Build the client enclave

When you run an Anjuna Confidential Container, you provide a container image for your application code. In this section, you will define an example application that will access secrets from the Anjuna Policy Manager server. This document refers to this application as the “client”, since it is a client of the Anjuna Policy Manager (APM).

Environment variables for building the client

The subsequent APM client sections use several environment variable settings defined below.

When creating multiple client images, set the CLIENT_PREFIX environment variable to a unique value among your client images.

To use the default, which is suitable for a single client, run the following command. It sets the variable to the $PREFIX value defined in the Set environment variables section, followed by “-apm-client”:

$ export CLIENT_PREFIX="${PREFIX}-apm-client"

Run the following commands to define additional environment variables that will be used to name resources created in the following sections:

$ export APM_CLIENT_BUCKET="${CLIENT_PREFIX}"
$ export APM_CLIENT_IMAGE="${CLIENT_PREFIX}-image"
$ export APM_CLIENT_INSTANCE="${CLIENT_PREFIX}-instance"

Client Docker images

You will now build a Docker image to run in an Anjuna Confidential Container. Several steps are required for creating the image and are documented in the following sections. The files should be created in the apm-on-gcp/client directory.

The configuration files presented in this section are for testing only and should not be used in production. They are shown as examples and should be tailored to your specific client application.

Client Dockerfile

The following Dockerfile will output all environment variables (including any secret environment variables and their values!), print the contents of /secret_file.txt, and then wait forever, so that the enclave is not terminated. This is useful for testing only and should be adapted to your particular application for production.

Create a file named apm-on-gcp/client/Dockerfile with the following content:

# Ubuntu 20.04
FROM ubuntu@sha256:8eb87f3d6c9f2feee114ff0eff93ea9dfd20b294df0a0353bd6a4abf403336fe

CMD export;cat /secret_file.txt;sleep infinity

Build client Docker image

A client Docker image named apm-on-gcp-test-client can now be built with the following command, executed in the apm-on-gcp directory:

$ docker build -t apm-on-gcp-test-client ./client

Build the Anjuna Confidential Container for the client

Once the desired client Docker image has either been created or selected from existing images, an enclave image can be created. An enclave image is created from the Docker image and uploaded to the cloud using the Anjuna CLI (anjuna-gcp-cli).

Client enclave config file

An enclave config file is used to define the settings for connecting to the APM server. It also specifies the secret values to access, which are made available to the enclave as environment variables or files.

The following command outputs a file named apm-on-gcp/client-config.yaml, which can be used as a template. It contains a secret value as an environment variable, and another secret value as a file. Change, add, or remove these YAML sections depending on your application:

  • SECRET_ENV - An example environment variable name. Change this to a value used by your application, or remove the entire envs YAML section if no environment variable secrets are needed.

  • apm-path/to/secret-env - Path in the APM server of a key-value secret to assign to the environment variable.

  • /secret_file.txt - The path and name of a file in which to save a secret. Change this to a value used by your application, or remove the entire files section if no file secrets are needed.

  • apm-path/to/secret-file - Path in the APM server of a key-value secret to assign to the secret file.

$ cat << EOF > client-config.yaml
version: 1.7
apmConfig:
  url: https://${APM_SERVER_HOST}:8200
  envs:
  - name: SECRET_ENV
    engine: anjuna
    apmPath: apm-path/to/secret-env
  files:
  - path: /secret_file.txt
    engine: anjuna
    apmPath: apm-path/to/secret-file
  caCert: |
$(sed 's/^/    /' tls-cert.pem)
EOF

Build client disk image

To build the client enclave disk image, run the command below within the top level apm-on-gcp directory. Make sure to replace the following parameters with the desired values for this client:

  • client-disk.raw - The client disk image output file name.

    • If you are creating multiple client images, you should change this filename to be unique. Otherwise, each client disk image will overwrite the last disk image file.

  • apm-on-gcp-test-client - The name of the client Docker image to use.

$ anjuna-gcp-cli disk create \
    --config client-config.yaml \
    --disk client-disk.raw \
    --docker-uri apm-on-gcp-test-client | tee pcr.log

$ export SIGNER_ID=$(grep "PCR16" pcr.log | grep -Eo "[A-F0-9]{64}")
$ export ENCLAVE_ID=$(grep "ENCLAVE ID" pcr.log | grep -Eo "[A-F0-9]{64}")

You can also sign the enclave disk image with an RSA private key by passing the path to the private key with the --signing-key option. This provides a common verification method across multiple different enclave images. See anjuna-gcp-cli disk create for example usage. When there is no signing key, as in the example above, PCR16 will be all zeros.
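The two export lines above silently produce empty variables if the log does not contain what grep expects, and an empty SIGNER_ID or ENCLAVE_ID would later be handed to the Managing secrets step as if it were a real identity. The following shell function is an added example (not part of the Anjuna documentation or tooling) that extracts each value from a pcr.log capture, fails loudly when a well-formed 64-character hex value is not found, and flags an all-zero PCR16 as an unsigned build; the sample log it writes is constructed, and its line layout is an assumption about the real tool output.

```shell
#!/bin/sh
# Added example: validate the PCR16 / ENCLAVE ID values captured from
# "anjuna-gcp-cli disk create ... | tee pcr.log" before exporting them.
# The sample log layout is constructed for this example; adjust the
# labels to match the real pcr.log if the tool prints them differently.

# Print the first 64-hex-char value on the line carrying the given label.
# Returns 1 (and prints nothing) when no such value is present.
pcr_value() {
    label=$1
    log=$2
    value=$(grep -- "$label" "$log" | grep -Eo '[A-Fa-f0-9]{64}' | head -n 1)
    case $value in
        *[!A-Fa-f0-9]*|"") return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Return 0 when the value is all zeros, which the page states is the
# PCR16 value of a disk image built without --signing-key.
is_unsigned_pcr16() {
    case $1 in
        *[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write a constructed sample log (not real anjuna-gcp-cli output) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Disk image created: client-disk.raw
PCR16 0000000000000000000000000000000000000000000000000000000000000000
ENCLAVE ID 4F2A9C1B7E3D5A6F8B0C2D4E6F1A3B5C7D9E0F1A2B3C4D5E6F7A8B9C0D1E2F3A
EOF
}

# Usage mirroring the page's export lines, but refusing to continue with
# an empty identifier. Replace SAMPLE_LOG with pcr.log for a real build.
SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
SIGNER_ID=$(pcr_value "PCR16" "$SAMPLE_LOG") || { echo "PCR16 not found in log" >&2; exit 1; }
ENCLAVE_ID=$(pcr_value "ENCLAVE ID" "$SAMPLE_LOG") || { echo "ENCLAVE ID not found in log" >&2; exit 1; }
export SIGNER_ID ENCLAVE_ID
if is_unsigned_pcr16 "$SIGNER_ID"; then
    echo "note: PCR16 is all zeros; the disk image was built without --signing-key" >&2
fi
rm -f "$SAMPLE_LOG"
```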

Disk image PCR values

When executing the command from the previous step, the enclave PCR values will be output, including the ENCLAVE ID and signer key PCR16. These values will be needed in the Managing secrets section when authorizing access to APM secrets and should be saved for later use. Alternatively, the following command can be run on the disk image to display the values again (replace client-disk.raw with the name of the client disk image used in the previous command):

$ anjuna-gcp-cli disk pcr --disk client-disk.raw

Upload client disk image

To upload the client disk image to the cloud, run the command below from within the top level apm-on-gcp directory. Make sure to replace the following parameters with the desired values for this client:

  • client-disk.raw - The client disk image file name that was used in the Build client disk image step.

  • APM_CLIENT_IMAGE - Change the value of this environment variable if you want to use a different client image name from the one that was defined in the Set environment variables section; for example, if you have multiple images in the same GCP project.

$ anjuna-gcp-cli disk upload \
    --disk client-disk.raw \
    --bucket "${APM_CLIENT_BUCKET}" \
    --image "${APM_CLIENT_IMAGE}" \
    --project "${GCP_PROJECT}"