Merge pull request #5 from edgelesssys/feat/v0.2.0

Feat/v0.2.0

README.md

@@ -102,22 +102,25 @@ Deploy the application to Minikube using the Marblerun.
     curl --cacert marblerun.crt --data-binary @tools/manifest.json https://$MARBLERUN/manifest
     ```
 
+    * If you're running emojivoto on a custom domain, you can set the certificate's CN accordingly
+
+    ```bash
+    manifest=$(sed 's/localhost/<your-domain>/g' tools/manifest.json)
+    curl --cacert marblerun.crt --data-binary "$manifest" https://$MARBLERUN/manifest
+    ```
+
 1. Deploy emojivoto
 
     * If you're deploying on a cluster with nodes that support SGX1+FLC (e.g. AKS or minikube + Azure Standard_DC*s)
 
     ```bash
     helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
-    # You can set the web-svc certificate's CommonName via
-    helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto --set hosts="<cluster-domain>"
     ```
 
     * Otherwise
 
     ```bash
     helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
-    # You can set the web-svc certificate's CommonName via
-    helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto --set hosts="<cluster-domain>"
     ```
 
     You can check with `kubectl get pods -n emojivoto` that all pods is running.
@@ -139,29 +142,22 @@ Deploy the application to Minikube using the Marblerun.
     tools/check_manifest.sh tools/manifest.json
     ```
 
+    * If you're running with a custom domain
+
+    ```
+    echo -n $manifest > /tmp/manifest.json
+    tools/check_manifest.sh /tmp/manifest.json
+    ```
+
+
 1. Use the app!
 
     ```bash
     sudo kubectl -n emojivoto port-forward svc/web-svc 443:443 --address 0.0.0.0
     ```
 
     * Browse to [https://localhost](https://localhost).
-    * Notes on DNS: If you're running emojivoto on a remote machine you can add the machine's DNS name to the emojivoto certificate (e.g. `emojivoto.example.org`):
-        * Open the `kubernetes/sgx_values.yaml` or `kubernetes/nosgx_values.yaml` file depending on your type of deployment
-        * Add your DNS name to the `hosts` field:
-            * `hosts: "emojivoto.example.org"`
-        * You need to apply your changes with:
-            * If you're using `kubernetes/sgx_values.yaml` for your deployment:
-
-                ```bash
-                helm upgrade -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes -n emojivoto
-                ```
-
-            * Otherwise:
-
-                ```bash
-                helm upgrade -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes -n emojivoto
-                ```
+    * If your running on a custom domain browse to https://<your-domain>
 
 ### In AKS
 
@@ -227,9 +223,9 @@ mkdir -p build && pushd build && cmake .. && make && popd
 Build docker images:
 
 ```bash
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_web --tag ghcr.io/edgelesssys/emojivoto-web:latest .
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto-emoji-svc:latest .
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto-voting-svc:latest .
+docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_web --tag ghcr.io/edgelesssys/emojivoto/web:latest .
+docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto/emoji-svc:latest .
+docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest .
 ```
 
 ## License

emojivoto-web/cmd/server.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"log"
 	"os"
 	"time"
@@ -30,7 +31,7 @@ func main() {
 	}
 
 	// get TLS config
-	tlsCfg, err := marble.GetClientTLSConfig()
+	tlsCfg, err := marble.GetServerTLSConfig()
 	if err != nil {
 		log.Fatalf("Failed to retrieve server TLS config from ertgolib")
 	}
@@ -64,7 +65,18 @@ func main() {
 	emojiSvcClient := pb.NewEmojiServiceClient(emojiSvcConn)
 	defer emojiSvcConn.Close()
 
-	web.StartServer(webPort, webpackDevServerHost, indexBundle, emojiSvcClient, votingClient, tlsCfg)
+	// Use a different certificate for the web server
+	cert := []byte(os.Getenv("WEB_CERT"))
+	privk := []byte(os.Getenv("WEB_CERT_KEY"))
+
+	tlsCert, err := tls.X509KeyPair(cert, privk)
+	if err != nil {
+		log.Fatalf("cannot create TLS cert: %v", err)
+	}
+	webTLSCfg := &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+	}
+	web.StartServer(webPort, webpackDevServerHost, indexBundle, emojiSvcClient, votingClient, webTLSCfg)
 }
 
 func openGrpcClientConnection(host string, creds credentials.TransportCredentials) *grpc.ClientConn {

