sconectl [COMMAND] [OPTIONS]
sconectl helps to transform cloud-native applications into cloud-confidential applications. It supports converting native services into confidential services and service meshes into confidential service meshes.
sconectl is a CLI that runs on your development machine and executes scone commands in a local container: [scone](https://sconedocs.github.io/) is a platform to convert native applications into confidential applications. sconectl uses docker or podman to run the commands.
Ensure all files you want to pass along are in the current working directory or subdirectories. This is needed since we pass the current working directory to the docker image that executes the command.
If you want to use podman instead, please set the environment variable DOCKER_HOST to your podman API (printed by podman during startup). Currently, podman still has some open issues that need to be solved.
sconectl runs on macOS and Linux, and if there is some demand, on Windows. Try out
https://github.com/scontain/scone_mesh_tutorial
to test your sconectl setup. In particular, it will test that all prerequisites are satisfied
and gives some examples on how to use sconectl.
COMMAND:
apply    Apply a manifest. Execute sconectl apply --help for more info.
OPTIONS:
--help
Print help information. Other OPTIONS depend on the type of MANIFEST.
You need to specify -m <MANIFEST> to print more specific help messages.
ENVIRONMENT:
SCONECTL_REPO
Set this to the OCI image repo that you are using. The default repo
is 'registry.scontain.com/sconectl'
SCONECTL_NOPULL
By default, sconectl pulls the CLI image 'sconecli:latest' first. If this environment
variable is defined, sconectl does not pull the image.
VERSION: sconectl 0.2.11
COMMAND apply
The options of apply depend on the type of manifest one applies. It supports two kinds:
- service manifests (i.e., manifests of kind: genservice): apply executes the command scone_genservice.
- mesh manifests (i.e., manifests of kind: mesh), which we also call meshfiles: apply executes the command scone_mesh.
Service Manifests
For service manifests, we have access to the following options:
scone_genservice 0.1.2
SCONE Team
scone_genservice creates a confidential application image. The options are:
USAGE:
scone_genservice [OPTIONS]
OPTIONS:
-d, --dry-run
Specify 'dry_run' in case you do not want to upload the sessions
-f, --filename <FILENAME>
The manifest describes what wrapper needs to be generated
[default: Manifest.yaml]
-h, --helm-template <HELM_TEMPLATE>
Set a path to a directory containing generic helm templates. By default, we use the
generic template files included with the binary. One can customize these template files
and point this option at the directory holding the customized copies
[default: templates-genservice]
--help
Print help information
--mode <MODE>
Define the mode, i.e., if the application should run in "production" or in "debug" mode.
By default, we use "production" mode
[default: production]
-n, --no-push
By default, we push the image to the repo. Use the --no-push option to avoid pushing
images
-p, --print-defaults
Print the environment variables and their default values for this image. This can be
used to determine which values a) can be configured, i.e., those with a default value,
and b) must be configured, i.e., those without a default value
-q, --quiet
Less output per occurrence
-t, --target-directory <TARGET_DIRECTORY>
The directory in which the policies will be stored
[default: ./target]
-v, --verbose
More output per occurrence
-V, --version
Print version information
For example, we might execute
sconectl apply -f service.yaml -vvvvvvv
Mesh Manifests (a.k.a. Meshfiles)
Meshfiles are processed by a command named scone_mesh. This command supports a variety of options:
scone_mesh 0.2.0
SCONE Team
Scone Mesh creates SCONE policies for an application mesh.
USAGE:
scone_mesh [OPTIONS]
OPTIONS:
-d, --dry-run
Specify 'dry_run' in case you do not want to upload the sessions
-f, --filename <FILENAME>
The manifest describes what wrapper needs to be generated
[default: Meshfile.yaml]
-h, --help
Print help information
--host-pwd <HOST_PWD>
Define the PWD on the host (the laptop). This is needed when scone_mesh runs nested in a
container; sconectl apply sets it automatically. When running directly on the host, the
real OS PWD is used
[default: $PWD]
-m, --maa <MAA>
By default, we use DCAP-based attestation backed by Intel's attestation service.
Alternatively, the services can be attested with Azure MAA. Specify the MAA URL here to
switch on MAA-based attestation
--mode <MODE>
Define the mode, i.e., if the application should run in "production" or in "debug" mode.
By default, we use "production" mode
[default: production]
-n, --no-pull
The --no-pull option means that this tool does NOT pull the service image(s) first. This
is useful when you have built the container images on the local machine with the
--no-push option and only push them in a later step, e.g., after signing the images
-o, --output <OUTPUT>
The output format to be used: "helm_chart" or "yaml". If the yaml format is selected, a
"manifests" directory is created within the target directory. A Helm chart is always
generated
[default: helm_chart]
[possible values: helm_chart, yaml]
--otp <OTP>
Define the OTP used for signing container images; it controls access to the cosign
signing key. Whether images are signed before pushing, and whether native or confidential
cosign is used, is determined by the build.repo settings:
- build.repo.config_id: if defined, we sign confidentially and this is the config_id of
cosign; if not defined, we sign with native cosign.
- build.repo.key_file: with confidential cosign and key_file defined, this file contains
the secret of the generated OTP key; with confidential cosign and key_file not defined,
the OTP passed via this command line argument is used to sign an image (this works for
one image only); with native cosign, this file contains the key and OTP contains the
password for this key_file, i.e., COSIGN_PASSWORD.
Limitation: implementation is not complete
-p, --print-defaults
Print the environment variables and their default values for each of the images
--policy-namespace <POLICY_NAMESPACE>
[default: ]
-q, --quiet
Less output per occurrence
-t, --target-directory <TARGET_DIRECTORY>
The directory in which the policies are stored
[default: ./target]
-v, --verbose
More output per occurrence
-V, --version
Print version information
For example, we might execute
sconectl apply -f mesh.yaml -vvvvvvv
To use Microsoft Azure Attestation (MAA) instead of Intel DCAP attestation, pass the MAA provider URL when applying the meshfile:
sconectl apply -f Meshfile.yaml -vvvvv --maa=https://sharedweu.weu.attest.azure.ne
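The constraints described on this page are easy to violate by accident: every file handed to sconectl must live under the current working directory (that is all the container sees, so a symlink that leaves the tree is dangling inside it), --mode must be production or debug, and an --maa URL must point at an https attestation endpoint. The following POSIX shell wrapper is an added example, not part of sconectl or SCONE. It checks those constraints, then runs a --dry-run (accepted by both scone_genservice and scone_mesh, nothing is uploaded) before the real apply with the same arguments. The helper names, the SCONECTL override variable (only there so the wrapper can be exercised without the real CLI) and the placeholder MAA host are assumptions, not names from the project.

```shell
#!/bin/sh
# Added example (not sconectl/SCONE code): preflight wrapper around `sconectl apply`.
# Helper names, the SCONECTL override and the placeholder MAA host are assumptions.

# Canonicalise a path, following symlinks (bounded), using only POSIX tools.
canon() {
  p=$1 n=0
  while [ -L "$p" ] && [ "$n" -lt 40 ]; do
    t=$(readlink "$p") || return 1
    case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
    n=$((n + 1))
  done
  if [ -d "$p" ]; then
    (cd "$p" 2>/dev/null && pwd -P)
  else
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$p")"
  fi
}

# Succeeds only if the path, after resolving symlinks, lies inside $PWD.
# A symlink escaping the tree passes a naive "starts with ./" check but would be
# dangling inside the container, which only sees the mounted working directory.
under_pwd() {
  target=$(canon "$1") || return 1
  root=$(pwd -P)
  case $target in
    "$root" | "$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The two modes documented for scone_genservice and scone_mesh.
mode_ok() { case $1 in production | debug) return 0 ;; *) return 1 ;; esac; }

# Attestation endpoints are TLS-only; reject anything that is not an https URL.
maa_url_ok() { case $1 in https://?*) return 0 ;; *) return 1 ;; esac; }

# apply_checked MANIFEST MODE MAA_URL_OR_EMPTY [pass-through flags...]
# Validates the inputs, runs a --dry-run, and only then the real apply.
apply_checked() {
  manifest=$1 mode=$2 maa=$3
  shift 3
  under_pwd "$manifest" || { echo "refusing: $manifest resolves outside $(pwd -P)" >&2; return 1; }
  mode_ok "$mode" || { echo "refusing: unknown mode '$mode'" >&2; return 1; }
  if [ -n "$maa" ]; then
    maa_url_ok "$maa" || { echo "refusing: MAA URL must be https" >&2; return 1; }
    set -- "$@" "--maa=$maa"
  fi
  # SCONECTL is an assumed override so the wrapper can be tested without the CLI.
  "${SCONECTL:-sconectl}" apply -f "$manifest" --mode "$mode" --dry-run "$@" &&
    "${SCONECTL:-sconectl}" apply -f "$manifest" --mode "$mode" "$@"
}
```

Typical calls are `apply_checked service.yaml production "" -vvvvvvv --no-push` for a service manifest and `apply_checked Meshfile.yaml production https://myprovider.weu.attest.azure.net -vvvvv` (placeholder host) for a meshfile attested via MAA. A manifest reached through a symlink that leaves the working directory is rejected before any container starts.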