You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+18-22Lines changed: 18 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,28 +2,30 @@
2
2
3
3
This is a validated pattern for deploying confidential containers on OpenShift.
4
4
5
-
The target operating model has two clusters:
5
+
There are two topologies for deploying this pattern:
6
6
7
-
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed.
8
-
- A second where a subset of workloads are deployed in confidential containers.
7
+
1.*Default* using a single cluster. This breaks the RACI expected in a remote attestation architecture, however, makes it easier to test. This uses the `simple``clusterGroup`.
8
+
2. A more secure operating model that has two clusters:
9
+
- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed. This is also the Advanced Cluster Manager Hub cluster. It uses the `trusted-hub``clusterGroup`.
10
+
- A second where a subset of workloads are deployed in confidential containers. It uses the `spoke``clusterGroup`
9
11
10
12
The current version of this application the confidential containers assumes deployment to Azure.
11
13
12
-
On the platform a sample workload is deployed:
14
+
On the cluster where confidential workloads are deployed two sample applications are deployed:
13
15
14
16
1. Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee).
15
17
2. A sample application `kbs-access` which presents secrets obtained from trustee to a web service. This is designed to allow users to test locked down environments.
16
18
17
19
Future work includes:
18
20
19
-
1. Supporting a multiple cluster deployment
20
-
2. Supporting multiple infrastructure providers
21
-
3. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs.
21
+
1.~~Supporting a multiple cluster deployment~~ Done
22
+
2. Supporting multiple infrastructure providers - Work in Progress.
23
+
3. Supporting air-gapped deployments - Work in Progress.
24
+
4. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs.
22
25
23
26
## Current constraints and assumptions
24
27
25
28
- Only currently is known to work with `azure` as the provider of confidential vms via peer-pods.
26
-
- Only known to work today with everything on one cluster. The work to expand this is in flight.
27
29
- Below version 3.1, if not using ARO you must either provide your own CA signed certs, or use let's encrypt.
28
30
- Must be on 4.16.14 or later.
29
31
@@ -61,9 +63,6 @@ The pattern has been tested on Azure for two installation methods:
61
63
1. Installing onto an ARO cluster
62
64
2. Self managed OpenShift install using the `openshift-install` CLI.
63
65
64
-
> [!IMPORTANT]
65
-
> You need an external CA signed certificate for to be added (e.g. with let's encrypt) to a self-managed install
66
-
67
66
### `1.0.0`
68
67
69
68
1.0.0 supports OpenShift Sandboxed containers version `1.8.1` along with Trustee version `0.2.0`.
@@ -73,18 +72,15 @@ The pattern has been tested on Azure for one installation method:
73
72
1. Self managed OpenShift install using the `openshift-install` CLI
74
73
2. Installing on top of an existing Azure Red Hat OpenShift (ARO) cluster
75
74
76
-
## Validated pattern flavours
75
+
## Changing deployment topoloiges
77
76
78
-
**Today the demo has one flavour**.
79
-
A number are planned based on various different hub cluster-groups.
80
-
You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file.
77
+
**Today the demo has two deployment topologies**
78
+
The most important change is what `clusterGroup` is deployed to your main or 'hub' cluster.
81
79
82
-
`values-simple.yaml`: or the `simple` cluster group is the default for the pattern.
83
-
It deploys a hello-openshift application 3 times:
80
+
You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file.
84
81
85
-
- A standard pod
86
-
- A kata container with peer-pods
87
-
- A confidential kata-container
82
+
-`values-simple.yaml`: or the `simple` cluster group is the default for the pattern. It deploys everything in one cluster.
83
+
-`values-trusted-hub`: or the `trusted-hub` cluster group can be configured as the main cluster group. A second cluster should be deployed with the `spoke` cluster group. Follow [instructions here](https://validatedpatterns.io/learn/importing-a-cluster/) to add the second cluster.
88
84
89
85
## Setup instructions
90
86
@@ -110,12 +106,12 @@ This only has to be done once.
110
106
> [!NOTE]
111
107
> Once generated this script will not override secrets. Be careful when doing multiple tests.
112
108
113
-
#### Configuring let's encrypt
109
+
#### Configuring let's encrypt (deprecated)
114
110
115
111
> [!IMPORTANT]
116
112
> Ensure you have password login available to the cluster. Let's encrypt will replace the API certificate in addition to the certificates to user with routes.
117
113
118
-
Trustee requires a trusted CA issued certificate. Let's Encrypt is included for environments without a trusted cert on OpenShift's routes.
114
+
Trustee (guest agents) requires that Trustee uses a Mozilla trusted CA issued certificate, or a specific certificate which is known in advance. Today the pattern uses specific self signed certs. Let's encrypt was an option for getting a trusted certificate onto OpenShift's routes, and therefore Trustee. Ths functionality will be removed at a later date.
119
115
120
116
If you need a Let's Encrypt certificate to be issued the `letsencrypt` application configuration needs to be changed as below.
0 commit comments