Build an Anjuna Confidential Pod image

If you have not already done so, follow the guide Example 1 - Deploy Nginx as an Anjuna Confidential Pod. It goes into more detail on the process of building Anjuna Confidential Pod images.

In this example, you will build a custom application from scratch that uses some of the features of the Anjuna Enclave Configuration File.

Build a container

Start by building a simple Docker container. First, cd into a new temporary directory.

$ cd $(mktemp -d)

Then, run the following command to create the Dockerfile, which defines an image that prints the environment using the env command:

$ cat <<EOF > Dockerfile
FROM ubuntu:22.04

CMD [ "bash", "-c", "env && sleep infinity" ]
EOF

In this example, the container image is pushed to a Docker repository in GCP Artifact Registry, identified by the environment variable ANJ_IMAGE_REGISTRY (the registry host) and ANJ_IMAGE_PATH (the repository path).

$ export CONTAINER_IMAGE="${ANJ_IMAGE_REGISTRY}/${ANJ_IMAGE_PATH}/env"
$ docker build . -t "${CONTAINER_IMAGE}"
$ docker push "${CONTAINER_IMAGE}"

Build the Anjuna Confidential Pod image

Building an Anjuna Confidential Pod image builds and measures a VM disk image that contains your target application. Creating and storing VM disks in GCP requires a storage bucket. The following sections will guide you step by step in this process.

Before creating the needed resources, generate a random suffix that will be used to ensure that resource names are unique. It also helps to quickly identify related resources (i.e., if they share the same suffix):

$ export SUFFIX="${RANDOM}"

Create a storage bucket

Before building the Anjuna Confidential Pod image, create a storage bucket to store the measured disk image.

$ export GCP_STORAGE_BUCKET="env-${SUFFIX}"
$ gcloud storage buckets create gs://${GCP_STORAGE_BUCKET}

Build and upload the Anjuna Confidential Pod image

Before building the Anjuna Confidential Pod image, create an enclave configuration file.

The enclave configuration file env-cpod-config.yaml created below does two things:

  • It sets the value of the environment variable DB_USERNAME to user

  • It allows the environment variable LOG_LEVEL to be set in the Pod specification

Refer to Configuration reference to learn more about the enclave configuration file and all the features that it supports.

$ cat > env-cpod-config.yaml <<EOF
pod:
  containers:
  - name: env                              # This should match the name of the container in the Pod/Deployment.
    image: "${CONTAINER_IMAGE}:latest"
    env:
    - name: DB_USERNAME
      value: user
    untrusted:
      env:
        allow:
        - LOG_LEVEL
EOF
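The security property of this configuration is that DB_USERNAME is fixed by the measured image, while only LOG_LEVEL may come from the untrusted Pod specification. The following added example (not Anjuna's code) models that rule over the parsed configuration above, with the YAML hard-coded as a Python dict to avoid a YAML dependency; how a real enclave treats a Pod-spec value that is not allowlisted, or that collides with a trusted one, is an assumption made here for illustration (it is reported and dropped, and the trusted value always wins).

```python
# Added example, not Anjuna's implementation: model of how a Confidential Pod's
# effective environment can be derived from the enclave config plus an untrusted
# Pod spec. Handling of rejected variables below is an assumption for illustration.

# env-cpod-config.yaml from above, already parsed (hard-coded; no YAML dependency).
CPOD_CONFIG = {
    "pod": {
        "containers": [
            {
                "name": "env",
                "image": "REGISTRY/PATH/env:latest",  # placeholder reference
                "env": [{"name": "DB_USERNAME", "value": "user"}],
                "untrusted": {"env": {"allow": ["LOG_LEVEL"]}},
            }
        ]
    }
}

# Constructed Pod-spec env: one allowlisted variable, one attempt to override a
# trusted variable, and one that is not on the allowlist at all.
POD_SPEC_ENV = [
    {"name": "LOG_LEVEL", "value": "debug"},
    {"name": "DB_USERNAME", "value": "admin"},
    {"name": "DB_PASSWORD", "value": "hunter2"},
]


def effective_env(cpod_config, container_name, pod_spec_env):
    """Return (effective_env, rejected_names) for one container.

    Variables from the measured enclave config are trusted and always present.
    Variables from the Pod spec are accepted only if listed under
    untrusted.env.allow; an untrusted value never overrides a trusted one
    (assumed behaviour). Rejected names are returned so they can be logged,
    because silently ignoring them would hide tampering attempts.
    """
    container = next(c for c in cpod_config["pod"]["containers"]
                     if c["name"] == container_name)
    trusted = {e["name"]: e["value"] for e in container.get("env", [])}
    allowed = set(container.get("untrusted", {}).get("env", {}).get("allow", []))
    env, rejected = {}, []
    for var in pod_spec_env:
        if var["name"] in trusted or var["name"] not in allowed:
            rejected.append(var["name"])
        else:
            env[var["name"]] = var["value"]
    env.update(trusted)  # trusted values win over anything untrusted
    return env, rejected
```

Running `effective_env(CPOD_CONFIG, "env", POD_SPEC_ENV)` yields only LOG_LEVEL and the trusted DB_USERNAME, with DB_USERNAME and DB_PASSWORD from the Pod spec reported as rejected.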

To build the Anjuna Confidential Pod image, run the following command. Note that the container image reference in the configuration file must always be fully qualified, i.e., it must include the registry, the repository, and a tag, as in <registry>/<repository>:<tag>.

$ ${ANJ_K8S_TOOLSET_DIR}/anjuna-k8s-cli/anjuna-k8s-cli build gcp \
  --disk-size 2G \
  --cpod-config env-cpod-config.yaml

Once the image is built, upload it to the GCP bucket you created previously. Notice that a version suffix is used in the image name to differentiate between versions. Make sure to change the version number on subsequent uploads, because the command will fail if an image with that version number already exists.

$ VERSION=0001
$ export ANJUNA_ENV_IMAGE_NAME=env-image-${VERSION}
$ anjuna-gcp-cli disk upload \
  --bucket ${GCP_STORAGE_BUCKET} \
  --disk disk.raw \
  --image ${ANJUNA_ENV_IMAGE_NAME}

Note the ANJUNA_ENV_IMAGE_NAME variable exported here. It will be used when configuring the Kubernetes Deployment manifest on the next page of this guide, which deploys env-image-${VERSION} as an Anjuna Confidential Pod.