Deploy the Anjuna Policy Manager and create secrets
Start the Confidential Container
The final step in the Anjuna Policy Manager Server deployment is to create the server instance by running the following command:
$ anjuna-gcp-cli instance create "${APM_SERVER_INSTANCE}" \
--image "${APM_SERVER_IMAGE}" \
--machine "n2d-standard-2" \
--network "${NETWORK_NAME}" \
--subnet "${SUBNET_NAME}" \
--zone "${GCP_ZONE}" \
--service-account "${SERVICE_ACCOUNT_EMAIL}" \
--scopes https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkms
Once the server instance has been created, the public IP address can be stored to an environment variable on the admin host and displayed using the following commands:
$ export APM_SERVER_IP=$(gcloud compute instances describe "${APM_SERVER_INSTANCE}" \
--format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone "${GCP_ZONE}")
$ echo "${APM_SERVER_IP}"
Server hostname resolution
If you are using a fully-qualified domain name for your Anjuna Policy Manager (APM) Server,
update the DNS A record for the domain name to point to the public IP (the value of $APM_SERVER_IP
)
of the APM server instance that you created in the previous step.
If you are not using a fully-qualified domain name for your APM Server,
add an entry to your administration computer /etc/hosts
file,
which resolves the GCP Internal DNS hostname to the public IP of your server.
Run the following command, which will add the line to your /etc/hosts
file:
$ echo "${APM_SERVER_IP} ${APM_SERVER_HOST}" | sudo tee -a /etc/hosts
Set up the CLI tools for managing the Anjuna Policy Manager
The Anjuna CLI for SEV on GCP includes two programs, anjuna-policy-manager-server
and anjuna-policy-manager
,
which are used to manage the APM.
The anjuna-policy-manager-server
program will be used for one-time initialization of
the APM Server.
The anjuna-policy-manager
program is used for managing secrets and authorization policies
for enclaves.
anjuna-policy-manager-server
CLI Settings
The anjuna-policy-manager-server
program is used for one time initialization of auto-unsealing
and GCP storage.
This requires that the TLS certificate that was used for the
TLS Configuration
section be copied to apm-on-gcp/tls-cert.pem
and that some connection settings are defined.
These can be set as environment variables with the following commands from within
the apm-on-gcp
directory:
$ export VAULT_ADDR="https://${APM_SERVER_HOST}:8200"
$ export VAULT_CACERT="$(pwd)/tls-cert.pem"
Initialize the APM Server
The first time the APM boots, the unsealing key, client enclave authentication, and key-value storage need to be initialized from the administration computer. These operations only need to be performed once.
Initialize unsealing key
Run the following command to initialize the encrypted storage bucket and unsealing key, and generate the root token:
$ anjuna-policy-manager-server operator init
The output from this command should be saved in a secure manner. It contains the recovery keys and root token.
The root token is required in subsequent administration commands for creating and managing secrets
and should be assigned to an environment variable with this command
(replace <ROOT_TOKEN>
with the value output from the previous command):
$ export VAULT_TOKEN="<ROOT_TOKEN>"
Create secrets
Configure anjuna-policy-manager CLI Settings
The anjuna-policy-manager-server
program is used for managing secrets and authorization policies
for enclaves.
Run the following commands to define additional environment variables required to connect to the server:
$ export ANJUNA_ADDR="https://${APM_SERVER_HOST}:8200"
$ export ANJUNA_CACERT="$(pwd)/tls-cert.pem"
$ export ANJUNA_TOKEN="${VAULT_TOKEN}"
Creating secrets
The example commands below will create the two secrets needed for the Client enclave config file. Replace the following fields with the desired values:
-
apm-path/to/secret-env
- The path to an example environment variable secret (the key portion of the key-value pair) -
SecretEnvValue
- The value of the environment variable -
apm-path/to/secret-file
- The path to an example file secret (the key portion of the key-value pair) -
SecretFileValue
- The path to the secrets file to store in the APM
anjuna-policy-manager secret create \
apm-path/to/secret-env \
--value=SecretEnvValue
anjuna-policy-manager secret create \
apm-path/to/secret-file \
--value="$(cat SecretFileValue)"
The secret file should be in ASCII/base64 format. |