Provide a test docker image for quick start

Junxian.Xiao · Junxian.Xiao · commit eb70e035922d · 2023-02-21T18:54:55.000+08:00
diff --git a/README.md b/README.md
@@ -3,34 +3,63 @@
 Attestation based Enclave Configuration service
 
 
-## Introduction to KubeTEE AECS
-KubeTEE AECS is based on KubeTEE Trusted Function Framework, and provide the
-secret generation, management, storage and dispatch service to TEE applications.
-After bidirectional authentication based on remote attestation between AECS and
-all TEE-based application service, each service enclave instance will get the secrets
-from AECS server, and use the secrets for later data encryption or decryption.
+## 1 Introduction to KubeTEE AECS
+
+KubeTEE AECS provides the secret generation, management, storage and dispatch
+service to TEE applications. After bidirectional authentication based on
+remote attestation between AECS and all TEE-based application service,
+each service enclave instance will share the secrets from AECS server,
+and use the secrets for later use cases.
 
 ![AECS](docs/aecs.jpg)
 
+As far as now, we support the following type of secrets:
+
+- AES-GCM 256 key
+- RSA key pair
+- SM2 key pair
+- Self-signed certificate and key
+- Secret imported by user (Bring your own seret)
+- Application sensitive configurations as key-value pair
+
+
+## 2 Quick Start
 
-## Quick Start
 
-## Update sub-modules
+### 2.1 Run prebuild AECS server for test only
+
+We provide a public docker image for AECS server test only. It's runing in
+simulation mode and also has debug log messages. Try it simply like this:
+
+```
+./deployment/start.sh start  # stop command to stop it
+```
+
+
+### 2.2 Build the test AECS server from source code
+
+In case you want to build the AECS and create the docker image by your self,
+please follow the steps (2.2.1 ~ 2.2.4) below.
+
+
+#### 2.2.1 Update sub-modules
 
 If it's the first time you build the project after clone the source code,
 please update the sub-modules like the this.
 
 ```
-$ git submodule update --init --recursive
+git submodule update --init --recursive
 ```
 
-### Build Project in Docker Environment
+
+#### 2.2.2 Build Project in Docker Environment
 
 ```
 ./deployment/dockerbuild.sh [--build Debug]
 ```
 
-## Create the Docker Image
+
+#### 2.2.3 Create the Docker Image
 
 You need to generate the test certificates like this (for development and test only, should use formal certificates in product environment):
 
@@ -44,13 +73,13 @@ Then create the image with test certificates and configurations.
 ./deployment/create_image.sh
 ```
 
-### To Start the AECS server
+#### 2.2.4 Start the AECS server
 
 ```
 ./deployment/run_image.sh ./aecs_server
 ```
 
-### Manage the Enclave Service
+### 2.3 Manage the Enclave Service
 
 ```
 # Save the AECS identity key into storage for backup for the first time to start the aecs server
@@ -62,22 +91,22 @@ Then create the image with test certificates and configurations.
 ./deployment/run_image.sh ./aecsadmin --config /etc/kubetee/aecs_admin_test.kubeconfig --action list
 ```
 
-### Manage the Enclave Service Secrets
+### 2.4 Manage the Enclave Service Secrets
 
