Generating Configurations

The OBLV Deploy CLI Proxy validates an enclave service against the expectations of the client, as set out in a configuration file derived from the service's manifest. The configuration file is a distillation of the manifest into a compact representation: each field in it (image digests, plugin configuration-file hashes, PCR values, permitted outbound connections) maps one-to-one onto an element of the manifest it was generated from.

This means that, for any given service manifest, the client can generate the configuration file locally and verify that it is connecting to the service it expects, without relying on any third party. This is our take on what-you-see-is-what-you-get (WYSIWYG) validation and assurance.

In this guide we walk through how to generate a configuration file from an OBLV Deploy manifest and how to use it to validate an enclave deployment.
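The check that such a configuration enables, as an added example that is not part of the original page or of the OBLV Deploy code: it takes a configuration in the shape shown on this page (constructed, with made-up digests and PCR values), compares it with what a running enclave presents (also constructed here; in practice the PCR values come from the enclave's attestation document), and reports every mismatch. How the OBLV CLI Proxy itself performs this comparison is not described on this page, so the code below illustrates the principle rather than the product's implementation.

```python
import hmac

# Constructed client configuration in the shape of the OBLV config shown on
# this page; every digest and PCR value here is made up for the example.
EXPECTED = {
    "enclave": {
        "pcrs": ["PCR0:" + "11" * 48, "PCR1:" + "22" * 48, "PCR2:" + "33" * 48],
        "pcrCheck": True,
        "images": [
            {"name": "fastapi", "image": "acme/sample-fastapi-app-pvt:1.0",
             "digest": "sha256:" + "aa" * 32, "userAppPorts": [8001]},
        ],
        "plugins": {
            "oauthkeeper-auth-plugin": {
                "image": "oryd/oathkeeper:v0.38.6", "digest": "sha256:" + "bb" * 32,
                "configs": [
                    {"name": "config.yaml", "digest": "sha256:" + "cc" * 32},
                    {"name": "rules.json", "digest": "sha256:" + "dd" * 32},
                ],
            }
        },
    }
}

# Constructed view of what a running enclave presents: PCRs from its
# attestation document plus the digests of the images and config files it runs.
PRESENTED = {
    "pcrs": {"PCR0": "11" * 48, "PCR1": "22" * 48, "PCR2": "33" * 48},
    "images": {"fastapi": "sha256:" + "aa" * 32},
    "plugins": {
        "oauthkeeper-auth-plugin": {
            "digest": "sha256:" + "bb" * 32,
            "configs": {"config.yaml": "sha256:" + "cc" * 32,
                        "rules.json": "sha256:" + "dd" * 32},
        }
    },
}

# Same enclave, but the auth rules file has been swapped (its digest differs).
PRESENTED_TAMPERED_RULES = {
    **PRESENTED,
    "plugins": {"oauthkeeper-auth-plugin": {
        "digest": "sha256:" + "bb" * 32,
        "configs": {"config.yaml": "sha256:" + "cc" * 32,
                    "rules.json": "sha256:" + "ee" * 32}}},
}

# Same enclave, but booted from a different enclave image (PCR0 differs).
PRESENTED_OTHER_IMAGE = {
    **PRESENTED,
    "pcrs": {"PCR0": "ff" * 48, "PCR1": "22" * 48, "PCR2": "33" * 48},
}

# The same expectations with the PCR check switched off, as in a freshly generated file.
EXPECTED_NO_PCR_CHECK = {"enclave": {**EXPECTED["enclave"], "pcrCheck": False}}


def parse_pcrs(entries):
    """Turn the config's 'PCRn:<hex>' strings into a {PCRn: hex} dict."""
    pcrs = {}
    for entry in entries:
        name, _, value = entry.partition(":")
        pcrs[name.strip()] = value.strip().lower()
    return pcrs


def _same(got, want):
    # A missing value never matches; hex strings are compared case-insensitively.
    return isinstance(got, str) and hmac.compare_digest(got.lower(), want.lower())


def validate(config, presented):
    """Return every mismatch between the client's configuration and what the
    enclave presents; an empty list means the service is the one expected."""
    enclave = config["enclave"]
    errors = []
    if enclave.get("pcrCheck"):
        for name, value in parse_pcrs(enclave.get("pcrs", [])).items():
            if not _same(presented["pcrs"].get(name), value):
                errors.append(f"{name} mismatch")
    for img in enclave.get("images", []):
        if not _same(presented["images"].get(img["name"]), img["digest"]):
            errors.append(f"image {img['name']} digest mismatch")
    for name, plugin in enclave.get("plugins", {}).items():
        got = presented["plugins"].get(name)
        if got is None:
            errors.append(f"plugin {name} not running")
            continue
        if not _same(got.get("digest"), plugin["digest"]):
            errors.append(f"plugin {name} image digest mismatch")
        for cfg in plugin.get("configs", []):
            if not _same(got.get("configs", {}).get(cfg["name"]), cfg["digest"]):
                errors.append(f"plugin {name} config {cfg['name']} digest mismatch")
    return errors


def warnings(config):
    """Settings that make a passing validation weaker than it looks."""
    enclave = config["enclave"]
    found = []
    if not enclave.get("pcrCheck"):
        found.append("pcrCheck is false: platform measurements are not compared")
    if not enclave.get("pcrs"):
        found.append("no PCR values pinned")
    return found


if __name__ == "__main__":
    print(validate(EXPECTED, PRESENTED))                            # []
    print(validate(EXPECTED, PRESENTED_TAMPERED_RULES))             # rules.json digest mismatch
    print(validate(EXPECTED, PRESENTED_OTHER_IMAGE))                # ['PCR0 mismatch']
    print(validate(EXPECTED_NO_PCR_CHECK, PRESENTED_OTHER_IMAGE))   # [] -- the PCR change is invisible
    print(warnings(EXPECTED_NO_PCR_CHECK))
```

The last two calls show why the PCR settings matter: with pcrCheck off, a changed PCR0 (a different enclave image) passes unnoticed even though every container digest still matches, so a generated file's pcrCheck: false and empty PCR list should be filled in before the configuration is relied on.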

Components of a Configuration File

The table below describes the components of a configuration file used by the OBLV Deploy CLI, together with the YAML key each one appears under (see the example that follows).

| Category | Field | Key | Description |
| --- | --- | --- | --- |
| Tooling Version | Version | oblvVersion | The version of the oblv tooling/API. |
| Platform Configuration | PCR Codes | enclave.pcrs (with pcrCheck, pcrServer and usePCRServer) | The Platform Configuration Register (PCR) values, which can be read from a file or fetched dynamically from a PCR server. |
| Container Images | Image Name | enclave.images[].image | The name of the container image used by the application. |
| | Image Digest | enclave.images[].digest | The digest of the container image. |
| | Application Ports | enclave.images[].userAppPorts | The ports that the user application listens on. |
| Plugins | Plugin Name | enclave.plugins.<name>.name | Name of a plugin used by the enclave. |
| | Config File Name | enclave.plugins.<name>.configs[].name | Name of a configuration file for the plugin. |
| | Config File Hash | enclave.plugins.<name>.configs[].digest | Hash of the plugin configuration file. |
| Authentication | Auth Server URL | creds.authCreds.url | URL of the auth server's token endpoint. |
| | Client ID | creds.authCreds.clientId | Client identifier for authentication. |
| | Client Secret | creds.authCreds.clientSecret | Secret used to authenticate the client. |
| | Grant Type | creds.authCreds.grantType | OAuth 2.0 authorisation grant type (for example client_credentials). |
| | Scope | creds.authCreds.scope | Authorisation scope. |
| CLI Operation | Log Level | log.logLevel | Logging level (e.g. INFO, ERROR). |
| | Log Retention Period | log.retaintionPeriodInDays | Log rotation period in days. |
| | Log File Max Size | log.maxSizeInMb | Maximum size of a single log file in MB. |
| | Timeout | retryTimeout | Timeout in seconds for health-check and attestation requests. |
| | Max Retries | maxRetries | Maximum number of retries for health-check and attestation requests after a failure. |

Note that the client secret is stored in clear text in this file, so the configuration file needs the same protection as any other credential file.

An example configuration file can be found below:

Example configuration file
oblvVersion: 0.1.0
usePCRServer: false
manifestDigest: sha256:ee199a79e58f7f96159a522085edb43e07487a8df25f0d52adc5ffbd2196f572
enclave:
  pcrs:
    - PCR0:e78d5cf2fa3c6a75e72d0241c81db9560d9886773f3ccca4824b646679a8ca314486298e22001b6fd3eca75c489c39d9
    - PCR1:e13ab034d10392c6bf876e5bcd08d2ea5ea41b17cd5b89632470f167b7b1e78bfe22c213b06cc3524308822440b07434
    - PCR2:2c84413e5b57b1d94b8b509ab4657993980b45d59e96987fef399f19469efaeaa01e1d6a9bb58c3ed73b085887f5e367
    - PCR16:134a6ed89e41dfbd5d6bfbf23b9e35df55b7239ed3b96e0bc469b8504382181fdc33f90c07a60c2e740919a8ee675ddb
  pcrCheck: false
  pcrServer: ''
  images:
    - image: acme/sample-fastapi-app-pvt:1.0
      digest: sha256:5adb8754823ba1cc18308dac0d116a4809ujfnhdjuna921e60ca0f7df98cf850
      name: fastapi
      userAppPorts:
        - 8001
      configs: []
      outboundConnections:
        - fqdn: auth.docker.io
          redirects: false
          port: 443
          tls: true
        - fqdn: production.cloudflare.docker.com
          redirects: false
          port: 443
          tls: true
        - fqdn: index.docker.io
          redirects: false
          port: 443
          tls: true
      specDigest: sha256:dd8f57b74638edd3be54ffac29c7941b9681ee67f6029f5da72967f01b461437
  plugins:
    fluent-bit-logging-plugin:
      image: docker.io/fluent/fluent-bit:2.1.10
      digest: sha256:5766d881ddb1fdacd9c5b24c9f28371ae22d44faaf3f7a510e5e86e37fd6244f
      name: fluent-bit-logging-plugin
      namespace: default
      outboundConnections: []
      securityContext:
        capabilities:
          add:
            - SYS_PTRACE
            - SYS_ADMIN
      configs:
        - name: fluent-bit.yaml
          digest: sha256:37e3c0aaa422c9245fe5a39b223f056f023e14dbc855ced8979ea066516148b1
      specDigest: sha256:4cd186ecfa9c48573a378d9e1390e3e04b32fab3e5e7ca5bd79332dc8c64aab5
    oauthkeeper-auth-plugin:
      image: oryd/oathkeeper:v0.38.6
      digest: sha256:80ac597442d75f8059e6ade47bb42b01bcebbc4f6d1a61237a4402547f6f5f82
      name: oauthkeeper-auth-plugin
      namespace: default
      outboundConnections:
        - fqdn: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
          redirects: false
          port: 4444
          tls: false
      configs:
        - name: config.yaml
          digest: sha256:bc2a7a8a395af60d28911a0a95f6563463d9d269682e96d9205769bb0eb70587
        - name: rules.json
          digest: sha256:87e880caf5ac4bc6cd0a52790ee3436b3e64f471483ac1becc7b67cf8b259b26
      specDigest: sha256:2beaec9b8086482bb1135e701baed517bcddcea654d9b83009abe77ab8d28056
    telemetry-plugin:
      image: public.ecr.aws/oblivious-ai/oblv-telemetry-dev:latest
      digest: sha256:36a5a637b3d5178a5742d4c46fa2ae0ea2cf71305fdc1652f7526b8afedb44e7
      name: telemetry-plugin
      namespace: default
      outboundConnections:
        - fqdn: ec2-18-117-159-153.us-east-2.compute.amazonaws.com
          redirects: false
          port: 4318
          tls: false
        - fqdn: public.ecr.aws
          redirects: false
          port: 443
          tls: true
        - fqdn: d2glxqk2uabbnd.cloudfront.net
          redirects: false
          port: 443
          tls: true
      configs:
        - name: config.yaml
          digest: sha256:15698935ea2f06c3cbdb9ac329759de699f0500c34790a90d051830e85b222d1
      specDigest: sha256:0e56bbc6e66302d0b619a2830aaad0a0b56c400b4212f5503af46e465207cf8a
creds:
  authCreds:
    clientId: '8jf9dj8fu-09de-8v36-b095-dijfhyn8d'
    clientSecret: 'wsdfjZjf9fhng8jmkd~9ijmhn4'
    url: 'http://auth.acme.com:4444/oauth2/token'
    grantType: 'client_credentials'
    scope: 'competitor'
maxRetries: 0
retryTimeout: 5
log:
  logLevel: info
  maxSizeInMb: 5
  retaintionPeriodInDays: 7

Configuration Files from Manifests

The OBLV CLI generates a configuration file directly from a manifest with the following command, where --manifest is the manifest to read and --config is the path of the configuration file to produce:

oblv get-config --manifest <path-to-manifest-file> --config <path-to-config-file>
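What the distillation from manifest to configuration amounts to, as an added example that is not the OBLV CLI's own implementation: it takes a trimmed version of the manifest shown on this page (as a Python dict rather than a YAML file, so no YAML library is needed), hashes each plugin configuration file out of its configMap, and emits a structure in the shape of the generated file. Assumptions to be aware of: image digests are looked up from a constructed table instead of being resolved from a registry; manifestDigest and specDigest are computed here over a canonical JSON serialisation, whereas the real tool hashes the manifest file itself and this page does not document how specDigest is derived; and only outboundConnections given as fqdn.value are handled.

```python
import hashlib
import json

# Constructed manifest: a trimmed version of the one on this page, as a dict.
MANIFEST = {
    "apiVersion": "k8s.oblv.com/v1alpha1",
    "kind": "NitroEnclaveDeployment",
    "metadata": {"name": "sample-oblv-manifest", "namespace": "default"},
    "spec": {
        "enclaveSpec": {
            "containers": [
                {"name": "fastapi", "image": "acme/sample-fastapi-app-pvt:1.0",
                 "ports": [{"containerPort": 8001, "hostPort": 8001}]}
            ],
            "plugins": {
                "auth": {
                    "kind": "Auth", "image": "oryd/oathkeeper:v0.38.6",
                    "name": "oauthkeeper-auth-plugin",
                    "spec": {
                        "volumes": [{"containerPath": "/auth", "source": {"configMap": {
                            "name": "authconfigmap",
                            "items": [{"key": "config.yaml", "path": "config.yaml"},
                                      {"key": "rules.json", "path": "rules.json"}]}}}],
                        # Hostname is made up; only the fqdn.value form is handled below.
                        "outboundConnections": [{"fqdn": {"value": "auth.example.internal"},
                                                 "port": 4444, "tls": False, "redirects": False}],
                    },
                }
            },
        },
        "configMaps": [{"name": "authconfigmap", "data": {
            "config.yaml": "serve:\n  proxy:\n    port: 4455\n",
            "rules.json": "[]\n"}}],
    },
}

# Image digests as a registry would report them (constructed; the real tool
# has to resolve image:tag to a digest by querying the registry).
RESOLVED_DIGESTS = {
    "acme/sample-fastapi-app-pvt:1.0": "sha256:" + "aa" * 32,
    "oryd/oathkeeper:v0.38.6": "sha256:" + "bb" * 32,
}


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialisation so digests over structures are stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def distill(manifest: dict, resolved: dict) -> dict:
    """Reduce a manifest to the digests and settings a client should pin."""
    spec = manifest["spec"]
    configmaps = {cm["name"]: cm["data"] for cm in spec.get("configMaps", [])}

    def config_digests(plugin_spec):
        # One entry per file mounted from a configMap: file name plus content hash.
        out = []
        for vol in plugin_spec.get("volumes", []):
            cm = vol.get("source", {}).get("configMap")
            if not cm:
                continue
            data = configmaps[cm["name"]]
            for item in cm.get("items", []):
                out.append({"name": item["path"],
                            "digest": sha256_hex(data[item["key"]].encode())})
        return out

    images = []
    for c in spec["enclaveSpec"]["containers"]:
        entry = {"image": c["image"], "digest": resolved[c["image"]], "name": c["name"],
                 "userAppPorts": [p["containerPort"] for p in c.get("ports", [])],
                 "configs": []}
        entry["specDigest"] = sha256_hex(canonical(entry))
        images.append(entry)

    plugins = {}
    for p in spec["enclaveSpec"]["plugins"].values():
        ps = p.get("spec", {})
        entry = {"image": p["image"], "digest": resolved[p["image"]], "name": p["name"],
                 "outboundConnections": [
                     {"fqdn": oc["fqdn"]["value"], "port": oc["port"],
                      "tls": oc["tls"], "redirects": oc["redirects"]}
                     for oc in ps.get("outboundConnections", [])],
                 "configs": config_digests(ps)}
        entry["specDigest"] = sha256_hex(canonical(entry))
        plugins[p["name"]] = entry

    # PCRs and credentials cannot be derived from the manifest; leave placeholders.
    return {
        "oblvVersion": "0.1.0", "usePCRServer": False,
        "manifestDigest": sha256_hex(canonical(manifest)),
        "enclave": {"pcrs": [], "pcrCheck": False, "pcrServer": "",
                    "images": images, "plugins": plugins},
        "creds": {"authCreds": {"clientId": "", "clientSecret": "", "url": "",
                                "grantType": "", "scope": ""}},
        "maxRetries": 0, "retryTimeout": 5,
        "log": {"logLevel": "info", "maxSizeInMb": 5, "retaintionPeriodInDays": 7},
    }


def tamper(manifest: dict, configmap: str, key: str, text: str) -> dict:
    """Deep copy of the manifest with one configMap entry replaced."""
    copy = json.loads(json.dumps(manifest))
    for cm in copy["spec"]["configMaps"]:
        if cm["name"] == configmap:
            cm["data"][key] = text
    return copy


if __name__ == "__main__":
    print(json.dumps(distill(MANIFEST, RESOLVED_DIGESTS), indent=2))
```

Running distill twice on the same manifest yields byte-identical output, which is the property the WYSIWYG argument rests on: anyone holding the manifest can regenerate the file and compare it with the one they were given. Changing a single byte of rules.json changes that file's digest, the plugin's specDigest and the manifestDigest, so a swapped auth rule set cannot hide behind an unchanged image tag.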

An example manifest and resulting configuration file can be examined below:

Example manifest file
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
  name: sample-oblv-manifest
  namespace: default
spec:
  enclaveSpec:
    containers:
      - name: fastapi
        image: acme/sample-fastapi-app-pvt:1.0
        imagePullSecret: myregistrykey
        ports:
          - containerPort: 8001
            hostPort: 8001
        command:
          - "python"
          - "/app/uvicorn_runner.py"
    plugins:
      auth:
        image: oryd/oathkeeper:v0.38.6
        kind: Auth
        name: oauthkeeper-auth-plugin
        proxyPort: 4455
        spec:
          command:
            - oathkeeper
            - serve
            - --config
            - /auth/config.yaml
          volumes:
            - containerPath: /auth
              name: auth-plugin-vol
              readOnly: true
              source:
                configMap:
                  items:
                    - key: config.yaml
                      path: config.yaml
                    - key: rules.json
                      path: rules.json
                  name: authconfigmap
          outboundConnections:
            - fqdn:
                value: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
              port: 4444
              redirects: false
              tls: false
      logging:
        image: docker.io/fluent/fluent-bit:2.1.10
        kind: Logging
        name: fluent-bit-logging-plugin
        spec:
          command:
            - /fluent-bit/bin/fluent-bit
          args:
            - --workdir=/fluent-bit/etc
            - --config=/fluent-bit/etc/conf/fluent-bit.yaml
          env:
            - name: ELASTICSEARCH_USERNAME
              valueFrom:
                secretKeyRef:
                  key: elasticsearch-username
                  name: elasticsearch-secret
                  optional: false
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: elasticsearch-password
                  name: elasticsearch-secret
                  optional: false
          volumes:
            - containerPath: /var/log
              readOnly: true
              source:
                hostPath: /var/log
              name: var-log-vol
            - containerPath: /fluent-bit/etc/conf
              readOnly: true
              source:
                configMap:
                  name: fluentbitconfigmap
                  items:
                    - key: fluent-bit.yaml
                      path: fluent-bit.yaml
              name: fluent-bit-config-vol
          securityContext:
            capabilities:
              add:
                - SYS_PTRACE
                - SYS_ADMIN
          logsAccess: all
      telemetry:
        kind: Telemetry
        image: public.ecr.aws/oblivious-ai/oblv-telemetry-dev:latest
        name: telemetry-plugin
        spec:
          volumes:
            - containerPath: /etc/oblv
              readOnly: true
              source:
                configMap:
                  name: telemetryconfigmap
                  items:
                    - key: config.yaml
                      path: config.yaml
              name: telemetry-config-vol
          env:
            - name: HOST_PORT
              value: '8100'
            - name: EXPORTER_URL
              value: "http://ec2-18-117-159-153.us-east-2.compute.amazonaws.com:4318"
          outboundConnections:
            - fqdn:
                value: ec2-18-117-159-153.us-east-2.compute.amazonaws.com
              port: 4318
              tls: false
              redirects: false
            - fqdn:
                value: public.ecr.aws
              port: 443
              tls: true
              redirects: false
            - fqdn:
                value: d2glxqk2uabbnd.cloudfront.net
              port: 443
              tls: true
              redirects: false
    tags:
      - key: Purpose
        value: TestEnclave
  instanceType: m5.4xlarge
  internetFacing: true
  keyName: oblv-eu-central-1-keypair
  replicaCount: 2
  securityGroupIDs:
    - sg-0b2baf9fa5c0831ec
  serviceDomainName: telemetry-alpha.antigranular.com
  subnetID: subnet-04c91bee7f6825745
  amiId: ami-05c5defc714b6dc07
  iamInstanceProfile:
    arn: arn:aws:iam::494148202604:instance-profile/oblv_ec2_enclave_kms_role
  tags:
    - key: Environment
      value: Test
    - key: creator
      value: oblv
    - key: purpose
      value: k8s_testing
  tlsCertificate:
    secretKey: dummy_cert.pem
    secretName: tls-cert
  caCertDetails:
    bucket: oblv-deploy
    caCertS3Key: "dev/certs/ca.crt"
    caEncryptedS3Key: "dev/certs/ca.key"
    awsRegion: us-east-2
    kmsKeyId: "arn:aws:kms:us-east-2:494148202604:key/c2c1fcf9-a819-4a9a-8072-47b51eb52840"
    encryptionAlgorithm: "SYMMETRIC_DEFAULT"

Additional manifest example: containers, tags, plugins, configMaps and secrets

containers:
  - name: web
    image: nginx:1.25.3
    env:
      - name: USERNAME
        value: webserver
      - name: PASSWORD
        valueFrom:
          configMapKeyRef:
            key: NGINX_OPEN_PASSWORD
            name: sampleConfigMap
            optional: false
    ports:
      - name: web
        containerPort: 80
        hostPort: 8080
  - name: fastapi
    image: acme_org/sample-fastapi-app-pvt:1.0
    imagePullSecret: myregistrykey
    ports:
      - name: fastapi
        containerPort: 8001
        hostPort: 8001
    command:
      - "python"
      - "/app/uvicorn_runner.py"

tags:
  - key: Purpose
    value: TestEnclave

plugins:
  auth:
    kind: Auth
    image: oryd/oathkeeper:v0.38.6
    name: auth-plugin
    namespace: default
    spec:
      ports:
        - containerPort: 4455
          hostPort: 4455
        - containerPort: 4456
          hostPort: 4456
      command:
        - "oathkeeper"
        - "serve"
        - "--config"
        - "/auth/config.yaml"
      volumes:
        - containerPath: /auth
          readOnly: true
          source:
            configMap:
              name: authConfigMap
              items:
                - key: config.yaml
                  path: config.yaml
                - key: rules.json
                  path: rules.json
          name: auth-plugin-vol
      outboundConnections:
        - redirects: false
          fqdn:
            value: ec2-15-22-15-44.us-east-1.compute.amazonaws.com
          tls: false
          port: 4444
  logging:
    kind: Logging
    image: docker.io/fluent/fluent-bit:2.1.10
    name: fluentbit-logging
    namespace: default
    spec:
      ports:
        - containerPort: 2020
          hostPort: 2020
      command:
        - /fluent-bit/bin/fluent-bit
      args:
        - --workdir=/fluent-bit/etc
        - --config=/fluent-bit/etc/conf/fluent-bit.yaml
      env:
        - name: ELASTICSEARCH_USERNAME
          valueFrom:
            secretKeyRef:
              key: elasticsearch-username
              name: elasticsearch-secret
              optional: false
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              key: elasticsearch-password
              name: elasticsearch-secret
              optional: false
      volumes:
        - containerPath: /var/log
          readOnly: true
          source:
            hostPath: /var/log
          name: var-log-vol
        - containerPath: /fluent-bit/etc/conf
          readOnly: true
          source:
            configMap:
              name: fluentbitConfigMap
              items:
                - key: fluent-bit.yaml
                  path: fluent-bit.yaml
          name: fluent-bit-config-vol
      capabilities:
        - SYS_PTRACE
        - SYS_ADMIN
      outboundConnections:
        - fqdn:
            configMap:
              name: fluentbitConfigMap
              key: fluent-bit.yaml
              type: yaml
              ref: "pipeline#outputs#0#host"
          redirects: true
        - fqdn:
            configMap:
              name: fluentbitConfigMap
              key: fluent-bit.yaml
              type: yaml
              ref: "pipeline#outputs#1#host"
          redirects: false
      logsAccess: all
      restartPolicy: always
  proxy:
    kind: Proxy
    image: docker.io/haproxy:latest
    name: haproxy-plugin
    namespace: default
    spec:
      ports:
        - containerPort: 2020
          hostPort: 2020
      volumes:
        - containerPath: /usr/local/etc/haproxy
          readOnly: true
          source:
            configMap:
              name: proxyConfigMap
              items:
                - key: haproxy.cfg
                  path: haproxy.cfg
          name: haproxy-config-vol
      outboundConnections:
        - fqdn:
            value: www.google.com
          port: 80
          tls: false
          redirects: true

configMaps:
  - name: fluentbitConfigMap
    data:
      fluent-bit.yaml: |
        service:
          daemon: off
          flush: 1
          log_level: info
          parsers_file: /fluent-bit/etc/parsers.conf
          http_server: on
          http_listen: 0.0.0.0
          http_port: 2020
          health_check: on

        pipeline:
          inputs:
            - name: tail
              path: /var/log/containers/*.log
              tag: kube.*
              mem_buf_limit: 5MB
              skip_long_lines: on

          outputs:
            - name: es
              match: kube.*
              host: elasticsearch-master.com
              logstash_format: on

            - name: es
              match: host.*
              host: elasticsearch-master-2.com
              logstash_format: on
              logstash_prefix: node

  - name: sampleConfigMap
    data:
      NGINX_OPEN_PASSWORD: myopensecret

  - name: authConfigMap
    data:
      config.yaml: |
        serve:
          proxy:
            port: 4455 # run the proxy at port 4455
          api:
            port: 4456 # run the api at port 4456
        access_rules:
          repositories:
            - file:///auth/rules.json
        errors:
          fallback:
            - json
          handlers:
            json:
              enabled: true
              config:
                verbose: true
        mutators:
          noop:
            enabled: true
        authorizers:
          allow:
            enabled: true
          deny:
            enabled: true
        authenticators:
          jwt:
            enabled: true
            config:
              jwks_urls:
                - http://auth.acme.com:4444/.well-known/jwks.json
          anonymous:
            enabled: true
            config:
              subject: guest
          noop:
            enabled: true
      rules.json: |
        [
          {
            "id": "allow-anonymous-with-all-host-header",
            "upstream": {
              "url": "http://fastapi:8001"
            },
            "match": {
              "url": "http://<.*>:<.*>/<.*>",
              "methods": [
                "GET",
                "POST"
              ]
            },
            "authenticators": [
              {
                "handler": "jwt",
                "config": {
                  "jwks_urls": [
                    "http://auth.acme.com:4444/.well-known/jwks.json"
                  ],
                  "trusted_issuers": [
                    "http://127.0.0.1:4444",
                    "http://auth.acme.com:4444"
                  ]
                }
              }
            ],
            "authorizer": {
              "handler": "allow"
            },
            "mutators": [{
              "handler": "noop"
            }]
          }
        ]

  - name: proxyConfigMap
    data:
      haproxy.cfg: |
        global
          log stdout format raw local0 info
          ca-base /tmp/oblv/certs
          crt-base /etc/ssl/private
          chroot /var/lib/haproxy
          pidfile /var/run/haproxy.pid
          maxconn 4000
          user haproxy
          group haproxy
          daemon
          no strict-limits
          stats socket /var/lib/haproxy/stats

        defaults
          mode http
          log global
          option httplog
          option dontlognull
          option http-server-close
          option forwardfor except 127.0.0.0/8
          option redispatch
          retries 3
          timeout http-request 10s
          timeout queue 1m
          timeout connect 10s
          timeout client 1m
          timeout server 1m
          timeout http-keep-alive 10s
          timeout check 10s
          maxconn 3000

        frontend main
          bind *:5000
          use_backend my_backend

        backend my_backend
          server server1 www.google.com:80 check

secrets:
  - name: elasticsearch-secret
    data:
      elasticsearch-username: bXktZWxhc3RpYy11c2Vy # echo -n 'my-elastic-user' | base64
      elasticsearch-password: bXktZWxhc3RpYy1wYXNzd29yZA== # echo -n 'my-elastic-password' | base64

  - name: myregistrykey
    data:
      .dockerconfigjson: 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

Resulting configuration file

oblvVersion: 0.1.0
usePCRServer: false
manifestDigest: sha256:ee199a79e58f7f96159a522085edb43e07487a8df25f0d52adc5ffbd2196f572
enclave:
  pcrs:
    - PCR0:e78d5cf2fa3c6a75e72d0241c81db9560d9886773f3ccca4824b646679a8ca314486298e22001b6fd3eca75c489c39d9
    - PCR1:e13ab034d10392c6bf876e5bcd08d2ea5ea41b17cd5b89632470f167b7b1e78bfe22c213b06cc3524308822440b07434
    - PCR2:2c84413e5b57b1d94b8b509ab4657993980b45d59e96987fef399f19469efaeaa01e1d6a9bb58c3ed73b085887f5e367
    - PCR16:134a6ed89e41dfbd5d6bfbf23b9e35df55b7239ed3b96e0bc469b8504382181fdc33f90c07a60c2e740919a8ee675ddb
  pcrCheck: false
  pcrServer: ''
  images:
    - image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
      digest: sha256:5adb8754823ba1cc18308dac0d116a48019dc6afe2ea921e60ca0f7df98cf850
      name: fastapi
      userAppPorts:
        - 8001
      configs: []
      outboundConnections:
        - fqdn: auth.docker.io
          redirects: false
          port: 443
          tls: true
        - fqdn: production.cloudflare.docker.com
          redirects: false
          port: 443
          tls: true
        - fqdn: index.docker.io
          redirects: false
          port: 443
          tls: true
      specDigest: sha256:dd8f57b74638edd3be54ffac29c7941b9681ee67f6029f5da72967f01b461437
  plugins:
    fluent-bit-logging-plugin:
      image: docker.io/fluent/fluent-bit:2.1.10
      digest: sha256:5766d881ddb1fdacd9c5b24c9f28371ae22d44faaf3f7a510e5e86e37fd6244f
      name: fluent-bit-logging-plugin
      namespace: default
      outboundConnections: []
      securityContext:
        capabilities:
          add:
            - SYS_PTRACE
            - SYS_ADMIN
      configs:
        - name: fluent-bit.yaml
          digest: sha256:37e3c0aaa422c9245fe5a39b223f056f023e14dbc855ced8979ea066516148b1
      specDigest: sha256:4cd186ecfa9c48573a378d9e1390e3e04b32fab3e5e7ca5bd79332dc8c64aab5
    oauthkeeper-auth-plugin:
      image: oryd/oathkeeper:v0.38.6
      digest: sha256:80ac597442d75f8059e6ade47bb42b01bcebbc4f6d1a61237a4402547f6f5f82
      name: oauthkeeper-auth-plugin
      namespace: default
      outboundConnections:
        - fqdn: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
          redirects: false
          port: 4444
          tls: false
      configs:
        - name: config.yaml
          digest: sha256:bc2a7a8a395af60d28911a0a95f6563463d9d269682e96d9205769bb0eb70587
        - name: rules.json
          digest: sha256:87e880caf5ac4bc6cd0a52790ee3436b3e64f471483ac1becc7b67cf8b259b26
      specDigest: sha256:2beaec9b8086482bb1135e701baed517bcddcea654d9b83009abe77ab8d28056
    telemetry-plugin:
      image: public.ecr.aws/oblivious-ai/oblv-telemetry-dev:latest
      digest: sha256:36a5a637b3d5178a5742d4c46fa2ae0ea2cf71305fdc1652f7526b8afedb44e7
      name: telemetry-plugin
      namespace: default
      outboundConnections:
        - fqdn: ec2-18-117-159-153.us-east-2.compute.amazonaws.com
          redirects: false
          port: 4318
          tls: false
        - fqdn: public.ecr.aws
          redirects: false
          port: 443
          tls: true
        - fqdn: d2glxqk2uabbnd.cloudfront.net
          redirects: false
          port: 443
          tls: true
      configs:
        - name: config.yaml
          digest: sha256:15698935ea2f06c3cbdb9ac329759de699f0500c34790a90d051830e85b222d1
      specDigest: sha256:0e56bbc6e66302d0b619a2830aaad0a0b56c400b4212f5503af46e465207cf8a
creds:
  authCreds:
    clientId: ''
    clientSecret: ''
    url: ''
    grantType: ''
    scope: ''
maxRetries: 0
retryTimeout: 5
log:
  logLevel: info
  maxSizeInMb: 5
  retaintionPeriodInDays: 7

Note on Placeholders

The generated configuration contains placeholder values for the auth credentials (empty strings under creds.authCreds) and for the PCR codes, and leaves pcrCheck set to false with an empty pcrServer, because neither the credentials nor the platform measurements can be derived from the manifest alone. Until these sections are populated, the file pins the image and configuration-file digests but not the platform the enclave boots on. The following guides show how to populate them with the OBLV CLI.