Build the Anjuna Policy Manager server

Project directory structure

The following commands create a top-level directory for this deployment project named apm-on-gcp and two additional subdirectories named server and client, which will contain the files for the Docker images:

$ mkdir -p apm-on-gcp/{server,client}
$ cd apm-on-gcp

The resulting directory structure should look like this:

apm-on-gcp
  +- client
  +- server

Prepare server Docker image

The Anjuna Policy Manager (APM) server Docker image will be used for the APM server compute instance. Several steps are required for creating this image, which are documented in the following sections. These files should be created in the apm-on-gcp/server directory.

apm-start.sh

Run the command below from the apm-on-gcp directory to create a file named apm-on-gcp/server/apm-start.sh, which is the server startup script. The environment variables defined in Set environment variables will be substituted in the file content. You may want to verify the content of the file before proceeding.

This file defines a few steps:

  1. Fetch TLS cert and key from GCP Secrets Manager

  2. Set up the Anjuna GCP CLI

  3. Start the server using config.hcl (to be defined in the next section)

cat << EOF >server/apm-start.sh
#!/bin/bash

# Exit on any failure and echo each command (the trace shows secret names, not values)
set -ex

# Access TLS key and cert from Google Cloud Secret Manager and store them to files
gcloud secrets versions access latest \
    --secret "${APM_SERVER_TLS_KEY_SECRET}" \
    >/opt/anjuna/policy-manager/tls-key.pem
gcloud secrets versions access latest \
    --secret "${APM_SERVER_TLS_CERT_SECRET}" \
    >/opt/anjuna/policy-manager/tls-cert.pem

# Set up the Anjuna GCP CLI environment
source /opt/anjuna/gcp/env.sh

# Start the server; stdout and stderr both go to apm.log
anjuna-policy-manager-server server \
    -config /opt/anjuna/policy-manager/config.hcl \
    >/opt/anjuna/policy-manager/apm.log 2>&1
EOF

config.hcl

Run the command below from the apm-on-gcp directory to create a file named apm-on-gcp/server/config.hcl, which is the APM server configuration file. The environment variables defined in Set environment variables will be substituted in the file content. You may want to verify the content of the file before proceeding.

This file configures the behavior of the APM:

  1. Listen on port 8200

  2. Read the TLS cert and key from the filesystem (where the startup script stored them after fetching them from Secret Manager)

  3. Use Google Cloud Storage as storage backend

  4. Auto-unseal using Google Cloud KMS

cat << EOF >server/config.hcl
api_addr = "https://${APM_SERVER_HOST}:8200"

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_cert_file = "/opt/anjuna/policy-manager/tls-cert.pem"
  tls_key_file = "/opt/anjuna/policy-manager/tls-key.pem"
}

storage "gcs" {
  bucket = "${APM_SERVER_STORAGE}"
}

seal "gcpckms" {
  project     = "${GCP_PROJECT}"
  region      = "${KMS_LOCATION}"
  key_ring    = "${KMS_KEYRING}"
  crypto_key  = "${KMS_KEY}"
}
EOF
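Because both heredocs above are unquoted, any variable from Set environment variables that is unset or empty when the cat command runs is silently replaced by nothing: the resulting apm-start.sh would call gcloud with an empty secret name, and config.hcl would point at an empty bucket, an empty KMS key or an api_addr without a host. The script below is an added example, not part of the Anjuna documentation; it checks the required variables before the files are generated and then scans the generated files for the empty values such an omission leaves behind. The variable list is taken from the two heredocs above; the function names and the patterns they look for are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the Anjuna documentation): sanity checks for the
# files generated by the two unquoted heredocs, run from the apm-on-gcp directory.

# Every variable the two heredocs substitute (names taken from the page).
APM_REQUIRED_VARS="APM_SERVER_TLS_KEY_SECRET APM_SERVER_TLS_CERT_SECRET \
APM_SERVER_HOST APM_SERVER_STORAGE GCP_PROJECT KMS_LOCATION KMS_KEYRING KMS_KEY"

# check_required_vars: report every unset or empty variable on stderr and
# return 1 if any is missing, so it can gate the cat << EOF commands.
check_required_vars() {
  local missing=0 name val
  for name in $APM_REQUIRED_VARS; do
    eval "val=\${$name}"          # indirect lookup, works in sh and bash
    if [ -z "$val" ]; then
      echo "missing or empty: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# check_generated_file FILE: fail if FILE contains an empty quoted value (""),
# an unexpanded ${...} placeholder, or a URL with no host ("://:"), which are
# the three symptoms an unset variable leaves in apm-start.sh or config.hcl.
check_generated_file() {
  local file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  if grep -qE '""|\$\{|://:' "$file"; then
    echo "unsubstituted or empty value in $file:" >&2
    grep -nE '""|\$\{|://:' "$file" >&2
    return 1
  fi
  return 0
}
```

Typical use is `check_required_vars` before the two `cat << EOF` commands, and `check_generated_file server/apm-start.sh && check_generated_file server/config.hcl` afterwards; a non-zero exit means the image should not be built yet.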

Server Dockerfile

Now to put it all together, you will create a Dockerfile to set up the image and then run the startup script.

This Dockerfile expects that the Anjuna CLI installer, anjuna-gcp-installer.release-1.9.0008.bin, is present in apm-on-gcp/server. If it is not, you can copy it to this directory, or download it again from the Anjuna Resource Center.

Create a file named apm-on-gcp/server/Dockerfile with the following content:

# Ubuntu 20.04
FROM ubuntu@sha256:8eb87f3d6c9f2feee114ff0eff93ea9dfd20b294df0a0353bd6a4abf403336fe

# Install Anjuna GCP
COPY anjuna-gcp-installer.release-1.9.0008.bin /tmp/
RUN /bin/bash /tmp/anjuna-gcp-installer.release-1.9.0008.bin --extract
RUN rm /tmp/anjuna-gcp-installer.release-1.9.0008.bin

FROM ubuntu@sha256:8eb87f3d6c9f2feee114ff0eff93ea9dfd20b294df0a0353bd6a4abf403336fe

# Install gcloud-cli
RUN apt update
RUN apt -y install gnupg wget
RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
RUN wget -q -O- https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
RUN apt update && apt -y install google-cloud-cli=413.0.0-0

# Copy the APM artifacts from the previous stage
COPY --from=0 /opt/anjuna/gcp/env.sh /opt/anjuna/gcp/
COPY --from=0 /opt/anjuna/gcp/bin/anjuna-policy-manager /opt/anjuna/gcp/bin/
COPY --from=0 /opt/anjuna/gcp/bin/anjuna-policy-manager-server /opt/anjuna/gcp/bin/

# Copy APM config file and start script
COPY config.hcl /opt/anjuna/policy-manager/
COPY apm-start.sh /opt/anjuna/policy-manager/
RUN chmod +x /opt/anjuna/policy-manager/apm-start.sh

CMD /opt/anjuna/policy-manager/apm-start.sh

Build server Docker image

The APM server Docker image can now be built with the following command executed in the apm-on-gcp directory:

$ docker build -t apm-on-gcp-server ./server

Build the Anjuna Confidential Container image

The Anjuna Confidential Container image is created from the server Docker image and uploaded to the cloud using the Anjuna CLI (anjuna-gcp-cli).

Build server disk image

To build the server disk image, run the following command from within the top-level apm-on-gcp directory:

$ anjuna-gcp-cli disk create --disk server-disk.raw --docker-uri apm-on-gcp-server

Create a custom image

To upload the server disk image to GCP and create a custom image, run the following command from within the top-level apm-on-gcp directory:

$ anjuna-gcp-cli disk upload \
    --disk server-disk.raw \
    --bucket "${APM_SERVER_BUCKET}" \
    --image "${APM_SERVER_IMAGE}" \
    --project "${GCP_PROJECT}"