Installing the Workload Policy Manager
Installing the Workload Policy Manager
The Workload Policy Manager is a lightweight application that assists in encrypting workload images. Because of the way this utility is used, it is not part of the Helm deployment for the rest of the ISecL application, and can be deployed on any machine with a supported OS for authoring encrypted workload images.
Required For
The WPM is REQUIRED for the following use cases.
- Workload Confidentiality (both VMs and Containers)
Supported Operating Systems
The Intel® Security Libraries Workload Policy Manager supports:
-
Red Hat Enterprise Linux 8.4
-
Ubuntu 20.04
Recommended Hardware
-
2 vCPUs
-
RAM: 8 GB
-
100 GB
-
One network interface with network access to the Key Broker and Workload Service
-
Additional memory and disk space may be required depending on the size of images to be encrypted
Installation
-
Copy the WPM installer to the
/rootdirectory -
Create the
wpm.envanswer file:
KBS_BASE_URL=https://<IP address or hostname of the KBS>:<KBS port>/kbs/v1/
WPM_SERVICE_USERNAME=<WPM_Service username mentioned in values.yaml>
WPM_SERVICE_PASSWORD=<WPM Service password mentioned in values.yaml>
CMS_TLS_CERT_SHA384=<Sha384 hash of the CMS TLS certificate>
CMS_BASE_URL=https://<IP address or hostname for CMS>:<CMS port>/cms/v1/
AAS_API_URL=https://<Hostname or IP address of the AAS>:<AAS port>/aas/v1
WPM_WITH_CONTAINER_SECURITY_CRIO=yes
- Steps to get sha384 hash of cms tls certificate
kubectl exec -it <cms_pod_name> -n <namespace> -- cms tlscertsha384
- Execute the WPM installer:
./wpm-v5.1.0.bin