demo: kustomize sgx sample deployments

adding kustomization to deploy sample jobs that demonstrate

1. launching of plain sample enclave application
2. SGX ECDSA quote generation "out-of-proc" using aesmd
3. SGX ECDSA quote generation "in-proc"

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

deployments/sgx_enclave_apps/base/intelsgx-job.yaml

@@ -16,11 +16,12 @@ spec:
           name: intelsgx-demo-job-1
           image: intel/sgx-sdk-demo:devel
           imagePullPolicy: IfNotPresent
+          workingDir: "/opt/intel/sgx-sample-app/"
+          command: ["/opt/intel/sgx-sample-app/sgx-sample-app"]
           securityContext:
             readOnlyRootFilesystem: true
             capabilities:
               add: ["IPC_LOCK"]
           resources:
             limits:
-              sgx.intel.com/enclave: 1
-              sgx.intel.com/epc: 1234 # TODO: update
+              sgx.intel.com/epc: "512Ki"

deployments/sgx_enclave_apps/base/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - intelsgx-job.yaml

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote/change_workingdir_and_command.json

@@ -0,0 +1,4 @@
+[
+  {"op": "replace", "path": "/spec/template/spec/containers/0/workingDir", "value": "/opt/intel/sgx-quote-generation/"},
+  {"op": "replace", "path": "/spec/template/spec/containers/0/command", "value": ["/opt/intel/sgx-quote-generation/sgx-quote-generation"]}
+]

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: "ecdsa-quote-"
+bases:
+  - ../../base
+commonAnnotations:
+  sgx.intel.com/quote-provider: "aesmd"
+patchesJson6902:
+- target:
+    group: batch
+    version: v1
+    kind: Job
+    name: intelsgx-demo-job
+  path: change_workingdir_and_command.json

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/add_hostnetwork.yaml

@@ -0,0 +1,11 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: intelsgx-demo-job
+spec:
+  template:
+    spec:
+      hostNetwork: true
+      containers:
+      - name: intelsgx-demo-job-1
+        image: intel/sgx-sdk-demo:devel

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/add_sgx_default_qcnl_conf.yaml

@@ -0,0 +1,21 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: intelsgx-demo-job
+spec:
+  template:
+    spec:
+      containers:
+      - name: intelsgx-demo-job-1
+        image: intel/sgx-sdk-demo:devel
+        volumeMounts:
+        - name: qplconf
+          mountPath: /etc/sgx_default_qcnl.conf
+          subPath: sgx_default_qcnl.conf
+      volumes:
+      - name: qplconf
+        configMap:
+          name: sgx-attestation-conf
+          items:
+          - key: sgx_default_qcnl.conf
+            path: sgx_default_qcnl.conf

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: "inproc-"
+bases:
+- ../sgx_ecdsa_aesmd_quote
+commonAnnotations:
+  sgx.intel.com/quote-provider: "intelsgx-demo-job-1"
+configMapGenerator:
+- name: sgx-attestation-conf
+  files:
+  - sgx_default_qcnl.conf
+patchesStrategicMerge:
+- add_hostnetwork.yaml
+- add_sgx_default_qcnl_conf.yaml

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/sgx_default_qcnl.conf

@@ -0,0 +1,2 @@
+PCCS_URL=https://localhost:8081/sgx/certification/v2/
+USE_SECURE_CERT=FALSE