Using a Local Encrypted Configuration
This page covers how to deliver a Local Encrypted Configuration to an enclave running as a Pod in the Anjuna Kubernetes Toolset for AWS EKS. The Local type of Encrypted Configuration is a file that should be present on the Pod’s filesystem at runtime so the launcher Pod can pass it to the enclave.
The full Local Encrypted Configuration workflow has steps that happen before the Pod is deployed
(creating the cleartext secrets, encrypting them,
declaring encryptedConfig.type: local in the Anjuna Nitro Enclave Configuration file,
building the EIF, and authorizing the EIF’s measurements in the AWS KMS key policy).
Those steps are covered
in Providing secrets to the AWS Nitro Enclave.
This page picks up after those steps and focuses on the EKS-specific work.
See the Example section below for relevant links to the Providing secrets section.
Configuring the Pod to use a Local Encrypted Configuration
To tell the launcher Pod where the Local Encrypted Configuration is,
use the nitro.k8s.anjuna.io/encryptedConfigLocation annotation.
See the Example section below for a detailed example.
The following shows an example annotation:
annotations: nitro.k8s.anjuna.io/encryptedConfigLocation: "/anjuna/files/confs/encrypted-config.bin"
| This path must be an absolute filesystem path on the Pod, and it must point to the specific Local Encrypted Configuration that should be provided to the enclave. |
Providing the Local Encrypted Configuration to the Pod
The Local Encrypted Configuration must be present on the Pod’s filesystem in order for the launcher Pod to serve it to the enclave. There are several ways to do this:
-
Create a Kubernetes
SecretorConfigMapcontaining the Encrypted Configuration. -
Create a
PersistentVolumecontaining the Encrypted Configuration, and expose it to the Pod using aPersistentVolumeClaim. -
Upload the Encrypted Configuration to a file store (such as S3), and add an init container that downloads it and makes it available to the launcher Pod.
To prevent the volume from being forwarded into the enclave,
name the volume with the anjuna-system- prefix (for example, anjuna-system-encrypted-conf).
This prefix tells the Anjuna Kubernetes Toolset for AWS EKS to mount the volume directly on the launcher Pod
and not forward it to the enclave.
The same anjuna-system- prefix rule applies
regardless of which delivery mechanism you use
(Secret, ConfigMap, PersistentVolumeClaim, or init container output).
|
Example
Below is an end-to-end example of how to provide and use a Local Encrypted Configuration with the Anjuna Kubernetes Toolset for AWS EKS. This example uses a Kubernetes Secret to deliver the file to the launcher Pod, but any of the alternatives listed above will work.
As stated above, this example relies on the example in Providing secrets to the AWS Nitro Enclave, specifically the examples for Local Encrypted Configurations. Before continuing, follow those instructions to:
This should produce two files: an EIF and an Encrypted Configuration.
Declare the following environment variables:
$ export EIF_PATH=<path to EIF>
$ export ENCRYPTED_CONFIG_PATH=<path to Local Encrypted Configuration>
$ export EIF_S3_DIRECTORY=<s3://... s3 directory where the EIF can be uploaded to>
First, upload the EIF to the S3 directory:
$ aws s3 cp ${EIF_PATH} ${EIF_S3_DIRECTORY}/example.eif
Second, create a Kubernetes Secret from the Local Encrypted Configuration:
$ kubectl create secret generic example-encrypted-conf \
--from-file=encrypted-config.bin=${ENCRYPTED_CONFIG_PATH}
Finally, deploy the Pod:
$ cat > pod_deployment.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
name: encrypted-conf-env-pod
labels:
name: encrypted-conf-env-pod
nitro.k8s.anjuna.io/managed: "yes"
annotations:
nitro.k8s.anjuna.io/imageLocation: "${EIF_S3_DIRECTORY}/example.eif"
nitro.k8s.anjuna.io/encryptedConfigLocation: "/anjuna/files/confs/encrypted-config.bin"
spec:
containers:
- name: encrypted-conf-env
image: DOES-NOT-MATTER
imagePullPolicy: Always
resources:
limits:
memory: "2048Mi"
cpu: "2"
volumeMounts:
- name: anjuna-system-encrypted-conf
mountPath: "/anjuna/files/confs"
readOnly: true
volumes:
- name: anjuna-system-encrypted-conf
secret:
secretName: example-encrypted-conf
EOF
$ kubectl apply -f pod_deployment.yaml
Notice that the volume name has the required anjuna-system- prefix,
and that the mountPath plus the filename from the Secret together produce the absolute path
declared in the nitro.k8s.anjuna.io/encryptedConfigLocation annotation.
You can confirm that the Pod launched correctly and that the enclave received the configuration by running the following:
$ kubectl logs encrypted-conf-env-pod