 ```
 # Create three test secrets for service1 and list all of them
 ./deployment/run_image.sh ./serviceadmin --config /etc/kubetee/service_admin_test.kubeconfig --action create --policy /etc/kubetee/service_secret_policy.yaml
 ./deployment/run_image.sh ./serviceadmin --config /etc/kubetee/service_admin_test.kubeconfig --action list
 ```
 
-## Contributing
+## 3 Contributing
 
 KubeTEE AECS is not final stable at this moment. There will be some improvements or new feature updates later.
 Anyone is also welcome to provide any form of contribution, please see CONTRIBUTING.md for details.
 
 For any security vulnerabilities or other problems, please contact us by [email](mailto:SOFAEnclaveSecurity@list.alibaba-inc.com).
 
 
-## License
+## 4 License
 KubeTEE AECS is released by Ant Group under Apache 2.0 License and also used some other opensource code.
 See the license information [here](LICENSE) for detail.
diff --git a/deployment/aecs_test.sh b/deployment/aecs_test.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+THISDIR="$(readlink -f $(dirname $0))"
+
+IMAGE="antkubetee/kubetee-aecs-test:2.0"
+CONTAINERNAME="kubetee-aecs-service-test"
+
+check_aecs_image() {
+    if sudo docker images | grep "antkubetee\/kubetee-aecs-test[\ ]*2.0" ; then
+        echo "The aecs v2.0 test image is already existing!"
+    else
+        echo "Pulling aecs v2.0 test image ..."
+        sudo docker pull antkubetee/kubetee-aecs-test:2.0 
+    fi
+}
+
+start_aecs_server() {
+    # Run aecs_server in background
+    # Have not remove storage directory here to save history secrets
+    echo "Create the aecs test container ..."
+    sudo docker run -td \
+        --name $CONTAINERNAME \
+        --privileged \
+        --net=host \
+        --cap-add=SYS_PTRACE \
+        --security-opt seccomp=unconfined \
+        --env LD_LIBRARY_PATH=/opt/intel/sgxsdk/lib64/ \
+        -v $THISDIR/storage:/root/storage \
+        $IMAGE "./aecs_server"
+
+    echo "Waiting for aecs start ..."
+    sleep 3
+}
+
+stop_aecs_test() {
+    echo "Destroy the aecs test container ..."
+    sudo docker rm -f $CONTAINERNAME
+}
+
+do_aecs_provison() {
+    # Provison
+    $THISDIR/run_image.sh ./aecsadmin \
+        --config /etc/kubetee/aecs_admin_test.kubeconfig \
+        --action provision \
+        --hostname localtest
+}
+
+register_aecs_test_service() {
+    # Create the test service
+    $THISDIR/run_image.sh ./aecsadmin \
+        --config /etc/kubetee/aecs_admin_test.kubeconfig \
+        --action register \
+        --service service1 \
+        --pubkey /etc/certs/service_admin_public.pem
+    $THISDIR/run_image.sh ./aecsadmin \
+        --config /etc/kubetee/aecs_admin_test.kubeconfig \
+        --action list
+}
+
+create_aecs_test_secrets() {
+    # Create the test secrets for test service
+    $THISDIR/run_image.sh ./serviceadmin \
+        --config /etc/kubetee/service_admin_test.kubeconfig \
+        --action create \
+        --policy /etc/kubetee/service_secret_policy.yaml
+    $THISDIR/run_image.sh ./serviceadmin \
+        --config /etc/kubetee/service_admin_test.kubeconfig \
+        --action list
+}
+
+start_aecs_test() {
+    check_aecs_image && \
+    start_aecs_server && \
+    do_aecs_provison && \
+    register_aecs_test_service && \
+    create_aecs_test_secrets
+}
+
+case $1 in
+    start) start_aecs_test ;;
+    stop)  stop_aecs_test ;;
+    *) echo "Usage: $0 [start|stop]"
+esac
diff --git a/deployment/create_image.sh b/deployment/create_image.sh
@@ -2,7 +2,7 @@
 
 THISDIR="$(readlink -f $(dirname $0))"
 DOCKERFILE="${1:-${THISDIR}/dockerfile/Dockerfile}"
-IMAGENAME="${2:-kubetee-aecs-service:1.0}"
+IMAGENAME="${2:-antkubetee/kubetee-aecs-test:2.0}"
 #IMAGETAG="$(date +%F-%H%M%S)"
 
 if [ ! -f "$DOCKERFILE" ] ; then
diff --git a/deployment/run_image.sh b/deployment/run_image.sh
@@ -3,7 +3,7 @@
 SCRIPTNAME="$(basename $0)"
 THISDIR="$(dirname $(readlink -f $0))"
 
-IMAGE="kubetee-aecs-service:1.0"
+IMAGE="antkubetee/kubetee-aecs-test:2.0"
 CONTAINERNAME="kubetee-aecs-service-$$"
 if [ -z "$IMAGE" ] ; then
     echo "Usage: $SCRIPTNAME <image:tag> [container-name]"
