K8s + HashiCorp Vault on Azure DCsv3
Once your machine is prepared for SGX and you have installed the Kubernetes-related dependencies, you can proceed:
Clone the repository for the Vault SGX Plugin by executing the command:
Navigate to the cloned repository:
Switch to the "workaround" branch:
The pccs/pccs.yaml file requires an API key from the Intel PCS API. Add this API key to the APIKEY environment variable in the YAML file.
To subscribe to the Intel Provisioning Certificate Service and receive an API key, visit the following link: Intel Provisioning Certificate Service. Click "Subscribe", then log in or create a new account; the key is shown in your subscription.
Apply the YAML file for the PCCS (Provisioning Certificate Client Service) by running the command:
Apply the YAML file for Vault by executing:
Wait for both pods to be ready:
To make the Vault API easy to reach for demonstration purposes, open another shell, connect to the control node and create a port forward by running:
Create a directory to store certificates:
This directory will serve as the storage for certificates.
Set the deployment namespace used for certificate setup:
Set the VAULT_CACERT environment variable to the path of the SGX PKI certificate file:
Set the VAULT_ADDR environment variable to the address of the Vault API:
The measurement value can be extracted from the SIGSTRUCT in the Docker container by running:
This measurement value is the MRENCLAVE of the current Vault release.
Build the client binary from enclaive/vault-sgx-plugin/cmd/client/:
Use the following command for attestation:
The setup of the PCCS and Vault client is complete. You can now use the Vault client as follows:
Initialize the Vault and keep a note of the Unseal Key and Initial Root Token:
Unseal the Vault with the Unseal Key you just noted:
Log in to the Vault with the Initial Root Token:
Vault requires the SHA256 parameter when registering a plugin: it pins the hash of the plugin binary so that Vault only loads the binary you registered. Extract the hash from the Docker container by running:
Register the Vault SGX plugin using the following command:
Enable the secret engines and set up the PKI by running the following command:
This command requires the ENCLAIVE_NAMESPACE variable to be set and generates the client certificates used for demonstration or for external connections to Vault.
Register the Redis-SGX container with a secret using the following command:
The script contains example secrets with the expected measurement already hardcoded; it uses only standard Vault CLI commands.
With these steps completed, your cluster is ready to attest an application. See the Use Cases for specific guidance on the applications you want to deploy.
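The measurement step above pins the MRENCLAVE of the Vault release; the following added example (not part of the Vault SGX plugin or this tutorial) shows how that value, together with ISVPRODID and ISVSVN, is read out of a raw SIGSTRUCT file and compared with the expected measurement before it is registered in Vault. Field offsets follow the Intel SDM SIGSTRUCT layout; the sample SIGSTRUCT is constructed and unsigned, and the hypothetical expected value is a placeholder.

```python
import hmac
import struct

# SIGSTRUCT layout (Intel SDM): 1808 bytes; fields used here, with byte offsets.
SIGSTRUCT_SIZE = 1808
HEADER = bytes.fromhex("06000000E10000000000010000000000")
OFF_ENCLAVEHASH = 960   # ENCLAVEHASH = MRENCLAVE, 32 bytes
OFF_ISVPRODID = 1024    # uint16 little-endian
OFF_ISVSVN = 1026       # uint16 little-endian

# Constructed placeholder measurement for the offline sample (not a real Vault release).
SAMPLE_MRENCLAVE = bytes(range(0x10, 0x30))


def parse_sigstruct(blob: bytes) -> dict:
    """Return MRENCLAVE (hex), ISVPRODID and ISVSVN from a raw SIGSTRUCT blob."""
    if len(blob) != SIGSTRUCT_SIZE:
        raise ValueError(f"SIGSTRUCT must be {SIGSTRUCT_SIZE} bytes, got {len(blob)}")
    if blob[:16] != HEADER:
        raise ValueError("bad SIGSTRUCT header magic")
    mrenclave = blob[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + 32].hex()
    isvprodid, isvsvn = struct.unpack_from("<HH", blob, OFF_ISVPRODID)
    return {"mrenclave": mrenclave, "isvprodid": isvprodid, "isvsvn": isvsvn}


def measurement_matches(blob: bytes, expected_mrenclave_hex: str) -> bool:
    """Compare the extracted MRENCLAVE with the value to be pinned in Vault (constant time)."""
    actual = parse_sigstruct(blob)["mrenclave"]
    return hmac.compare_digest(actual, expected_mrenclave_hex.lower())


def build_sample_sigstruct(mrenclave: bytes, isvprodid: int, isvsvn: int) -> bytes:
    """Constructed, unsigned SIGSTRUCT for offline testing only."""
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[:16] = HEADER
    buf[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + 32] = mrenclave
    struct.pack_into("<HH", buf, OFF_ISVPRODID, isvprodid, isvsvn)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_sigstruct(SAMPLE_MRENCLAVE, 7, 3)
    print(parse_sigstruct(sample))
    print("matches expected:", measurement_matches(sample, SAMPLE_MRENCLAVE.hex()))
```

On a real deployment, feed the SIGSTRUCT copied out of the Vault container to parse_sigstruct and register the resulting MRENCLAVE only if measurement_matches confirms it equals the value published for that release.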