OBLV Deploy CLI
OBLV CLI (Oblivious Command Line Interface) is a reverse proxy designed to forward client HTTP requests to the enclave using a secure TLS connection.
CLI Command Reference
OBLV CLI provides several commands for managing configurations, attesting and establishing connections with enclaves. Here is an overview of each command and its functionality:
oblv attest
Synopsis
Attestation is the most important feature of an enclave. It is the process of verifying that the software running in the enclave is exactly the software the user requires.
oblv attest requires a config file that contains the PCR codes and the digests of the containers used by the application running in the enclave.
Usage
oblv attest --url <URL> --config <CONFIG>
Options
-u, --url <URL>
The enclave URL that the CLI is connecting to.
-c, --config <CONFIG>
The YAML configuration file used to validate the enclave.
Flags
-h, --help
Print help.
oblv configure
Synopsis
oblv configure is a command used to manage and update the YAML configuration file containing the information to validate the enclave and configuration settings required by the CLI itself.
It supports subcommands for updating specific configuration aspects like PCR codes, plugin configuration, log settings, and authentication details.
Usage
oblv configure [OPTIONS] --config <CONFIG> [COMMAND]
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
--oblv-enclave-version <OBLV_ENCLAVE_VERSION>
Oblv API Version required on the enclave side (optional argument)
--pcr0 <PCR0>
Value for PCR0: Hash of the Enclave image file
--pcr1 <PCR1>
Value for PCR1: Hash of Linux kernel and bootstrap
--pcr2 <PCR2>
Value for PCR2: Hash of the Application
--pcr16 <PCR16>
Value for PCR16: Hash of the oblv manifest.
--pcr-check <PCR_CHECK>
PCR validation: if false, disables the PCR validation (not recommended for production; should only be used for debugging) [possible values: true, false]
--pcr-server <PCR_SERVER>
URL for the PCR server.
--use-pcr-server <USE_PCR_SERVER>
Use the PCR server: if true, uses the PCR server for PCR validation during the attestation process; otherwise uses the PCR values from the configuration file [possible values: true, false]
--max-retries <MAX_RETRIES>
Maximum retries for health check and attestation requests
--retry-timeout <RETRY_TIMEOUT>
Retry timeout for health check and attestation requests
Flags
-h, --help
Print help
Subcommands include:
oblv configure image
Configure the image in the configuration file. The image and the digest can be updated in the configuration file using this command.
oblv configure plugin
Configure the plugin in the configuration file. The plugin name and the config digest can be updated in the configuration file using this command.
oblv configure auth
Configure the auth details in the configuration file. The auth server URL, client_id, client_secret, grant_type, and scope can be updated in the configuration file using this command.
oblv configure log
Configure the logging details in the configuration file. The log level, max size, and retention period can be updated in the configuration file using this command.
oblv configure image
Synopsis
Configure the image in the configuration file. The image and the digest can be updated in the configuration file using this command.
Note: oblv configure image only updates the image-name and the digest for a given image.
It does not update the other configuration details in the configuration file.
If a new image name is provided, it creates a new entry for that image with empty/default values in the configuration file.
Usage
oblv configure --config <CONFIG> image --image <IMAGE> --digest <DIGEST>
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
-i, --image <IMAGE>
The Docker image name (required argument)
-d, --digest <DIGEST>
Digest for the Docker image (required argument)
Flags
-h, --help
Print help
oblv configure plugin
Synopsis
Just like the container images, plugins also need to be verified. Plugins have configurations, and digests for those configurations.
oblv configure plugin adds plugin configurations.
Note: oblv configure plugin only updates the plugin-name and the digest for a given plugin.
It does not update the other configuration details in the configuration file.
If a new plugin name is provided, it creates a new entry for that plugin with empty/default values in the configuration file.
Usage
oblv configure --config <CONFIG> plugin --name <NAME> --config-digest <CONFIG_DIGEST>
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
-n, --name <NAME>
Plugin name (required argument)
-c, --config-digest <CONFIG_DIGEST>
Plugin config digest (required argument)
Flags
-h, --help
Print help
oblv configure auth
Synopsis
If the application running in the enclave requires authentication, it can be configured using the oblv configure auth command. The following auth mechanisms are supported by the OBLV CLI:
- OAuth
Usage
oblv configure --config <CONFIG> auth [OPTIONS] --url <URL> --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
-u, --url <URL>
Auth server URL (required argument)
-c, --client-id <CLIENT_ID>
client_id (required argument)
-s, --client-secret <CLIENT_SECRET>
client secret (required argument)
-g, --grant-type <GRANT_TYPE>
grant-type (required argument)
-S, --scope <SCOPE>
scope (required argument)
Flags
-h, --help
Print help
oblv configure log
Synopsis
Set the logging properties of the command line interface.
Usage
oblv configure --config <CONFIG> log [OPTIONS]
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
-l, --log-level <LOG_LEVEL>
The log level (optional argument). Valid options: "info", "error", "debug", "warn", "trace", ""
-m, --max-size-in-mb <MAX_SIZE_IN_MB>
The maximum size of a single log file, in MB (optional argument)
-r, --retaintion-period-in-days <RETAINTION_PERIOD_IN_DAYS>
The retention period, in days, for which the log file is kept (optional argument)
Flags
-h, --help
Print help
oblv connect
Synopsis
Connects to the enclave and starts the reverse proxy. In this process the OBLV CLI:
- Performs the health check on the enclave.
- Performs the attestation using the details provided in the config file.
- Upon successful attestation, starts the reverse proxy through which the application running in the enclave can be accessed.
Usage
oblv connect [OPTIONS]
Options
--config <CONFIG>
The YAML configuration file used to validate the enclave.
-u, --url <URL>
The enclave FQDN that you are connecting to
-c, --controller
controller
-m, --manifest <MANIFEST>
Manifest file: the controller should provide these manifest files
-l, --local-port <LOCAL_PORT>
Local port used to connect to the enclave
-h, --host <HOST>
Host IP used to start the reverse proxy; required in user mode. For example: "127.0.0.1" (loopback only) or "0.0.0.0" (all network interfaces).
Flags
-c, --controller
Controller flag: if set, the CLI operates in controller mode; otherwise it operates in user mode
-a, --auth-passthrough
Auth passthrough: this flag is useful when the enclave application hosts its own auth service and does not need external auth_creds. It is an optional argument
-h, --help
Print help
oblv get-config
Synopsis
Writing the config file required to connect to the enclave by hand is a tedious task. OBLV CLI provides a way to make it easy.
The oblv get-config command generates a config.yaml file from the enclave's manifest file.
This is a template config file that contains all of the information about the enclave, but it needs to be updated with user-specific details such as:
- Auth credentials
- The user's logging preferences, etc.
Usage
oblv get-config [OPTIONS] --manifest <MANIFEST> --config <CONFIG>
Options
--manifest <MANIFEST>
manifest file
-c, --config <CONFIG>
The YAML configuration file used to validate the enclave.
--log-level <LOG_LEVEL>
Log level
Flags
-h, --help
Print help
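The commands in this reference chain into one workflow: generate the config from the manifest, fill in the user-specific details, attest, then connect. The shell function below is an added example, not code from the OBLV project; the function name and the OBLV_* environment variables are assumptions, while every oblv subcommand and flag is one documented on this page.

```shell
#!/usr/bin/env bash
# Added example, not OBLV project code. Assumed names: the function name and
# the OBLV_* environment variables. Subcommands and flags are from this page.

oblv_attested_connect() {
    local manifest="$1" config="$2" enclave_url="$3" local_port="$4"

    # Refuse to start with incomplete OAuth details (read from the environment
    # so the secret is not stored in a script).
    if [ -z "${OBLV_AUTH_URL:-}" ] || [ -z "${OBLV_CLIENT_ID:-}" ] ||
       [ -z "${OBLV_CLIENT_SECRET:-}" ] || [ -z "${OBLV_GRANT_TYPE:-}" ] ||
       [ -z "${OBLV_SCOPE:-}" ]; then
        echo "missing OBLV_* auth variable" >&2
        return 2
    fi

    # 1. Template config generated from the enclave's manifest.
    oblv get-config --manifest "$manifest" --config "$config" || return 1
    [ -f "$config" ] || { echo "config not created: $config" >&2; return 1; }
    # The config is about to hold client_secret: owner read/write only.
    chmod 600 "$config" || return 1

    # 2. User-specific details: auth credentials and logging preference.
    oblv configure --config "$config" auth \
        --url "$OBLV_AUTH_URL" --client-id "$OBLV_CLIENT_ID" \
        --client-secret "$OBLV_CLIENT_SECRET" \
        --grant-type "$OBLV_GRANT_TYPE" --scope "$OBLV_SCOPE" || return 1
    oblv configure --config "$config" log --log-level info || return 1

    # 3. Pin PCR validation on, in case a debugging session turned it off.
    oblv configure --config "$config" --pcr-check true || return 1

    # 4. Attest on its own first so a mismatch is reported distinctly.
    if ! oblv attest --url "$enclave_url" --config "$config"; then
        echo "attestation failed, proxy not started" >&2
        return 3
    fi

    # 5. connect repeats health check and attestation, then serves the proxy.
    #    Bound to loopback so only local processes can reach it.
    oblv connect --config "$config" --url "$enclave_url" \
        --local-port "$local_port" --host 127.0.0.1
}
```

Return code 2 means a credential variable was unset, 3 means attestation failed and the proxy was never started.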
What's Next?
For additional information on how to install OBLV CLI, refer to the Installing the CLI Proxy page.