Example code and end-to-end test cases for confidential ACI. Contains infrastructure for deploying Confidential Azure Container Instances based on AMD SEV-SNP.
Hello world server running in a confidential container.
Deploys two containers in the same container group and demonstrates communication between the two.
Simplest possible example to demonstrate how resources are managed by this repo.
Fetches and validates an SNP Attestation report, locally as well as using the Attestation sidecar.
Uses attestation to perform a secure key release from an Azure HSM.
Uses the Encrypted Filesystem sidecar to demonstrate using attestation to perform a secure key release from an Azure HSM which is then used to decrypt a simple filesystem.
There are three main ways to run examples:
Every example has a corresponding GitHub Action which runs against all security policies in the example's manifest, as well as one generated by the ACI Policy Generation tool.
See all workflows here.
Certain workflows are run regularly as an indicator for the health of confidential ACI. You can find them here.
It is also possible to manually run steps in the example testing process with the following workflows:
The simplest way to run the tests locally is to use GitHub Codespaces.
This will set up a full development environment with everything needed to run examples.
CREDENTIALS: If you do not have write permissions on this project, or you check out manually (i.e. without using Codespaces), you will need to provide your own credentials by modifying the Environment file and re-running setup.sh.
MANUAL SETUP: To check out and set up manually, please refer to the Dev Container to follow the setup process.
Then you can open VS Code's testing view, where examples can be run with or without a debugger.
If a particular step of an example needs debugging, the steps can be run individually through VS Code's Run and Debug view. Most examples follow these steps:
- Build and Push Images
- Generate ARM Template for ACI deployment
- Generate a security policy based on that ARM template (optional)
- Add a security policy to the ARM template
- Deploy ARM Template
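The "add a security policy to the ARM template" step is worth seeing in code, because it is where a mistake silently produces a deployment that is not what you audited. The block below is an added example, not code from this repository: it assumes an ARM template in the shape ACI uses for confidential container groups (resource type Microsoft.ContainerInstance/containerGroups, sku Confidential, the base64-encoded policy in confidentialComputeProperties.ccePolicy) and a Rego policy string of the kind the ACI Policy Generation tool emits. The template and the abbreviated policy are constructed samples, and the policy_digest helper encodes this example's assumption that the SHA-256 of the decoded Rego text is the value an attestation check compares against the report's HOST_DATA field.

```python
import base64
import copy
import hashlib
import json

CONTAINER_GROUP_TYPE = "Microsoft.ContainerInstance/containerGroups"

# Constructed sample: a minimal ARM template for one confidential ACI
# container group. Real generated templates carry more fields; these are
# the ones the policy step touches.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": CONTAINER_GROUP_TYPE,
            "apiVersion": "2023-05-01",
            "name": "simple-server",
            "location": "eastus",
            "properties": {
                "sku": "Confidential",
                "osType": "Linux",
                "containers": [
                    {
                        "name": "simple-server",
                        "properties": {
                            "image": "example.azurecr.io/simple-server:latest",
                            "resources": {"requests": {"cpu": 1, "memoryInGB": 1}},
                        },
                    }
                ],
                "confidentialComputeProperties": {"ccePolicy": ""},
            },
        }
    ],
}

# Constructed, abbreviated stand-in for a generated Rego policy.
SAMPLE_POLICY = """package policy

api_version := "0.10.0"
framework_version := "0.2.3"

containers := [
    {
        "id": "example.azurecr.io/simple-server:latest",
        "allow_elevated": false,
        "command": ["/app/server"],
    },
]
"""


def container_groups(template):
    """All container group resources in the template."""
    return [r for r in template.get("resources", []) if r.get("type") == CONTAINER_GROUP_TYPE]


def encode_policy(policy_rego):
    """ccePolicy carries the base64 encoding of the UTF-8 Rego text."""
    if not policy_rego.strip():
        raise ValueError("refusing to embed an empty policy")
    return base64.b64encode(policy_rego.encode("utf-8")).decode("ascii")


def decode_policy(cce_policy):
    """Inverse of encode_policy, used to confirm what actually got embedded."""
    return base64.b64decode(cce_policy).decode("utf-8")


def policy_digest(policy_rego):
    """Hex SHA-256 over the decoded Rego text. Assumption in this example:
    this is the value to compare against HOST_DATA in the SNP report."""
    return hashlib.sha256(policy_rego.encode("utf-8")).hexdigest()


def add_policy_to_template(template, policy_rego):
    """Return a copy of template with the policy embedded in every container group.

    Refuses templates with no container group, or with a group whose sku is
    not Confidential, since ccePolicy is only meaningful on a confidential SKU
    and passing silently would hide a misconfiguration."""
    if not container_groups(template):
        raise ValueError("template has no container group resource")
    encoded = encode_policy(policy_rego)
    result = copy.deepcopy(template)
    for group in container_groups(result):
        props = group.setdefault("properties", {})
        if props.get("sku") != "Confidential":
            raise ValueError(f"{group.get('name')}: ccePolicy requires sku Confidential")
        props.setdefault("confidentialComputeProperties", {})["ccePolicy"] = encoded
    return result


def groups_missing_policy(template):
    """Names of container groups with an empty or absent ccePolicy: a pre-deploy check."""
    missing = []
    for group in container_groups(template):
        cce = group.get("properties", {}).get("confidentialComputeProperties", {}).get("ccePolicy", "")
        if not cce:
            missing.append(group.get("name"))
    return missing


if __name__ == "__main__":
    deployable = add_policy_to_template(SAMPLE_TEMPLATE, SAMPLE_POLICY)
    print(json.dumps(deployable, indent=2))
    print("expected policy digest:", policy_digest(SAMPLE_POLICY))
```

Run groups_missing_policy on the final template right before the deploy step, and keep the printed digest next to the deployment name so the attestation step has something concrete to compare against.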
Once the deployment is complete, you can run an example via unittest against the static deployment by setting the DEPLOYMENT_NAME environment variable in the env file.
You can currently run the following examples against Container Platform.
- Simple Server
- Remote Image
To do so, log into Azure with an account which has access to both the Azure DevOps repository for ContainerPlatform and the Atlas Image on which it runs. Then either set the environment variable BACKEND=VM, or, when running each step manually, use the following steps:
- Build and Push Images
- Generate VM ARM Template
- Deploy Container Platform
- Run Container Platform
- Must contain an __init__.py file.
- Must be directly under your new directory and named manifest.json
- At least one container image is needed, so create a Dockerfile and mention it in the manifest
- Manifest files are automatically validated if running in Codespaces; otherwise refer to the schema in .devcontainer.json
- Add Python code which uses the unittest module to declare tests; inherit TestCase to deploy containers during the setup of tests.
- Contains a single job which uses the test_example.yml workflow
- Add a workflow for pushing the latest image to the registry
- If the example requires new repository secrets, they need to be added to local_workflow.yml and _resolve_manifest.yml. Adding new secrets requires Administrative access on this repository.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.