Skip to content

sconectl [COMMAND] [OPTIONS]

sconectl helps to transform cloud-native applications into cloud-confidential applications. It supports converting native services into confidential services and service meshes into confidential service meshes.

sconectl is a CLI that runs on your development machine and executes scone commands in a local container: scone is a platform to convert native applications into confidential applications. sconectl uses docker or podman to run the commands.

Ensure all files you want to pass along are in the current working directory or subdirectories. This is needed since we pass the current working directory to the docker image that executes the command.

If you want to use podman instead, please set the environment variable DOCKER_HOST to your podman API (printed by podman during startup). Currently, podman still has some open issues that need to be solved.

sconectl runs on macOS and Linux, and if there is some demand, on Windows. Try out

https://github.com/scontain/scone_mesh_tutorial

to test your sconectl setup. In particular, it will test that all prerequisites are satisfied and gives some examples on how to use sconectl:

COMMAND:
  apply   apply manifest. Execute sconectl apply --help for more info.


OPTIONS:

  --help
          Print help information. Other OPTIONS depend on the type of MANIFEST. 
          You need to specify -m <MANIFEST> to print more specific help messages.     

ENVIRONMENT:

  SCONECTL_REPO
           Set this to the OCI image repo that you are using. The default repo
           is 'registry.scontain.com:5050/sconectl'


  SCONECTL_NOPULL
           By default, sconectl pulls the CLI image 'sconecli:latest' first. If this environment 
           variable is defined, sconectl does not pull the image. 

VERSION: sconectl 0.2.11
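Two of the operational rules above are easy to trip over: only the current working directory is mounted into the container that runs the scone command, so a manifest passed from anywhere else simply does not exist inside it, and the CLI image comes from SCONECTL_REPO and is re-pulled on every run unless SCONECTL_NOPULL is set. The POSIX shell wrapper below is added here as an example; it is not part of sconectl or its documentation. It rejects a manifest path that does not resolve (symlinks followed) under the working directory before any container starts, shows how the default repo resolves, and records the registry digest of the locally cached CLI image when SCONECTL_NOPULL is in effect, because sconecli:latest is a mutable tag and "no pull" means "whatever was pulled last". It assumes the image reference is formed as <SCONECTL_REPO>/sconecli:latest (the page names the repo and the image separately; joining them this way is an assumption) and that docker is the container runtime.

```shell
#!/bin/sh
# Added example, not part of sconectl or its docs: a preflight wrapper for
# 'sconectl apply' that enforces two facts the sconectl help states:
#  (1) only $PWD is mounted into the container, so the manifest (and anything it
#      references) must live under it, symlinks included;
#  (2) the CLI image is taken from $SCONECTL_REPO (default
#      registry.scontain.com:5050/sconectl) and re-pulled unless SCONECTL_NOPULL is set.
# Assumption: the CLI image reference is '<repo>/sconecli:latest'.
set -u

# Return 0 if the directory containing $1 resolves (symlinks followed) to $PWD or a
# subdirectory of it, 1 otherwise. A non-existent directory also yields 1.
manifest_in_cwd() {
  dir=$(dirname "$1")
  target_dir=$(cd "$dir" 2>/dev/null && pwd -P) || return 1
  base=$(pwd -P)
  case "$target_dir" in
    "$base"|"$base"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The CLI image sconectl will run, honouring SCONECTL_REPO (assumed layout, see above).
sconectl_cli_image() {
  printf '%s/sconecli:latest\n' "${SCONECTL_REPO:-registry.scontain.com:5050/sconectl}"
}

# Registry digest of the locally cached CLI image. 'latest' is a mutable tag: with
# SCONECTL_NOPULL you run whatever was pulled last, so log this digest with the build.
sconectl_cli_image_digest() {
  docker image inspect --format '{{index .RepoDigests 0}}' "$(sconectl_cli_image)"
}

# Preflight, then run: sconectl_apply_checked <manifest> [further sconectl apply options]
sconectl_apply_checked() {
  manifest=${1:-Meshfile.yaml}
  shift 2>/dev/null || true
  if ! manifest_in_cwd "$manifest"; then
    echo "error: $manifest is outside $(pwd -P); only the working directory is mounted" >&2
    return 2
  fi
  [ -f "$manifest" ] || { echo "error: $manifest not found" >&2; return 2; }
  if [ -n "${DOCKER_HOST:-}" ]; then
    echo "note: DOCKER_HOST=$DOCKER_HOST (podman or a remote daemon)" >&2
  fi
  if [ -n "${SCONECTL_NOPULL:-}" ]; then
    echo "note: SCONECTL_NOPULL set; running cached image $(sconectl_cli_image_digest)" >&2
  fi
  sconectl apply -f "$manifest" "$@"
}
```

Run it as `sconectl_apply_checked Meshfile.yaml -vvv`. A path such as ../other/Meshfile.yaml, or a symlink in the working directory that points outside it, is rejected on the host rather than failing inside the container where the file is simply absent.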

COMMAND apply

The options of apply depend on the type of manifest one applies. It supports

  • service manifest (i.e., manifests of kind: genservice): apply executes the command scone_genservice.
  • mesh manifest (i.e., manifests of kind: mesh): these manifests are also called meshfiles. apply executes the command scone_mesh.

Service Manifests

For service manifests, we have access to the following options:

scone_genservice 0.1.2
SCONE Team
Scone scone_genservice creates a confidential application image. The choices are

USAGE:
    scone_genservice [OPTIONS]

OPTIONS:
    -d, --dry-run
            Specify 'dry_run' in case you do not want to upload the sessions

    -f, --filename <FILENAME>
            The manifest describes what wrapper needs to be generated

            [default: Manifest.yaml]

    -h, --helm-template <HELM_TEMPLATE>
            Set a path for a directory containing generic helm templates. By default, we use the
            generic template files included with the binary. One can customize these template files
            and define a path to these customized template files

            [default: templates-genservice]

        --help
            Print help information

        --mode <MODE>
            Define the mode, i.e., if the application should run in "production" or in "debug" mode.
            By default, we use "production" mode

            [default: production]

    -n, --no-push
            by default, we push the image to the repo. Use the --no-push option to avoid pushing
            images

    -p, --print-defaults
            Print the environment variables and their default values for this image. This can be
            used to determine which values one a) can configure, i.e., those with a default value,
            and b) one must configure, i.e., values that do not have a default value

    -q, --quiet
            Less output per occurrence

    -t, --target-directory <TARGET_DIRECTORY>
            The directory in which the policies will be stored

            [default: ./target]

    -v, --verbose
            More output per occurrence

    -V, --version
            Print version information

For example, we might execute

sconectl apply -f service.yaml -vvvvvvv

Mesh Manifests (a.k.a. Meshfiles)

Meshfiles are processed by a command named scone_mesh. This command supports a variety of options:

scone_mesh 0.2.0
SCONE Team
Scone Mesh creates SCONE policies for an application mesh.

USAGE:
    scone_mesh [OPTIONS]

OPTIONS:
    -d, --dry-run
            Specify 'dry_run' in case you do not want to upload the sessions

    -f, --filename <FILENAME>
            The manifest describes what wrapper needs to be generated

            [default: Meshfile.yaml]

    -h, --help
            Print help information

        --host-pwd <HOST_PWD>
            Define the working directory (PWD) on the host. Needed when scone_mesh runs nested in a
            container; sconectl apply sets this automatically. When running directly on the host,
            the real OS working directory is used

            [default: $PWD]

    -m, --maa <MAA>
            By default we use dcap-based attestation using Intel's attestation service.
            Alternatively, we can use Azure MAA to attest the services. Please specify the MAA URL
            here to switch on MAA-based attestation

        --mode <MODE>
            Define the mode, i.e., if the application should run in "production" or in "debug" mode.
            By default, we use "production" mode

            [default: production]

    -n, --no-pull
            No pull option implies that this tool does NOT pull the service image(s) first. This can
            be useful in case you have built the container images on the local server with the
            --no-push option. One might only push the images in a later step, e.g., after signing
            the images

    -o, --output <OUTPUT>
            The output format to be used: "helm_chart" or "yaml". If yaml format is selected, a
            "manifests" directory will be created within the target directory. A HELM chart is
            always issued

            [default: helm_chart]
            [possible values: helm_chart, yaml]

        --otp <OTP>
            Define the OTP used when signing container images; it controls access to the cosign
            signing key. Whether the images are signed before pushing, and whether native or
            confidential cosign is used, depends on these settings:

            build.repo.config_id:
              - if defined, we sign confidentially and this is the config_id of cosign
              - if not defined, we sign with native cosign

            build.repo.key_file:
              - if confidential cosign and key_file is defined, this file contains the secret of
                the generated OTP key
              - if confidential cosign and key_file is not defined, we use the OTP passed via this
                command line argument to sign an image. This works for one image only!
              - if native cosign, this file contains the key and OTP contains the password for this
                key_file, i.e., COSIGN_PASSWORD

            Limitation: implementation is not complete

    -p, --print-defaults
            Print the environment variables and their default values for each of the images

        --policy-namespace <POLICY_NAMESPACE>
            [default: ]

    -q, --quiet
            Less output per occurrence

    -t, --target-directory <TARGET_DIRECTORY>
            The directory to which the policies are stored

            [default: ./target]

    -v, --verbose
            More output per occurrence

    -V, --version
            Print version information

For example, we might execute

sconectl apply -f mesh.yaml -vvvvvvv

To use Microsoft Azure Attestation (MAA) instead of Intel DCAP attestation, pass the MAA endpoint URL with --maa when applying the meshfile:

sconectl apply -f Meshfile.yaml -vvvvv --maa=https://sharedweu.weu.attest.azure.ne

scone_init

On your Kubernetes cluster, the SCONE SGX Plugin service and the SCONE LAS service need to be installed. By default, they are installed into the Kubernetes namespace scone.

You can install them by first creating an access token for the SCONE registry (see https://sconedocs.github.io/helm/#scone-hub-credentials) and then running:

export SECRET_TOKEN="..."
export SECRET_EMAIL="..."
export SECRET_USERNAME="..."
sconectl scone_init --image-pull-secret --secret-email "$SECRET_EMAIL"  --secret-token "$SECRET_TOKEN" --secret-username "$SECRET_USERNAME"

You can check whether the two DaemonSets are installed by executing:

kubectl get daemonsets las -n scone
kubectl get daemonsets sgxplugin-sample-sgxdevplugin -n scone
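The install command above takes the registry token as a command-line flag, and the snippet exports it first, which leaves it in the shell history and in the environment of every process that shell starts afterwards. The script below is an added example and not part of the sconectl documentation. It reads the token without echo, passes it to the single scone_init invocation and nothing else, and then waits until both DaemonSets the page names (las and sgxplugin-sample-sgxdevplugin, in namespace scone) report every desired pod ready, which a bare kubectl get daemonsets listing does not tell you. The DaemonSet names, namespace and flags are the ones shown on this page; that kubectl and sconectl are on PATH is assumed. Because scone_init only accepts the token as a flag, it is still visible in the process list of the machine for as long as that command runs.

```shell
#!/bin/sh
# Added example, not part of the sconectl docs: install the SCONE LAS and SGX plugin
# DaemonSets via scone_init without exporting the registry token, then wait until both
# DaemonSets are actually ready rather than merely present.
# Assumptions: DaemonSet names 'las' and 'sgxplugin-sample-sgxdevplugin' and namespace
# 'scone' as listed on this page; kubectl and sconectl on PATH.
set -u

SCONE_NS=${SCONE_NS:-scone}

# Read the registry token from the terminal with echo disabled, so it does not land in
# ~/.bash_history the way 'export SECRET_TOKEN="..."' typed at the prompt would.
read_token() {
  printf 'SCONE registry access token: ' >&2
  stty -echo 2>/dev/null
  read -r token
  stty echo 2>/dev/null
  printf '\n' >&2
  printf '%s' "$token"
}

# Decide from "<desired> <ready>" (two DaemonSet status counters) whether every node
# that should run the pod has a ready one. Returns 0 when desired > 0 and ready equals
# desired, 1 for anything else, including empty or malformed input.
ds_status_ready() {
  set -- $1
  [ "$#" -eq 2 ] || return 1
  desired=$1
  ready=$2
  [ "$desired" -gt 0 ] 2>/dev/null || return 1
  [ "$ready" -eq "$desired" ] 2>/dev/null
}

# Poll one DaemonSet until ready or until the timeout (seconds, default 120) expires.
wait_daemonset() {
  name=$1
  timeout=${2:-120}
  elapsed=0
  status=""
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$(kubectl get daemonset "$name" -n "$SCONE_NS" \
      -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}' 2>/dev/null) \
      || status=""
    if ds_status_ready "$status"; then
      echo "daemonset/$name ready (desired/ready: $status)"
      return 0
    fi
    sleep 5
    elapsed=$((elapsed + 5))
  done
  echo "daemonset/$name not ready after ${timeout}s (last status: '$status')" >&2
  return 1
}

# install_scone_base <email> <username>: token is prompted for, never exported.
install_scone_base() {
  email=$1
  user=$2
  token=$(read_token)
  [ -n "$token" ] || { echo "error: empty token" >&2; return 1; }
  sconectl scone_init --image-pull-secret \
    --secret-email "$email" --secret-token "$token" --secret-username "$user" \
    --namespace "$SCONE_NS" || return 1
  unset token
  wait_daemonset las && wait_daemonset sgxplugin-sample-sgxdevplugin
}
```

Usage: `install_scone_base you@example.com your-username`. The readiness check deliberately treats "0 desired, 0 ready" as not ready: that is what you see when the SGX device plugin finds no node advertising SGX, and a later sconectl apply would then schedule nothing.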

Manual page:

Scone Init installs scone deployments in a Kubernetes cluster using HELM. It installs LAS and the
SGX Device Plugin by default.

USAGE:
    scone_init [OPTIONS]

OPTIONS:
    -c, --cas
            Installs a CAS instance in the K8s cluster

        --cas-extra-values <CAS_EXTRA_VALUES>
            YAML file with values for CAS release. Values in this file will override the default
            ones. See https://helm.sh/docs/chart_template_guide/values_files/ for more information

            [default: ]

    -d, --debug
            Install CAS in debug mode. Used only if --cas is defined

    -h, --help
            Print help information

    -i, --image-pull-secret
            If defined, creates an image pull secret using kubectl. --secret-username,
            --secret-token, and --secret-email must be provided if this option is set. See
            https://sconedocs.github.io/helm/#scone-hub-credentials for more information

    -n, --namespace <NAMESPACE>
            Namespace in which the apps will be installed

            [default: scone]

    -q, --quiet
            Less output per occurrence

        --secret-email <SECRET_EMAIL>
            Image pull secret e-mail. Used only if --image-pull-secret is defined

            [default: ]

        --secret-token <SECRET_TOKEN>
            Image pull secret token. Used only if --image-pull-secret is defined

            [default: ]

        --secret-username <SECRET_USERNAME>
            Image pull secret username. Used only if --image-pull-secret is defined

            [default: ]

    -v, --verbose
            More output per occurrence

    -V, --version
            Print version information