docs: add demo for workload secrets #1045
Conversation
|
| :::note[Runtime class and Initializer] | ||
|
|
||
| The deployment YAML shipped for this demo is already configured to be used with Contrast. | ||
| A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc-<platform>-<runtime-hash>` |
There was a problem hiding this comment.
Nit: only during generate is contrast-cc expanded to contrast-cc-<platform>-<hash>.
There was a problem hiding this comment.
This should also be patched for the Emojivoto docs.
| A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc-<platform>-<runtime-hash>` | ||
| was added to the pods to signal they should be run as Confidential Containers. During the generation process, | ||
| the Contrast [Initializer](../components/overview.md#the-initializer) will be added as an init container to these | ||
| workloads to facilitate the attestation and certificate pulling before the actual workload is started. |
There was a problem hiding this comment.
Maybe mention here that it's also responsible for fetching the workload secret.
| During the initialization process of the workload pod, the Contrast Initializer | ||
| sends an attestation report to the Coordinator and retrieves a randomly | ||
| generated workload secret, seeded with the workload secret ID specified in the | ||
| manifest, and writes it to a `volumeMount`. |
There was a problem hiding this comment.
I think we should emphasize here that this is a secure-memory-backed mount.
| Using the `mysql` command line interface, you can connect to the database as the | ||
| root user with the password specified in the deployment YAML (`password`). |
There was a problem hiding this comment.
I think this setup does not sound ideal, even for a demo. Could we maybe mention the service mesh here to ensure only Contrast deployments can access the MySQL server?
| deterministically generate the same key again and open the already partitioned | ||
| LUKS device. | ||
|
|
||
| For example, after making changes to the deployment files, the runtime policies |
There was a problem hiding this comment.
The advice here is not correct. If you change the deployment, you're likely to get a different policy hash, resulting in a different workload secret. This is where the WorkloadSecretID comes in, which may be, well, underdocumented right now.
There was a problem hiding this comment.
Do we need a disclaimer here, mentioning:
- Risk of data loss without backups.
- Workload owner vs data owner concerns.
- Security concerns with unauthenticated encryption, PBKDF2 defaults, etc.
There was a problem hiding this comment.
Although, we might want those disclaimers in the general architecture/feature description and likely only refer to them here, right?
| # cryptsetup complains if there is no /run directory. | ||
| mkdir /run |
There was a problem hiding this comment.
Consider adding an emptyDir mount instead.
There was a problem hiding this comment.
We also already have the same(?) script in https://github.com/edgelesssys/contrast/blob/main/internal/kuberesource/sets.go#L504. We likely want to build a function returning the string (maybe add some templating if needed) and use it in both places.
| # No matter if this is the first initialization derive the key (again) and open the device. | ||
| uuid=$(blkid "${device}" -s UUID -o value) | ||
| openssl kdf -keylen 32 -kdfopt digest:SHA2-256 -kdfopt key:$(cat "${workload_secret_path}") \ | ||
| -kdfopt info:${uuid} -binary HKDF | base64 | tr -d '\n' > "${disk_encryption_key_path}" |
There was a problem hiding this comment.
| -kdfopt info:${uuid} -binary HKDF | base64 | tr -d '\n' > "${disk_encryption_key_path}" | |
| -kdfopt info:${uuid} -binary HKDF | base64 -w0 > "${disk_encryption_key_path}" |
| -kdfopt info:${uuid} -binary HKDF | base64 | tr -d '\n' > "${disk_encryption_key_path}" | ||
| cryptsetup luksUUID "${device}" | ||
| cryptsetup open "${device}" state -d "${disk_encryption_key_path}" | ||
| mkdir -p /data |
| WithFailureThreshold(20). | ||
| WithPeriodSeconds(5). | ||
| WithExec(applycorev1.ExecAction(). | ||
| WithCommand("/bin/sh", "-c", "cat /done"), |
There was a problem hiding this comment.
| WithCommand("/bin/sh", "-c", "cat /done"), | |
| WithCommand("/bin/test", "-f", "/done"), |
... might be clearer.
This adds a demo application running a MySQL server with an encrypted volume mount, similar to the
volume-tester. For this, thecryptsetupinit container uses the workload secret to set up a LUKS partition that is mounted to/var/lib/mysql. The demo is also provided as a release artifact asmysql-demo.yml.