Sconectl Service Description (0.2.1)

Download OpenAPI specification:Download

genservice

Describe the service manifest that guides the creation of confidential images. To create a confidential image, execute sconectl apply -f manifest.yaml

Objective: describe how to build a confidential image.

Request Body schema: application/json

Some interesting description

apiVersion required	string API Version Expecting 'scone/'. The VERSION must be '5.8.0' or higher `apiVersion: scone/5.8`
required	object (Build) Section Build defines how to build the confidential image. build: name: python-hello-user kind: python to: $APP_IMAGE_REPO/python_hello_user:1 pwd: /python command: python3 print_env.py requirements: requirements.txt copy: - print_env.py signature: sign: true run: - > echo 'You can also RUN additional commands in the same way as docker build RUN commands' && echo 'If you use multi-line commands, please do not forget to start lines with &&.' && echo 'A multi-line command like this will be added as a single line. No need for \' - echo 'Or use single line command' - echo 'Each command is executed by a single RUN command'
required	object (Environment) Define environment variables: `local` environment variables are defined in the service manifest and are reused across meshes (aka applications). `global` environment variables are defined in the mesh file. We might define a default value here. If no default is set, this value must be defined in the mesh file.
	Array of objects (InjectionFiles) Nullable Define files that should be injected into the confidential image. These injected files might contain secrets that are retrieved from SCONE CAS. `injection_files: # todo: ensure this cert is available - path: /etc/nginx_ca.crt content: $$SCONE::NGINX_SERVER_CA_CERT.chain$$ # Network files - path: /etc/resolv.conf content: \| nameserver {{CLUSTER_DNS_IP}} search {{K8sNAMESPACE}}.svc.cluster.local svc.cluster.local cluster.local options ndots:5`
kind required	string We define a single kind of manifest: 'genservice' `kind: genservice`
	object (Secrets) Define secrets that are managed by SCONE CAS `secrets: global: - name: password kind: ascii size: 10`

Request samples

Payload

Content type

application/json

{"apiVersion": "scone/5.8.0",
"build": {"binaries": ["string"
],
"command": "python3 print_env.py",
"copy": ["string"
],
"dirs": ["string"
],
"from": "$My_APP_IMAGE_REPO/base_image",
"fs_dirs": ["string"
],
"fs_files": ["string"
],
"gen_policy": {"policy": "./policy.yaml"
},
"host_paths": ["string"
],
"kind": "string",
"name": "string",
"plain_files": ["string"
],
"plains": ["string"
],
"pwd": "/working_directory",
"requirements": "requirements.txt",
"run": ["string"
],
"signature": {"key": "target/identity.pem",
"sign": true
},
"stable": "$APP_IMAGE_REPO/python_hello_user:stable",
"to": "$APP_IMAGE_REPO/python_hello_user:latest",
"volumes": [{"export": [{"session": "another-session",
"session_hash": "668e9aaba22c7631bbcc89b627d77e53539bcaade9e7c2c08242f56aab272088",
"update_policy": "rollback_protected",
"volume_alias": "their_expected_volume_name"
}
],
"import": {"session": "the_exporting_session",
"volume": "my_database"
},
"name": "their_database",
"path": "/media/database"
}
]
},
"environment": {"global": [{"name": "SCONE_HEAP",
"value": "760M"
}
],
"local": [{"name": "my_key",
"value": "my_value"
}
]
},
"injection_files": [{"content": "$$SCONE::NGINX_SERVER_CA_CERT.chain$$",
"path": "/etc/nginx_ca.crt"
}
],
"kind": "genservice",
"secrets": {"global": [{"application_secret": "dGmbyTBE4JNAN3JJobeD",
"client_id": "e6c9c526-f1aa-4e0d-b207-50bad9a89d21",
"common_name": "example.com",
"dns": ["string"
],
"endpoint": "server",
"export_public": "true",
"issuer": "my_ca_certificate",
"key_type": "RSA-3072",
"kind": "ascii",
"migrate": "true",
"name": "my_secret",
"private_key": "my_ca_private_key",
"size": "string",
"tenant_id": "",
"valid_for": "90 days",
"value": "DEADBEEF"
}
],
"import": ["string"
]
}
}