go.mod

@@ -5,8 +5,8 @@ go 1.13
 require (
 	contrib.go.opencensus.io/exporter/ocagent v0.7.0
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
-	github.com/edgelesssys/ertgolib v0.1.3-0.20201215075232-c044d27a45a3
-	github.com/edgelesssys/marblerun v0.1.1-0.20201215080004-6b733ac11b4f
+	github.com/edgelesssys/ertgolib v0.1.3
+	github.com/edgelesssys/marblerun v0.2.0
 	github.com/golang/protobuf v1.4.3
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/grpc-ecosystem/grpc-gateway v1.15.2 // indirect

go.sum

@@ -90,8 +90,12 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/edgelesssys/ertgolib v0.1.3-0.20201215075232-c044d27a45a3 h1:BRVrkxH+e6STNfHit8+9VVVN1SNiROuKseuAhthwiE4=
 github.com/edgelesssys/ertgolib v0.1.3-0.20201215075232-c044d27a45a3/go.mod h1:1E8jAgXZp9wyP3n43wCsLCiEGXxjBQ35+uzxUkypBNs=
+github.com/edgelesssys/ertgolib v0.1.3 h1:rsovbVQNs6oqNXSdRUaTZkgn6yhi7zbAHBsTNlcQpVM=
+github.com/edgelesssys/ertgolib v0.1.3/go.mod h1:1E8jAgXZp9wyP3n43wCsLCiEGXxjBQ35+uzxUkypBNs=
 github.com/edgelesssys/marblerun v0.1.1-0.20201215080004-6b733ac11b4f h1:v1Iar0txpagb0CJ79EhIhv3F45Nfg/qU/50zLD/7bVU=
 github.com/edgelesssys/marblerun v0.1.1-0.20201215080004-6b733ac11b4f/go.mod h1:A9MqN/fOSdeWvRtWr1Rg5o/aoAfQMTwvBL64KG6Or2E=
+github.com/edgelesssys/marblerun v0.2.0 h1:luFTwT4eJRXTRRTudZnQEgO7iudA4x23dfWi8DxKRgM=
+github.com/edgelesssys/marblerun v0.2.0/go.mod h1:SfPX0ip+xQJu6MzZUhtiEgVGCsc3GCAKa7A90av3n4U=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=

kubernetes/nosgx_values.yaml

@@ -1,8 +1,19 @@
 imagePullSecrets:
   - name: regcred
 
+imagePullPolicy: IfNotPresent
+
 simulation:
   OE_SIMULATION: "1"
 
-# add your host to the list
-hosts: "localhost"
+web:
+  image: ghcr.io/edgelesssys/emojivoto/web
+  imageVersion: v0.2.0
+
+emoji:
+  image: ghcr.io/edgelesssys/emojivoto/emoji-svc
+  imageVersion: v0.2.0
+
+voting:
+  image: ghcr.io/edgelesssys/emojivoto/voting-svc
+  imageVersion: v0.2.0

kubernetes/sgx_values.yaml

@@ -1,6 +1,8 @@
 imagePullSecrets:
   - name: regcred
 
+imagePullPolicy: IfNotPresent
+
 resources:
   requests:
     cpu: 100m
@@ -15,6 +17,15 @@ effect: NoSchedule
 simulation:
   OE_SIMULATION: "0"
 
-# add your host to the list
-hosts: "localhost"
+web:
+  image: ghcr.io/edgelesssys/emojivoto/web
+  imageVersion: v0.2.0
+
+emoji:
+  image: ghcr.io/edgelesssys/emojivoto/emoji-svc
+  imageVersion: v0.2.0
+
+voting:
+  image: ghcr.io/edgelesssys/emojivoto/voting-svc
+  imageVersion: v0.2.0
 

kubernetes/templates/emoji.yml

@@ -42,7 +42,8 @@ spec:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        image: ghcr.io/edgelesssys/emojivoto/emoji-svc:v0.1.0
+        image: {{ .Values.emoji.image }}:{{ .Values.emoji.imageVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: emoji-svc
         ports:
         - containerPort: 8080

kubernetes/templates/vote-bot.yml

@@ -25,7 +25,8 @@ spec:
         env:
         - name: WEB_HOST
           value: web-svc:443
-        image: ghcr.io/edgelesssys/emojivoto/web:v0.1.0
+        image: {{ .Values.web.image }}:{{ .Values.web.imageVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: vote-bot
         resources:
           requests:

