SecureDocumentApp/mesh.yaml.template at main · scontain/SecureDocumentApp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
apiVersion: scone/5.8
kind: mesh

cas:
  - name: cas # cas used to store the policy of this application
    alias: ["image", "security", "access", "attestation"] # use alias in case CAS instance has multiple roles
    cas_url: $CAS_URL # cas.default  # exported as {{cas_cas_cas_url}}
    cas_key: $CAS_KEY
    tolerance: "-G" # TCB out of date
    mode: EncryptedManifest
    cas_encryption_key: $CAS_SESSION_ENCRYPTION_KEY

policy:
  namespace: "$APP_NAMESPACE"
  tolerate: "outdated-tcb, insecure-configuration,hyperthreading, insecure-igpu, software-hardening-needed, aepic-leak"
  ignore_advisories: "*"

# define environment variables
# - this is can be done for each individual service defined in the services section
#   - these definitions are only visible for this service
#   - these definitions overwrite any definitions of the global or helm section
# - we define two special services:
#   - "global": these definitions are shared by all services
#   - "helm": this behaves like the "global" service - the intention is to
#             collect helm specific definitions here

env:
  - service: global
    env:
  # helm related definitions:
    - name: "session_secrets"
      value: "../secrets"
    - name: "imagePullSecrets"    # kubernetes image pull secret
      value: "sconeapps"         # to FASTAPI_CA_CERT
    - name: "useSGXDevPlugin"     # kubernetes image pull secret
      value: "scone"             # to FASTAPI_CA_CERT
    - name: sgxEpcMem
      value: 128
    - name: SCONE_VERSION
      value: 1
  # mariadb-related handlebars:
    - name: "database_host"  # host name of MariaDB certificate
      value: "${RELEASE}-mariadb"      # overwrite default
    - name: "database_port"  # host name of MariaDB certificate
      value: "3306"      # overwrite default
    - name: "sqlInitScript"
      # For multi-line text values we need some extra indentation
      # with fist line starting with " |".
      # this will be fixed in a future version of scone_mesh.
      value: |
         |
                   CREATE USER 'scontain'@'%'
                     REQUIRE SUBJECT '/CN=MARIADB_CLIENT_CERT'
                     AND ISSUER '/CN=MariaDB_CA';
                   GRANT ALL PRIVILEGES ON *.* TO 'scontain'@'%' WITH GRANT OPTION;
                   FLUSH PRIVILEGES;
                   SHOW GRANTS FOR 'scontain'@'%';
                   GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '$$SCONE::MYSQL_ROOT_PASSWORD$$';
                   CREATE DATABASE document_db;
                   CREATE TABLE document_db.document(
                       record_id INT NOT NULL,
                       content TEXT NOT NULL,
                       owner VARCHAR(128) NOT NULL,
                       PRIMARY KEY (record_id, owner)
                   );
                   CREATE TABLE document_db.account(
                       username VARCHAR(128) PRIMARY KEY,
                       hash BLOB NOT NULL,
                       salt BLOB NOT NULL
                   );

  # memcached-related handlebars:
    - name: "memcached_host"   # nginx host name
      value: "${RELEASE}-memcached" # overwrite default
    - name: "memcached_port"   # nginx port
      value: "11211"
  # nginx-related handlebars:
    - name: "nginx_server_name"   # nginx host name
      value: "${RELEASE}-nginx"
    - name: "nginx_backend_server_name"   # nginx host name
      value: "${RELEASE}-fastapi-scone"
    - name: "nginx_backend_server_port"   # nginx host name
      value: "8000"
    - name: "nginx_initContainers_enabled"  # nginx host name
      value: "true"
  # FASTAPI / nginx
    - name: "NGINX_BACKEND_CLIENT_CERT" # map nginx secret NGINX_BACKEND_CLIENT_CERT
      value: "FASTAPI_CLIENT_CERT"     # to FASTAPI_CLIENT_CERT
    - name: "NGINX_BACKEND_CA_CERT"     # map nginx backend NGINX_BACKEND_CA_CERT
      value: "FASTAPI_CA_CERT"         # to FASTAPI_CA_CERT
  # FASTAPI
    - name: fastapi_host
      value: "${RELEASE}-fastapi-scone"
    - name: CLUSTER_DNS_IP
      value: "10.96.0.10"
    - name: K8sNAMESPACE
      value: "default"
    - name: database_user
      value: "scontain"
    - name: APP_SERVICE_PORT
      value: "443"

services:
  - name: memcached
    image: $SCONECTL_REPO/memcached:${VERSION}
  - name: nginx
    image: $SCONECTL_REPO/nginx:${VERSION}
  - name: mariadb
    image: $SCONECTL_REPO/mariadb:${VERSION}
  - name: fastapi-scone
    image: $APP_IMAGE_REPO/secure_document_app
  - name: client
    image: $APP_IMAGE_REPO/secure_document_app_client

helm_extra_values:
  mariadb-scone:
    persistence:
      enabled: true
      existingClaim: maria-data-pvc
      size: 1Gi
      mountPath: /var/lib/mysql
      accessModes:
        - ReadWriteOnce
    extraVolumes:
      - name: external
        persistentVolumeClaim:
          claimName: maria-external-pvc
      - name: vartmp
        persistentVolumeClaim:
          claimName: maria-vartmp-pvc
    extraVolumeMounts:
      - name: external
        mountPath: /external
      - name: vartmp
        mountPath: /var/tmp