Ensure you have your certificate file (e.g., tls.crt) and your private key file (e.g., tls.key).
Deployment
Overview
After you have completed the installation and setup process, the next step is to deploy your application into an enclave. This page walks through the steps to deploy an application in AWS with OBLV Deploy: creating the ingress TLS secret, writing and applying the manifest, checking the deployment status, and fetching the configuration file users need to connect.
This page content is for administrators who want to deploy an application with OBLV Deploy. If you are a user and want to connect to a deployed application, refer to the Making an Attested Connection guide.
Create a TLS secret for ingress
To secure communication between clients and the ingress proxy, create a Kubernetes TLS secret holding the certificate and private key that the ingress proxy will present. The certificate must be valid for the DNS name at which the Nitro Enclave application will be reachable (the dnsHostName you set in the manifest). If you do not have a certificate from a CA, you can generate a self-signed one for testing, but clients will reject it unless they are configured to trust it. Note that a Kubernetes Secret only base64-encodes the private key; restrict access to it with RBAC and enable encryption at rest for Secrets in your cluster.
Use the following command to create a TLS secret in your Kubernetes cluster. Replace <namespace> with the namespace where you want to create the secret, and <secret-name> with the desired name for your secret.
kubectl create secret tls <secret-name> --cert=path/to/tls.crt --key=path/to/tls.key -n <namespace>
For example:
kubectl create secret tls my-ingress-tls --cert=path/to/tls.crt --key=path/to/tls.key -n my-namespace
Ensure that the secret has been created successfully by running:
kubectl get secrets -n <namespace>
You should see your newly created secret in the list, with TYPE kubernetes.io/tls.
Example
Here is an example of creating a TLS secret named my-ingress-tls in the default namespace:
kubectl create secret tls my-ingress-tls --cert=/etc/ssl/certs/tls.crt --key=/etc/ssl/private/tls.key -n default
This TLS secret is referenced later by the ingressTlsCertificate field in the ingress section of the manifest in Step 2.
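The procedure above, as an added example that is not part of OBLV Deploy: the script generates a self-signed certificate for testing with a SAN for the host name, checks that the certificate and key actually belong together and that the certificate covers the domain (the two mistakes that most often produce a secret the ingress proxy cannot serve), and only then creates the secret. It assumes OpenSSL 1.1.1 or newer (for -addext) and kubectl on the PATH; the output directory, key size and 30-day validity are arbitrary choices. The domain used in the usage comment is the dnsHostName from the manifest on this page.

```shell
#!/bin/sh
# Added example (not part of OBLV Deploy): generate a self-signed certificate for
# testing, verify it before creating the ingress TLS secret, and create the secret.
# Assumptions: OpenSSL 1.1.1+ (for -addext) and kubectl on PATH; output paths,
# key size and validity period are arbitrary choices.

# Generate a self-signed cert + key for $1 into $2/tls.crt and $2/tls.key.
# The SAN is what clients verify; a bare CN is not enough for modern clients.
gen_selfsigned_cert() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" >/dev/null 2>&1
  chmod 600 "$dir/tls.key"
}

# Succeed only if the certificate's public key matches the private key,
# which catches pairing tls.crt with the wrong tls.key.
cert_matches_key() {
  crt=$1; key=$2
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is valid for the given host name
# (the dnsHostName you will put in the manifest).
cert_covers_domain() {
  crt=$1; domain=$2
  openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null \
    | grep -q "does match certificate"
}

# Run both checks, then create (or update) the secret. Piping a client-side
# dry run into kubectl apply keeps the step idempotent on re-runs.
create_ingress_tls_secret() {
  name=$1; ns=$2; crt=$3; key=$4; domain=$5
  cert_matches_key "$crt" "$key" \
    || { echo "certificate and key do not match" >&2; return 1; }
  cert_covers_domain "$crt" "$domain" \
    || { echo "certificate is not valid for $domain" >&2; return 1; }
  kubectl create secret tls "$name" --cert="$crt" --key="$key" -n "$ns" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: sh tls-secret.sh fastapi-hello.oblv.com my-namespace my-ingress-tls [outdir]
if [ "$#" -ge 3 ]; then
  outdir=${4:-./tls}
  gen_selfsigned_cert "$1" "$outdir"
  create_ingress_tls_secret "$3" "$2" "$outdir/tls.crt" "$outdir/tls.key" "$1"
fi
```

For a CA-issued certificate skip gen_selfsigned_cert and run the two checks on the files you received; if the chain includes intermediates, concatenate them after the leaf in tls.crt so the ingress proxy serves the full chain.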
Create Your Manifest
A manifest is a YAML or JSON file that defines one or more resources to be created and managed by Kubernetes. These files serve as the blueprint for the system to understand what the user wishes to create, modify, or delete.
In our case, to do a deployment in OBLV Deploy, we create a NitroEnclaveDeployment resource using a manifest file.
Below you find an example of a manifest.yaml file that creates a NitroEnclaveDeployment named hello-fastapi:
Any ConfigMaps or Secrets referenced in the manifest (including the ingressTlsCertificate secret) must already exist in the namespace where the NitroEnclaveDeployment resource is created.
Manifest file
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
metadata:
  name: hello-fastapi
  namespace: default
spec:
  userPlugins:
    - name: fastapi
      image: public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
      ports:
        - containerPort: 8001
          hostPort: 4455
      command:
        - "python"
        - "/app/uvicorn_runner.py"
  replicas: 1
  serviceAccount: enclave-pod
  hugepages-1Gi: 12Gi
  enclaveCpuCount: 2
  ingress:
    enabled: true
    internetFacing: true
    dnsHostName: fastapi-hello.oblv.com
    ingressTlsCertificate: my-ingress-tls
    ports:
      - port: 4455
        targetPort: 4455
  caCertDetails:
    enclaveCertType: ENCLAVE_GENERATED
To learn more about manifest files, refer to the Kubernetes API Reference, where the configuration fields are described in detail. Note that the example references the application image by the mutable latest tag; for a deployment whose enclave measurements users will verify, reference the image by digest so that a redeployment cannot silently change what is being attested.
Apply the Deployment
With your manifest.yaml file created, you can apply this configuration to the cluster. Run the following kubectl command to apply the Kubernetes resources:
kubectl apply -f manifest.yaml
nitroenclavedeployment.k8s.oblv.com/hello-fastapi created
When you run kubectl apply -f <your_manifest_file_name>.yaml, the following happens:
- kubectl reads the YAML file and sends the resources it contains to the Kubernetes API server.
- The API server validates each resource against its schema (for a NitroEnclaveDeployment, the custom resource definition installed by OBLV Deploy) and rejects the request if it does not conform.
- If a resource does not exist yet, the API server creates it; if it already exists, it is updated with the fields from the manifest.
- The OBLV Deploy controller then continually reconciles the actual state of the cluster with the desired state declared in the manifest.
- kubectl reports the success or failure of the operation back to you, as in the output above.
Check the status of the Deployment
After applying the manifest.yaml file, check the status of your deployment to ensure that the resources have been created and are running as expected. The -w flag watches for changes; press Ctrl-C to stop watching:
kubectl get ned -w
NAME READY AGE STATUS
hello-fastapi 0/1 3s PENDING
hello-fastapi 1/1 1m12s SCHEDULED
Currently, a NitroEnclaveDeployment reports one of the following statuses:
PENDING
SCHEDULED
ERROR
If the status becomes ERROR, run kubectl describe ned hello-fastapi to see the controller's events. You can also watch the pods: the oblv-proxy-hello-fastapi-... pod is the proxy, and the hello-fastapi-... pod hosts the enclave and passes through its init containers before all four of its containers are Running:
kubectl get po -w
NAME READY STATUS RESTARTS AGE
oblv-proxy-hello-fastapi-93ee72d1f9-56847c97f8-ksjrk 2/2 Running 0 14s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf 0/4 Init:1/2 0 1m6s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf 0/4 PodInitializing 0 1m33s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf 3/4 Running 0 1m47s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf 3/4 Running 0 2m49s
hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf 4/4 Running 0 3m16s
Create the Configuration File
When your enclaves are up and running, the NitroEnclaveDeployment updates its status to SCHEDULED with READY 1/1.
You can find helpful commands to assist you in checking these statuses in the Auxiliary commands page.
Once the NitroEnclaveDeployment is SCHEDULED, the controller publishes a configuration file in a ConfigMap named <name>-oblv-cli-config (hello-fastapi-oblv-cli-config for this example), from which it can be fetched. Users need this file to connect to the enclave.
kubectl get configmap hello-fastapi-oblv-cli-config -o jsonpath='{.data.config\.yaml}'
Save the output of the above command to a YAML file; it is used in the next step.
This configuration file describes the application running in the enclave, including the enclave measurements that users should expect. When a user connects, the enclave presents a cryptographic attestation, and the client checks it against these measurements, so the connection succeeds only if the enclave is running exactly what was deployed. The file is therefore the trust anchor for users: distribute it to them over a channel they trust, because a tampered file could make them accept the wrong enclave. Without the configuration file, the system is unreachable.
Learn more about AWS Nitro Enclaves and Cryptographic attestation.
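The status check and config retrieval above, as an added example that is not OBLV Deploy's own tooling. The script polls until the NitroEnclaveDeployment reports SCHEDULED, fails fast if it reports ERROR, times out otherwise, and then saves the published config to a file, refusing an empty result. It relies on the kubectl get ned column order shown above (NAME READY AGE STATUS) and on the ConfigMap name <name>-oblv-cli-config; the polling interval, timeout and output path are assumptions. If you know the CRD's status field name, a -o jsonpath query on it is more robust than parsing printer columns.

```shell
#!/bin/sh
# Added example (not OBLV Deploy's own tooling): wait for a NitroEnclaveDeployment
# to reach SCHEDULED, fail fast on ERROR, then save the oblv-cli config.
# Relies on the `kubectl get ned` columns shown on the page (NAME READY AGE STATUS)
# and the ConfigMap name <name>-oblv-cli-config; timeout, interval and the
# output path are assumptions.

# Print the STATUS column (PENDING, SCHEDULED or ERROR) of one deployment.
ned_status() {
  # $1 = NitroEnclaveDeployment name, $2 = namespace
  kubectl get ned "$1" -n "$2" --no-headers 2>/dev/null | awk '{print $4}'
}

# Poll until SCHEDULED. Exit code: 0 scheduled, 1 ERROR, 2 timed out.
wait_for_ned() {
  name=$1; ns=$2; timeout=${3:-900}; interval=${4:-10}
  elapsed=0; status=""
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$(ned_status "$name" "$ns")
    case "$status" in
      SCHEDULED) return 0 ;;
      ERROR)
        echo "$ns/$name entered ERROR; inspect with: kubectl describe ned $name -n $ns" >&2
        return 1 ;;
    esac
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "timed out after ${timeout}s waiting for $ns/$name (last status: ${status:-none})" >&2
  return 2
}

# Save the config the controller published to the ConfigMap; refuse an empty file
# so that a missing key is never mistaken for a usable config.
fetch_cli_config() {
  name=$1; ns=$2; out=$3
  kubectl get configmap "${name}-oblv-cli-config" -n "$ns" \
    -o jsonpath='{.data.config\.yaml}' > "$out" || return 1
  [ -s "$out" ] || { echo "config for $ns/$name is empty" >&2; rm -f "$out"; return 1; }
}

# Usage: sh fetch-config.sh hello-fastapi default [output-file]
if [ "$#" -ge 2 ]; then
  wait_for_ned "$1" "$2" && fetch_cli_config "$1" "$2" "${3:-$1-config.yaml}"
fi
```

The saved file is what users hand to OBLV Client in the next step, so hand it over through the same trusted channel you would use for any other trust anchor.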
What's Next?
Once your enclave is deployed, you can interact with it using OBLV Client. Refer to the Making an Attested Connection page to learn how to install OBLV Client and connect to your enclave.