Remove and replace additional operations in enclave start #1289
Conversation
| OPTOUT_BASE_URL=$(jq -r ".optout_base_url" < "${PARAMETERIZED_CONFIG}") | ||
| DEPLOYMENT_ENVIRONMENT=$(jq -r ".environment" < "${OPERATOR_CONFIG}") | ||
| DEBUG_MODE=$(jq -r ".debug_mode" < "${OPERATOR_CONFIG}") | ||
|
|
There was a problem hiding this comment.
we need to ensure CORE_BASE_URL is not set to random core, as this will result in operator sending token + pcr0 to overridden malicious core.
Basically, updates the logic to always replace URL in config. If prod, use default prod URL otherwise allow override.
This check is not done in GCP, as we attest GCP confidential compute by calling GCP endpoints. Please correct if wrong @atarassov-ttd
| exit 1 | ||
| fi | ||
| done | ||
| FILTER=$(printf '. | {') |
There was a problem hiding this comment.
We do this logic differently in each implementation: In GCP in Java code, in Azure in MAA attestation, and in AWS it was in make_config.py.
| @@ -10,25 +10,6 @@ def get_config(): | |||
| with open('/etc/secret/secret-value/config', 'r') as secret_file: | |||
| secret_value = secret_file.read().strip() | |||
| secret_value_json = json.loads(secret_value) | |||
| secret_value_json["environment"] = secret_value_json["environment"].lower() | |||
There was a problem hiding this comment.
Is this needed now? @Ian-Nara
We populate configs after processing in
uid2-operator/scripts/aws/ec2.py
Line 135 in 9b94fd5
There was a problem hiding this comment.
I think the lower() calls to these is still useful, unless I missed that in the ec2.py
There was a problem hiding this comment.
we ensure it is lower as part of validations
abuabraham-ttd
force-pushed
the
abu-UID2-4633-remove-unusued-aws
branch
from
30167dd to
8c08a13
Compare
abuabraham-ttd
force-pushed
the
abu-UID2-4633-remove-unusued-aws
branch
from
4fdd34b to
8192fbc
Compare
| #TODO: Remove below logic after remote config management is implemented | ||
|
|
||
| if [[ "$DEPLOYMENT_ENVIRONMENT" != "prod" ]]; then | ||
| #Allow override of base URL in non-prod environments |
There was a problem hiding this comment.
I tried to remove all configs we pass and keep it simple, but there are lot of intricacies
This bit, can be removed once we complete remote config management, and use optour url returned by core.
abuabraham-ttd
force-pushed
the
abu-UID2-4633-remove-unusued-aws
branch
from
0aa65c2 to
d852887
Compare
abuabraham-ttd
force-pushed
the
abu-UID2-4633-remove-unusued-aws
branch
from
466bff4 to
cf357f8
Compare
Remove unused files, and extra logic that is not needed. To keep startup simple
When enclave starts, get config from flask.
Verify all mandatory params are set.
Ensure only allowed overrides are allowed.
Disable url override in prod.
Ensure debug is not enabled in prod.
NOTE: Tested manually, e2e is broken atm with a bore issue