how to configure image decryption keys #391

Open
reclock opened this issue Apr 18, 2024 · 4 comments
reclock commented Apr 18, 2024

yaml:

apiVersion: v1
kind: Pod
metadata:
  name: enclave-cc-pod-test
spec:
  containers:
  - image: ghcr.io/confidential-containers/test-container-enclave-cc:encrypted
    name: hello-world
    workingDir: "/run/rune/boot_instance/"
    env:
    - name: OCCLUM_RELEASE_ENCLAVE
      value: "1"
    command:
    - /run/rune/boot_instance/build/bin/occlum-run
    - /bin/hello_world
  runtimeClassName: enclave-cc

error:

image

Contributor

mythi commented Apr 23, 2024

Author

reclock commented Apr 23, 2024

  1. git clone https://github.com/confidential-containers/kbs.git && cd kbs
  2. docker compose up -d
    then error:

image

Author

reclock commented Apr 23, 2024

The key and the key id are defined in the test image's Dockerfile

Must the key and keyid be declared in the dockerfile? Do I also need to modify the key here if I want to change it? Shouldn't it be provided by kbs?

Contributor

mythi commented Apr 26, 2024

> 2. docker compose up -d
>    then error:

You should be able to use the pre-built images instead of getting them built yourself (uncomment the images and pick the latest from https://github.com/orgs/confidential-containers/packages?repo_name=trustee).

> Must the key and keyid be declared in the dockerfile? Do I also need to modify the key here if I want to change it? Shouldn't it be provided by kbs?

No, the labels are just "notes". The setup doc should use the same "secrets" used for encrypting the test image we use.
