OBLV Client
Generating Configurations
The OBLV Client validates enclave services based on their manifests conforming to the expectations of the client, as set out in a configuration file. The configuration file is essentially a distillation of the manifest into a compact representation via a one-to-one mapping.
This means that for any given service manifest, the client can generate the configuration file locally and validate they are connecting to the service they are expecting, without any third-party reliance. This is our take on what you see is what you get validation and assurance (WYSIWYG).
In this guide, we will walk through how to generate a configuration file from an OBLV Deploy manifest and how to use it to validate an enclave deployment.
Components of a Configuration File
The table below details the various components that are found in a configuration file used by the OBLV Client.
| Category | Field | Description |
|---|---|---|
| Tooling Version | Version | The version of the oblv tooling/api. |
| Platform Configuration | PCR Codes | The Platform Configuration Register (PCR) codes, which can be fetched from a file or dynamically from a PCR server. |
| Container Images | Image Name | The name of the container image used by the application. |
| Image Digest | The digest of the container image. | |
| Application Ports | The ports that the user application uses. | |
| Plugins | Plugin Name | Name of the plugin used by the enclave. |
| Config File Name | Configuration file name for the plugin. | |
| Config File Hash | Hash of the plugin configuration file. | |
| Authentication | Auth Server URL | URL of the auth server. |
| Client ID | Client identifier for authentication. | |
| Client Secret | Secret key for client authentication. | |
| Grant Type | Authorisation grant type. | |
| Scope | Authorisation Scope. | |
| CLI Operation | Log Level | Logging level (e.g., INFO, ERROR). |
| Log Retention Period | Log rotation period in days. | |
| Log File Max Size | Maximum size of a single log file in Mb. | |
| Timeout | Timeout in seconds for health-check and attestation requests. | |
| Max Retries | Maximum number of retries for health-check and attestation in case of failure. |
An example configuration file can be found below:
Example configuration file
Example configuration file
oblvVersion: 0.1.0
usePCRServer: false
manifestDigest: sha256:ee199a79e58f7f96159a522085edb43e07487a8df25f0d52adc5ffbd2196f572
enclave:
pcrs:
- PCR0:e78d5cf2fa3c6a75e72d0241c81db9560d9886773f3ccca4824b646679a8ca314486298e22001b6fd3eca75c489c39d9
- PCR1:e13ab034d10392c6bf876e5bcd08d2ea5ea41b17cd5b89632470f167b7b1e78bfe22c213b06cc3524308822440b07434
- PCR2:2c84413e5b57b1d94b8b509ab4657993980b45d59e96987fef399f19469efaeaa01e1d6a9bb58c3ed73b085887f5e367
- PCR16:134a6ed89e41dfbd5d6bfbf23b9e35df55b7239ed3b96e0bc469b8504382181fdc33f90c07a60c2e740919a8ee675ddb
pcrCheck: false
pcrServer: ''
images:
- image: acme/sample-fastapi-app-pvt:1.0
digest: sha256:5adb8754823ba1cc18308dac0d116a4809ujfnhdjuna921e60ca0f7df98cf850
name: fastapi
userAppPorts:
- 8001
configs: []
outboundConnections:
- fqdn: auth.docker.io
redirects: false
port: 443
tls: true
- fqdn: production.cloudflare.docker.com
redirects: false
port: 443
tls: true
- fqdn: index.docker.io
redirects: false
port: 443
tls: true
specDigest: sha256:dd8f57b74638edd3be54ffac29c7941b9681ee67f6029f5da72967f01b461437
plugins:
fluent-bit-logging-plugin:
image: docker.io/fluent/fluent-bit:2.1.10
digest: sha256:5766d881ddb1fdacd9c5b24c9f28371ae22d44faaf3f7a510e5e86e37fd6244f
name: fluent-bit-logging-plugin
namespace: default
outboundConnections: []
securityContext:
capabilities:
add:
- SYS_PTRACE
- SYS_ADMIN
configs:
- name: fluent-bit.yaml
digest: sha256:37e3c0aaa422c9245fe5a39b223f056f023e14dbc855ced8979ea066516148b1
specDigest: sha256:4cd186ecfa9c48573a378d9e1390e3e04b32fab3e5e7ca5bd79332dc8c64aab5
oauthkeeper-auth-plugin:
