k8s: add overlay to deploy with a custom Intel DCAP config

Signed-off-by: Mikko Ylinen <[email protected]>

kbs/config/kubernetes/README.md

@@ -58,6 +58,16 @@ Once you deploy the KBS, you can use the services' nodeport and the Kubernetes n
 echo $(kubectl get nodes -o jsonpath='{.items[0].status.addresses[0].address}'):$(kubectl get svc kbs -n coco-tenant -o jsonpath='{.spec.ports[0].nodePort}')
 ```
 
+## Optional: Use custom Intel DCAP configuration
+
+If you would like to override the default `sgx_default_qcnl.conf` in the KBS/AS images, copy/configure one into `custom_pccs/` directory and deploy using:
+
+```bash
+export DEPLOYMENT_DIR=custom_pccs
+```
+
+NB: this currently builds on `nodeport` kustomization.
+
 ## Deploy KBS
 
 Deploy KBS by running the following command:

kbs/config/kubernetes/custom_pccs/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../nodeport
+
+patches:
+- path: set_custom_pccs.yaml
+  target:
+    kind: Deployment
+    name: kbs
+
+configMapGenerator:
+- files:
+  - sgx_default_qcnl.conf
+  name: dcap-attestation-conf

kbs/config/kubernetes/custom_pccs/set_custom_pccs.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kbs
+spec:
+  template:
+    spec:
+      containers:
+      - name: kbs
+        volumeMounts:
+        - name: qplconf
+          mountPath: /etc/sgx_default_qcnl.conf
+          subPath: sgx_default_qcnl.conf
+      volumes:
+      - name: qplconf
+        configMap:
+          name: dcap-attestation-conf
+          items:
+          - key: sgx_default_qcnl.conf
+            path: sgx_default_qcnl.conf

kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf

@@ -0,0 +1 @@
+{"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"}