Confidential Computing 101
MongoDB in cK8s

Confidential Kubernetes

Use the following Kubernetes YAML manifest to deploy a MongoDB SGX instance inside Kubernetes:

apiVersion: v1
kind: Pod
metadata:
  name: enclaive-mongodb-sgx
  namespace: default
  labels:
    service: enclaive-mongodb-sgx
spec:
  initContainers:
    - name: init-vault-sgx
      image: busybox
      command: ['sh', '-c', 'until wget -O /dev/null --no-check-certificate -q -T 5 https://enclaive-vault-sgx:8200/v1/sys/health?standbyok=true;do echo "waiting for vault"; sleep 2; done']
  containers:
  - name: mongodb
    image: docker.io/enclaive/mongodb-sgx
    env:
      - name: ENCLAIVE_SERVER
        value: "https://enclaive-vault-sgx:8200"
    volumeMounts:
    - mountPath: /etc/sgx_default_qcnl.conf
      subPath: sgx_default_qcnl.conf
      name: qcnl-conf
    - mountPath: /dev/sgx/enclave
      name: dev-sgx-enclave
    - mountPath: /dev/sgx_enclave
      name: dev-sgx-enclave
    - mountPath: /dev/sgx_provision
      name: dev-sgx-provision
    - mountPath: "/data/"
      name: enclaive-docker-mongodb-sgx-data
    - mountPath: "/logs/"
      name: enclaive-docker-mongodb-sgx-logs
    securityContext:
      privileged: true
    ports:
      - containerPort: 27017
    imagePullPolicy: Always
  volumes:
  - name: qcnl-conf
    configMap:
      name: enclaive-sgx-pccs-config
  - name: dev-sgx-provision
    hostPath:
      path: /dev/sgx_provision
  - name: dev-sgx-enclave
    hostPath:
      path: /dev/sgx_enclave
  - name: enclaive-docker-mongodb-sgx-data
    hostPath:
      path: /etc/enclaive/enclaive-docker-mongodb-sgx/data
  - name: enclaive-docker-mongodb-sgx-logs
    hostPath:
      path: /etc/enclaive/enclaive-docker-mongodb-sgx/logs

---

apiVersion: v1
kind: Service
metadata:
  name: enclaive-mongodb-sgx
  namespace: default
spec:
  ports:
  - port: 27017
    protocol: TCP
    targetPort: 27017
  selector:
    service: enclaive-mongodb-sgx

Save the file as mongodb.yaml, then deploy it with kubectl apply -f mongodb.yaml.

Then run kubectl port-forward svc/enclaive-mongodb-sgx 27017:27017 to forward the MongoDB port to your local machine.

Finally, run mongosh to manage your database. If you want to manage the database from your local machine, first install mongosh by following the instructions here.

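The deployment steps above, wrapped in a shell script as an added example (this is not part of the enclaive documentation or the enclaive Development Kit). It assumes the manifest was saved as mongodb.yaml in the current directory, that kubectl and mongosh are on PATH, and that it is run on the SGX worker node of a single-node setup so that the /dev/sgx_* check is meaningful; the file name preflight.sh, the function names and the 30-attempt bound are choices made here, not anything the page specifies. Two things the script adds to the manual steps: the pod's hostPath mounts and privileged security context only work if the node really exposes /dev/sgx_enclave and /dev/sgx_provision, and the init container's until wget loop never gives up, so a wrong Vault address shows up only as a pod stuck in Init; wait_for_url is a bounded drop-in for that command.

```shell
#!/bin/sh
# Added example (not from the enclaive docs): pre-flight checks and a bounded
# deploy/verify sequence for the enclaive-mongodb-sgx pod manifest.
# Assumptions (hypothetical): manifest saved as mongodb.yaml, the Vault
# service and PCCS configmap names are the ones used in the manifest, and
# kubectl/mongosh are on PATH. Run on the SGX worker node itself.

# The pod mounts these hostPath device nodes; without the SGX driver on the
# node they do not exist and the container never starts. ROOT lets the check
# be pointed at a fake directory tree for testing (empty means the real /).
sgx_devices_present() {
  root="${1:-}"
  for dev in /dev/sgx_enclave /dev/sgx_provision; do
    if [ ! -e "$root$dev" ]; then
      echo "missing SGX device node: $dev" >&2
      return 1
    fi
  done
  return 0
}

# Same probe the init container uses (TLS verification is skipped because the
# Vault SGX service presents a self-signed certificate in this setup).
probe_url() {
  wget -O /dev/null --no-check-certificate -q -T 5 "$1"
}

# Bounded version of the init container's `until wget ...` loop: returns 1
# after MAX_TRIES failed probes instead of waiting forever.
wait_for_url() {
  url="$1"; max_tries="$2"; delay="${3:-2}"
  tries=0
  until probe_url "$url"; do
    tries=$((tries + 1))
    if [ "$tries" -ge "$max_tries" ]; then
      echo "gave up waiting for $url after $tries attempts" >&2
      return 1
    fi
    echo "waiting for $url ($tries/$max_tries)"
    sleep "$delay"
  done
  return 0
}

deploy_and_check() {
  # The manifest references this configmap and service; fail early if absent.
  kubectl -n default get configmap enclaive-sgx-pccs-config >/dev/null || return 1
  kubectl -n default get svc enclaive-vault-sgx >/dev/null || return 1
  kubectl apply -f mongodb.yaml || return 1
  kubectl -n default wait --for=condition=Ready pod/enclaive-mongodb-sgx --timeout=300s || return 1
  # Forward the service port in the background and ping the database.
  kubectl port-forward svc/enclaive-mongodb-sgx 27017:27017 >/dev/null 2>&1 &
  pf_pid=$!
  sleep 3
  mongosh --quiet --eval 'db.runCommand({ ping: 1 })' mongodb://127.0.0.1:27017
  rc=$?
  kill "$pf_pid" 2>/dev/null
  return $rc
}

# Only act when invoked as `sh preflight.sh deploy`; with no argument the
# file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  sgx_devices_present "" || exit 1
  deploy_and_check
fi
```

Run it as sh preflight.sh deploy. To use the bounded wait inside the pod instead of the open-ended loop, put the body of wait_for_url into the init container's command; it uses only until, arithmetic expansion and sleep, which busybox sh provides.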
Use MongoDB Community Kubernetes Operator

Follow the instructions in their README. There are 3 things to note:

  1. When installing or upgrading the Community Kubernetes Operator, install it with kubectl rather than Helm, so that you have the chance to configure it to use our container solution. You can configure the MongoDB Docker image or container registry with the following values:

    spec:
      containers:
        - name: mongodb-kubernetes-operator
          image: quay.io/mongodb/mongodb-kubernetes-operator:0.5.1
          command:
            - mongodb-kubernetes-operator
          imagePullPolicy: Always
          env:
            - name: MONGODB_IMAGE
              value: mongodb-sgx
            - name: MONGODB_REPO_URL
              value: docker.io/enclaive
  2. When you start to deploy a Replica Set, change the version number in config/samples/mongodb.com_v1_mongodbcommunity_cr.yaml to 6.0.0 (our current MongoDB image version number), then run the following commands so that the operator uses the right image:

    docker pull enclaive/mongodb-sgx
    docker tag enclaive/mongodb-sgx:latest enclaive/mongodb-sgx:6.0.0

Last updated 1 year ago
