rofl

package v0.15.4
Published: Sep 10, 2025 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation
Constants

const (
	AppKindRaw       = "raw"
	AppKindContainer = "container"
)

Supported ROFL app kinds.

const (
	TEETypeSGX = "sgx"
	TEETypeTDX = "tdx"
)

Supported TEE types.

const (
	ScriptBuildPre   = "build-pre"
	ScriptBuildPost  = "build-post"
	ScriptBundlePost = "bundle-post"
)

Well-known scripts.

const (
	StorageKindNone           = "none"
	StorageKindDiskEphemeral  = "disk-ephemeral"
	StorageKindDiskPersistent = "disk-persistent"
	StorageKindRAM            = "ram"
)

Supported storage kinds.

const DefaultDeploymentName = "default"

DefaultDeploymentName is the name of the default deployment that must always be defined and is used in case no deployment is passed.

const DefaultMachineName = "default"

DefaultMachineName is the name of the default machine into which the app is deployed when no specific machine is passed.

const DefaultOCIRegistry = "rofl.sh"

DefaultOCIRegistry is the default OCI registry.

Variables

var LatestBasicArtifacts = ArtifactsConfig{
	Firmware: "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f",
	Kernel:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage1.bin#e5d4d654ca1fa2c388bf64b23fc6e67815893fc7cb8b7cfee253d87963f54973",
	Stage2:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage2-basic.tar.bz2#9a2b4d71e9779801bde73c16b3be789bc50672019a87e8c90fe3c94e034907c1",
}

LatestBasicArtifacts are the latest TDX ROFL basic app artifacts.

var LatestContainerArtifacts = ArtifactsConfig{
	Firmware: "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f",
	Kernel:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage1.bin#e5d4d654ca1fa2c388bf64b23fc6e67815893fc7cb8b7cfee253d87963f54973",
	Stage2:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage2-podman.tar.bz2#b2ea2a0ca769b6b2d64e3f0c577ee9c08f0bb81a6e33ed5b15b2a7e50ef9a09f",
	Container: ContainerArtifactsConfig{
		Runtime: "https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.7.3/rofl-containers#964fbd8edaea8041fd9c5304bb4631b7126d57d06062cc3922e50313cdeef618",
	},
}

LatestContainerArtifacts are the latest TDX container app artifacts.
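Both artifact sets above pin every download with a `#<64 hex characters>` fragment. The following is an added example (my code, not the rofl package's or the oasis CLI's fetch logic, which this page does not show) of how a build step should consume such a URI: split off the fragment, download from the remainder, and refuse the artifact unless its digest matches. It assumes the fragment is the SHA-256 of the file contents; `PinnedArtifact`, `ParsePinnedArtifact`, `Verify` and `CheckAllPinned` are this example's own names, and the artifact bytes in `main` are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// PinnedArtifact is an artifact location whose URI fragment carried the expected
// digest. Assumption for this example: the 64-hex-character fragment on the
// artifact URIs above is the SHA-256 of the downloaded file.
type PinnedArtifact struct {
	URL    string            // download location with the fragment stripped
	Digest [sha256.Size]byte // expected SHA-256 of the content
}

// ParsePinnedArtifact splits "<url>#<hex digest>" into its parts. A URI without
// a digest fragment is rejected: an unpinned artifact cannot be verified.
func ParsePinnedArtifact(uri string) (PinnedArtifact, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return PinnedArtifact{}, err
	}
	if u.Fragment == "" {
		return PinnedArtifact{}, errors.New("artifact URI carries no digest fragment")
	}
	raw, err := hex.DecodeString(u.Fragment)
	if err != nil || len(raw) != sha256.Size {
		return PinnedArtifact{}, fmt.Errorf("fragment %q is not a hex-encoded SHA-256 digest", u.Fragment)
	}
	var pa PinnedArtifact
	copy(pa.Digest[:], raw)
	u.Fragment = "" // the fragment is local metadata; it is never sent to the server
	pa.URL = u.String()
	return pa, nil
}

// Verify hashes the downloaded content and compares it with the pinned digest in
// constant time. A mismatch is an error, not a bool the caller can forget to check.
func (pa PinnedArtifact) Verify(content []byte) error {
	got := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(got[:], pa.Digest[:]) != 1 {
		return fmt.Errorf("%s: digest mismatch, got %x", pa.URL, got)
	}
	return nil
}

// CheckAllPinned enforces the policy that every configured artifact is pinned.
// Empty entries pass because an empty field means "use the default".
func CheckAllPinned(artifacts map[string]string) error {
	for name, uri := range artifacts {
		if uri == "" {
			continue
		}
		if _, err := ParsePinnedArtifact(uri); err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
	}
	return nil
}

func main() {
	// Constructed artifact body; its digest is computed here so the demo runs offline.
	content := []byte("constructed stage2 image bytes")
	sum := sha256.Sum256(content)
	pa, err := ParsePinnedArtifact("https://example.invalid/stage2.tar.bz2#" + hex.EncodeToString(sum[:]))
	if err != nil {
		panic(err)
	}
	fmt.Println("download from:", pa.URL)
	fmt.Println("intact copy verifies:", pa.Verify(content) == nil)
	fmt.Println("tampered copy verifies:", pa.Verify(append([]byte("x"), content...)) == nil)
	fmt.Println("unpinned config rejected:", CheckAllPinned(map[string]string{"kernel": "https://example.invalid/stage1.bin"}) != nil)
}
```

The policy check is the part worth keeping in a CI step: an `ArtifactsConfig` override that drops the fragment silently turns a pinned build into one that trusts whatever the URL serves on the day of the build.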

var ManifestFileNames = []string{
	"rofl.yaml",
	"rofl.yml",
}

ManifestFileNames are the manifest file names that are tried when loading the manifest.

Functions

func EncryptSecret

func EncryptSecret(name string, value []byte, sek x25519.PublicKey) (string, error)

EncryptSecret encrypts a secret, given its plain-text name and value, using the secrets encryption key (SEK) obtained for the given application. Returns the Base64-encoded value that can be used in the configuration.

func ManifestExists

func ManifestExists() bool

ManifestExists checks whether a manifest file exists. No attempt is made to load, parse or validate any of the found manifest files.

func PrepareSecrets

func PrepareSecrets(cfg []*SecretConfig) map[string][]byte

PrepareSecrets transforms the secrets configuration into a format suitable for updating the ROFL app configuration.

Panics in case the configuration is malformed.

func PushBundleToOciRepository added in v0.13.0

func PushBundleToOciRepository(bundleFn, dst string) (string, hash.Hash, error)

PushBundleToOciRepository pushes an ORC bundle to the given remote OCI repository.

Returns the OCI manifest digest and the ORC manifest hash.

Types

type AppAuthPolicy added in v0.13.1

type AppAuthPolicy struct {
	// Quotes is a quote policy.
	Quotes quote.Policy `json:"quotes" yaml:"quotes"`
	// Enclaves is the set of allowed enclave identities.
	Enclaves []*EnclaveIdentity `json:"enclaves" yaml:"enclaves"`
	// Endorsements is the set of allowed endorsements.
	Endorsements []rofl.AllowedEndorsement `json:"endorsements" yaml:"endorsements"`
	// Fees is the gas fee payment policy.
	Fees rofl.FeePolicy `json:"fees" yaml:"fees"`
	// MaxExpiration is the maximum number of future epochs for which one can register.
	MaxExpiration beacon.EpochTime `json:"max_expiration" yaml:"max_expiration"`
}

AppAuthPolicy is the per-application ROFL policy.

This is a different type from `rofl.AppAuthPolicy` in order to add extra structure that makes it easier to configure without changing the on-chain representation.

func (*AppAuthPolicy) AsDescriptor added in v0.13.1

func (p *AppAuthPolicy) AsDescriptor() *rofl.AppAuthPolicy

AsDescriptor converts the structure into an on-chain policy descriptor.

func (*AppAuthPolicy) Validate added in v0.13.1

func (p *AppAuthPolicy) Validate() error

Validate validates the policy for correctness.

type ArtifactsConfig

type ArtifactsConfig struct {
	// Builder is the OCI reference to the builder container image. Empty to not use a builder.
	Builder string `yaml:"builder,omitempty" json:"builder,omitempty"`
	// Firmware is the URI/path to the firmware artifact.
	Firmware string `yaml:"firmware,omitempty" json:"firmware,omitempty"`
	// Kernel is the URI/path to the kernel artifact.
	Kernel string `yaml:"kernel,omitempty" json:"kernel,omitempty"`
	// Stage2 is the URI/path to the stage 2 disk artifact.
	Stage2 string `yaml:"stage2,omitempty" json:"stage2,omitempty"`
	// Container is the container artifacts configuration.
	Container ContainerArtifactsConfig `yaml:"container,omitempty" json:"container,omitempty"`
}

ArtifactsConfig is the artifact location override configuration.

func (*ArtifactsConfig) UpgradeTo added in v0.15.1

func (ac *ArtifactsConfig) UpgradeTo(latest *ArtifactsConfig) bool

UpgradeTo upgrades the artifacts to the latest version by updating any relevant fields.

Returns true iff any artifacts have been updated.

type ContainerArtifactsConfig

type ContainerArtifactsConfig struct {
	// Runtime is the URI/path to the container runtime artifact (empty to use default).
	Runtime string `yaml:"runtime,omitempty" json:"runtime,omitempty"`
	// Compose is the URI/path to the docker-compose.yaml artifact (empty to use default).
	Compose string `yaml:"compose,omitempty" json:"compose,omitempty"`
}

ContainerArtifactsConfig is the container artifacts configuration.

func (*ContainerArtifactsConfig) UpgradeTo added in v0.15.1

UpgradeTo upgrades the artifacts to the latest version by updating any relevant fields.

Returns true iff any artifacts have been updated.

type Deployment

type Deployment struct {
	// AppID is the Bech32-encoded ROFL app ID.
	AppID string `yaml:"app_id,omitempty" json:"app_id,omitempty"`
	// Network is the identifier of the network to deploy to.
	Network string `yaml:"network" json:"network"`
	// ParaTime is the identifier of the paratime to deploy to.
	ParaTime string `yaml:"paratime" json:"paratime"`
	// Admin is the identifier of the admin account.
	Admin string `yaml:"admin,omitempty" json:"admin,omitempty"`
	// Debug is a flag denoting whether this is a debuggable deployment.
	Debug bool `yaml:"debug,omitempty" json:"debug,omitempty"`
	// OCIRepository is the optional OCI repository where one can push the ORC to.
	OCIRepository string `yaml:"oci_repository,omitempty" json:"oci_repository,omitempty"`
	// TrustRoot is the optional trust root configuration.
	TrustRoot *TrustRootConfig `yaml:"trust_root,omitempty" json:"trust_root,omitempty"`
	// Policy is the ROFL app policy.
	Policy *AppAuthPolicy `yaml:"policy,omitempty" json:"policy,omitempty"`
	// Metadata contains custom metadata.
	Metadata map[string]string `yaml:"metadata,omitempty" json:"metadata,omitempty"`
	// Secrets contains encrypted secrets.
	Secrets []*SecretConfig `yaml:"secrets,omitempty" json:"secrets,omitempty"`

	// Machines are the machines on which app replicas are deployed.
	Machines map[string]*Machine `yaml:"machines,omitempty" json:"machines,omitempty"`
}

Deployment describes a single ROFL app deployment.

func (*Deployment) HasAppID

func (d *Deployment) HasAppID() bool

HasAppID returns true iff the deployment has an application identifier set.

func (*Deployment) Validate

func (d *Deployment) Validate() error

Validate validates the deployment for correctness.

type EnclaveIdentity added in v0.13.1

type EnclaveIdentity struct {
	// ID is the enclave identity.
	ID sgx.EnclaveIdentity `json:"id" yaml:"id"`
	// Version is an optional version this enclave identity is for, with an empty value indicating
	// the latest version.
	//
	// This can be used to keep historic versions in the current policy.
	Version string `json:"version,omitempty" yaml:"version,omitempty"`
	// Description is an optional description of an enclave identity.
	Description string `json:"description,omitempty" yaml:"description,omitempty"`
}

EnclaveIdentity is the cryptographic enclave identity.

func (*EnclaveIdentity) IsLatest added in v0.13.1

func (ei *EnclaveIdentity) IsLatest() bool

IsLatest returns true iff the enclave identity is for the latest app version.

func (*EnclaveIdentity) UnmarshalYAML added in v0.13.1

func (ei *EnclaveIdentity) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

func (*EnclaveIdentity) Validate added in v0.13.1

func (ei *EnclaveIdentity) Validate() error

Validate validates the enclave identity for correctness.

type Machine added in v0.13.0

type Machine struct {
	// Provider is the address of the ROFL market provider to deploy to.
	Provider string `yaml:"provider,omitempty" json:"provider,omitempty"`
	// Offer is the provider's offer identifier to provision.
	Offer string `yaml:"offer,omitempty" json:"offer,omitempty"`
	// ID is the identifier of the machine to deploy into.
	ID string `yaml:"id,omitempty" json:"id,omitempty"`

	// Permissions is a map of permissions for the machine.
	Permissions map[string][]string `yaml:"permissions,omitempty" json:"permissions,omitempty"`
}

Machine is a hosted machine where a ROFL app is deployed.

func (*Machine) Validate added in v0.13.0

func (m *Machine) Validate() error

Validate validates the machine for correctness.

type Manifest

type Manifest struct {
	// Name is the human readable ROFL app name.
	Name string `yaml:"name" json:"name"`
	// Version is the ROFL app version.
	Version string `yaml:"version" json:"version"`
	// Repository is the ROFL app repository URL.
	Repository string `yaml:"repository,omitempty" json:"repository,omitempty"`
	// Author is the ROFL app author full name and e-mail.
	Author string `yaml:"author,omitempty" json:"author,omitempty"`
	// License is the ROFL app SPDX license expression.
	License string `yaml:"license,omitempty" json:"license,omitempty"`
	// Homepage is the ROFL app homepage.
	Homepage string `yaml:"homepage,omitempty" json:"homepage,omitempty"`
	// Description is the ROFL app description.
	Description string `yaml:"description,omitempty" json:"description,omitempty"`
	// TEE is the type of TEE to build for.
	TEE string `yaml:"tee" json:"tee"`
	// Kind is the kind of ROFL app to build.
	Kind string `yaml:"kind" json:"kind"`
	// Resources are the requested ROFL app resources.
	Resources ResourcesConfig `yaml:"resources" json:"resources"`
	// Artifacts are the optional artifact location overrides.
	Artifacts *ArtifactsConfig `yaml:"artifacts,omitempty" json:"artifacts,omitempty"`

	// Deployments are the ROFL app deployments.
	Deployments map[string]*Deployment `yaml:"deployments,omitempty" json:"deployments,omitempty"`

	// Scripts are custom scripts that are executed by the build system at specific stages.
	Scripts map[string]string `yaml:"scripts,omitempty" json:"scripts,omitempty"`
	// contains filtered or unexported fields
}

Manifest is the ROFL app manifest that configures various aspects of the app in a single place.

func LoadManifest

func LoadManifest() (*Manifest, error)

LoadManifest attempts to find and load the ROFL app manifest from a local file.

func (*Manifest) GetMetadata added in v0.12.0

func (m *Manifest) GetMetadata(deployment string) map[string]string

GetMetadata derives metadata from the attributes defined in the manifest and combines it with the metadata for the specified deployment.

func (*Manifest) Save

func (m *Manifest) Save() error

Save serializes the manifest and writes it to the file returned by `SourceFileName`, overwriting any previous manifest.

If no previous source filename is available, a default one is set.

func (*Manifest) SourceFileName

func (m *Manifest) SourceFileName() string

SourceFileName returns the filename of the manifest file from which the manifest was loaded or an empty string in case the filename is not available.

func (*Manifest) Validate

func (m *Manifest) Validate() error

Validate validates the manifest for correctness.
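The manifest's `TEE`, `Kind` and storage `Kind` fields take their values from the constants at the top of the page, and the deployment named `DefaultDeploymentName` must always be defined. The following added example (my code, not the package's own `Validate`, whose rules beyond the documented constants are not shown here) decodes a constructed manifest and applies those checks with the standard library alone. It uses the documented JSON tags rather than the YAML manifest file because the YAML parser is a third-party dependency; the reduced field set, the `ParseManifest` function and the rule that non-`none` storage kinds need a non-zero size are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Documented constants this example validates against; the types below are
// reduced copies of the documented ones, with the documented JSON tags.
const (
	AppKindRaw, AppKindContainer = "raw", "container"
	TEETypeSGX, TEETypeTDX       = "sgx", "tdx"
	DefaultDeploymentName        = "default"
)

// Documented storage kinds, mapped to whether this example demands a non-zero size (its own rule).
var storageKinds = map[string]bool{"none": false, "disk-ephemeral": true, "disk-persistent": true, "ram": true}

type StorageConfig struct {
	Kind string `json:"kind"`
	Size uint64 `json:"size"`
}

type ResourcesConfig struct {
	Memory   uint64         `json:"memory"`
	CPUCount uint8          `json:"cpus"`
	Storage  *StorageConfig `json:"storage,omitempty"`
}

type Deployment struct {
	Network  string `json:"network"`
	ParaTime string `json:"paratime"`
}

type Manifest struct {
	Name        string                 `json:"name"`
	Version     string                 `json:"version"`
	TEE         string                 `json:"tee"`
	Kind        string                 `json:"kind"`
	Resources   ResourcesConfig        `json:"resources"`
	Deployments map[string]*Deployment `json:"deployments,omitempty"`
}

func (s *StorageConfig) Validate() error {
	needSize, ok := storageKinds[s.Kind]
	if !ok {
		return fmt.Errorf("storage: unsupported kind %q", s.Kind)
	}
	if needSize && s.Size == 0 {
		return fmt.Errorf("storage: kind %q requires a non-zero size", s.Kind)
	}
	return nil
}

// Validate rejects unknown enum values, an empty resource request and a missing
// default deployment before anything is built or registered.
func (m *Manifest) Validate() error {
	if m.TEE != TEETypeSGX && m.TEE != TEETypeTDX {
		return fmt.Errorf("manifest: unsupported tee %q", m.TEE)
	}
	if m.Kind != AppKindRaw && m.Kind != AppKindContainer {
		return fmt.Errorf("manifest: unsupported kind %q", m.Kind)
	}
	if m.Resources.Memory == 0 || m.Resources.CPUCount == 0 {
		return errors.New("resources: memory and cpus must be non-zero")
	}
	if s := m.Resources.Storage; s != nil {
		if err := s.Validate(); err != nil {
			return err
		}
	}
	if _, ok := m.Deployments[DefaultDeploymentName]; !ok {
		return fmt.Errorf("manifest: deployment %q must always be defined", DefaultDeploymentName)
	}
	for name, d := range m.Deployments {
		if d == nil || d.Network == "" || d.ParaTime == "" {
			return fmt.Errorf("deployment %q: network and paratime are required", name)
		}
	}
	return nil
}

// ParseManifest decodes and validates in one step so callers never hold an unvalidated manifest.
func ParseManifest(data []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, err
	}
	if err := m.Validate(); err != nil {
		return nil, err
	}
	return &m, nil
}

func main() {
	// Constructed manifest in JSON form; a rofl.yaml carries the same keys.
	m, err := ParseManifest([]byte(`{"name":"demo","version":"0.1.0","tee":"tdx","kind":"container",` +
		`"resources":{"memory":512,"cpus":1,"storage":{"kind":"disk-persistent","size":1024}},` +
		`"deployments":{"default":{"network":"net-example","paratime":"pt-example"}}}`))
	fmt.Println(m != nil, err)
}
```

Validating on load rather than at deploy time matters because the manifest feeds `PrepareSecrets`, which the page documents as panicking on a malformed configuration; a typo in a storage kind or a missing default deployment is cheaper to catch here.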

type ResourcesConfig

type ResourcesConfig struct {
	// Memory is the amount of memory needed by the app in megabytes.
	Memory uint64 `yaml:"memory" json:"memory"`
	// CPUCount is the number of vCPUs needed by the app.
	CPUCount uint8 `yaml:"cpus" json:"cpus"`
	// Storage is the storage configuration.
	Storage *StorageConfig `yaml:"storage,omitempty" json:"storage,omitempty"`
}

ResourcesConfig is the resources configuration.

func (*ResourcesConfig) Validate

func (r *ResourcesConfig) Validate() error

Validate validates the resources configuration for correctness.

type SecretConfig

type SecretConfig struct {
	// Name is the name of the secret.
	Name string `yaml:"name" json:"name"`
	// PublicName is the public name of the secret. It will be visible to everyone on-chain, but is
	// otherwise ignored.
	PublicName string `yaml:"public_name,omitempty" json:"public_name,omitempty"`
	// Value is the Base64-encoded encrypted value.
	Value string `yaml:"value" json:"value"`
}

SecretConfig is the configuration of a given secret.

func (*SecretConfig) Validate

func (s *SecretConfig) Validate() error

Validate validates the secret configuration for correctness.

type SecretEnvelope

type SecretEnvelope struct {
	// Pk is the ephemeral public key used for X25519.
	Pk x25519.PublicKey `json:"pk"`
	// Nonce.
	Nonce [deoxysii.NonceSize]byte `json:"nonce"`
	// Name is the encrypted secret name.
	Name []byte `json:"name"`
	// Value is the encrypted secret value.
	Value []byte `json:"value"`
}

SecretEnvelope is the envelope used for storing encrypted secrets.
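`EncryptSecret` above and the `SecretEnvelope` type together describe an ephemeral-key envelope: a fresh X25519 key pair per secret, a shared secret with the app's SEK, one nonce, and the name and value encrypted separately. The following added example (my code, not the package's implementation) reproduces that layout with the Go standard library only, substituting AES-256-GCM for Deoxys-II, JSON for the package's envelope encoding, and SHA-256 of the shared secret plus a per-field label for the key derivation; the `DecryptSecret` counterpart and the `fieldAEADs` helper are assumptions for illustration. One caveat the substitution makes visible: the envelope carries a single nonce for two ciphertexts, which is safe with a nonce-misuse-resistant AEAD such as Deoxys-II, but GCM leaks plaintext under nonce reuse, so the example derives a separate key per field.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// SecretEnvelope keeps the documented layout: ephemeral X25519 public key, one nonce, and the
// separately encrypted name and value. Substitution for this stdlib-only example: AES-256-GCM (12-byte nonce).
type SecretEnvelope struct {
	Pk    []byte   `json:"pk"`
	Nonce [12]byte `json:"nonce"`
	Name  []byte   `json:"name"`
	Value []byte   `json:"value"`
}

// fieldAEADs runs X25519 and derives one GCM key per field as SHA-256(shared || label).
// GCM is not nonce-misuse resistant, so two fields that share a nonce must not share a key.
func fieldAEADs(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	var out [2]cipher.AEAD
	for i, label := range []string{"name", "value"} {
		h := sha256.New()
		h.Write(shared)
		h.Write([]byte(label))
		block, err := aes.NewCipher(h.Sum(nil))
		if err != nil {
			return nil, nil, err
		}
		if out[i], err = cipher.NewGCM(block); err != nil {
			return nil, nil, err
		}
	}
	return out[0], out[1], nil
}

// EncryptSecret seals name and value to the app's SEK under a fresh ephemeral key pair and returns the Base64 envelope.
func EncryptSecret(name string, value []byte, sek *ecdh.PublicKey) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	nameAEAD, valueAEAD, err := fieldAEADs(eph, sek)
	if err != nil {
		return "", err
	}
	env := SecretEnvelope{Pk: eph.PublicKey().Bytes()}
	if _, err := rand.Read(env.Nonce[:]); err != nil {
		return "", err
	}
	env.Name = nameAEAD.Seal(nil, env.Nonce[:], []byte(name), nil)
	env.Value = valueAEAD.Seal(nil, env.Nonce[:], value, nil)
	raw, err := json.Marshal(env)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// DecryptSecret is the counterpart run by the holder of the SEK private key (the enclave side).
func DecryptSecret(encoded string, sekPriv *ecdh.PrivateKey) (string, []byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", nil, err
	}
	var env SecretEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", nil, err
	}
	pk, err := ecdh.X25519().NewPublicKey(env.Pk)
	if err != nil {
		return "", nil, err
	}
	nameAEAD, valueAEAD, err := fieldAEADs(sekPriv, pk)
	if err != nil {
		return "", nil, err
	}
	name, errName := nameAEAD.Open(nil, env.Nonce[:], env.Name, nil)
	value, errValue := valueAEAD.Open(nil, env.Nonce[:], env.Value, nil)
	if errName != nil || errValue != nil { // one generic error: do not reveal which field failed
		return "", nil, errors.New("envelope authentication failed")
	}
	return string(name), value, nil
}

func main() {
	sek, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed SEK; only its public half is published
	enc, _ := EncryptSecret("API_KEY", []byte("constructed-secret"), sek.PublicKey())
	fmt.Println(DecryptSecret(enc, sek))
}
```

Two properties carry over to the real scheme regardless of the AEAD: the SEK private key never leaves the side that decrypts, so the Base64 value is safe to commit to the manifest, and every call to `EncryptSecret` produces a different ciphertext for the same input because the ephemeral key and nonce are fresh.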

type StorageConfig

type StorageConfig struct {
	// Kind is the storage kind.
	Kind string `yaml:"kind" json:"kind"`
	// Size is the amount of storage in megabytes.
	Size uint64 `yaml:"size" json:"size"`
}

StorageConfig is the storage configuration.

func (*StorageConfig) Validate

func (e *StorageConfig) Validate() error

Validate validates the storage configuration for correctness.

type TargetWithProgress added in v0.15.3

type TargetWithProgress struct {
	oras.Target

	Message        string
	UpdateInterval time.Duration
	BytesRead      *atomic.Uint64
	BytesTotal     uint64
	// contains filtered or unexported fields
}

TargetWithProgress wraps oras.Target and provides updates via a progress bar.

func NewTargetWithProgress added in v0.15.3

func NewTargetWithProgress(target oras.Target, bytesTotal uint64, msg string) *TargetWithProgress

NewTargetWithProgress creates a new TargetWithProgress. bytesTotal is the size to use for the 100% value (use 0 if unknown). msg is the message to display in front of the progress bar.

func (*TargetWithProgress) Push added in v0.15.3

func (t *TargetWithProgress) Push(ctx context.Context, desc v1.Descriptor, content io.Reader) error

Push wraps the oras.Target Push method with progress bar updates.

func (*TargetWithProgress) StartProgress added in v0.15.3

func (t *TargetWithProgress) StartProgress()

StartProgress starts updating the progress bar.

func (*TargetWithProgress) StopProgress added in v0.15.3

func (t *TargetWithProgress) StopProgress()

StopProgress stops the progress bar updates.

type TrustRootConfig

type TrustRootConfig struct {
	// Height is the consensus layer block height where to take the trust root.
	Height uint64 `yaml:"height,omitempty" json:"height,omitempty"`
	// Hash is the consensus layer block header hash corresponding to the passed height.
	Hash string `yaml:"hash,omitempty" json:"hash,omitempty"`
}

TrustRootConfig is the trust root configuration.
