER_DNS_IP:-$(kubectl -n kube-system get service | grep kube-dns | awk '{print $3}')}
export NAMESPACE=${NAMESPACE:-$(kubectl config view --minify --output 'jsonpath={..namespace}')}
if [ -z $NAMESPACE ]; then
export NAMESPACE=default
fi
docker run -it --rm --network=host -e USE_AZURE=$USE_AZURE -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e MARIADB_RELEASE_NAME=$MARIADB_RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST -e NGINX_HOST=$NGINX_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
docker run -it --rm --network=host -e CLUSTER_DNS_IP=$CLUSTER_DNS_IP -e NAMESPACE=$NAMESPACE -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e MARIADB_RELEASE_NAME=$MARIADB_RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST -e NGINX_HOST=$NGINX_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
source myenv
source mrenclaves.sh
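Review bot: `CLUSTER_DNS_IP` is derived from `kubectl -n kube-system get service | grep kube-dns | awk '{print $3}'` with no check that the result is non-empty or a single value; if the grep matches nothing (or more than one service line) the variable is empty or contains several IPs, and the `nameserver $CLUSTER_DNS_IP` line injected into /etc/resolv.conf in the first hunk of fastapi_session.yml is then silently malformed inside the enclave. The `[ -z $NAMESPACE ]` test on the new side should also quote its operand, `[ -z "$NAMESPACE" ]`, to avoid a syntax error when the expansion is empty under some shells. I would query the service's cluster IP directly and fail early when it cannot be determined; the service name `kube-dns` is the common default but should be confirmed for the target cluster.

```shell
# get necessary information for DNS resolution
export CLUSTER_DNS_IP=${CLUSTER_DNS_IP:-$(kubectl -n kube-system get service kube-dns -o jsonpath='{.spec.clusterIP}')}
if [ -z "$CLUSTER_DNS_IP" ]; then
  echo "Could not determine the cluster DNS IP; set CLUSTER_DNS_IP explicitly" >&2
  exit 1
fi
export NAMESPACE=${NAMESPACE:-$(kubectl config view --minify --output 'jsonpath={..namespace}')}
if [ -z "$NAMESPACE" ]; then
  export NAMESPACE=default
fi
# … unchanged: docker run … bash /policies/upload_policies.sh …
```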
......@@ -103,7 +110,7 @@ then
--set client-scone.extraEnv\[2\].value=$CAS_MRENCLAVE \
--set global.useSGXDevPlugin="azure" \
--set nodeSelector.agentpool="confcompool1" \
--set global.sgxEpcMem=16 \
--set global.sgxEpcMem=12 \
--set lasUseHostIP=false \
--set las="172.17.0.1"
else
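Review bot: The change of `--set global.sgxEpcMem=16` to `--set global.sgxEpcMem=12` is unrelated to the DNS injection described in the commit message and is not explained anywhere in the hunk. A one-line comment above it stating why the smaller EPC allocation is sufficient for this deployment (e.g. `# EPC size reduced to fit the confcompool1 node size`, adjusted to the real reason) would keep the next reader from reverting it. The enclosing `if`/`else` block starts and ends outside this hunk.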
......