Configuring and deploying the Anjuna Kubernetes Toolset

In the previous section, you uploaded the Anjuna Nitro Kubernetes containers to AWS ECR. In this section, you will deploy the Anjuna Nitro Device Manager and Webhook.

The Webhook is a MutatingWebhookConfiguration that intercepts AWS Nitro Pod creation requests and creates a launcher Pod to deploy the customer image inside an AWS Nitro enclave.

First, review the helm-charts/anjuna-tools/values.yaml file, which was generated by Terraform. It contains the following values:

caBundle

The CA certificate that signed the Webhook's TLS certificate, encoded as a single-line base64 string of the original multi-line PEM certificate.

nitroReservedCPU

The default number of cores the webhook should assign to an AWS Nitro enclave if not specified for the specific Pod. You normally want to match this to the nitro_reserved_cpu variable in Terraform, which is the number of CPU cores reserved on AWS Nitro worker Nodes for enclaves. Up to four AWS Nitro Enclaves can run on one worker Node at a time (the current AWS Nitro limitation), and each enclave requires at least 2 vCPUs. Any reserved cores that are not used by enclaves are wasted, as these cores are not available to the parent VM.

nitroReservedMemMB

The default amount of memory in megabytes that the webhook should assign to an AWS Nitro enclave if not specified for the specific container. You normally want to match this to the nitro_reserved_mem_mb variable in Terraform, which is the amount of memory reserved on AWS Nitro worker Nodes for enclaves. Up to four AWS Nitro Enclaves can run on one worker Node at a time (the current AWS Nitro limitation), and each enclave requires at least 1024 MB of memory. Any reserved memory that is not used by enclaves is wasted, as this memory is not available to the parent VM.

launcherRepo

The registry and repository where Anjuna Launcher image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-nitro-launcher

webhookRepo

The registry and repository where Anjuna Nitro Webhook image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-nitro-webhook

deviceManagerRepo

The registry and repository where Anjuna Device Manager image(s) are stored. For example: account.dkr.ecr.region.amazonaws.com/anjuna-device-manager
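Before running helm install, it is worth sanity-checking the generated values against the rules above. The following POSIX shell helpers are an added example, not part of the Anjuna toolset: they encode a PEM CA certificate into the one-line caBundle form, verify that a caBundle value is a single line of base64 that decodes to a PEM certificate, and check the enclave defaults against the per-enclave minimums (2 vCPUs, 1024 MB) and the four-enclaves-per-node limit stated in the text. SAMPLE_PEM is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example for checking helm-charts/anjuna-tools/values.yaml inputs.
# Constructed placeholder PEM (not a real certificate) used for the demo.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----'

# Encode a multi-line PEM read from stdin into the one-line base64 string
# that the caBundle field expects. Uses tr instead of the GNU-only -w0.
encode_ca_bundle() {
    base64 | tr -d '\n'
}

# Return 0 if $1 is a single-line base64 value whose payload is a PEM
# certificate, as caBundle requires; otherwise print the reason and return 1.
check_ca_bundle() {
    bundle="$1"
    newlines=$(printf '%s' "$bundle" | wc -l | tr -d ' ')
    [ "$newlines" -eq 0 ] || { echo "caBundle must be one line" >&2; return 1; }
    decoded=$(printf '%s' "$bundle" | base64 -d 2>/dev/null) \
        || { echo "caBundle is not valid base64" >&2; return 1; }
    case "$decoded" in
        "-----BEGIN CERTIFICATE-----"*) return 0 ;;
        *) echo "caBundle does not decode to a PEM certificate" >&2; return 1 ;;
    esac
}

# Return 0 if the defaults ($1 = nitroReservedCPU, $2 = nitroReservedMemMB)
# meet the minimum an enclave needs: 2 vCPUs and 1024 MB.
check_enclave_defaults() {
    [ "$1" -ge 2 ] || { echo "nitroReservedCPU must be >= 2" >&2; return 1; }
    [ "$2" -ge 1024 ] || { echo "nitroReservedMemMB must be >= 1024" >&2; return 1; }
    return 0
}

# Print how many minimum-sized enclaves a node reservation could host
# ($1 = reserved vCPUs, $2 = reserved MB), capped at the AWS limit of four.
# Assumes each enclave is given the minimum 2 vCPUs / 1024 MB.
max_enclaves_for_reservation() {
    by_cpu=$(( $1 / 2 ))
    by_mem=$(( $2 / 1024 ))
    n=$by_cpu
    [ "$by_mem" -lt "$n" ] && n=$by_mem
    [ "$n" -gt 4 ] && n=4
    echo "$n"
}
```

Point check_ca_bundle at the caBundle string from values.yaml and check_enclave_defaults at the two numeric fields; a reservation sized to match a single default enclave yields a count of 1 from max_enclaves_for_reservation, which is expected when nitroReservedCPU equals nitro_reserved_cpu.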

Now let’s deploy the Anjuna Device Manager and Anjuna Webhook into the cluster:

$ helm install anjuna-tools helm-charts/anjuna-tools

Use the following command to verify that the Anjuna Tools are deployed:

$ helm list
NAME          NAMESPACE  REVISION  UPDATED              STATUS    CHART           APP VERSION
anjuna-tools  default    1         2022-04-29 13:52:16  deployed  anjuna-tools-1  ...

To see the list of running Pods, execute the following command:

$ kubectl get pods

The output will be similar to the following, depending on the number of nodes in the cluster. There will be one anjuna-nitro-device-manager-xxx Pod for each node in the cluster:

NAME                                READY   STATUS              RESTARTS   AGE
anjuna-nitro-device-manager-7wvkp   1/1     Running             0          2s
anjuna-nitro-device-manager-bq6fw   0/1     ContainerCreating   0          2s
anjuna-nitro-device-manager-kx5bv   0/1     ContainerCreating   0          2s
anjuna-nitro-webhook-app            1/1     Running             0          7s

Congratulations, the Anjuna Toolset is installed in your cluster, and the Webhook is ready to intercept Pod creation events to automatically create AWS Nitro Enclaves.