Skip to main content

Deployment

Overview

After you have completed the installation and setup process, the next step is to deploy your application into an enclave. On this page, you find the steps to complete the deployment of your application in AWS with everything OBLV Deploy has to offer.

Note

This page content is for administrators who want to deploy an application with OBLV Deploy. If you are a user and want to connect to a deployed application, refer to the Making an Attested Connection guide.

Step 1

Create a TLS secret for ingress

To secure the communication between your clients and the ingress proxy, you need to create a TLS secret. This certificate is used to connect to the ingress proxy. The TLS certificate should be valid for the domain where the user wants the Nitro Enclave application to be available.

Prerequisites

You need to have a TLS certificate and a corresponding private key. If you do not have one, you can generate a self-signed certificate for testing purposes. Ensure that the TLS certificate is valid for the domain where the Nitro Enclave application will be available.

1
Prepare your certificate and key files:

Ensure you have your certificate file (e.g., tls.crt) and your private key file (e.g., tls.key).

2
Create the TLS secret in Kubernetes:

Use the following command to create a TLS secret in your Kubernetes cluster. Replace <namespace> with the namespace where you want to create the secret, and <secret-name> with the desired name for your secret.

kubectl create secret tls <secret-name> --cert=path/to/tls.crt --key=path/to/tls.key -n <namespace>

For example:

kubectl create secret tls my-ingress-tls --cert=path/to/tls.crt --key=path/to/tls.key -n my-namespace
3
Verify the secret:

Ensure that the secret has been created successfully by running:

kubectl get secrets -n <namespace>

You should see your newly created secret in the list.

Example

Here is an example of creating a TLS secret named my-ingress-tls in the default namespace:

kubectl create secret tls my-ingress-tls --cert=/etc/ssl/certs/tls.crt --key=/etc/ssl/private/tls.key -n default
tip

This TLS secret is later used in the ingress section of the manifest in Step 2

Step 2

Create Your Manifest

A manifest is a YAML or JSON file that defines one or more resources to be created and managed by Kubernetes. These files serve as the blueprint for the system to understand what the user wishes to create, modify, or delete.

In our case, to do a deployment in OBLV Deploy, we create a NitroEnclaveDeployment resource, using a manifest file.

Below you find an example of a manifest.yaml file that creates a NitroEnclaveDeployment named hello-fastapi:

Warning

Any references made to Configmaps or Secrets requires that those resources exist in the namespace where the NitroEnclaveDeployment resource is created.

Manifest file
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
  name: hello-fastapi
  namespace: default
spec:
  userPlugins:
  - name: fastapi
    image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
    ports:
    - containerPort: 8001
      hostPort: 4455
    command:
    - "python"
    - "/app/uvicorn_runner.py"
  replicas: 1
  serviceAccount: enclave-pod
  hugepages-1Gi: 12Gi
  enclaveCpuCount: 2
  ingress:
    enabled: true
    internetFacing: true
    dnsHostName: fastapi-hello.oblv.com
    ingressTlsCertificate: my-ingress-tls
    ports:
    - port: 4455
      targetPort: 4455
  caCertDetails:
    enclaveCertType: ENCLAVE_GENERATED
Reference

To learn more about manifest files, refer to the Kubernetes API Reference where the configurations are described in detail.

Step 3

Apply the Deployment

With your manifest.yaml file created, you can apply this configuration to the cluster. Run the following kubectl command to apply the Kubernetes resources:

kubectl apply -f manifest.yaml
nitroenclavedeployment.k8s.oblv.com/hello-fastapi created
Command Breakdown

When you run the kubectl apply -f <your_manifest_file_name>.yaml command, the following process will take place:

  1. Read the YAML file and check the resources listed.
  2. The required resources are shared with the server, which checks if the file follows the schema and resource requirements.
  3. The Kubernetes server checks if the resources already exist. Otherwise, it creates the resources.
  4. Kubernetes continually works towards ensuring that the actual state of all resources in the cluster matches the desired state specified by the YAML files.
  5. kubectl receives feedback from the API server about the success or failure of the application operation.
Step 4

Check the status of the Deployment

After applying the manifest.yaml file, you can check the status of your deployment to ensure that the resources have been created and are running as expected. Use the following commands to verify the status:

kubectl get ned -w
NAME            READY   AGE     STATUS
hello-fastapi   0/1     3s      PENDING
hello-fastapi   1/1     1m12s   SCHEDULED
NitroEnclaveDeployment status

Currently the NitroEnclaveDeployment supports following status:

  1. PENDING
  2. SCHEDULED
  3. ERROR

Additionally, we can check the status of the pod

kubectl get po -w
NAME                                                   READY   STATUS           RESTARTS    AGE
oblv-proxy-hello-fastapi-93ee72d1f9-56847c97f8-ksjrk   2/2     Running           0          14s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf              0/4     Init:1/2          0          1m6s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf              0/4     PodInitializing   0          1m33s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf              3/4     Running           0          1m47s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf              3/4     Running           0          2m49s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf              4/4     Running           0          3m16s
Step 5

Create the Configuration File

When your enclaves are up and running, the NitroEnclaveDeployment updates its status to:

  • SCHEDULED: 1/1
Auxiliary commands

You can find helpful commands to assist you in checking these statuses in the Auxiliary commands page.

Once the NitroEnclaveDeployment is scheduled, the controller pushed a config file to a configmap from where it can be fetched. This config file is required for the user to connect to the Enclave.

kubectl get configmap hello-fastapi-oblv-cli-config  -o jsonpath='{.data.config\.yaml}'

Save the output of the above command to a YAML file to be used in the next step.

This is a configuration file containing information regarding the application running on the enclave. It will present a cryptographic attestation for everything running, giving you the enclave's measurements to attest that everything is running as expected. It is needed to give users access to the application and will be used to connect to the system. Without the configuration file, the system will be unreachable.

AWS reference

Learn more about AWS Nitro Enclaves and Cryptographic attestation.

What's Next?

Once your enclave is deployed, you can interact with it using OBLV Client. Refer to the Making an Attested Connection page to learn how to install OBLV Client and connect to your enclave.