Build an Nginx Anjuna Confidential Pod image
The first step to deploy an Anjuna Confidential Pod is to build its disk image. In this example, you will use the official Nginx Docker image from Docker Hub.
When you build an Anjuna Confidential Pod image, anjuna-k8s-cli builds and measures a VM disk image that contains your target application.
Creating and storing VM disks in GCP requires a storage bucket.
The following sections guide you step-by-step in this process.
Before creating the needed resources, generate a random suffix that will be appended to resource names to keep them unique. It also makes related resources easy to spot, since they share the same suffix:
$ export SUFFIX="${RANDOM}"
Create a storage bucket
Before building the Anjuna Confidential Pod image, create a storage bucket to store the measured disk image.
$ export GCP_STORAGE_BUCKET="nginx-${SUFFIX}"
$ gcloud storage buckets create gs://${GCP_STORAGE_BUCKET}
Build and upload the Anjuna Confidential Pod disk image
Now, build the Anjuna Confidential Pod image. This process will pull and unpack the provided container image and bundle it with the Anjuna Kubernetes Enclave Services needed to run confidential workloads on Kubernetes.
Note that the target container image is not modified by this process. Once the Anjuna Confidential Pod image is built, the output includes its measurements, which are the "identity" of your enclave. These measurements can be used later to verify that the Pod is running inside an enclave and that it is running a trusted version of the application container. Once the Pod identity has been verified in this way, secrets can be securely provided to the application.
In the command below, you must always specify the fully-qualified container image reference, i.e., including the registry, the repository, and a tag, as in <registry>/<repository>:<tag>.
To build the Anjuna Confidential Pod image, run:
$ cat > nginx-cpod-config.yaml <<EOF
pod:
  containers:
    - name: nginx # This should match the name of the container in the Pod/Deployment.
      image: "docker.io/library/nginx:latest"
EOF
$ ${ANJ_K8S_TOOLSET_DIR}/anjuna-k8s-cli/anjuna-k8s-cli build gcp \
    --disk-size 2G \
    --cpod-config nginx-cpod-config.yaml
Once the image is built, upload it to the GCP bucket you created previously. Notice that a version number is appended to the image name to differentiate between versions. Increment the version on subsequent uploads so that you do not inadvertently replace an existing image.
$ VERSION=0001
$ export ANJUNA_NGINX_IMAGE_NAME=nginx-image-${VERSION}
$ anjuna-gcp-cli disk upload \
    --bucket ${GCP_STORAGE_BUCKET} \
    --disk disk.raw \
    --image ${ANJUNA_NGINX_IMAGE_NAME}
Note the ANJUNA_NGINX_IMAGE_NAME variable exported here. It will be used when configuring the Kubernetes Deployment manifest on the next page of this guide to deploy Nginx as an Anjuna Confidential Pod.
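The build step above requires a fully-qualified image reference of the form <registry>/<repository>:<tag>. The shell function below is an added example, not part of the Anjuna documentation or toolset: it checks a reference for that shape before it is written into the cpod config, so that a shorthand such as nginx:latest (no registry) or docker.io/library/nginx (no tag) is caught before the build rather than by the tooling. It goes one step beyond the page by warning when the tag is latest: a mutable tag passes the shape check, but the measurements then identify whatever latest pointed to at build time, so a later rebuild may produce different measurements. The acceptance patterns are this example's own approximation of the image reference grammar (an assumption, not anjuna-k8s-cli's parser), and the sample references are constructed for illustration.

```shell
# Added example, not part of the Anjuna documentation or toolset.
# check_image_ref REF
#   Prints "ok" and returns 0 when REF has the <registry>/<repository>:<tag>
#   shape the build step requires; prints a reason and returns 1 otherwise.
#   The patterns below are this example's own approximation of the image
#   reference grammar (assumption), not anjuna-k8s-cli's parser.
check_image_ref() {
    ref="$1"

    # A registry host must precede the first slash.
    case "$ref" in
        */*) ;;
        *) echo "reject: '$ref' has no registry component"; return 1 ;;
    esac
    registry="${ref%%/*}"
    rest="${ref#*/}"

    # The registry is a dotted hostname or "localhost", optionally with a port.
    # Without this rule, "library/nginx:latest" would pass with registry "library".
    if ! printf '%s\n' "$registry" | grep -Eq '^(localhost|([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)(:[0-9]{1,5})?$'; then
        echo "reject: '$registry' does not look like a registry host"
        return 1
    fi

    # Split the remainder into repository and tag at the last colon.
    # A digest reference (repo@sha256:...) is not the tagged form the page asks for.
    case "$rest" in
        *@*) echo "reject: '$ref' uses a digest; the build step expects a tag"; return 1 ;;
        *:*) ;;
        *)   echo "reject: '$ref' has no tag"; return 1 ;;
    esac
    repo="${rest%:*}"
    tag="${rest##*:}"

    # Repository: lowercase path components separated by "/".
    if ! printf '%s\n' "$repo" | grep -Eq '^[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*$'; then
        echo "reject: repository '$repo' is not a lowercase path"
        return 1
    fi
    # Tag: up to 128 characters from [A-Za-z0-9_.-], not starting with "." or "-".
    if ! printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
        echo "reject: tag '$tag' is not a valid tag"
        return 1
    fi

    # A mutable tag is well-formed but worth flagging: the measurements identify
    # whatever "latest" pointed to at build time, so a later rebuild may differ.
    if [ "$tag" = latest ]; then
        echo "warning: tag 'latest' is mutable; a later rebuild may change the measurements" >&2
    fi
    echo ok
}

# Constructed sample references (not from the page) to exercise the check.
for candidate in \
    docker.io/library/nginx:latest \
    nginx:latest \
    library/nginx:latest \
    docker.io/library/nginx \
    localhost:5000/nginx:1.27; do
    result=$(check_image_ref "$candidate" 2>/dev/null) || true
    echo "$candidate -> $result"
done
```

Run the check on the image value you intend to put in nginx-cpod-config.yaml; only a reference that prints ok should go into the build. The function reports the first problem it finds, which is usually enough to point at the missing registry or tag.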