Getting Started

Deployment

After you have completed the installation and setup process, the next step is to deploy your application into an enclave. On this page, you find the steps to complete the deployment of your application in AWS with everything OBLV Deploy has to offer.

Users guide

This page content is for administrators who want to deploy an application with OBLV Deploy. If you are a user and want to connect to a deployed application, refer to the Making an Attested Connection guide.

Step 1: Create Your Manifest

A manifest is a YAML or JSON file that defines one or more resources to be created and managed by Kubernetes. These files serve as the blueprint for the system to understand what the user wishes to create, modify, or delete.

In our case, to do a deployment in OBLV Deploy, we create a NitroEnclaveDeployment resource, using a manifest file.

Below you find an example of a manifest.yaml file that creates a NitroEnclaveDeployment named hello-fastapi-deployment:

Users guide

Any references made to Configmaps, Secrets or Plugin resources requires that those resources exist in the namespace where the NitroEnclaveDeployment resource is created.

Manifest schema

apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
  name: hello-fastapi-deployment
  namespace: default
spec:
  enclaveSpec:
    containers:
    - name: fastapi
      image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
      imagePullSecret: myregistrykey
      ports:
        - containerPort: 8001
          hostPort: 8001
      command:
        - "python"
        - "/app/uvicorn_runner.py"
    plugins:
      auth:
        image: oryd/oathkeeper:v0.38.6
        kind: Auth
        name: oauthkeeper-auth-plugin
        proxyPort: 4455
        spec:
          command:
          - oathkeeper
          - serve
          - --config
          - /auth/config.yaml
          volumes:
          - containerPath: /auth
            name: auth-plugin-vol
            readOnly: true
            source:
              configMap:
                items:
                - key: config.yaml
                  path: config.yaml
                - key: rules.json
                  path: rules.json
                name: authconfigmap
          outboundConnections:
          - fqdn:
              value: ec2-18-222-109-15.us-east-2.compute.amazonaws.com
            port: 4444
            redirects: false
            tls: false
    tags:
    - key: Purpose
      value: TestEnclave
  instanceType: r5.4xlarge
  internetFacing: true
  keyName: admin-keypair
  replicaCount: 1
  securityGroupIDs:
  - sg-0b2baf9fa5c0831ec
  serviceDomainName: fastapi-test.oblivious.com
  subnetID: subnet-04c91bee7f6825745
  amiId: ami-0e9a4f3e2867eb0df
  iamInstanceProfile:
    arn: arn:aws:iam::494148202604:instance-profile/oblv_ec2_enclave_kms_role
  tags:
  - key: Environment
    value: Test
  - key: creator
    value: eks_admin
  tlsCertificate:
    secretKey: dummy_cert.pem
    secretName: tls-cert
  caCertDetails:
    bucket: oblv-deploy
    caCertS3Key: "dev/certs/ca.crt"
    caEncryptedS3Key: "dev/certs/ca.key"
    awsRegion: us-east-2
    kmsKeyId: "arn:aws:kms:us-east-2:494148202604:key/c2c1fcf9-a819-4a9a-8072-47b51eb52840"
    encryptionAlgorithm: "SYMMETRIC_DEFAULT"

Reference

To learn more about manifest files, refer to the Manifest Reference page where the configurations are described in detail.

Step 2: Apply the Deployment

With your manifest.yaml file created, you can apply this configuration to the cluster. Run the following kubectl command to apply the Kubernetes resources:

kubeclt apply -f manifest.yaml

Command Breakdown

When you run the kubeclt apply -f <your_manifest_file_name>.yaml command, the following process will take place:

1. Read the YAML file and check the resources listed.
2. The required resources are shared with the server, which checks if the file follows the schema and resource requirements.
3. The Kubernetes server checks if the resources already exist. Otherwise, it creates the resources.
4. Kubernetes continually works towards ensuring that the actual state of all resources in the cluster matches the desired state specified by the YAML files.
5. kubectl receives feedback from the API server about the success or failure of the application operation.

Multiple manifests

If deploying multiple applications, you need to run the command above once for each respective manifest file.

Step 3: Create the Configuration File

When your enclaves are up and running, they need to present the following statuses:

• NITROENCLAVESTATUS: Running
• MANIFESTSYNCSTATUS: Successful

Auxiliary commands

You can find helpful commands to assist you in checking these statuses in the Auxiliary commands page.

Once the NitroEnclaveDeployment is scheduled, the controller pushed a config file to a configmap from where it can be fetched. This config file is required for the user to connect to the Enclave.

kubectl describe configmap <nitro_enclave_deployment_name>-oblv-cli-config -n <namespace>

The configuration file contains information regarding the application running on the enclave. It will present a cryptographic attestation for everything running, giving you the enclave's measurements to attest that everything is running as expected. It is needed to give users access to the application and will be used to connect to the system. Without the configuration file, the system will be unreachable.

AWS reference

Learn more about AWS Nitro Enclaves and Cryptographic attestation.

What's Next?

Once your enclave is deployed, you can interact with it using OBLV CLI. Refer to the Making an Attested Connection page to learn how to install OBLV CLI and connect to your enclave.