Build an Nginx Anjuna Confidential Pod image
The first step to deploy an Anjuna Confidential Pod is to build its disk image. In this example, you will use the official Nginx Docker image from Docker Hub.
When you build an Anjuna Confidential Pod image, anjuna-k8s-cli builds and measures a VM disk image that contains your target application.
Creating and storing VM disks in Azure requires a few extra resources: a storage container, an image definition, and an image version. The following sections guide you step by step through this process.
Before creating the needed resources, generate a random suffix that is appended to every resource name. It keeps the names unique and makes related resources easy to spot, since they all share the same suffix (note that ${RANDOM} is a bash feature, not POSIX sh):
$ export SUFFIX="${RANDOM}"
Create a storage container
Before building the Anjuna Confidential Pod image, create a storage container to store the measured disk image.
$ export AZURE_STORAGE_CONTAINER="nginx-${SUFFIX}"
$ az storage container create \
--name "${AZURE_STORAGE_CONTAINER}" \
--account-name "${AZURE_STORAGE_ACC_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP}"
Create an image definition
Create a new image definition within a Shared Image Gallery. The commands below create a new image definition for your Nginx container. The --features SecurityType=ConfidentialVMSupported flag together with --hyper-v-generation V2 is what allows versions of this definition to be booted as Azure confidential VMs; without them the upload later in this guide will not produce a bootable confidential image.
$ export AZURE_IMAGE_DEFINITION="nginx-${SUFFIX}"
$ az sig image-definition create \
--resource-group "${AZURE_RESOURCE_GROUP}" \
--gallery-name "${AZURE_GALLERY_NAME}" \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--publisher Anjuna \
--offer CVMGA \
--os-type Linux \
--sku AnjGALinuxNginx \
--os-state specialized \
--features SecurityType=ConfidentialVMSupported \
--hyper-v-generation V2 \
--architecture x64
Every time you build and upload a measured VM disk for this image definition, a new "version" of the image definition will be created.
Build and upload the Anjuna Confidential Pod disk image
Now, build the Anjuna Confidential Pod image. This process will pull and unpack the provided container image and bundle it with the Anjuna Kubernetes Enclave Services needed to run confidential workloads on Kubernetes.
Note that the target container image is not modified by this process. Once the Anjuna Confidential Pod image is built, the output will include its measurements, which are the "identity" of your enclave. These measurements can be used later to verify that the Pod is running in an enclave, and that it is running a trusted version of the application container. After the Pod identity is verified, secrets can be securely provided to the application.
In the command below, you must always specify the fully-qualified container image reference, i.e., including the registry, the repository, and a tag, as in <registry>/<repository>:<tag>.
To build the Anjuna Confidential Pod image, run:
$ cd "${WORKSPACE}"
$ docker load -i "${WORKSPACE}/anjuna-k8s-sev-services-image.tar"
$ ./anjuna-k8s-cli/anjuna-k8s-cli build azure \
--docker-uri docker.io/library/nginx:latest \
--disk-size 2G
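The fully-qualified reference requirement above is easy to get wrong in a script, and a bare name such as nginx:latest only fails once anjuna-k8s-cli tries to pull it. The following helper is an added example written for this guide; it is not part of anjuna-k8s-cli or the Anjuna documentation. It rejects references that do not have a registry host and a tag, and warns when the tag is latest, because the measurement produced by the build only matches the content that happened to be behind that tag at build time. The function name check_image_ref and the accepted registry-host heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example for this guide, not part of anjuna-k8s-cli.
# check_image_ref REF
#   Accepts only <registry>/<repository>:<tag> as required by
#   `anjuna-k8s-cli build azure --docker-uri`. Prints the reference on
#   success (exit 0); prints the reason on stderr and returns 1 otherwise.
check_image_ref() {
  ref="$1"

  # Digest references (@sha256:...) are not the form this guide uses.
  case "$ref" in
    *@sha256:*) echo "digest references are not covered here: $ref" >&2; return 1 ;;
  esac

  # The registry is the first path component; without any '/' there is none.
  registry="${ref%%/*}"
  rest="${ref#*/}"
  if [ "$registry" = "$ref" ]; then
    echo "missing registry: $ref" >&2; return 1
  fi

  # Heuristic assumed by this example: a registry host contains a '.' or a
  # ':' (docker.io, ghcr.io, localhost:5000) or is 'localhost'. This is what
  # rejects a bare 'nginx:latest', which is silently qualified by Docker but
  # is not the fully-qualified form required here.
  case "$registry" in
    *.*|*:*|localhost) ;;
    *) echo "first component is not a registry host: $registry" >&2; return 1 ;;
  esac

  # The tag is whatever follows the last ':' of the remainder. It must
  # exist and must not contain '/', otherwise the ':' we found belonged to
  # a registry port and the tag is absent.
  tag="${rest##*:}"
  repo="${rest%:*}"
  if [ "$tag" = "$rest" ] || [ -z "$tag" ]; then
    echo "missing tag: $ref" >&2; return 1
  fi
  case "$tag" in
    */*) echo "missing tag: $ref" >&2; return 1 ;;
  esac

  # 'latest' moves; the measurements only identify the content pulled now.
  if [ "$tag" = "latest" ]; then
    echo "warning: '$ref' uses a moving tag; rebuild and re-measure whenever it changes" >&2
  fi

  printf '%s/%s:%s\n' "$registry" "$repo" "$tag"
}

# Usage (the usage line is also an assumption of this example):
#   IMAGE="$(check_image_ref docker.io/library/nginx:latest)" \
#     && ./anjuna-k8s-cli/anjuna-k8s-cli build azure --docker-uri "$IMAGE" --disk-size 2G
```

The validation uses only POSIX parameter expansion, so it runs under the same shell as the rest of the commands on this page, and a rejected reference stops the pipeline before the image is pulled and bundled.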
Once the image is built, upload it to Azure as a new version of the Nginx image definition that you created earlier.
Note that in the command below the --image-version flag is set to 0.0.1. Change the version number on subsequent uploads, because the command fails if that version already exists for the image definition.
$ anjuna-azure-cli disk upload \
--disk disk.vhd \
--image-name nginx-disk.vhd \
--storage-account "${AZURE_STORAGE_ACC_NAME}" \
--storage-container "${AZURE_STORAGE_CONTAINER}" \
--resource-group "${AZURE_RESOURCE_GROUP}" \
--image-gallery "${AZURE_GALLERY_NAME}" \
--image-definition "${AZURE_IMAGE_DEFINITION}" \
--image-version 0.0.1 \
--location "${AZURE_LOCATION}" \
--subscription-id "${AZURE_SUBSCRIPTION_ID}"
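Because the upload fails on an existing --image-version, a script that rebuilds the image repeatedly needs to pick a fresh version each time. The helper below is an added example for this guide, not part of anjuna-azure-cli or the Azure CLI: it lists the versions already published for the image definition with az sig image-version list and bumps the patch number of the highest one, starting at 0.0.1 when none exist. The function names next_image_version and existing_image_versions and the AZURE_IMAGE_VERSION variable are assumptions of this example; the az flags and the other variables are the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example for this guide, not part of anjuna-azure-cli or az.

# next_image_version
#   Reads existing version names, one MAJOR.MINOR.PATCH per line, on stdin
#   and prints the highest one with PATCH incremented. Lines that are not
#   three dotted integers are ignored. With no usable input it prints
#   0.0.1, the first version used in this guide.
next_image_version() {
  latest="$(grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
            | sort -t . -k1,1n -k2,2n -k3,3n \
            | tail -n 1)"
  if [ -z "$latest" ]; then
    echo "0.0.1"
    return 0
  fi
  major="${latest%%.*}"
  rest="${latest#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  echo "${major}.${minor}.$((patch + 1))"
}

# existing_image_versions
#   Lists the versions already published for the image definition created
#   earlier on this page. Requires the az CLI and the AZURE_* variables.
existing_image_versions() {
  az sig image-version list \
    --gallery-name "${AZURE_GALLERY_NAME}" \
    --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --query "[].name" -o tsv
}

# Usage after the build step (assumed variable name AZURE_IMAGE_VERSION):
#   export AZURE_IMAGE_VERSION="$(existing_image_versions | next_image_version)"
#   anjuna-azure-cli disk upload ... --image-version "${AZURE_IMAGE_VERSION}" ...
#   az sig image-version show ... -e "${AZURE_IMAGE_VERSION}" ...
```

Numeric sorting on each dotted field is what keeps 0.0.10 above 0.0.9; a plain lexical sort would pick 0.0.9 and the upload would collide with 0.0.10 on the next run.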
Finally, retrieve the image ID, which will be used in your Pod specification when deploying the confidential workload to Kubernetes.
$ export AZURE_IMAGE_ID=$(az sig image-version show \
-i "${AZURE_IMAGE_DEFINITION}" \
-e 0.0.1 \
-r "${AZURE_GALLERY_NAME}" \
-g "${AZURE_RESOURCE_GROUP}" \
--subscription "${AZURE_SUBSCRIPTION_ID}" \
--query id -o tsv)
Once you have the image ID exported to your environment, you are ready to deploy Nginx as an Anjuna Confidential Pod, as shown in the next section of this guide.