K8s + HashiCorp Vault on Azure DCsv3
Last updated
Last updated
Once your machine is prepared for SGX and you have installed kubernetes related dependencies, you can proceed:
Clone the repository for the Vault SGX Plugin by executing the command:
Navigate to the cloned repository:
Switch to the "workaround" branch:
Note: If you are using Azure DCs_v3, please remove the enclaive-sgx-pccs-config
configMap and the qcnl-conf
volume from all YAML files. This is because Azure DCs_v3 uses the indirect method for platform registration, and the K8S PCCS cannot retrieve certificates from the Intel PCS. Instead, Azure's global PCCS should be used.
Note: Remove nodeName
selector or replace it to the selector that can select SGX available nodes correctly.
The pccs/pccs.yaml
YAML file requires an API key from the Intel PCS API. Add this API key to the environment variable APIKEY
in the YAML file.
To subscribe to Intel Provisioning Certificate Service and receive an API key, visit the following link: Intel Provisioning Certificate Service and click on "Subscribe", then log in / create a new account and you will find the key.
Apply the YAML file for the PCCS (Provisioning Certificate Client Service) by running the command:
Apply the YAML file for Vault by executing:
Wait for both of the pods to be ready:
To facilitate easy access to the Vault API for demonstration purposes, open another bash, connect to the control node and create a port forward by running:
Note: This can also be placed behind a load balancer in a production environment.
Create a directory to store certificates:
This directory will serve as the storage for certificates.
Set the deployment namespace used for certificate setup:
Set the VAULT_CACERT
environment variable to the path of the SGX PKI certificate file:
Note: The SGX PKI certificates will be written by the "client" binary, including the attested temporary Vault certificate.
Set the VAULT_ADDR
environment variable to the address of the Vault API:
The measurement value can be extracted from the SIGSTRUCT
in the Docker container by running:
This measurement value represents the MRENCLAVE
for the current Vault release.
Build client binary from enclaive/vault-sgx-plugin/cmd/client/
:
Use the following command for attestation:
Note: To ensure seamless operation and attestation availability upon restart, it is essential to deploy and configure the vault container before any other containers. To achieve this, enclaved applications utilize initContainers, which wait for the vault's health endpoint to signal an unsealed state. The vault deployment file utilizes an environment variable called ENCLAVE_DEPLOYMENT
, which serves as a unique deployment ID for the domain, equating to the namespace.
The setup of the PCCS and Vault client is complete. You can now use the Vault client as follows:
Initialize the Vault and keep a note of the Unseal Key
and Initial Root Token
:
Unseal the vault with the key we just noted:
Log in to the Vault with the Initial Root Token
:
The SHA256
parameter is an expected parameter for Vault, providing integrity over the plugin binary. Extract the hash from the Docker container by running:
Register the Vault SGX plugin using the following command:
Enable the secret engines and set up the PKI by running the following command:
This command requires the ENCLAIVE_NAMESPACE
variable to be set and will generate client certificates used for demonstration or external connections to Vault.
Register the Redis-SGX container with a secret using the following command:
The script has example secrets with the expected measurement already hardcoded. It uses only standard Vault commands from the CLI.
With these steps completed, your cluster is now ready to attest an application, check the Use Cases for the specific guidance on the applications you want to deploy.
🌍Tutorials