mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 15:13:56 +02:00
eae8b860a9
- Add `vault-unseal-pod-*.yaml` for Kubernetes deployment. - Update `README.md` to reflect changes in unseal and sign commands. - Add `vault` to the `shells/teepot/default.nix` package list. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
40 lines
1.1 KiB
YAML
40 lines
1.1 KiB
YAML
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
labels:
|
|
app: teepot-vault-unseal-0
|
|
name: teepot-vault-unseal-0
|
|
namespace: stage2
|
|
spec:
|
|
tolerations:
|
|
- key: sgx.intel.com/provision
|
|
operator: Exists
|
|
effect: NoSchedule
|
|
containers:
|
|
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
|
|
name: vault-unseal
|
|
imagePullPolicy: Always
|
|
env:
|
|
- name: VAULT_ADDR
|
|
value: "https://teepot-vault-0.teepot-vault:8210"
|
|
- name: ALLOWED_TCB_LEVELS
|
|
value: "SwHardeningNeeded"
|
|
- name: VAULT_SGX_ALLOWED_TCB_LEVELS
|
|
value: "SwHardeningNeeded"
|
|
# - name: VAULT_SGX_MRENCLAVE
|
|
# value: "7754423259719411a536d3a11d0bf764b0910e44a9e15721d879d763a5f3fa39"
|
|
- name: VAULT_SGX_MRSIGNER
|
|
value: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
|
|
ports:
|
|
- containerPort: 8443
|
|
name: https
|
|
protocol: TCP
|
|
resources:
|
|
limits:
|
|
sgx.intel.com/epc: "10Mi"
|
|
requests:
|
|
sgx.intel.com/epc: "10Mi"
|
|
securityContext:
|
|
privileged: true
|
|
restartPolicy: Never
|
|
status: { }
|