SCONE Mesh Manifest Description (0.2.1)


mesh

A mesh manifest (aka Meshfile) defines a confidential service mesh. To create a confidential service mesh, execute sconectl apply -f manifest.yaml.

Note that the manifest must be written in YAML. The JSON request samples are shown only to give an idea of the default values and the structure.

Definition: Confidential Service Mesh.

Request Body schema: application/json

OpenAPI manifest description:

apiVersion
required
string

API Version

  • Expecting 'scone/<VERSION>'. The VERSION must be '5.8.0' or higher
apiVersion: scone/5.8
cas
required
Array of objects (Cas)

Define CAS instances for service, access, image and attestation policies. In most cases, they might all be stored in the same CAS. However, in enterprise settings, we might use different CAS instances. For example, one might use central instances to maintain, e.g., the attestation policy.

cas:
- name: cas # cas used to store the policy of this application
  # use alias in case CAS instance has multiple roles
  alias: ["image", "security", "access", "attestation"]
  cas_url: edge.scone-cas.cf
  # tolerance: only use the following during development - never in production!
  tolerance: "--only_for_testing-trust-any --only_for_testing-debug --only_for_testing-ignore-signer -C -G -S"
env
required
Array of objects (ServiceKeyValue)

The environment section defines key value pairs to configure the individual services of the mesh. One can define global key value pairs, which act like default values. One can overwrite these global values by specifying specific values for specific services.

env:
# global section - shared amongst all services
# can be overwritten in the service and `helm` sections
- service: global
  env:
    - name: "session_secrets"
      value: "../secrets"
    - name: "useSGXDevPlugin"    # kubernetes image pull secret
      value: "scone"             # to FASTAPI_CA_CERT
- service: maria_db # mariadb-related definitions
  env:
    - name: "database_user"  # user name used in MariaDB
      value: "mariadb_user"
    - name: "database_host"  # host name of MariaDB
      value: "mariadb_host"
extra_policies
Array of objects (Mode)

FUTURE EXTENSION - STILL BEING IMPLEMENTED. The extra_policies section can define additional SCONE CAS policies that are uploaded to SCONE CAS.

helm_extra_values
string <string>

Extra values for helm charts - given via simple yaml values.

kind
required
string

We define a single kind of manifest:

  • 'mesh'
kind: mesh
policy
required
object (Policy)

Define policy related definitions. For now, this is mainly the namespace in which the policies for this mesh should be stored. Namespaces need to be unique. Hence, we add a random extension to namespaces in tutorials, so that a name collision is unlikely. For production, one should avoid such random namespace names.

policy:
  namespace: myUniqueNamespace    # namespaces need to be unique!
repo
object (Repo) Nullable

The repo section describes what to do with the images of the mesh. Should they be squashed? Should they be stripped? Should they be signed? Should they be pushed to a different repo? THIS IS WORK IN PROGRESS - NOT ALL OPTIONS ARE FINALIZED YET.

repo:
  destination: registry.scontain.com/repo
  squash: false
  signature: cosign.key
services
required
Array of objects (Service)

A mesh consists of a set of services. We assign each a unique name like memcached. In case you need differently configured memcached services in your mesh, please give them different names like memcached_ratelimiter or memcached_db_accelerator. Images can be repeated, i.e., both memcached services could use the same container image.

services:
- name: memcached
  image: registry.scontain.com/cicd/memcached:latest
- name: nginx_scone
  image: registry.scontain.com/cicd/nginx:latest
- name: maria_db
  image: registry.scontain.com/cicd/mariadb:latest
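A lint pass over a parsed Meshfile, as an added example that is not part of sconectl or the SCONE project's code: it checks the constraints stated in this description (apiVersion prefix and minimum version, kind, CAS role coverage, unique service names, env entries referring to defined services) and flags the development-only tolerance flags before a manifest reaches production. It assumes the manifest has already been loaded into a dict with a YAML parser; the SAMPLE dict and the function names are constructed here.

```python
MIN_VERSION = (5, 8, 0)
CAS_ROLES = {"image", "security", "access", "attestation"}

def parse_version(api_version):
    """'scone/5.8' -> (5, 8, 0); None if the prefix or the numbers are malformed."""
    if not api_version.startswith("scone/"):
        return None
    try:
        nums = tuple(int(p) for p in api_version[len("scone/"):].split("."))
    except ValueError:
        return None
    return (nums + (0, 0, 0))[:3]

def lint_manifest(m):
    """Return a list of findings for a parsed Meshfile; empty means it passes."""
    findings = []
    ver = parse_version(str(m.get("apiVersion", "")))
    if ver is None or ver < MIN_VERSION:
        findings.append("apiVersion must be scone/<VERSION> with VERSION >= 5.8.0")
    if m.get("kind") != "mesh":
        findings.append("kind must be 'mesh'")
    roles = set()
    for cas in m.get("cas", []):
        roles.update(cas.get("alias", []))
        # the --only_for_testing-* flags relax attestation checks: development only
        if "--only_for_testing" in (cas.get("tolerance") or ""):
            findings.append(f"cas '{cas.get('name')}': tolerance has development-only flags")
    if CAS_ROLES - roles:
        findings.append(f"no CAS covers role(s): {sorted(CAS_ROLES - roles)}")
    names = [s.get("name") for s in m.get("services", [])]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"service name '{dup}' is not unique")
    for block in m.get("env", []):
        svc = block.get("service")
        if svc != "global" and svc not in names:
            findings.append(f"env refers to undefined service '{svc}'")
    return findings

# Constructed sample assembled from the fragments above (values are illustrative)
SAMPLE = {
    "apiVersion": "scone/5.8", "kind": "mesh",
    "cas": [{"name": "cas", "alias": ["image", "security", "access", "attestation"],
             "cas_url": "edge.scone-cas.cf",
             "tolerance": "--only_for_testing-trust-any -C -G -S"}],
    "env": [{"service": "global", "env": [{"name": "session_secrets", "value": "../secrets"}]},
            {"service": "maria_db", "env": [{"name": "database_user", "value": "mariadb_user"}]}],
    "policy": {"namespace": "myUniqueNamespace"},
    "services": [{"name": "memcached", "image": "registry.scontain.com/cicd/memcached:latest"},
                 {"name": "maria_db", "image": "registry.scontain.com/cicd/mariadb:latest"}],
}
```

Running lint_manifest(SAMPLE) yields a single finding, the development-only tolerance flags copied from the cas example above.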

Request samples

Content type
application/json

{
  "apiVersion": "scone/5.8.0",
  "cas": [],
  "env": [],
  "extra_policies": [],
  "helm_extra_values": "string",
  "kind": "mesh",
  "policy": {},
  "repo": {},
  "services": []
}