Home
Technology
Try CC!

Redis in cK8s

To deploy the SGX application and access it using the Redis CLI in Kubernetes, follow these steps:

  1. Apply the YAML file for the Redis service application:

kubectl apply -f apps/redis/redis.yaml

This will deploy the actual SGX application that you want to use.

  1. Apply the YAML file for the Redis CLI demonstration client:

kubectl apply -f apps/redis/redis-cli.yaml

This will deploy a client container that allows easy access to the Redis CLI with attested CA.

  1. Copy the certs directory to the enclaive-redis-cli container:

kubectl cp certs/ enclaive-redis-cli:/data/

  1. Access the enclaive-redis-cli container's shell:

kubectl exec -it enclaive-redis-cli -- bash

  1. Connect to the Redis service using the Redis CLI command:

redis-cli -h enclaive-redis-sgx --tls --cacert certs/sgx-ca.pem --cert certs/sgx-cert.pem --key certs/sgx-key.pem

If everything goes as expected, the Redis CLI should connect to the attested and provisioned Redis service application through the Vault.

Configuration of enclaive Redis-SGX Container

Additionally, if you want to enclave your own applications using Gramine and achieve compatibility with the enclaive attestation infrastructure using Vault, you need to configure the enclaive Redis-SGX container as follows:

The container manifest should include at least the following values:

libos.entrypoint = "/app/premain"
loader.argv = [ "/usr/bin/redis-server", "/etc/redis.conf" ]
loader.env.ENCLAIVE_NAME = "enclaive-redis-sgx"
loader.env.ENCLAIVE_SERVER = { passthrough = true }
fs.mounts = [ { path = "/secrets/tmp", type = "tmpfs" } ]
sgx.enclave_size = "1G"
sgx.remote_attestation = "dcap"

Ideally, the memory size of the enclave should be set to 2G for better startup stability.

The TLS configuration is stored in the following paths within the container:

  • Public Certificate: /secrets/tmp/cert.pem

  • Private Key: /secrets/tmp/key.pem

  • Cluster CA: /secrets/tmp/ca.pem

You can use these paths for your application configuration.

Please note that forked processes do not share temporary filesystems and therefore cannot access the TLS credentials.

Last updated