Set manifest
Setting the manifest enables the Contrast Coordinator to verify the deployment.
Applicability
This step is mandatory for all Contrast deployments. Workloads won't start until a valid manifest has been configured.
Prerequisites
- Set up cluster
- Install CLI
- Deploy the Contrast runtime
- Add Coordinator to resources
- Prepare deployment files
- Configure TLS (optional)
- Enable GPU support (optional)
- Generate annotations and manifest
- Deploy application
- Connect to Coordinator
How-to
Attest the Coordinator and set the manifest:
contrast set -c "${coordinator}:1313" resources/
This uses the reference values from the manifest file to attest the Coordinator. After this step, the Coordinator starts issuing TLS certificates to the workloads. The init container fetches a certificate for the workload, and the workload is then started.
Atomic manifest updates
By default, setting the manifest doesn't take the previous state of the Coordinator into account.
This means that a manifest update can accidentally overwrite a previous Coordinator state set by another party.
To prevent this, use the --atomic flag:
contrast set -c "${coordinator}:1313" --atomic resources/
This will only update the manifest if the manifest history at the Coordinator matches the expected history.
When setting the manifest on an already initialized Coordinator, the latest transition hash has to be obtained by running contrast verify.
An atomic manifest update will then automatically read the hash from verify/latest-transition.
When setting the manifest for the first time, the expected transition hash is 00...00 (32 zero bytes, hex-encoded) and will be set automatically if the verify/latest-transition file doesn't exist.
Optionally, you can specify a transition hash using the --latest-transition flag:
contrast set -c "${coordinator}:1313" --atomic --latest-transition ab...cd resources/
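The following wrapper is an added example, not part of the Contrast CLI or its documentation. It resolves the transition hash an atomic update should expect, rejects a malformed verify/latest-transition file before anything is sent to the Coordinator, and passes the hash explicitly. The function names are hypothetical, and it assumes the file stores the hash as hex text.

```shell
#!/bin/sh
# Added example, not part of the Contrast CLI.
# Assumption: verify/latest-transition contains the hash as hex text.

# First-time value from the page: 32 zero bytes, hex-encoded (64 chars).
ZERO_TRANSITION=$(printf '%064d' 0)

# expected_transition VERIFY_DIR
# Prints the hash an atomic update should expect; fails on a malformed file.
expected_transition() {
  file="$1/latest-transition"
  if [ ! -e "$file" ]; then
    # No verify output yet: treat this as the first manifest.
    printf '%s\n' "$ZERO_TRANSITION"
    return 0
  fi
  hash=$(tr -d '[:space:]' < "$file")
  case "$hash" in
    ''|*[!0-9a-fA-F]*)
      echo "error: $file isn't a hex-encoded hash" >&2
      return 1 ;;
  esac
  if [ "${#hash}" -ne 64 ]; then
    echo "error: $file holds ${#hash} hex chars, expected 64" >&2
    return 1
  fi
  printf '%s\n' "$hash"
}

# atomic_set COORDINATOR RESOURCES_DIR [VERIFY_DIR]
# Logs the expected hash, then runs the atomic update with it pinned.
# If another party changed the history in between, the update is refused
# instead of overwriting their state.
atomic_set() {
  expected=$(expected_transition "${3:-verify}") || return 1
  echo "expecting latest transition: $expected" >&2
  contrast set -c "$1:1313" --atomic --latest-transition "$expected" "$2"
}
```

Run contrast verify first so that verify/latest-transition reflects the Coordinator's current history, then call atomic_set "${coordinator}" resources/.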