
Manifest Updates

The enclave identifies its attestation proxy from the outboundConnections section of the Oblv-deploy manifest. Any resource whose entry has type proxy is reached through that proxy, and the remaining fields of the entry tell the enclave where the proxy is and how often to re-attest to it.

Attestation proxy configuration for the enclave:

    - fqdn: kms.us-east-2.amazonaws.com
      port: 443
      type: proxy
      proxyUrl: http://oblv-attestation-proxy.yourdomain.com
      attestationPort: 12008
      attestationIntervalSeconds: 60

Here,

  • fqdn: the fully qualified domain name of the actual resource, a KMS endpoint in this case.
  • port: the port on that resource the enclave connects to (443 for KMS).
  • type: the kind of outbound connection; one of
    • proxy
    • default
    • enclave
    proxy means that, to reach this resource, the enclave must go through an attestation proxy. The three fields below apply only to entries of this type.
  • proxyUrl: URL of the attestation proxy that performs the attestation.
  • attestationPort: port on the attestation proxy to which the enclave sends its attestation request.
  • attestationIntervalSeconds: interval, in seconds, at which the enclave periodically re-attests with the attestation proxy.
Complete Manifest
    apiVersion: 1.1.0
    kind: NitroEnclave
    metadata:
      name: sample-nitro-enclave-service
      namespace: default
    spec:
      containers:
        - name: fastapi
          image: some-docker-image
          ports:
            - name: image-name
              containerPort: 8001
              hostPort: 4455
          command:
            - "python"
            - "/app/uvicorn_runner.py"
      outboundConnections:
        - fqdn: index.docker.io
          port: 443
          type: default
        - fqdn: registry-1.docker.io
          port: 443
          type: default
        - fqdn: auth.docker.io
          type: default
          port: 443
        - fqdn: production.cloudflare.docker.com
          type: default
          port: 443
        - fqdn: docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
          type: default
          port: 443
        - fqdn: google.com
          port: 443
        - fqdn: kms.us-east-2.amazonaws.com
          port: 443
          type: proxy
          proxyUrl: http://oblv-dev-attestation-proxy.yourdomain.com
          attestationPort: 12008
          attestationIntervalSeconds: 60
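A mistake in outboundConnections (a proxy entry missing its attestationPort, an entry with no type at all, a typo in the type value) is easier to catch before deployment than by debugging a failed attestation from inside the enclave. The following linter is an added example, not part of the Oblv-deploy tooling: it checks an outboundConnections section against the fields documented above. The field names and allowed type values come from this page; the port-range, positive-interval and duplicate-entry rules are this script's own assumptions, and the sample manifest embedded in it is a constructed copy of the complete manifest above (including the google.com entry that carries no type).

```python
"""Lint the outboundConnections section of an Oblv-deploy NitroEnclave manifest.

Added example, not part of the Oblv tooling. Field names follow the manifest
format documented on this page; the checks themselves are this script's own
(the port-range, positive-interval and duplicate-entry rules are assumptions,
not documented manifest rules).
"""
from typing import Any, Dict, List

ALLOWED_TYPES = {"proxy", "default", "enclave"}
# Keys the page documents as belonging to a `type: proxy` entry.
PROXY_ONLY_KEYS = ("proxyUrl", "attestationPort", "attestationIntervalSeconds")


def _is_port(value: Any) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate_connection(conn: Dict[str, Any], index: int) -> List[str]:
    """Return the problems found in one outboundConnections entry (empty list = OK)."""
    problems: List[str] = []
    fqdn = conn.get("fqdn")
    where = f"outboundConnections[{index}]" + (f" ({fqdn})" if isinstance(fqdn, str) else "")

    if not isinstance(fqdn, str) or not fqdn:
        problems.append(f"{where}: fqdn missing or empty")
    if not _is_port(conn.get("port")):
        problems.append(f"{where}: port missing or not in 1-65535")

    ctype = conn.get("type")
    if ctype is None:
        problems.append(f"{where}: no type set (expected one of {sorted(ALLOWED_TYPES)})")
    elif ctype not in ALLOWED_TYPES:
        problems.append(f"{where}: unknown type {ctype!r}")

    if ctype == "proxy":
        # An attestation-proxied resource needs the proxy address and attestation settings.
        for key in PROXY_ONLY_KEYS:
            if key not in conn:
                problems.append(f"{where}: type proxy requires {key}")
        url = conn.get("proxyUrl")
        if isinstance(url, str) and not url.startswith(("http://", "https://")):
            problems.append(f"{where}: proxyUrl must be an http(s) URL")
        if "attestationPort" in conn and not _is_port(conn["attestationPort"]):
            problems.append(f"{where}: attestationPort not in 1-65535")
        if "attestationIntervalSeconds" in conn:
            interval = conn["attestationIntervalSeconds"]
            if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
                problems.append(f"{where}: attestationIntervalSeconds must be a positive integer")
    else:
        # Proxy settings on a non-proxy entry usually mean the type was mistyped or forgotten.
        stray = [k for k in PROXY_ONLY_KEYS if k in conn]
        if stray:
            problems.append(f"{where}: {stray} only apply to type: proxy")
    return problems


def validate_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Validate spec.outboundConnections of a whole manifest; empty list means it passed."""
    conns = manifest.get("spec", {}).get("outboundConnections")
    if not isinstance(conns, list):
        return ["spec.outboundConnections missing or not a list"]
    problems: List[str] = []
    seen = set()
    for i, conn in enumerate(conns):
        if not isinstance(conn, dict):
            problems.append(f"outboundConnections[{i}]: entry is not a mapping")
            continue
        problems.extend(validate_connection(conn, i))
        key = (conn.get("fqdn"), conn.get("port"))
        if key in seen:
            problems.append(f"outboundConnections[{i}]: duplicate entry for {key}")
        seen.add(key)
    return problems


# Constructed sample mirroring the complete manifest on this page (not a real deployment).
SAMPLE_MANIFEST: Dict[str, Any] = {
    "apiVersion": "1.1.0",
    "kind": "NitroEnclave",
    "spec": {
        "outboundConnections": [
            {"fqdn": "index.docker.io", "port": 443, "type": "default"},
            {"fqdn": "auth.docker.io", "type": "default", "port": 443},
            {"fqdn": "google.com", "port": 443},  # no type, exactly as in the manifest above
            {
                "fqdn": "kms.us-east-2.amazonaws.com",
                "port": 443,
                "type": "proxy",
                "proxyUrl": "http://oblv-attestation-proxy.yourdomain.com",  # hypothetical host
                "attestationPort": 12008,
                "attestationIntervalSeconds": 60,
            },
        ]
    },
}

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, only needed when linting a manifest file given on the command line

    target = yaml.safe_load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for line in validate_manifest(target) or ["outboundConnections: OK"]:
        print(line)
```

Run it with a manifest path to lint a real file, or with no arguments to lint the embedded sample, which reports only the google.com entry for having no type. Treat any output as a reason to fix the manifest before running oblv deploy rather than as a warning.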