Expand description
§Phala TEE Deploy - Rust Client
A Rust client library for deploying Docker containers to the Phala TEE Cloud platform. This library provides secure, efficient tools for managing containerized applications within Trusted Execution Environments.
§Key Features
- Secure Deployment: Environment variables are encrypted using industry-standard cryptography
- Flexible API: Both high-level (TeeDeployer) and low-level (TeeClient) interfaces
- Docker Compose Integration: Direct integration with Docker Compose configurations
- TEEPod Management: Discovery and selection of available TEE environments
- Robust Error Handling: Comprehensive error types with detailed diagnostics
- Secure Workflows: Support for separated operator/user deployment patterns
§Quick Start
use phala_tee_deploy_rs::{Result, TeeDeployerBuilder};
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<()> {
// Create a deployer with your API key
let mut deployer = TeeDeployerBuilder::new()
.with_api_key("your-api-key")
.build()?;
// Discover available TEEPods
let teepods = deployer.discover_teepod().await?;
// Define environment variables (will be encrypted)
let mut env_vars = HashMap::new();
env_vars.insert("PORT".to_string(), "8080".to_string());
env_vars.insert("NODE_ENV".to_string(), "production".to_string());
// Deploy a simple NGINX service
let result = deployer.deploy_simple_service(
"nginx:latest",
"web",
"my-webapp",
env_vars,
Some(vec!["80:80".to_string()]),
None,
None,
None,
None,
None,
).await?;
println!("Deployment successful: {:?}", result);
Ok(())
}§Security
This library implements several security best practices:
- X25519 key exchange for secure key distribution
- AES-GCM for authenticated encryption of sensitive data
- TLS for all API communications
- Sensitive data is never logged in plaintext
§Secure Operator/User Workflow
This library supports a secure workflow pattern that separates infrastructure management from sensitive data:
use phala_tee_deploy_rs::{Encryptor, Result, TeeDeployerBuilder, PubkeyResponse};
// OPERATOR PHASE 1: Setup infrastructure and get public key
async fn operator_setup() -> Result<(serde_json::Value, String, String)> {
let mut deployer = TeeDeployerBuilder::new()
.with_api_key("operator-api-key")
.build()?;
let teepods = deployer.discover_teepod().await?;
// Create VM configuration
let vm_config = deployer.create_vm_config(
"version: '3'\nservices:\n app:\n image: nginx:alpine",
"secure-app",
None, None, None
)?;
// Get encryption public key
let vm_config_value = serde_json::to_value(&vm_config).unwrap();
let pubkey_response: PubkeyResponse = deployer.get_pubkey_for_config(&vm_config_value).await?;
let pubkey = pubkey_response.app_env_encrypt_pubkey;
let salt = pubkey_response.app_id_salt;
// Return VM config and encryption keys (to be sent to user)
Ok((vm_config_value, pubkey, salt))
}
// USER: Encrypt sensitive data
fn user_encrypt_secrets(pubkey: &str) -> Result<String> {
let secrets = vec![
("DB_PASSWORD".to_string(), "super-secret-password".to_string()),
("API_KEY".to_string(), "secret-api-key".to_string()),
];
// Encrypt with public key
let encrypted_env = Encryptor::encrypt_env_vars(&secrets, pubkey)?;
// Return encrypted data (to be sent back to operator)
Ok(encrypted_env)
}
// OPERATOR PHASE 2: Deploy with encrypted environment variables
async fn operator_deploy(
vm_config: serde_json::Value,
encrypted_env: String,
pubkey: &str,
salt: &str
) -> Result<()> {
let mut deployer = TeeDeployerBuilder::new()
.with_api_key("operator-api-key")
.build()?;
// Deploy with encrypted environment variables
let deployment = deployer.deploy_with_encrypted_env(
vm_config, encrypted_env, &pubkey, &salt
).await?;
println!("Deployed successfully: {}", deployment.id);
Ok(())
}§Documentation
For more advanced usage, see:
TeeDeployer: High-level API for most deployment scenariosTeeClient: Low-level API for direct control over deployment detailsDeploymentConfig: Configuration options for the deployment process
§Error Handling
The library uses a comprehensive Error type with variants for different
failure scenarios, making error diagnosis and handling straightforward.
Structs§
- Advanced
Features - Advanced features configuration for TEE deployments.
- Attestation
Response - TEE attestation from
GET /api/v1/cvms/{cvm_id}/attestation. - Compose
Manifest - Docker Compose manifest configuration.
- Compose
Manifest Response - Compose manifest configuration.
- Compose
Response - Response when retrieving a compose configuration.
- CvmInfo
- Full CVM info from
GET /api/v1/cvms/{cvm_id}. - CvmState
Response - CVM state from
GET /api/v1/cvms/{cvm_id}/state. - Deployment
Config - Configuration for deploying applications to the Phala TEE Cloud.
- Deployment
Response - Response from a deployment operation.
- Disk
Info - System information for a disk in a virtual machine.
- Docker
Config - Docker registry authentication configuration.
- Encrypted
Env - Encrypted environment variable entry.
- Encryptor
- Cryptographic utilities for secure data transmission.
- Network
Info Response - Response containing network information for a deployment.
- Pubkey
Response - Response from a pubkey request.
- Public
Urls - Public URLs for accessing a deployment.
- System
Info - Detailed system information for a virtual machine.
- System
Stats Response - Response containing system statistics for a container VM.
- TeeClient
- Client for interacting with the Phala TEE Cloud API.
- TeeDeployer
TeeDeployerprovides a high-level interface for deploying Docker Compose applications to the Phala TEE Cloud platform.- TeeDeployer
Builder - Builder for creating a
TeeDeployerwith a fluent interface. - TeePod
Capacity - Capacity configuration for a TEEPod cluster.
- TeePod
Discovery Response - Response from the TEEPod discovery API endpoint.
- TeePod
Image - VM image configuration for a TEEPod.
- TeePod
Node - Information about a TEEPod node.
- VmConfig
- Virtual Machine configuration for a TEE deployment.
Enums§
- Error
- Error types for the Phala TEE deployment library.
Type Aliases§
- Result
- Result type for Phala TEE deployment operations.