Document: Optimized the path of resources. #21
Conversation
| parameters: | ||
| - in: cookie | ||
| name: kbs-session-id | ||
| schema: | ||
| type: string | ||
| - name: repository | ||
| in: path | ||
| description: A parent path of resource, can be empty to use the default repository. |
There was a problem hiding this comment.
I am not sure what this is for. Could you give an example here?
There was a problem hiding this comment.
This is similar to the concept of container image repository (docker.io/{repository}/{image_name}:{tag}), which is used to facilitate users to manage different resource groups. Its name should be completely set by users.
For example, if the user has two TEE Pod instances, the repository field can be used to manage the resources that need to be provided to the two TEE Pod instances:
/kbs/v0/resource/tee-instance-abcde123/key/<key-id>
/kbs/v0/resource/tee-instance-edcba321/key/<key-id>
There was a problem hiding this comment.
And, if KBS needs to support multiple tenants in the future, repository can also be the name of the tenant, for example:
/kbs/v0/resource/Alice/key/<key-id>
jialez0
force-pushed
the
main
branch
2 times, most recently
from
cfc648f
to
0275714
Compare
docs/kbs_attestation_protocol.md
Outdated
| @@ -383,20 +383,22 @@ A request for protected resource can fail for three reasons: | |||
| 3. The requested resource does not exist. The KBS implementation sends an HTTP | |||
| response with a 404 (`Not Found`) status code. | |||
|
|
|||
| The KBS protocol currently supports two kinds of resources for an attester to | |||
| request: keys and tokens. | |||
| ### Resource Path | |||
There was a problem hiding this comment.
Could we call that one ### Secret Resource
docs/kbs_attestation_protocol.md
Outdated
| Keys are generic protected resources that an authenticated attester can get by | ||
| sending a `GET` HTTP request to the `/kbs/v0/resources/key/<key_id>` endpoint. | ||
| ``` | ||
| /kbs/v0/resources/<repository>/<type>/<tag> |
There was a problem hiding this comment.
You need to fix the path here as well.
KBS should not only support the acquisition of keys, but also support the acquisition of multiple confidential resources. This commit revises the path of resource location and describes resources in a more unified format. Signed-off-by: Jiale Zhang <[email protected]>
…references/konflux-references chore(deps): update konflux references to v0.2
KBS should not only support the acquisition of keys, but also support the acquisition of multiple confidential resources. This commit revises the path of resource location and describes resources in a more unified format.
cc @sameo @Xynnn007
Refer to: confidential-containers/documentation#85