confidential-containers / enclave-cc

Process-based Confidential Container Runtime
Apache License 2.0

how to configure image decryption keys #391

Open reclock opened 6 months ago

reclock commented 6 months ago

yaml:

apiVersion: v1
kind: Pod
metadata:
  name: enclave-cc-pod-test
spec:
  containers:
  - image: ghcr.io/confidential-containers/test-container-enclave-cc:encrypted
    name: hello-world
    workingDir: "/run/rune/boot_instance/"
    env:
    - name: OCCLUM_RELEASE_ENCLAVE
      value: "1"
    command:
    - /run/rune/boot_instance/build/bin/occlum-run
    - /bin/hello_world
  runtimeClassName: enclave-cc

error: (screenshot attached, not reproduced here)

mythi commented 5 months ago

our CI setup doc should help: https://github.com/confidential-containers/enclave-cc/blob/main/docs/ci-setup.md

reclock commented 5 months ago
  1. git clone https://github.com/confidential-containers/kbs.git && cd kbs
  2. docker compose up -d
     then error: (screenshot attached, not reproduced here)

reclock commented 5 months ago

The key and the key id are defined in the test image's Dockerfile

Must the key and keyid be declared in the dockerfile? Do I also need to modify the key here if I want to change it? Shouldn't it be provided by kbs?

mythi commented 5 months ago
2. docker compose up -d
   then error:

you should be able to use the pre-built images instead of getting them built yourself (uncomment the images and pick the latest from https://github.com/orgs/confidential-containers/packages?repo_name=trustee)

Must the key and keyid be declared in the dockerfile? Do I also need to modify the key here if I want to change it? Shouldn't it be provided by kbs?

No, the labels are just "notes". The setup doc should use the same "secrets" used for encrypting the test image we use.
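The replies above boil down to one rule: the labels in the test image's Dockerfile are only a record of which key id and key were used at build time, and KBS has to serve that same key under that same id or the guest cannot decrypt the layers. The following Go program is an added illustration of that rule and is not code from enclave-cc, trustee or the CI setup doc. The label names (enclave-cc.test.key-id, enclave-cc.test.key), the sample Dockerfile text, the in-memory KeyBroker map standing in for the KBS repository, and the AES-256-GCM layer format are all assumptions for this example; real images are encrypted with ocicrypt/skopeo and the real KBS is queried over HTTP, neither of which is modelled here.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed stand-in for the test image's Dockerfile. Label names and values
// are assumptions for this example; the real Dockerfile is not on the page.
const sampleDockerfile = `FROM scratch
LABEL enclave-cc.test.key-id="default/key/image-key"
LABEL enclave-cc.test.key="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
COPY hello_world /bin/hello_world
`

// KeyNotesFromDockerfile reads the key id and hex key recorded as LABELs.
// Nothing at runtime consumes these labels; they only tell the operator what
// to load into KBS (hence "the labels are just notes").
func KeyNotesFromDockerfile(dockerfile string) (kid string, key []byte, err error) {
	var keyHex string
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "LABEL ") {
			continue
		}
		name, value, ok := strings.Cut(strings.TrimPrefix(line, "LABEL "), "=")
		if !ok {
			continue
		}
		switch value = strings.Trim(value, `"`); name {
		case "enclave-cc.test.key-id":
			kid = value
		case "enclave-cc.test.key":
			keyHex = value
		}
	}
	if kid == "" || keyHex == "" {
		return "", nil, errors.New("dockerfile lacks a key id or key label")
	}
	if key, err = hex.DecodeString(keyHex); err != nil {
		return "", nil, err
	}
	if len(key) != 32 {
		return "", nil, fmt.Errorf("key is %d bytes, want 32 for AES-256", len(key))
	}
	return kid, key, nil
}

// KeyBroker models the KBS resource repository: key id -> key bytes.
type KeyBroker map[string][]byte

// EncryptedLayer is a simplified encrypted layer carrying its key id as an
// annotation. This is not ocicrypt's real layer or annotation format.
type EncryptedLayer struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output (tag included); key id bound as AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLayer is the build-time side: encrypt under the key noted in the Dockerfile.
func EncryptLayer(kid string, key, plaintext []byte) (*EncryptedLayer, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &EncryptedLayer{KeyID: kid, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(kid))}, nil
}

// DecryptLayer is the guest-side path: resolve the key id at KBS, then decrypt.
// A missing id, or a key that differs from the one used at build time, fails
// here, which is the symptom this issue reports.
func DecryptLayer(kbs KeyBroker, layer *EncryptedLayer) ([]byte, error) {
	key, ok := kbs[layer.KeyID]
	if !ok {
		return nil, fmt.Errorf("kbs: no resource for key id %q", layer.KeyID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, layer.Nonce, layer.Ciphertext, []byte(layer.KeyID))
	if err != nil {
		return nil, fmt.Errorf("kbs key for %q does not match the image's encryption key: %w", layer.KeyID, err)
	}
	return pt, nil
}

func main() {
	kid, key, err := KeyNotesFromDockerfile(sampleDockerfile)
	if err != nil {
		panic(err)
	}
	layer, _ := EncryptLayer(kid, key, []byte("constructed layer contents"))
	_, err = DecryptLayer(KeyBroker{kid: key}, layer) // KBS holds the same secret
	fmt.Println("matching key in KBS:", err)
	_, err = DecryptLayer(KeyBroker{kid: make([]byte, 32)}, layer) // same id, other key
	fmt.Println("different key under the same id:", err)
}
```

The check that matters in practice is the last one: the key id can be present in KBS and the pull still fails if the bytes behind it are not the ones the image was encrypted with, so when you change the key you must re-encrypt the image and re-provision KBS together.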