
The Attestation Proxy enables secure, attested mTLS tunnels between enclaves and external services like AWS KMS or Azure Key Vault. Follow the steps below to deploy it in your infrastructure.

Artifacts:

Container Image and Lua Plugins
  • HAProxy Lua plugins and configuration: s3://oblv-deploy/dev/attestation-proxy/0.1.0
  • Attestation Proxy container image: 494148202604.dkr.ecr.us-east-2.amazonaws.com/oblv-attestation-proxy:0.1.0

Environment Variables

Configure the following variables based on your setup:

| Variable | Description |
| --- | --- |
| ATTESTATION_SERVER_CERT_DIR | Directory for the server certificate. |
| ATTESTATION_CLIENT_CA_DIR | Directory for the CA certificate bundle (use @system-ca for public CAs). |
| ATTESTATION_PROXY_BACKEND_HOST | Hostname of the attestation backend. |
| ATTESTATION_PROXY_BACKEND_PORT | Port of the attestation backend. |
| ATTESTATION_UPSTREAM_DOMAIN | Domain of the upstream service (e.g., kms.us-east-2.amazonaws.com). |
| ATTESTATION_UPSTREAM_PORT | Port of the upstream service (e.g., 443). |
Kubernetes Deployment
  1. Prepare Resources

    • Create a Kubernetes TLS Secret (ingress-tls) holding the HAProxy certificate and key
    • Set up the service account (attestation-proxy-sa) with permission to pull from the AWS S3 bucket
  2. Apply the Deployment Manifest: use the following Kubernetes manifest to deploy the Attestation Proxy.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: attestation-proxy-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: attestation-proxy
  template:
    metadata:
      labels:
        app: attestation-proxy
    spec:
      serviceAccountName: attestation-proxy-sa
      initContainers:
        # Fetch the HAProxy configuration and Lua plugins from S3 into the shared config volume.
        - name: init-s3-config
          image: amazon/aws-cli
          env:
            - name: S3_BUCKET
              value: "oblv-deploy"
            - name: S3_KEY
              value: "dev/attestation-proxy/0.1.0"
          # The S3 key is a prefix holding several files, so the copy must be recursive.
          command:
            [
              "sh",
              "-c",
              "aws s3 cp --recursive s3://$S3_BUCKET/$S3_KEY /tmp/haproxy/configs",
            ]
          volumeMounts:
            # Must name the same volume that the HAProxy container mounts (haproxy-configs).
            - name: haproxy-configs
              mountPath: /tmp/haproxy/configs

      containers:
        - name: attestation-haproxy
          image: haproxytech/haproxy-debian:2.7
          ports:
            - containerPort: 443
            - containerPort: 12008
          env:
            - name: ATTESTATION_UPSTREAM_DOMAIN
              value: "kms.us-east-2.amazonaws.com"
            - name: ATTESTATION_UPSTREAM_PORT
              value: "443"
            - name: ATTESTATION_CLIENT_CA_DIR
              value: "@system-ca"
            - name: ATTESTATION_SELF_SIGNED_IGNORE_ERROR
              value: "all"
            - name: ATTESTATION_SERVER_CERT_DIR
              value: "/tmp/haproxy/certs/server/"
            - name: ATTESTATION_PROXY_BACKEND_HOST
              value: "localhost"
            - name: ATTESTATION_PROXY_BACKEND_PORT
              value: "8000"
          volumeMounts:
            - name: haproxy-configs
              mountPath: /usr/local/etc/haproxy/
            - name: server-cert
              mountPath: /tmp/haproxy/certs/server/
            - name: allowed-thumbprints-vol
              mountPath: /etc/haproxy/enclaves

        - name: attestation-proxy-backend
          image: 494148202604.dkr.ecr.us-east-2.amazonaws.com/oblv-attestation-proxy:0.2.1
          env:
            - name: RUST_LOG
              value: "info"
          volumeMounts:
            - name: server-cert
              mountPath: /oblv/cert.pem
              # The secret volume below projects the tls.crt key as server.pem, so the
              # subPath must use the projected file name, not the original key.
              subPath: server.pem
            - name: allowed-thumbprints-vol
              mountPath: /oblv/enclaves/
          command:
            [
              "oblv_attestation_proxy",
              "--tls-cert",
              "/oblv/cert.pem",
              "--enclaves-json",
              "/oblv/enclaves/allowed_sha2.txt",
              "--enclave-config-dir",
              "/oblv/configs",
              "--invalidation-interval",
              "100",
            ]

      volumes:
        - name: haproxy-configs
          emptyDir: {}
        - name: allowed-thumbprints-vol
          emptyDir: {}
        - name: server-cert
          secret:
            secretName: ingress-tls
            items:
              - key: tls.crt
                path: server.pem
              - key: tls.key
                path: server.pem.key
```
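A manifest such as the one above wires several containers together through shared volumes, and two mistakes are easy to make and silent until the pod fails to start: a volumeMount that names a volume that was never declared, and a subPath into a Secret volume whose `items` renamed the key. The check below is an added example, not part of the oblv project; it assumes the manifest's pod spec has already been parsed into a dict (for instance with yaml.safe_load) and the sample pod spec it ships with is a constructed, cut-down mirror of the page's manifest.

```python
# Sanity checks for the Attestation Proxy Deployment manifest (added example, not
# oblv project code). Assumes the pod spec is already parsed into a dict (e.g. with
# yaml.safe_load). Checks that every volumeMount names a declared volume and that a
# subPath into a Secret volume using `items` refers to a projected `path`, not the key.


def check_pod_spec(pod_spec: dict) -> list[str]:
    """Return human-readable findings; an empty list means no problems found."""
    findings = []
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"])
            if vol is None:
                findings.append(f"{c['name']}: mount '{m['name']}' has no matching volume")
                continue
            sub = m.get("subPath")
            items = vol.get("secret", {}).get("items")
            if sub and items is not None and sub not in {i["path"] for i in items}:
                findings.append(
                    f"{c['name']}: subPath '{sub}' is not a projected path of secret "
                    f"'{vol['secret']['secretName']}' (projected: {[i['path'] for i in items]})"
                )
    return findings


# Constructed sample mirroring the page's manifest before its fixes: the init
# container mounts 'haproxy-config' (the volume is 'haproxy-configs') and the
# backend uses subPath 'tls.crt' although items rename that key to 'server.pem'.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "init-s3-config",
         "volumeMounts": [{"name": "haproxy-config", "mountPath": "/tmp/haproxy/configs"}]},
    ],
    "containers": [
        {"name": "attestation-haproxy",
         "volumeMounts": [{"name": "haproxy-configs", "mountPath": "/usr/local/etc/haproxy/"},
                          {"name": "server-cert", "mountPath": "/tmp/haproxy/certs/server/"}]},
        {"name": "attestation-proxy-backend",
         "volumeMounts": [{"name": "server-cert", "mountPath": "/oblv/cert.pem", "subPath": "tls.crt"}]},
    ],
    "volumes": [
        {"name": "haproxy-configs", "emptyDir": {}},
        {"name": "server-cert", "secret": {"secretName": "ingress-tls",
                                           "items": [{"key": "tls.crt", "path": "server.pem"},
                                                     {"key": "tls.key", "path": "server.pem.key"}]}},
    ],
}
```

Calling check_pod_spec(SAMPLE_POD_SPEC) returns two findings (the stray volume name and the unprojected subPath) and an empty list once both names are corrected.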