Container Image and Lua Plugins
- HAProxy Lua plugins and configuration:
s3://oblv-deploy/dev/attestation-proxy/0.1.0 - Attestation Proxy container image:
494148202604.dkr.ecr.us-east-2.amazonaws.com/oblv-attestation-proxy:0.1.0
The Attestation Proxy enables secure, attested mTLS tunnels between enclaves and external services like AWS KMS or Azure Key Vault. Follow the steps below to deploy it in your infrastructure.
Artifacts:
1
2
Environment Variables
Configure the following variables based on your setup:
| Variable | Description |
|---|---|
ATTESTATION_SERVER_CERT_DIR | Directory for the server certificate. |
ATTESTATION_CLIENT_CA_DIR | Directory for the CA certificate bundle (use @system-ca for public CAs). |
ATTESTATION_PROXY_BACKEND_HOST | Hostname of the attestation backend. |
ATTESTATION_PROXY_BACKEND_PORT | Port of the attestation backend. |
ATTESTATION_UPSTREAM_DOMAIN | Domain of the upstream service (e.g., kms.us-east-2.amazonaws.com). |
ATTESTATION_UPSTREAM_PORT | Port of the upstream service (e.g., 443). |
1
Kubernetes Deployment
-
Prepare Resources
- Create a Kubernetes TLS Secret (
ingress-tls) for HAProxy certificate - Setup the service account (
attestation-proxy-sa) with permission to pull from AWS s3 bucket
- Create a Kubernetes TLS Secret (
-
Apply the Deployment Manifest: Use the following Kubernetes Manifest to deploy the Attestation Proxy
apiVersion: apps/v1
kind: Deployment
metadata:
name: attestation-proxy-deployment
spec:
replicas: 1
selector:
matchLabels:
app: attestation-proxy
template:
metadata:
labels:
app: attestation-proxy
spec:
serviceAccountName: attestation-proxy-sa
initContainers:
- name: init-s3-config
image: amazon/aws-cli
env:
- name: S3_BUCKET
value: "oblv-deploy"
- name: S3_KEY
value: "dev/attestation-proxy/0.1.0"
command:
[
"sh",
"-c",
"aws s3 cp s3://$S3_BUCKET/$S3_KEY /tmp/haproxy/configs",
]
volumeMounts:
- name: haproxy-config
mountPath: /tmp/haproxy/configs
containers:
- name: attestation-haproxy
image: haproxytech/haproxy-debian:2.7
ports:
- containerPort: 443
- containerPort: 12008
env:
- name: ATTESTATION_UPSTREAM_DOMAIN
value: "kms.us-east-2.amazonaws.com"
- name: ATTESTATION_UPSTREAM_PORT
value: "443"
- name: ATTESTATION_CLIENT_CA_DIR
value: "@system-ca"
- name: ATTESTATION_SELF_SIGNED_IGNORE_ERROR
value: "all"
- name: ATTESTATION_SERVER_CERT_DIR
value: "/tmp/haproxy/certs/server/"
- name: ATTESTATION_PROXY_BACKEND_HOST
value: "localhost"
- name: ATTESTATION_PROXY_BACKEND_PORT
value: "8000"
volumeMounts:
- name: haproxy-configs
mountPath: /usr/local/etc/haproxy/
- name: server-cert
mountPath: /tmp/haproxy/certs/server/
- name: allowed-thumbprints-vol
mountPath: /etc/haproxy/enclaves
- name: attestation-proxy-backend
image: 494148202604.dkr.ecr.us-east-2.amazonaws.com/oblv-attestation-proxy:0.2.1
env:
- name: RUST_LOG
value: "info"
volumeMounts:
- name: server-cert
mountPath: /oblv/cert.pem
subPath: tls.crt
- name: allowed-thumbprints-vol
mountPath: /oblv/enclaves/
command:
[
"oblv_attestation_proxy",
"--tls-cert",
"/oblv/cert.pem",
"--enclaves-json",
"/oblv/enclaves/allowed_sha2.txt",
"--enclave-config-dir",
"/oblv/configs",
"--invalidation-interval",
"100",
]
volumes:
- name: haproxy-configs
emptyDir: {}
- name: allowed-thumbprints-vol
emptyDir: {}
- name: server-cert
secret:
secretName: ingress-tls
items:
- key: tls.crt
path: server.pem
- key: tls.key
path: server.pem.key