From eae8b860a9500bd5fd3df3aa8a6a994341aac216 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Tue, 6 Aug 2024 09:38:03 +0200 Subject: [PATCH] feat: add Kubernetes pod spec for vault-unseal and update docs - Add `vault-unseal-pod-*.yaml` for Kubernetes deployment. - Update `README.md` to reflect changes in unseal and sign commands. - Add `vault` to the `shells/teepot/default.nix` package list. Signed-off-by: Harald Hoyer --- examples/README.md | 5 ++-- examples/k8s/vault-unseal-pod-0.yaml | 40 ++++++++++++++++++++++++++++ examples/k8s/vault-unseal-pod-1.yaml | 40 ++++++++++++++++++++++++++++ examples/k8s/vault-unseal-pod-2.yaml | 40 ++++++++++++++++++++++++++++ shells/teepot/default.nix | 3 ++- 5 files changed, 125 insertions(+), 3 deletions(-) create mode 100644 examples/k8s/vault-unseal-pod-0.yaml create mode 100644 examples/k8s/vault-unseal-pod-1.yaml create mode 100644 examples/k8s/vault-unseal-pod-2.yaml
diff --git a/examples/README.md b/examples/README.md
index b99e24f..10b9fc4 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -30,7 +30,8 @@ $ docker compose up 2023-08-23T14:48:07.278090Z INFO vault_unseal: Got Response: {"unseal_keys":["wcDMA9FaOxXbOhL7AQv7BoGfG5K+78RHV6LGqT5k/M1e8GP3pvBHTeY1lReCo2bkLmm4k4KBxdqNLSE8lV4urN5iWTAt74jCoC+uuAeA2OSL7AidX+HcftzcAXhJp2INtkyqsL8xGaPgpZxXj77fJ/Z7HW1mUlAxJowdZudvA5DmJls6u8VK6YtY3deLGbMRVygXFG+NGabNrRQ0nnFMMMCPXZ39ETitJyfFX6x4BizVQixagN9IqkozXLiupoHD4N0LOESDIm2MuqPnGAk0X6YgyZhFZc8uCrN9W/zNkXQ7eJxIamsLysVnPGaNQ92VQlz4aFAJLKrMCvGrtrxQJk9N+P47EArGCl9bP2hXfg783arXF6Bp/YgGgpvJRFZ04nMNDlIcIFuV5QBfiJX1hNIXg0MVlqmzVeGDVHlys+2mOvOO8seIBG1p4FGRQr6YWI4KxaN6sVA5DNclvITWiH/6H50SUJqXQ5M6rfEoBajYenpzZwYXb0oGzVHrUg5AnfPSuYRT0p8dAPz3/9vE0nEBzNeNVedEwwbgHP1aSPK8J3pPgoRVMyiq7gXzJEXoG5PLJEq4poQ1QwevAVTNv5Pu/TvTacDkJfVcBL5fukB9fj/WJktxEXmznEK3GMBBmvIAVLkgCEl+dH17CxvKq2ik6AfAHVdmEPcNw0ViNCZj1Q=="]} {"unseal_keys":["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"]} -❯ echo wcDMA9FaOxXbOhL7AQv7BoGfG5K+78RHV6LGqT5k/M1e8GP3pvBHTeY1lReCo2bkLmm4k4KBxdqNLSE8lV4urN5iWTAt74jCoC+uuAeA2OSL7AidX+HcftzcAXhJp2INtkyqsL8xGaPgpZxXj77fJ/Z7HW1mUlAxJowdZudvA5DmJls6u8VK6YtY3deLGbMRVygXFG+NGabNrRQ0nnFMMMCPXZ39ETitJyfFX6x4BizVQixagN9IqkozXLiupoHD4N0LOESDIm2MuqPnGAk0X6YgyZhFZc8uCrN9W/zNkXQ7eJxIamsLysVnPGaNQ92VQlz4aFAJLKrMCvGrtrxQJk9N+P47EArGCl9bP2hXfg783arXF6Bp/YgGgpvJRFZ04nMNDlIcIFuV5QBfiJX1hNIXg0MVlqmzVeGDVHlys+2mOvOO8seIBG1p4FGRQr6YWI4KxaN6sVA5DNclvITWiH/6H50SUJqXQ5M6rfEoBajYenpzZwYXb0oGzVHrUg5AnfPSuYRT0p8dAPz3/9vE0nEBzNeNVedEwwbgHP1aSPK8J3pPgoRVMyiq7gXzJEXoG5PLJEq4poQ1QwevAVTNv5Pu/TvTacDkJfVcBL5fukB9fj/WJktxEXmznEK3GMBBmvIAVLkgCEl+dH17CxvKq2ik6AfAHVdmEPcNw0ViNCZj1Q== | base64 --decode | gpg -dq | RUST_LOG=info cargo run -p vault-unseal -- --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server https://20.172.154.218:8443 unseal +❯ echo 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 +| base64 --decode | gpg -dq | RUST_LOG=info cargo run -p vault-unseal -- --sgx-mrsigner 
c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server https://20.172.154.218:8443 unseal Finished dev [unoptimized + debuginfo] target(s) in 0.09s Running `target/debug/vault-unseal --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server 'https://20.172.154.218:8443' unseal` 2023-08-23T14:48:20.735605Z INFO tee_client: Getting attestation report
@@ -54,7 +55,7 @@ to sign the admin tee:
 ```bash
 ❯ (id=$(docker create teepot-vault-admin-sgx-azure); docker cp $id:/app/teepot-vault-admin-sgx-azure.sig ~/teepot-vault-admin-sgx-azure.sig; docker rm -v $id)
 ❯ cargo run -p vault-admin -- create-sign-request --tee-name admin ~/teepot-vault-admin-sgx-azure.sig > ~/sign_admin_tee.json
-❯ vim sign_admin_tee.json
+❯ vim ~/sign_admin_tee.json
 ❯ gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json
 ❯ RUST_LOG=info cargo run -p vault-admin -- \
 sign-tee \
diff --git a/examples/k8s/vault-unseal-pod-0.yaml b/examples/k8s/vault-unseal-pod-0.yaml
new file mode 100644
index 0000000..d358c11
--- /dev/null
+++ b/examples/k8s/vault-unseal-pod-0.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: teepot-vault-unseal-0
+ name: teepot-vault-unseal-0
+ namespace: stage2
+spec:
+ tolerations:
+ - key: sgx.intel.com/provision
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
+ name: vault-unseal
+ imagePullPolicy: Always
+ env:
+ - name: VAULT_ADDR
+ value: "https://teepot-vault-0.teepot-vault:8210"
+ - name: ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ - name: VAULT_SGX_ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ # - name: VAULT_SGX_MRENCLAVE
+ # value: "7754423259719411a536d3a11d0bf764b0910e44a9e15721d879d763a5f3fa39"
+ - name: VAULT_SGX_MRSIGNER
+ value: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ sgx.intel.com/epc: "10Mi"
+ requests:
+ sgx.intel.com/epc: "10Mi"
+ securityContext:
+ privileged: true
+ restartPolicy: Never
+status: { }
diff --git a/examples/k8s/vault-unseal-pod-1.yaml b/examples/k8s/vault-unseal-pod-1.yaml
new file mode 100644
index 0000000..8fdbafb
--- /dev/null
+++ b/examples/k8s/vault-unseal-pod-1.yaml
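Review bot: `privileged: true` under `securityContext` hands the unseal container every capability and every host device, which is far broader than an SGX workload needs; the same hunk already requests `sgx.intel.com/epc`, and as I understand the Intel SGX device plugin (the `sgx.intel.com/provision` toleration suggests it is in use, though the node setup is not visible here) that request alone exposes `/dev/sgx_enclave` to the container. I would drop `privileged: true`, and if the image needs the provisioning device for quote generation, request `sgx.intel.com/provision: "1"` under `resources` instead. If privileged really is required, a comment above the field naming the device or capability that forces it would stop the next reader from removing it blindly. As a smaller item, `imagePullPolicy: Always` combined with a `:latest` tag means each pod start may run a different build; for a component that handles unseal keys, pin `image:` to an `@sha256:` digest.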
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: teepot-vault-unseal-1
+ name: teepot-vault-unseal-1
+ namespace: stage2
+spec:
+ tolerations:
+ - key: sgx.intel.com/provision
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
+ name: vault-unseal
+ imagePullPolicy: Always
+ env:
+ - name: VAULT_ADDR
+ value: "https://teepot-vault-1.teepot-vault:8210"
+ - name: ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ - name: VAULT_SGX_ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ # - name: VAULT_SGX_MRENCLAVE
+ # value: "7754423259719411a536d3a11d0bf764b0910e44a9e15721d879d763a5f3fa39"
+ - name: VAULT_SGX_MRSIGNER
+ value: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ sgx.intel.com/epc: "10Mi"
+ requests:
+ sgx.intel.com/epc: "10Mi"
+ securityContext:
+ privileged: true
+ restartPolicy: Never
+status: { }
diff --git a/examples/k8s/vault-unseal-pod-2.yaml b/examples/k8s/vault-unseal-pod-2.yaml
new file mode 100644
index 0000000..0b4150c
--- /dev/null
+++ b/examples/k8s/vault-unseal-pod-2.yaml
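Review bot: This manifest is a copy of `vault-unseal-pod-0.yaml` that differs only in the `-1` suffix on `app`, `name` and `VAULT_ADDR`, and the third file in this commit repeats the pattern again; three hand-maintained copies of a pod spec that sets `privileged: true` and pins attestation values will drift the first time someone fixes one of them. A `StatefulSet` with three replicas, or a single template rendered with the index, would express the same deployment once. Whichever shape is kept, the image reference `matterlabsrobot/teepot-vault-unseal-sgx-azure:latest` with `imagePullPolicy: Always` should become a digest-pinned reference so that what unseals vault is a known build rather than whatever was pushed last; SGX attestation may reject an unexpected enclave later, but a pinned image fails loudly at admission instead of at runtime.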
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: teepot-vault-unseal-2
+ name: teepot-vault-unseal-2
+ namespace: stage2
+spec:
+ tolerations:
+ - key: sgx.intel.com/provision
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
+ name: vault-unseal
+ imagePullPolicy: Always
+ env:
+ - name: VAULT_ADDR
+ value: "https://teepot-vault-2.teepot-vault:8210"
+ - name: ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ - name: VAULT_SGX_ALLOWED_TCB_LEVELS
+ value: "SwHardeningNeeded"
+ # - name: VAULT_SGX_MRENCLAVE
+ # value: "7754423259719411a536d3a11d0bf764b0910e44a9e15721d879d763a5f3fa39"
+ - name: VAULT_SGX_MRSIGNER
+ value: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ sgx.intel.com/epc: "10Mi"
+ requests:
+ sgx.intel.com/epc: "10Mi"
+ securityContext:
+ privileged: true
+ restartPolicy: Never
+status: { }
diff --git a/shells/teepot/default.nix b/shells/teepot/default.nix
index 8056de5..8356b18 100644
--- a/shells/teepot/default.nix
+++ b/shells/teepot/default.nix
@@ -5,12 +5,13 @@
 , teepot
 , dive
 , taplo
-, ...
+, vault
 }:
 mkShell {
 inputsFrom = [ teepot.teepot ];
 packages = [
 dive
 taplo
+ vault
 ];
 }
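Review bot: With `VAULT_SGX_MRENCLAVE` left commented out, the only identity this pod checks on the vault it unseals is `VAULT_SGX_MRSIGNER`, which presumably accepts any enclave signed with that key, older builds included (I am inferring the semantics from the variable names; the client code is not part of this diff). That may be the intended trade-off for a `stage2` namespace, but the manifest should say so rather than leave a silently disabled line: `# MRENCLAVE unset on purpose: any enclave signed by MRSIGNER is accepted; pin MRENCLAVE for production`. `ALLOWED_TCB_LEVELS` and `VAULT_SGX_ALLOWED_TCB_LEVELS` are both set to `SwHardeningNeeded` with no hint which component reads which; a one-line comment on each would help, and it is worth stating next to them that this level admits platforms Intel flags as needing software mitigations.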
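Review bot: Replacing `, ...` with `, vault` closes the argument set, so any caller that passes this file an attribute other than the named ones now fails at evaluation with an unexpected-argument error. That is harmless when the shell is instantiated through `callPackage`, which passes only the declared parameters, but a direct `import ./default.nix { ... }` with extra inputs would break; unless the strictness is intended, keep the ellipsis as its own trailing line, `, vault` followed by `, ...`. The argument list begins before this hunk, so the full parameter set is not visible here.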