# Reporteer

A secure service for interacting with TEE platforms from inside confidential containers. It fetches a platform-derived key, hashes it, and publishes the hash; it runs in Kata Containers on AMD SEV-SNP and Intel TDX.

## Features

- Fetches and hashes derived keys from the TEE platform
- Exposes the hash via a web interface and a JSON API
- Runs in confidential containers
- Supports AMD SEV-SNP and Intel TDX
- Follows security best practices and 12-factor app principles
## Prerequisites

- Rust 1.73 or later
- Docker
- Kubernetes cluster with Kata Containers support
- AMD SEV-SNP or Intel TDX capable hardware
## Build and deploy

- Build the application:

```bash
cargo build --release
```

- Build the Docker image:

```bash
docker build -t reporteer .
```

- Deploy to Kubernetes:

```bash
kubectl apply -f k8s/deployment.yaml
```
## Configuration

Configuration is done via environment variables:

- `REPORTEER_SERVER_PORT`: web server port (default: `3000`)
- `REPORTEER_ENDPOINT_URL`: TEE platform endpoint (default: `http://127.0.0.1:8006/derived_key`)
- `REPORTEER_LOG_LEVEL`: logging level (default: `info`)

See `.env.example` for all available options.
## API endpoints

- `GET /`: HTML page showing the derived key hash
- `GET /api/hash`: JSON endpoint returning the hash
- `GET /health`: health check endpoint
## Development

- Clone the repository:

```bash
git clone https://github.com/yourusername/reporteer.git
```

- Copy the environment file:

```bash
cp .env.example .env
```

- Run the tests:

```bash
cargo test
```

- Run locally:

```bash
cargo run
```
## Security

- Runs as a non-root user
- Uses confidential computing features
- Implements secure coding practices
- Regular security updates
## Docker image

The application runs in a minimal Debian-based container with:

- Non-root user
- Minimal dependencies
- Security hardening
- Multi-stage build
## Kubernetes deployment

The manifest in `k8s/deployment.yaml` includes:

- Kata Containers runtime
- Resource limits
- Health checks
- ConfigMap for configuration
- Security context
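The following manifest is an added illustration of how those five pieces fit together; it is not the project's own `k8s/deployment.yaml`. The RuntimeClass name `kata-qemu-snp`, the image tag `reporteer:latest`, the ConfigMap name, the UID, the resource figures and the extra hardening flags (`readOnlyRootFilesystem`, dropped capabilities, seccomp) are assumptions to adapt to your cluster.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: reporteer-config        # assumed name
data:
  REPORTEER_SERVER_PORT: "3000"
  REPORTEER_ENDPOINT_URL: "http://127.0.0.1:8006/derived_key"
  REPORTEER_LOG_LEVEL: "info"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reporteer
spec:
  selector:
    matchLabels:
      app: reporteer
  template:
    metadata:
      labels:
        app: reporteer
    spec:
      runtimeClassName: kata-qemu-snp   # assumed; use the Kata RuntimeClass your cluster registers
      securityContext:
        runAsNonRoot: true              # pod-level: refuse to start if the image runs as UID 0
        runAsUser: 1000                 # assumed UID matching the image's non-root user
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: reporteer
          image: reporteer:latest       # assumed tag
          envFrom:
            - configMapRef:
                name: reporteer-config  # REPORTEER_* variables come from the ConfigMap above
          ports:
            - containerPort: 3000
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: "100m", memory: "64Mi" }
            limits: { cpu: "500m", memory: "128Mi" }
          readinessProbe:
            httpGet: { path: /health, port: 3000 }
            periodSeconds: 10
          livenessProbe:
            httpGet: { path: /health, port: 3000 }
```

The `REPORTEER_ENDPOINT_URL` points at loopback because the derived-key service is expected to be reachable only from inside the confidential VM that Kata launches for the pod.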
## License

MIT License. See the `LICENSE` file for details.
## Contributing

- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request