confidential-containers · portersrc · Jun 1, 2025 · Jun 1, 2025 · Jun 1, 2025 · Jun 2, 2025
@@ -78,7 +78,10 @@ jobs:
     - name: Build Container Image KBS (${{ matrix.name }})
       run: |
         commit_sha=${{ github.sha }}
-        docker buildx build --platform "${{ matrix.target_platform }}" --provenance false \
+        docker buildx build \
+          --platform "${{ matrix.target_platform }}" \
+          --provenance false \
+          --build-arg NEBULA_CA_PLUGIN=true \
           -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \

@@ -16,3 +16,6 @@ auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
 name = "resource"
 type = "LocalFs"
 dir_path = "/opt/confidential-containers/kbs/repository"
+
+[[plugins]]
+name = "nebula-ca"
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: lighthouse
+spec:
+  containers:
+  - name: lighthouse
+    image: lighthouse-container-image
+    command:
+    - "bin/sh"
+    - "-c"
+    - "while (true); do sleep 10000; done"
+    securityContext:
+      privileged: true 
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+images:
+- name: lighthouse
+  newName: ghcr.io/portersrc/lighthouse
+  newTag: latest
+
+resources:
+- deployment.yaml
+- service.yaml
@@ -0,0 +1,12 @@
+# Service to expose the lighthouse
+apiVersion: v1
+kind: Service
+metadata:
+  name: lighthouse
+spec:
+  selector:
+    app: lighthouse
+  ports:
+  - protocol: UDP
+    port: 4242
+    targetPort: 4242
@@ -4,6 +4,7 @@ namespace: coco-tenant
 
 resources:
 - ../base
+- ../lighthouse
 
 patches:
 - path: patch.yaml

@@ -0,0 +1,38 @@
+# Create an image with kbs-client
+# Based on kbs/docker/kbs-client-image/Dockerfile
+FROM docker.io/library/rust:1.80.0 AS builder
+
+WORKDIR /usr/src/kbs
+COPY . .
+
+RUN apt-get update && apt-get install -y pkg-config libssl-dev git sudo
+RUN cd kbs && make cli-static-linux && \
+    cp ../target/$(uname -m)-unknown-linux-gnu/release/kbs-client /
+
+
+# Create a 2nd image. The other will be discarded.
+# Copy in the kbs-client that we just built, add some utilities and nebula
+FROM ubuntu:22.04
+COPY --from=builder /kbs-client /usr/local/bin/kbs-client
+
+ARG BUILDPLATFORM=linux/amd64
+ARG NEBULA_VERSION=v1.9.5
+
+# install some useful tools
+RUN apt-get update
+RUN apt install -y \
+  curl \
+  jq \
+  iputils-ping \
+  iproute2
+RUN echo no | apt-get install -y iperf3
+
+# Download and install Nebula
+RUN \
+  curl -fSLO https://github.com/slackhq/nebula/releases/download/${NEBULA_VERSION}/nebula-$(echo ${BUILDPLATFORM} | sed 's/\//-/').tar.gz && \
+  tar -C /usr/local/bin -xzf nebula-$(echo "${BUILDPLATFORM}" | sed 's/\//-/').tar.gz
+
+RUN mkdir -p /opt/nebula/config
+RUN mkdir -p /opt/nebula/creds
+COPY kbs/docker/lighthouse/assets/lighthouse-config.yaml /opt/nebula/config
+COPY kbs/docker/lighthouse/assets/start-lighthouse.sh /usr/local/bin