Skip to main content

Getting Started

Deployment

After you have completed the installation and setup process, the next step is to deploy your application into an enclave. On this page, you find the steps to complete the deployment of your application in AWS with everything OBLV Deploy has to offer.

Users guide

This page content is for administrators who want to deploy an application with OBLV Deploy. If you are a user and want to connect to a deployed application, refer to the Making an Attested Connection guide.

Step 1: Create a TLS secret for ingress

To secure the communication between your clients and the ingress proxy, you need to create a TLS secret. This certificate is used to connect to the ingress proxy. The TLS certificate should be valid for the domain where the user wants the Nitro Enclave application to be available.

Prerequisites

  • You need to have a TLS certificate and a corresponding private key. If you do not have one, you can generate a self-signed certificate for testing purposes. Ensure that the TLS certificate is valid for the domain where the Nitro Enclave application will be available.

Steps to Create a TLS Secret

  1. Prepare your certificate and key files:

    • Ensure you have your certificate file (e.g., tls.crt) and your private key file (e.g., tls.key).
  2. Create the TLS secret in Kubernetes:

    • Use the following command to create a TLS secret in your Kubernetes cluster. Replace <namespace> with the namespace where you want to create the secret, and <secret-name> with the desired name for your secret.
    kubectl create secret tls <secret-name> --cert=path/to/tls.crt --key=path/to/tls.key -n <namespace>

    For example:

    kubectl create secret tls my-ingress-tls --cert=path/to/tls.crt --key=path/to/tls.key -n my-namespace
  3. Verify the secret:

    • Ensure that the secret has been created successfully by running:
    kubectl get secrets -n <namespace>

    You should see your newly created secret in the list.

Example

Here is an example of creating a TLS secret named my-ingress-tls in the default namespace:

kubectl create secret tls my-ingress-tls --cert=/etc/ssl/certs/tls.crt --key=/etc/ssl/private/tls.key -n default
tip

This TLS secret is later used in the ingress section of the manifest in Step 2

Step 2: Create Your Manifest

A manifest is a YAML or JSON file that defines one or more resources to be created and managed by Kubernetes. These files serve as the blueprint for the system to understand what the user wishes to create, modify, or delete.

In our case, to do a deployment in OBLV Deploy, we create a NitroEnclaveDeployment resource, using a manifest file.

Below you find an example of a manifest.yaml file that creates a NitroEnclaveDeployment named hello-fastapi-deployment:

Users guide

Any references made to Configmaps or Secrets requires that those resources exist in the namespace where the NitroEnclaveDeployment resource is created.

Manifest schema
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
name: hello-fastapi-deployment
namespace: default
spec:
enclaveSpec:
containers:
- name: fastapi
image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
imagePullSecret: myregistrykey
ports:
- containerPort: 8001
hostPort: 8001
command:
- "python"
- "/app/uvicorn_runner.py"
plugins:
auth:
image: oryd/oathkeeper:v0.38.6
kind: Auth
name: oauthkeeper-auth-plugin
proxyPort: 4455
spec:
command:
- oathkeeper
- serve
- --config
- /auth/config.yaml
volumes:
- containerPath: /auth
name: auth-plugin-vol
readOnly: true
source:
configMap:
items:
- key: config.yaml
path: config.yaml
- key: rules.json
path: rules.json
name: authconfigmap
outboundConnections:
- fqdn:
value: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
port: 4444
redirects: false
tls: false
tags:
- key: Purpose
value: TestEnclave
instanceType: r5.4xlarge
internetFacing: true
keyName: admin-keypair
replicaCount: 1
securityGroupIDs:
- sg-0b2baf9fa5c0831ec
serviceDomainName: fastapi-test.oblivious.com
subnetID: subnet-04c91bee7f6825745
amiId: ami-0e9a4f3e2867eb0df
iamInstanceProfile:
arn: arn:aws:iam::494148202604:instance-profile/oblv_ec2_enclave_kms_role
tags:
- key: Environment
value: Test
- key: creator
value: eks_admin
tlsCertificate:
secretKey: dummy_cert.pem
secretName: tls-cert
caCertDetails:
bucket: oblv-deploy
caCertS3Key: "dev/certs/ca.crt"
caEncryptedS3Key: "dev/certs/ca.key"
awsRegion: us-east-2
kmsKeyId: "arn:aws:kms:us-east-2:494148202604:key/c2c1fcf9-a819-4a9a-8072-47b51eb52840"
encryptionAlgorithm: "SYMMETRIC_DEFAULT"
Reference

To learn more about manifest files, refer to the Manifest Reference page where the configurations are described in detail.

Step 3: Apply the Deployment

With your manifest.yaml file created, you can apply this configuration to the cluster. Run the following kubectl command to apply the Kubernetes resources:

kubeclt apply -f manifest.yaml
Command Breakdown

When you run the kubeclt apply -f <your_manifest_file_name>.yaml command, the following process will take place:

  1. Read the YAML file and check the resources listed.
  2. The required resources are shared with the server, which checks if the file follows the schema and resource requirements.
  3. The Kubernetes server checks if the resources already exist. Otherwise, it creates the resources.
  4. Kubernetes continually works towards ensuring that the actual state of all resources in the cluster matches the desired state specified by the YAML files.
  5. kubectl receives feedback from the API server about the success or failure of the application operation.
Multiple manifests

If deploying multiple applications, you need to run the command above once for each respective manifest file.

Step 3: Create the Configuration File

When your enclaves are up and running, they need to present the following statuses:

  • NITROENCLAVESTATUS: Running
  • MANIFESTSYNCSTATUS: Successful
Auxiliary commands

You can find helpful commands to assist you in checking these statuses in the Auxiliary commands page.

Once the NitroEnclaveDeployment is scheduled, the controller pushed a config file to a configmap from where it can be fetched. This config file is required for the user to connect to the Enclave.

kubectl describe configmap <nitro_enclave_deployment_name>-oblv-cli-config -n <namespace>

The configuration file contains information regarding the application running on the enclave. It will present a cryptographic attestation for everything running, giving you the enclave's measurements to attest that everything is running as expected. It is needed to give users access to the application and will be used to connect to the system. Without the configuration file, the system will be unreachable.

AWS reference

What's Next?

Once your enclave is deployed, you can interact with it using OBLV CLI. Refer to the Making an Attested Connection page to learn how to install OBLV CLI and connect to your enclave.