image: oryd/oathkeeper:v0.38.6
digest: sha256:80ac597442d75f8059e6ade47bb42b01bcebbc4f6d1a61237a4402547f6f5f82
name: oauthkeeper-auth-plugin
namespace: default
outboundConnections:
- fqdn: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
redirects: false
port: 4444
tls: false
configs:
- name: config.yaml
digest: sha256:bc2a7a8a395af60d28911a0a95f6563463d9d269682e96d9205769bb0eb70587
- name: rules.json
digest: sha256:87e880caf5ac4bc6cd0a52790ee3436b3e64f471483ac1becc7b67cf8b259b26
specDigest: sha256:2beaec9b8086482bb1135e701baed517bcddcea654d9b83009abe77ab8d28056
telemetry-plugin:
image: public.ecr.aws/oblivious-ai/oblv-telemetry-dev:latest
digest: sha256:36a5a637b3d5178a5742d4c46fa2ae0ea2cf71305fdc1652f7526b8afedb44e7
name: telemetry-plugin
namespace: default
outboundConnections:
- fqdn: ec2-18-117-159-153.us-east-2.compute.amazonaws.com
redirects: false
port: 4318
tls: false
- fqdn: public.ecr.aws
redirects: false
port: 443
tls: true
- fqdn: d2glxqk2uabbnd.cloudfront.net
redirects: false
port: 443
tls: true
configs:
- name: config.yaml
digest: sha256:15698935ea2f06c3cbdb9ac329759de699f0500c34790a90d051830e85b222d1
specDigest: sha256:0e56bbc6e66302d0b619a2830aaad0a0b56c400b4212f5503af46e465207cf8a
creds:
authCreds:
clientId: '8jf9dj8fu-09de-8v36-b095-dijfhyn8d'
clientSecret: 'wsdfjZjf9fhng8jmkd~9ijmhn4'
url: 'http://auth.acme.com:4444/oauth2/token'
grantType: 'client_credentials'
scope: 'competitor'
maxRetries: 0
retryTimeout: 5
log:
logLevel: info
maxSizeInMb: 5
retaintionPeriodInDays: 7
Configuration Files from Manifests
The OBLV Client can be used to generate these configuration files from manifests directly via the following command:
oblv get-config --manifest <path-to-manifest-file> --config <path-to-config-file>
An example manifest and resulting configuration file can be examined below:
Example manifest file
Example manifest file
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
name: hello-fastapi
namespace: default
spec:
userPlugins:
- name: fastapi
image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
ports:
- containerPort: 8001
hostPort: 4455
command:
- "python"
- "/app/uvicorn_runner.py"
replicas: 1
serviceAccount: enclave-pod
hugepages-1Gi: 12Gi
enclaveCpuCount: 2
ingress:
enabled: true
internetFacing: true
dnsHostName: fastapi-hello.oblv.com
ingressTlsCertificate: my-ingress-tls
ports:
- port: 4455
targetPort: 4455
caCertDetails:
enclaveCertType: ENCLAVE_GENERATED
Resulting configuration file
Resulting configuration file
oblvVersion: 1.2.0
usePCRServer: false
manifestDigest: ec1782953a5f0f55b4813f7cceb05b943d6fc3d6ed98db9bf7d700077c3285b4b3bf111377d1aa96b3357a26bfa8a65b
enclave:
pcrs:
- PCR16:dd1ec020d0dc7322a2dab5c0a16504fba650090832fdc8737de462f83cf7070dbe8567c7e07b0f6a6ae88bc1d68674c6
- PCR0:820e16f5bddddc5f4cb3f89cb07c47d1628434ba7d065da82b67b1dd31b7c6ecb547a20c6d7495e3e012bfc462d020bb
- PCR1:ed7a111c47728b2d104652e9cc885e80e9de93ae5a64afafb34ee5c96ef15d4ea69604b15fa9df830fc7a68be9a4948d
- PCR2:6986ffef628c6a786a2b27ab851f87943d20ba86090f995acda049a886e3fc5d17d458e8e499a514615c3b8626465835
pcrCheck: true
pcrServer: ''
images:
- image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
digest: sha256:5adb8754823ba1cc18308dac0d116a48019dc6afe2ea921e60ca0f7df98cf850
name: fastapi
userAppPorts:
- 8001
configs: []
outboundConnections:
- fqdn: d2glxqk2uabbnd.cloudfront.net
port: 443
- fqdn: public.ecr.aws
port: 443
specDigest: sha256:0618d44a25490528b19511a78b19c0750dbf3cb286b1069eb1f83546a372c478
plugins: {}
creds:
authCreds:
clientId: ''
clientSecret: ''
url: ''
grantType: ''
scope: ''
maxRetries: 20
retryTimeout: 10
log:
logLevel: info
maxSizeInMb: 5
retaintionPeriodInDays: 7
Note on Placeholders
The generated configuration contains empty fields for Auth credentials and PCR codes, as these are not automatically provided. Update these sections using the OBLV Client in the following guides.