Skip to content

Attestation and Secret Delivery Components

License

Notifications You must be signed in to change notification settings

openshift/trustee

This branch is 25 commits ahead of, 250 commits behind confidential-containers/trustee:main.

Folders and files

NameName
Last commit message
Last commit date
Jun 24, 2024
Dec 14, 2024
Dec 3, 2024
Jun 24, 2024
Sep 6, 2024
Sep 6, 2024
Nov 24, 2023
Nov 10, 2023
Nov 10, 2023
Jun 24, 2024
Jun 11, 2024
Nov 10, 2023
Mar 25, 2024
Feb 28, 2024
Jun 24, 2024
Oct 10, 2024

Repository files navigation

Trusted Components for Attestation and Secret Management

FOSSA Status

This repository contains tools and components for attesting confidential guests and providing secrets to them. Collectively, these components are known as Trustee. Trustee typically operates on behalf of the guest owner and interact remotely with guest components.

Trustee was developed for the Confidential Containers project, but can be used with a wide variety of applications and hardware platforms.

Components

For further information, see documentation of individual components.

Architecture

Trustee is flexible and can be deployed in several different configurations. This figure shows one common way to deploy these components in conjunction with certain guest components.

Loading
flowchart LR
    AA -- attests guest ----> KBS
    CDH -- requests resource --> KBS
    subgraph Guest
        CDH <.-> AA
    end
    subgraph Trustee
        AS -- verifies evidence --> KBS
        RVPS -- provides reference values--> AS
    end
    client-tool -- configures --> KBS

Deployment

There are two main ways to deploy Trustee.

Docker Compose

One simple way to get started with Trustee is with Docker compose, which can be used to quickly setup a cluster matching the diagram above.

Please refer to the cluster setup guide.

This cluster could be run inside a VM or as part of a managed service.

Kubernetes

There are two supported ways of deploying Trustee on Kubernetes. One is via the KBS Operator, which deploys the KBS components. The second option is to use the KBS' provided Kubernetes tooling here.

License

FOSSA Status

About

Attestation and Secret Delivery Components

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Rust 67.1%
  • C 23.1%
  • C++ 2.5%
  • Makefile 2.0%
  • Shell 1.6%
  • Open Policy Agent 1.1%
  • Other 2.6%