kubernetes/templates/voting.yml

@@ -42,7 +42,8 @@ spec:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        image: ghcr.io/edgelesssys/emojivoto/voting-svc:v0.1.0
+        image: {{ .Values.voting.image }}:{{ .Values.voting.imageVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: voting-svc
         ports:
         - containerPort: 8080

kubernetes/templates/web.yml

@@ -34,15 +34,16 @@ spec:
         - name: EDG_MARBLE_TYPE
           value: web
         - name: EDG_MARBLE_DNS_NAMES
-          value: "{{ .Values.hosts }},web-svc,web-svc.emojivoto,web-svc.emojivoto.svc.cluster.local"
+          value: "web-svc,web-svc.emojivoto,web-svc.emojivoto.svc.cluster.local"
         - name: EDG_MARBLE_UUID_FILE
           value: "/web-svc/data/uuid"
         - name: OE_SIMULATION
           valueFrom:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        image: ghcr.io/edgelesssys/emojivoto/web:v0.1.0
+        image: {{ .Values.web.image }}:{{ .Values.web.imageVersion }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: web-svc
         ports:
         - containerPort: 4433

tools/aks_install.sh

@@ -171,9 +171,11 @@ echo -e "[$okStatus] Done"
 
 # set manifest
 echo "[*] Setting the manifest"
+rm -f coordinator-era.json
 wget -q https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json
 era -c coordinator-era.json -h $MARBLERUN -o marblerun.crt > /dev/null
-curl --fail --silent --show-error --cacert marblerun.crt --data-binary @tools/manifest.json https://$MARBLERUN/manifest
+manifest=$(sed 's/localhost/$EMOJIVOTO/g' tools/manifest.json)
+curl --fail --silent --show-error --cacert marblerun.crt --data-binary "$manifest" https://$MARBLERUN/manifest
 echo -e "[$okStatus] Done"
 
 # install emojivoto
@@ -185,7 +187,6 @@ then
 fi
 helm install emojivoto ./kubernetes \
     -f ./kubernetes/sgx_values.yaml \
-    --set hosts="$EMOJIVOTO" \
     -n emojivoto > /dev/null
 echo -e "[$okStatus] Done"
 
@@ -203,7 +204,7 @@ echo -e "[$okStatus] Done"
 
 # set ingress for emojivoto
 echo "[*] Setting ingress route for emojivoto"
-template=$(cat "tools/emojivoto_ingress.yaml.template" | sed "s/{{DOMAIN}}/$EMOJIVOTO/g")
+template=$(sed "s/{{DOMAIN}}/$EMOJIVOTO/g" tools/emojivoto_ingress.yaml.template)
 echo "$template" | kubectl -n emojivoto apply -f - > /dev/null
 echo -e "[$okStatus] Done"
 

tools/check_manifest.sh

@@ -6,6 +6,6 @@ then
     exit 1
 fi
 
-REMOTE_SIGNATURE=$(curl --silent --cacert mesh.crt "https://$MARBLERUN/manifest" | jq '.ManifestSignature' --raw-output)
+REMOTE_SIGNATURE=$(curl --silent --cacert marblerun.crt "https://$MARBLERUN/manifest" | jq '.ManifestSignature' --raw-output)
 LOCAL_SIGNATURE=$(sha256sum "$1" | awk '{ print $1 }')
 [[ "$REMOTE_SIGNATURE" == "$LOCAL_SIGNATURE" ]] && echo "[+] Success. Manifest signature valid." || echo "[-] Error. Manifest signature invalid."

tools/manifest.json

@@ -28,6 +28,8 @@
 			"Parameters": {
 				"Env": {
 					"WEB_PORT": "4433",
+					"WEB_CERT": "{{ pem .Secrets.web_cert_shared.Cert }}",
+					"WEB_CERT_KEY": "{{ pem .Secrets.web_cert_shared.Private }}",
 				  	"EMOJISVC_HOST": "emoji-svc.emojivoto:8080",
 				  	"VOTINGSVC_HOST": "voting-svc.emojivoto:8080",
 				  	"INDEX_BUNDLE": "/edg/hostfs/dist/index_bundle.js"
@@ -57,5 +59,19 @@
 	},
 	"Clients": {
 		"owner": [9,9,9]
+	},
+	"Secrets": {
+		"web_cert_shared": {
+			"Shared": true,
+			"Size": 256,
+			"Type": "cert-ecdsa",
+			"Cert": {
+				"Subject": {
+					"CommonName": "localhost",
+					"DNSNames": ["localhost"]
+				}
+			},
+			"ValidFor": 7
+		}
 	}
 }