SCONE Mesh Manifest Description (0.2.1)

Download OpenAPI specification:Download

mesh

A mesh manifest (aka Meshfile) defines a confidential service meshes. To create a confidential service mesh, execute sconectl apply -f manifest.yaml.

Note that the manifest must be given in yaml. The json request samples are only displayed to be able to get some idea about default values and the structure.

Definition: Confidential Service Mesh.

Request Body schema: application/json

OpenAPI manifest description:

apiVersion required	string API Version Expecting 'scone/'. The VERSION must be '5.8.0' or higher `apiVersion: scone/5.8`
required	Array of objects (Cas) Define CAS instances for service, access, image and attestation policies. In most cases, they might all be stored in the same CAS. However, in enterprise settings, we might use different CAS instances. For example, one might use central instances to maintain, e.g., the attestation policy. `cas: - name: cas # cas used to store the policy of this application # use alias in case CAS instance has multiple roles alias: ["image", "security", "access", "attestation"] cas_url: edge.scone-cas.cf # tolerance: only use the following during development - never in production! tolerance: "--only_for_testing-trust-any --only_for_testing-debug --only_for_testing-ignore-signer -C -G -S"`
required	Array of objects (ServiceKeyValue) Environment section defines key value pairs to configure the individual services of the mesh. One can define global key value pairs - which are like default values. One can overwrite these global values by specifying specific values for the specific services. env: # global section - shared amongst all services # can be overwritten in the service and `helm` sections - service: global env: - name: "session_secrets" value: "../secrets" - name: "useSGXDevPlugin" # kubernetes image pull secret value: "scone" # to FASTAPI_CA_CERT - service: maria_db # mariadb-related definitions env: - name: "database_user" # user name used in MariaDB value: "mariadb_user" - name: "database_host" # host name of MariaDB value: "mariadb_host"
	Array of objects (Mode) FUTURE EXTENSION - STILL BEING IMPLEMENTED. Section Mode can define additional SCONE CAS policies that are uploaded to SCONE CAS.
helm_extra_values	string <string> Extra values for helm charts - given via simple yaml values.
kind required	string We define a single kind of manifest: 'mesh' `kind: mesh`
required	object (Policy) Define policy related definitions. For now, this is mainly the namespace in which the policies for this mesh should be stored. Namespaces need to be unique. Hence, we add a random extension to namespaces in tutorials: it is unlikely that one gets into a name collision. For production, one should avoid such random namespace names. `policy: namespace: myUniqueNamespace # namespaces need to be unique!`
	object (Repo) Nullable Section `repo` describes what to do with the images of the mesh. Should they be squashed? Should they be stripped? Should they be signed? Should they be pushed to a different repo? THIS IS WORK IN PROGRESS - NOT ALL OPTIONS ARE FINALIZED YET. `repo: destination: registry.scontain.com/repo squash: false signature: cosign.key`
required	Array of objects (Service) A mesh consists of a set of services. We assign each a unique name like `memcached`. In case you need differently configured memcache services in your mesh, please give them different names like `memcached_ratelimiter` or `memcached_db_accelerator`. Images can be repeated, i.e., both memcached services could use the same container image. `services: - name: memcached image: registry.scontain.com/cicd/memcached:latest - name: nginx_scone image: registry.scontain.com/cicd/nginx:latest - name: maria_db image: registry.scontain.com/cicd/mariadb:latest`

Request samples

Payload

Content type

application/json

{"apiVersion": "scone/5.8.0",
"cas": [{"alias": ["string"
],
"cas_encryption_key": "7b21fbe8515b9c0f51bf2a36d1b24aef2f329794d142356941468a6c8f352a98",
"cas_key": "46YyxrywJ8PFRruWX8YLxa9q4axxYJgTbA81tv7NBcJfn43DQt",
"cas_url": "edge.scone-cas.cf",
"mode": "Upload",
"name": "cas",
"tolerance": "--only_for_testing-trust-any --only_for_testing-debug  --only_for_testing-ignore-signer -C -G -S"
}
],
"env": [{"env": [{"name": "string",
"value": "string"
}
],
"service": "global"
}
],
"extra_policies": [{"mode": "do not use",
"name": "do not use."
}
],
"helm_extra_values": "string",
"kind": "mesh",
"policy": {"access_policy_name": "security/policies/access",
"attestation_policy_name": "security/policies/attestation",
"image_policy_namespace": "myImageNamespace",
"maa": "https://sharedweu.weu.attest.azure.net",
"namespace": "myNamespace",
"security_policy_name": "security/policies/security",
"tolerate": "maa-managed-tcb"
},
"repo": {"config_id": "",
"destination": "registry.scontain.com/repo",
"key_file": "/file/with_secret",
"push": true,
"squash": true,
"strip": true
},
"services": [{"env": "templates/mariadb_envs.yaml",
"helm_chart": "templates/mariadb_helm_chart",
"image": "registry.scontain.com/sconectl/mariadb:latest",
"image_policy": "template/mariadb.yaml",
"image_secrets": "templates/mariadb_secrets.yaml",
"name": "maria_db"
}
]
}