Document: Optimized the path of resources. #21
parameters: | ||
- in: cookie | ||
name: kbs-session-id | ||
schema: | ||
type: string | ||
- name: repository | ||
in: path | ||
description: A parent path of resource, can be empty to use the default repository. |
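Review bot: `repository` is declared as an `in: path` parameter, yet its description says it "can be empty to use the default repository". In OpenAPI 3 a path parameter is always required, and an empty path segment is not something routers handle consistently, so the default-repository case needs to be expressed as its own path template (one without the `{repository}` segment) or the description must state the exact URL form that selects the default. The wording "A parent path of resource" is also unclear; something like "The repository (resource group) the resource belongs to" matches the intent explained in the thread.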
I am not sure what this is for. Could you give an example here?
This is similar to the concept of container image repository (docker.io/{repository}/{image_name}:{tag}), which is used to facilitate users to manage different resource groups. Its name should be completely set by users.
For example, if the user has two TEE Pod instances, the repository field can be used to manage the resources that need to be provided to the two TEE Pod instances:

/kbs/v0/resource/tee-instance-abcde123/key/<key-id>
/kbs/v0/resource/tee-instance-edcba321/key/<key-id>
And, if KBS needs to support multiple tenants in the future, repository can also be the name of the tenant, for example:

/kbs/v0/resource/Alice/key/<key-id>
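The repository/type/tag addressing described in the comments above, as an added example that is not part of the KBS project's code or of this PR: a small Rust parser for the path form `/kbs/v0/resource/<repository>/<type>/<tag>`. It treats an omitted or empty repository segment as the default repository (the name `default` is an assumption; the page does not name it) and rejects segments such as `.` and `..` or ones with unexpected characters, because a resource path that is later mapped onto a filesystem or object-store key must not be able to escape the repository it names.

```rust
// Added example, not code from the KBS project or this PR.
// Parses the resource path form discussed in the review thread:
//   /kbs/v0/resource/<repository>/<type>/<tag>
// Assumptions not stated on the page: the default repository is called
// "default", and segments are limited to the characters [A-Za-z0-9._-].

const RESOURCE_PREFIX: &str = "/kbs/v0/resource/";
const DEFAULT_REPOSITORY: &str = "default"; // assumed name

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ResourceDesc {
    pub repository: String,
    pub kind: String, // the <type> segment, e.g. "key" or "token"
    pub tag: String,  // the <tag> segment, e.g. a key id
}

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    WrongPrefix,
    WrongSegmentCount(usize),
    BadSegment(String),
}

/// Accept a segment only if it is non-empty, is not "." or "..", and uses a
/// conservative character set. Resource paths are commonly mapped onto a
/// filesystem or object-store key, so a segment must never be able to act
/// as a directory traversal or carry a separator.
fn check_segment(seg: &str) -> Result<(), PathError> {
    let ok = !seg.is_empty()
        && seg != "."
        && seg != ".."
        && seg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'));
    if ok {
        Ok(())
    } else {
        Err(PathError::BadSegment(seg.to_string()))
    }
}

/// Parse a request path into (repository, type, tag). Both
/// `/kbs/v0/resource/key/<id>` and `/kbs/v0/resource//key/<id>` select the
/// default repository; a tenant or TEE-instance name in the first segment
/// selects that repository instead.
pub fn parse_resource_path(path: &str) -> Result<ResourceDesc, PathError> {
    let rest = path
        .strip_prefix(RESOURCE_PREFIX)
        .ok_or(PathError::WrongPrefix)?;
    let segs: Vec<&str> = rest.split('/').collect();
    let (repository, kind, tag) = match segs.as_slice() {
        [kind, tag] => (DEFAULT_REPOSITORY, *kind, *tag),
        ["", kind, tag] => (DEFAULT_REPOSITORY, *kind, *tag),
        [repo, kind, tag] => (*repo, *kind, *tag),
        other => return Err(PathError::WrongSegmentCount(other.len())),
    };
    // Validate every segment, the repository included, before use.
    for seg in [repository, kind, tag] {
        check_segment(seg)?;
    }
    Ok(ResourceDesc {
        repository: repository.to_string(),
        kind: kind.to_string(),
        tag: tag.to_string(),
    })
}

/// The storage key a back end would derive from a parsed path; because every
/// segment passed `check_segment`, the key cannot leave `<repository>`.
pub fn storage_key(desc: &ResourceDesc) -> String {
    format!("{}/{}/{}", desc.repository, desc.kind, desc.tag)
}

fn main() {
    // Constructed sample requests modelled on the review discussion.
    let samples = [
        "/kbs/v0/resource/tee-instance-abcde123/key/k1",
        "/kbs/v0/resource/Alice/key/k1",
        "/kbs/v0/resource/key/k1",
        "/kbs/v0/resource/../key/k1",
    ];
    for p in samples {
        match parse_resource_path(p) {
            Ok(d) => println!("{} -> {}", p, storage_key(&d)),
            Err(e) => println!("{} -> rejected: {:?}", p, e),
        }
    }
}
```

The parser deliberately accepts only a fixed number of segments rather than "everything after the prefix", so a request cannot smuggle extra components into the stored key; anything else the thread leaves open (the actual default-repository name, the allowed character set) is marked as an assumption in the comments.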
Force-pushed: compare cfc648f to 0275714
docs/kbs_attestation_protocol.md (outdated)
@@ -383,20 +383,22 @@ A request for protected resource can fail for three reasons: | |||
3. The requested resource does not exist. The KBS implementation sends an HTTP | |||
response with a 404 (`Not Found`) status code. | |||
|
|||
The KBS protocol currently supports two kinds of resources for an attester to | |||
request: keys and tokens. | |||
### Resource Path |
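Review bot: the retained sentence "The KBS protocol currently supports two kinds of resources for an attester to request: keys and tokens" sits awkwardly next to the new `### Resource Path` section, whose purpose (per the PR description) is a unified `<repository>/<type>/<tag>` form in which the type is open-ended. Reword it to say that resources are addressed by type, with keys and tokens being the types documented so far, so the introduction does not contradict the generalised path that follows.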
Could we call that one ### Secret Resource
Sure, updated now.
docs/kbs_attestation_protocol.md (outdated)
Keys are generic protected resources that an authenticated attester can get by | ||
sending a `GET` HTTP request to the `/kbs/v0/resources/key/<key_id>` endpoint. | ||
``` | ||
/kbs/v0/resources/<repository>/<type>/<tag> |
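Review bot: the first sentence still documents the old endpoint `/kbs/v0/resources/key/<key_id>` while the fenced path immediately below introduces `/kbs/v0/resources/<repository>/<type>/<tag>`; update the sentence to the new form (with `type` = `key` and `tag` = the key id) so the two agree. The examples given in the review discussion also use the singular `/kbs/v0/resource/...`, so one spelling of that segment should be chosen and used consistently in this document and in the OpenAPI definition.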
You need to fix the path here as well.
Thanks, done.
KBS should not only support the acquisition of keys, but also support the acquisition of multiple confidential resources. This commit revises the path of resource location and describes resources in a more unified format.

Signed-off-by: Jiale Zhang <[email protected]>
KBS should not only support the acquisition of keys, but also support the acquisition of multiple confidential resources. This commit revises the path of resource location and describes resources in a more unified format.
cc @sameo @Xynnn007
Refer to: confidential-containers/documentation#85