Confidential Container configuration
An enclave configuration file is required to retrieve secrets from the APM
based on enclave identity,
and the configuration file must be provided to the anjuna-metal disk create command.
Example configuration
An example enclave configuration file is shown below:
version: 1.9
apmConfig:
  url: https://192.168.122.1:8200 # Replace with your APM server's IP address
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content (required for HTTPS connections) ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... Optional additional certificate(s)
    -----END CERTIFICATE-----
envs:
  - apmPath: cvm/app/EXAMPLE_ENV # Vault path to the secret to be retrieved
    engine: anjuna # Name of the engine holding apmPath
    name: EXAMPLE_API_KEY # Name of the environment variable to create
The APM configuration is used to retrieve secrets from the APM and make them available to your application running within the Anjuna Confidential Container, either as environment variables or as files.
TLS configuration
For HTTPS connections, you must specify a PEM-encoded CA certificate (or bundle)
in the .apmConfig.caCert field;
it is used to establish a trusted connection to the APM.
At least one of the certificates specified must be valid for the APM server
for a connection to be established successfully.
Note: HTTP connections without a CA certificate are also supported but not recommended.
APM URL configuration
The APM connection URL can be configured either at build time,
by specifying it in the enclave configuration file,
or at runtime,
by passing it into the instance create command via the --policy-manager-url flag.
If both are provided, the runtime value takes precedence.
Note: If an APM URL is specified in the Anjuna Confidential Container configuration file at build time, this value is excluded from the Enclave ID computed for that disk image.
For example, to set the APM URL to https://192.168.122.2:8200,
use the following command when starting an Anjuna Confidential Container
that has been configured for attestation:
$ anjuna-metal instance create hello \
    --disk=disk.tar.gz \
    --policy-manager-url=https://192.168.122.2:8200
Providing the APM URL at runtime allows the same Anjuna Confidential Container disk image to be used across different environments (e.g., Test and Production) while connecting to a different APM server in each case.
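As an added example (not part of Anjuna's documentation or tooling), the following Python check applies the rules described above to an enclave configuration that has already been loaded into a dict: an https URL needs at least one PEM certificate in apmConfig.caCert, plain http is flagged as not recommended, each envs entry needs its three fields, and a runtime --policy-manager-url overrides the build-time url. The field names follow the example file above; the sample certificate body and the function names are constructed for this illustration.

```python
import re

# Constructed sample mirroring the page's example file, in the form that
# yaml.safe_load would produce (the YAML library itself is not needed here).
SAMPLE_CONFIG = {
    "version": 1.9,
    "apmConfig": {
        "url": "https://192.168.122.1:8200",
        "caCert": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder body...\n-----END CERTIFICATE-----\n",
    },
    "envs": [
        {"apmPath": "cvm/app/EXAMPLE_ENV", "engine": "anjuna", "name": "EXAMPLE_API_KEY"},
    ],
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_enclave_config(cfg):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    apm = cfg.get("apmConfig") or {}
    url = apm.get("url")
    ca_cert = apm.get("caCert") or ""
    cert_count = len(PEM_BLOCK.findall(ca_cert))
    if url:
        if url.startswith("https://") and cert_count == 0:
            findings.append("apmConfig.url is https but apmConfig.caCert has no PEM certificate")
        elif url.startswith("http://"):
            findings.append("apmConfig.url uses plain http: supported but not recommended")
        elif not url.startswith("https://"):
            findings.append(f"apmConfig.url has an unexpected scheme: {url}")
    if ca_cert and cert_count == 0:
        findings.append("apmConfig.caCert is set but contains no PEM CERTIFICATE block")
    for i, env in enumerate(cfg.get("envs") or []):
        for key in ("apmPath", "engine", "name"):
            if not env.get(key):
                findings.append(f"envs[{i}] is missing required field '{key}'")
        name = env.get("name", "")
        if name and not ENV_NAME.match(name):
            findings.append(f"envs[{i}].name {name!r} is not a valid environment variable name")
    return findings


def effective_apm_url(cfg, runtime_url=None):
    """Precedence rule from the page: --policy-manager-url beats the build-time url."""
    return runtime_url or (cfg.get("apmConfig") or {}).get("url")
```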
For more information on enclave configuration, please refer to the enclave configuration file documentation.
Certificate provisioning warning
Note: You may see the following warning in your Anjuna Confidential Container log file during attestation:
Warning: Neither VCEK nor VLEK certificate found in data pages
This message can be safely ignored; however, it does indicate that the per-chip VCEK and/or platform VLEK certificates have not been provisioned for your host machine. In this case, the Anjuna Policy Manager will fall back to downloading the certificates it needs from AMD’s KDS service, which would require it to have internet access.