Configuring and Deploying the Anjuna Kubernetes Toolset
In the previous section, you uploaded the Anjuna Nitro Kubernetes containers to AWS ECR. In this section, you will deploy the Anjuna Nitro Device Manager and Webhook.
The Webhook is a MutatingWebhookConfiguration that intercepts AWS Nitro Pod creation requests and creates a launcher Pod to deploy the customer image inside an AWS Nitro enclave.
First, you may want to look at the helm-charts/anjuna-tools/values.yaml file, which was generated by terraform. It will have the following values:
caBundle - CA certificate that signed the Webhook's TLS certificate, encoded as a one-line base64 encoding of the original multi-line PEM certificate.

nitroReservedCPU - The default number of cores the webhook should assign to an AWS Nitro enclave if not specified for the specific Pod. You normally want to match this to the nitro_reserved_cpu variable in terraform, which is the number of CPU cores reserved on AWS Nitro worker nodes for enclaves. At the current time, only one AWS Nitro enclave can run on a worker node at a time, so any reserved cores that are not used by the enclave are wasted, as these cores are not available to the parent VM.

nitroReservedMemMB - The default amount of memory in megabytes that the webhook should assign to an AWS Nitro enclave if not specified for the specific container. You normally want to match this to the nitro_reserved_mem_mb variable in terraform, which is the amount of memory reserved on AWS Nitro worker nodes for enclaves. At the current time, only one AWS Nitro enclave can run on a worker node at a time, so any reserved memory that is not used by the enclave is wasted, as this memory is not available to the parent VM.

launcherRepo - The registry and repository where Anjuna Launcher image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-nitro-launcher

webhookRepo - The registry and repository where Anjuna Nitro Webhook image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-nitro-webhook

deviceManagerRepo - The registry and repository where Anjuna Device Manager image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-device-manager
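Two of the values above are easy to get subtly wrong: caBundle must be a single-line base64 string of the whole PEM file (a multi-line base64 or a stray newline will not be accepted as a valid bundle by the API server), and nitroReservedCPU / nitroReservedMemMB should agree with the terraform reservations, otherwise cores or memory reserved on the worker node sit idle. The script below is an added example, not part of the Anjuna chart or documentation: it encodes the bundle, validates an encoded value, and compares the chart defaults against the terraform variables. The file names ca.pem and terraform.tfvars, the placeholder certificate body, and the simple "key: value" / "name = value" layouts it parses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Anjuna chart or documentation. It prepares the caBundle
# value from a PEM file and checks that the chart's enclave resource defaults match the
# terraform variables. File names (ca.pem, terraform.tfvars) and the simple
# "key: value" / "name = value" layouts parsed below are assumptions.
set -eu

# Encode a multi-line PEM certificate as the single-line base64 string caBundle expects.
# `base64 | tr -d '\n'` avoids the GNU-only `-w0` flag and works with BSD base64 too.
encode_ca_bundle() {
    base64 < "$1" | tr -d '\n'
}

# Validate a caBundle value: it must contain no newlines and decode to a PEM certificate.
check_ca_bundle() {
    if [ "$(printf '%s' "$1" | wc -l)" -ne 0 ]; then
        echo "caBundle must be a single line" >&2; return 1
    fi
    decoded=$(printf '%s' "$1" | base64 -d) || { echo "caBundle is not valid base64" >&2; return 1; }
    case "$decoded" in
        "-----BEGIN CERTIFICATE-----"*) return 0 ;;
        *) echo "caBundle does not decode to a PEM certificate" >&2; return 1 ;;
    esac
}

# Read a top-level "key: value" scalar from values.yaml ($1 = file, $2 = key).
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Read a "name = value" assignment from a terraform.tfvars file ($1 = file, $2 = name).
tfvars_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Compare the chart defaults with the terraform reservations. Reserved cores or memory
# that the enclave does not use are wasted, since the parent VM cannot use them either.
check_reservations() {
    status=0
    for pair in nitroReservedCPU:nitro_reserved_cpu nitroReservedMemMB:nitro_reserved_mem_mb; do
        chart_key=${pair%%:*}
        tf_key=${pair##*:}
        chart_val=$(yaml_value "$1" "$chart_key")
        tf_val=$(tfvars_value "$2" "$tf_key")
        if [ "$chart_val" != "$tf_val" ]; then
            echo "mismatch: $chart_key=$chart_val in values.yaml but $tf_key=$tf_val in terraform" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed inputs; the PEM body is a placeholder, not a real certificate.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU' '-----END CERTIFICATE-----' > "$dir/ca.pem"
    bundle=$(encode_ca_bundle "$dir/ca.pem")
    check_ca_bundle "$bundle" && echo "caBundle: $bundle"
    printf 'caBundle: %s\nnitroReservedCPU: 2\nnitroReservedMemMB: 4096\n' "$bundle" > "$dir/values.yaml"
    printf 'nitro_reserved_cpu = 2\nnitro_reserved_mem_mb = 4096\n' > "$dir/terraform.tfvars"
    check_reservations "$dir/values.yaml" "$dir/terraform.tfvars" && echo "chart defaults match terraform reservations"
    rm -rf "$dir"
}
demo
```

Run it against the real files by replacing the constructed inputs in demo with the paths to your CA PEM, the generated helm-charts/anjuna-tools/values.yaml and your terraform variables file; a non-zero exit from check_reservations before `helm install` is cheaper than discovering idle reserved cores after the enclave is running.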
Now let’s deploy the Anjuna Device Manager and Anjuna Webhook into the cluster:
$ helm install anjuna-tools helm-charts/anjuna-tools
Use the following command to verify that the Anjuna Tools are deployed:
$ helm list
NAME           NAMESPACE   REVISION   UPDATED               STATUS     CHART            APP VERSION
anjuna-tools   default     1          2022-04-29 13:52:16   deployed   anjuna-tools-1   ...
To see the list of running Pods, execute the following command:
$ kubectl get pods
The output will be similar to the following, depending on the number of nodes in the cluster. There will be one anjuna-nitro-device-manager-xxx Pod for each node in the cluster:
NAME                                READY   STATUS              RESTARTS   AGE
anjuna-nitro-device-manager-7wvkp   1/1     Running             0          2s
anjuna-nitro-device-manager-bq6fw   0/1     ContainerCreating   0          2s
anjuna-nitro-device-manager-kx5bv   0/1     ContainerCreating   0          2s
anjuna-nitro-webhook-app            1/1     Running             0          7s
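The listing above is a snapshot taken a few seconds after install, so two device-manager Pods are still in ContainerCreating. Before handing the cluster over, you want the full condition the text describes: one device-manager Pod per node, every anjuna Pod Running with all containers ready, and the webhook Pod present. The following script is an added example, not from the Anjuna documentation; it parses `kubectl get pods` output (the sample below is constructed from the listing above) and compares the device-manager count with a node count you supply, for instance from `kubectl get nodes --no-headers | wc -l`.

```shell
#!/bin/sh
# Added example, not from the Anjuna documentation: check `kubectl get pods` output for
# the expected toolset state: one anjuna-nitro-device-manager Pod per node, all anjuna Pods
# Running and fully Ready, and the webhook Pod present.
set -eu

# Constructed sample, copied from the listing shown in the text (two Pods still starting).
SAMPLE='NAME                                READY   STATUS              RESTARTS   AGE
anjuna-nitro-device-manager-7wvkp   1/1     Running             0          2s
anjuna-nitro-device-manager-bq6fw   0/1     ContainerCreating   0          2s
anjuna-nitro-device-manager-kx5bv   0/1     ContainerCreating   0          2s
anjuna-nitro-webhook-app            1/1     Running             0          7s'

# Count device-manager Pods in a pod listing ($1 = output of `kubectl get pods`).
count_device_manager_pods() {
    printf '%s\n' "$1" | grep -c '^anjuna-nitro-device-manager-' || true
}

# Print anjuna Pods that are not Running with all containers ready; prints nothing when healthy.
not_ready_pods() {
    printf '%s\n' "$1" | awk 'NR > 1 && /^anjuna-/ {
        split($2, rc, "/");
        if ($3 != "Running" || rc[1] != rc[2]) print $1 " " $2 " " $3
    }'
}

# Overall check: $1 = pod listing, $2 = number of nodes in the cluster.
toolset_ready() {
    pods=$(count_device_manager_pods "$1")
    [ "$pods" -eq "$2" ] || { echo "expected $2 device-manager Pods (one per node), found $pods" >&2; return 1; }
    printf '%s\n' "$1" | grep -q '^anjuna-nitro-webhook' || { echo "webhook Pod not found" >&2; return 1; }
    bad=$(not_ready_pods "$1")
    [ -z "$bad" ] || { printf 'not ready yet:\n%s\n' "$bad" >&2; return 1; }
}

# Demonstration on the constructed sample with a three-node cluster assumed.
toolset_ready "$SAMPLE" 3 && echo "toolset ready" || echo "toolset not ready yet; re-run after the Pods finish starting"
```

In a live cluster, feed it `kubectl get pods` and `kubectl get nodes --no-headers | wc -l` instead of the sample; the function exits non-zero until every device-manager Pod has started, so it also works as a wait loop in a deployment pipeline.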
Congratulations, the Anjuna Toolset is installed in your cluster, and the Webhook is ready to intercept Pod creation events to automatically create AWS Nitro Enclaves.