Using a Local Encrypted Configuration

This page covers how to deliver a Local Encrypted Configuration to an enclave running as a Pod in the Anjuna Kubernetes Toolset for AWS EKS. The Local type of Encrypted Configuration is a file that should be present on the Pod’s filesystem at runtime so the launcher Pod can pass it to the enclave.

The full Local Encrypted Configuration workflow has steps that happen before the Pod is deployed (creating the cleartext secrets, encrypting them, declaring encryptedConfig.type: local in the Anjuna Nitro Enclave Configuration file, building the EIF, and authorizing the EIF’s measurements in the AWS KMS key policy). Those steps are covered in Providing secrets to the AWS Nitro Enclave. This page picks up after those steps and focuses on the EKS-specific work. See the Example section below for relevant links to the Providing secrets section.

Configuring the Pod to use a Local Encrypted Configuration

To tell the launcher Pod where the Local Encrypted Configuration is, use the nitro.k8s.anjuna.io/encryptedConfigLocation annotation. See the Example section below for a detailed example.

The following shows an example annotation:

annotations:
   nitro.k8s.anjuna.io/encryptedConfigLocation: "/anjuna/files/confs/encrypted-config.bin"
This path must be an absolute filesystem path on the Pod, and it must point to the specific Local Encrypted Configuration that should be provided to the enclave.

Providing the Local Encrypted Configuration to the Pod

The Local Encrypted Configuration must be present on the Pod’s filesystem in order for the launcher Pod to serve it to the enclave. There are several ways to do this:

  • Create a Kubernetes Secret or ConfigMap containing the Encrypted Configuration.

  • Create a PersistentVolume containing the Encrypted Configuration, and expose it to the Pod using a PersistentVolumeClaim.

  • Upload the Encrypted Configuration to a file store (such as S3), and add an init container that downloads it and makes it available to the launcher Pod.

To prevent the volume from being forwarded into the enclave, name the volume with the anjuna-system- prefix (for example, anjuna-system-encrypted-conf). This prefix tells the Anjuna Kubernetes Toolset for AWS EKS to mount the volume directly on the launcher Pod and not forward it to the enclave.

The same anjuna-system- prefix rule applies regardless of which delivery mechanism you use (Secret, ConfigMap, PersistentVolumeClaim, or init container output).

Example

Below is an end-to-end example of how to provide and use a Local Encrypted Configuration with the Anjuna Kubernetes Toolset for AWS EKS. This example uses a Kubernetes Secret to deliver the file to the launcher Pod, but any of the alternatives listed above will work.

As stated above, this example relies on the example in Providing secrets to the AWS Nitro Enclave, specifically the examples for Local Encrypted Configurations. Before continuing, follow those instructions to:

This should produce two files: an EIF and an Encrypted Configuration.

Declare the following environment variables:

$ export EIF_PATH=<path to EIF>
$ export ENCRYPTED_CONFIG_PATH=<path to Local Encrypted Configuration>
$ export EIF_S3_DIRECTORY=<s3://... s3 directory where the EIF can be uploaded to>

First, upload the EIF to the S3 directory:

$ aws s3 cp ${EIF_PATH} ${EIF_S3_DIRECTORY}/example.eif

Second, create a Kubernetes Secret from the Local Encrypted Configuration:

$ kubectl create secret generic example-encrypted-conf \
    --from-file=encrypted-config.bin=${ENCRYPTED_CONFIG_PATH}

Finally, deploy the Pod:

$ cat > pod_deployment.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: encrypted-conf-env-pod
  labels:
    name: encrypted-conf-env-pod
    nitro.k8s.anjuna.io/managed: "yes"
  annotations:
    nitro.k8s.anjuna.io/imageLocation: "${EIF_S3_DIRECTORY}/example.eif"
    nitro.k8s.anjuna.io/encryptedConfigLocation: "/anjuna/files/confs/encrypted-config.bin"
spec:
  containers:
  - name: encrypted-conf-env
    image: DOES-NOT-MATTER
    imagePullPolicy: Always
    resources:
      limits:
        memory: "2048Mi"
        cpu: "2"
    volumeMounts:
    - name: anjuna-system-encrypted-conf
      mountPath: "/anjuna/files/confs"
      readOnly: true
  volumes:
  - name: anjuna-system-encrypted-conf
    secret:
      secretName: example-encrypted-conf
EOF
$ kubectl apply -f pod_deployment.yaml

Notice that the volume name has the required anjuna-system- prefix, and that the mountPath plus the filename from the Secret together produce the absolute path declared in the nitro.k8s.anjuna.io/encryptedConfigLocation annotation.

You can confirm that the Pod launched correctly and that the enclave received the configuration by running the following:

$ kubectl logs encrypted-conf-env-pod

Teardown

To tear down this example, run the following:

$ kubectl delete -f pod_deployment.yaml
$ kubectl delete secret example-encrypted-conf
$ aws s3 rm ${EIF_S3_DIRECTORY}/example.eif