MongoDB in cK8s

Confidential Kubernetes

Use the following Kubernetes YAML file to deploy a MongoDB SGX instance inside Kubernetes:

apiVersion: v1
kind: Pod
metadata:
  name: enclaive-mongodb-sgx
  namespace: default
  labels:
    service: enclaive-mongodb-sgx
spec:
  initContainers:
    - name: init-vault-sgx
      image: busybox
      command: ['sh', '-c', 'until wget -O /dev/null --no-check-certificate -q -T 5 https://enclaive-vault-sgx:8200/v1/sys/health?standbyok=true;do echo "waiting for vault"; sleep 2; done']
  containers:
  - name: mongodb
    image: docker.io/enclaive/mongodb-sgx
    env:
      - name: ENCLAIVE_SERVER
        value: "https://enclaive-vault-sgx:8200"
    volumeMounts:
    - mountPath: /etc/sgx_default_qcnl.conf
      subPath: sgx_default_qcnl.conf
      name: qcnl-conf
    - mountPath: /dev/sgx/enclave
      name: dev-sgx-enclave
    - mountPath: /dev/sgx_enclave
      name: dev-sgx-enclave
    - mountPath: /dev/sgx_provision
      name: dev-sgx-provision
    - mountPath: "/data/"
      name: enclaive-docker-mongodb-sgx-data
    - mountPath: "/logs/"
      name: enclaive-docker-mongodb-sgx-logs
    securityContext:
      privileged: true
    ports:
      - containerPort: 27017
    imagePullPolicy: Always
  volumes:
  - name: qcnl-conf
    configMap:
      name: enclaive-sgx-pccs-config
  - name: dev-sgx-provision
    hostPath:
      path: /dev/sgx_provision
  - name: dev-sgx-enclave
    hostPath:
      path: /dev/sgx_enclave
  - name: enclaive-docker-mongodb-sgx-data
    hostPath:
      path: /etc/enclaive/enclaive-docker-mongodb-sgx/data
  - name: enclaive-docker-mongodb-sgx-logs
    hostPath:
      path: /etc/enclaive/enclaive-docker-mongodb-sgx/logs

---

apiVersion: v1
kind: Service
metadata:
  name: enclaive-mongodb-sgx
  namespace: default
spec:
  ports:
  - port: 27017
    protocol: TCP
    targetPort: 27017
  selector:
    service: enclaive-mongodb-sgx

Save the file as mongodb.yaml, then deploy it with kubectl apply -f mongodb.yaml.
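The Pod above runs its container with privileged: true and mounts host paths (the SGX device nodes plus the data and log directories), which is the kind of setting a manifest review should list explicitly. As an added example that is not part of enclaive's documentation, the following Python script walks a Pod spec, with this page's manifest transcribed into a dict (reduced to the audited fields), and reports privileged containers and every hostPath mount with a severity and its mount mode.

```python
"""Audit a Kubernetes Pod spec for privileged containers and hostPath mounts.
Added example, not part of the enclaive docs; MONGODB_SGX_POD is transcribed from
this page's manifest (only the audited fields) so it runs without a cluster or PyYAML."""

MONGODB_SGX_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [{
            "name": "mongodb",
            "image": "docker.io/enclaive/mongodb-sgx",
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"mountPath": "/dev/sgx_enclave", "name": "dev-sgx-enclave"},
                {"mountPath": "/dev/sgx_provision", "name": "dev-sgx-provision"},
                {"mountPath": "/data/", "name": "enclaive-docker-mongodb-sgx-data"},
                {"mountPath": "/etc/sgx_default_qcnl.conf", "name": "qcnl-conf",
                 "subPath": "sgx_default_qcnl.conf"},
            ],
        }],
        "volumes": [
            {"name": "qcnl-conf", "configMap": {"name": "enclaive-sgx-pccs-config"}},
            {"name": "dev-sgx-enclave", "hostPath": {"path": "/dev/sgx_enclave"}},
            {"name": "dev-sgx-provision", "hostPath": {"path": "/dev/sgx_provision"}},
            {"name": "enclaive-docker-mongodb-sgx-data",
             "hostPath": {"path": "/etc/enclaive/enclaive-docker-mongodb-sgx/data"}},
        ],
    },
}


def audit_pod(pod):
    """Return (severity, message) findings for one Pod manifest dict."""
    findings = []
    spec = pod.get("spec", {})
    # Map volume name -> host path for every hostPath volume in the Pod.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if v.get("hostPath")}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("high", f"container {c['name']} runs privileged"))
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_paths:
                continue
            path = host_paths[m["name"]]
            # SGX device nodes are what the enclave needs; other host paths are wider exposure.
            sev = "info" if path.startswith("/dev/sgx") else "medium"
            mode = "read-only" if m.get("readOnly") else "read-write"
            findings.append((sev, f"container {c['name']} mounts hostPath {path} {mode} at {m['mountPath']}"))
    return findings
```

Running audit_pod(MONGODB_SGX_POD) yields one high finding (privileged), two info findings for the SGX device nodes and one medium finding for the read-write data directory on the host.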

If you want to manage your database locally, you can first install mongosh locally by following the instructions here.

Then run kubectl port-forward svc/enclaive-mongodb-sgx 27017:27017 to forward the MongoDB port to your local machine.

Finally, run mongosh to manage your database.

Follow the instructions in the MongoDB Community Kubernetes Operator's README. There are three things to note:

  1. When installing or upgrading the Community Kubernetes Operator, install it with kubectl instead of Helm so that you can configure it to use our container solution.

  2. You can configure the MongoDB Docker image and container registry with the following values to use our container solution:

    spec:
      containers:
        - name: mongodb-kubernetes-operator
          image: quay.io/mongodb/mongodb-kubernetes-operator:0.5.1
          command:
            - mongodb-kubernetes-operator
          imagePullPolicy: Always
          env:
            - name: MONGODB_IMAGE
              value: mongodb-sgx
            - name: MONGODB_REPO_URL
              value: docker.io/enclaive
  3. When you deploy a Replica Set, change the version number in config/samples/mongodb.com_v1_mongodbcommunity_cr.yaml to 6.0.0 (our current MongoDB image version number), then run the following commands so that the operator uses the right image:

 docker pull enclaive/mongodb-sgx
 docker tag enclaive/mongodb-sgx:latest enclaive/mongodb-sgx:6.0.0
