Skip to content

Deploying SGX Use Cases Using Helm

Combined Helm charts provided to deploy an entire use case using a single configuration file, rather than deploying each individual service. This is the recommended method for deployment.

Available use case deployments include:

  • SGX Infrastructure (This deploys SGX Attestation infrastructure with Key transfer validation)
  • SGX Orchestration (This deploys SGX services including SGX Host Verification service and provide facility to update SGX information on a Kubernete's Custom Resource Definition with the help of IHUB)
  • SGX Infrastructure and Orchestration (This deploys both SGX Infrastructure and Orchestration Use case combinely)

Deployment Steps

Configure the values.yaml answer file. Each values.yaml file will contain <user input> prompts and a comment describing the information required.

Use Case charts Deployment

Pull the Helm charts from the Helm repository and then deploy.

Set the release version

export VERSION=v5.1.0

SGX-Infrastructure:

Prerequisites

Pykmip should be installed and running.

Pykmip Installation

Steps to run KMIP Server

NOTE: Below mentioned steps are provided as script (install_pykmip.sh and pykmip.service) as part of kbs_script folder which will install KMIP Server as daemon. Refer to ‘Install KMIP Server as daemon’ section.

1. Install python3 and vim-common
   For RHEL 8.4
   # dnf -y install python3-pip vim-common  
   For Ubuntu 20.04    
   # apt -y install python3-pip vim-common    
   ln -s /usr/bin/python3 /usr/bin/python  > /dev/null 2>&1
   ln -s /usr/bin/pip3 /usr/bin/pip  > /dev/null 2>&1

2. Install pykmip
   # pip3 install pykmip==0.9.1

3. In the /etc/ directory create pykmip and policies folders
   mkdir -p /etc/pykmip/policies

4. Configure pykmip server using server.conf
   Update hostname in the server.conf

5. Copy the following to /etc/pykmip/ from kbs_script folder available under binaries directory
   create_certificates.py, run_server.py, server.conf

6. Create certificates
   > cd /etc/pykmip
   > python3 create_certificates.py <KMIP Host IP/KMIP Host FQDN>

7. Kill running KMIP Server processes and wait for 10 seconds until all the KMIP Server processes are killed.
   > ps -ef | grep run_server.py | grep -v grep | awk '{print $2}' | xargs kill

8. Run pykmip server using run_server.py script
   > python3 run_server.py &

Install KMIP Server as daemon

1. cd into /root/binaries/kbs_script folder

2. Configure pykmip server using server.conf
   Update hostname in the server.conf

3. Run the install_pykmip.sh script and KMIP server will be installed as daemon process
   ./install_pykmip.sh

KBS KMIP certificate secret is required for SGX Infrastructue usecase.

Create Secrets for KBS KMIP Certificates

Copy KMIP Client Certificate, Client Key and Root Certificate from KMIP Server (/etc/pykmip/) to Node where KMIP secrets needs to be generated.

kubectl create secret generic kbs-kmip-certs -n isecl --from-file=client_certificate.pem=<KMIP Client Certificate Path> --from-file=client_key.pem=<KMIP Client Key Path> --from-file=root_certificate.pem=<KMIP Root Certificate Path>

SQVS Trusted RootCA secret is required for SGX Infrastructue usecase.

Create Secrets for SQVS Trusted RootCA Certificates

Copy appropriate Trusted Root CA Certificate based on the CPU type, to the Kubernetes master node. Trusted Root CA certificates can be taken from SGX verification service source repository,

kubectl create secret generic sqvs-trusted-rootca --from-file=trusted_rootca.pem=<Path to trusted root ca certificate> -n isecl

Installation

helm pull isecl-helm/SGX-Infrastructure --version $VERSION && tar -xzf SGX-Infrastructure-$VERSION.tgz SGX-Infrastructure/values.yaml

Fill the values.yaml file with appropriate values by following the instructions provided for each key.

helm install sgx-infrastructure isecl-helm/SGX-Infrastructure --version $VERSION -f SGX-Infrastructure/values.yaml -n <namespace>

SGX-Orchestration:

Prerequisites

ISecL Scheduler secret is required for SGX Orchestration usecase.

Create Secrets for ISecL Scheduler TLS Key-pair

ISecl Scheduler runs as https service, therefore it needs TLS Keypair and tls certificate needs to be signed by K8s CA, inorder to have secure communication between K8s base scheduler and ISecl K8s Scheduler. The creation of TLS keypair is a manual step, which has to be done prior deplolying the helm for Trusted Workload Placement usecase. Following are the steps involved in creating tls cert signed by K8s CA.

mkdir -p /tmp/k8s-certs/tls-certs && cd /tmp/k8s-certs/tls-certs
openssl req -new -days 365 -newkey rsa:4096 -addext "subjectAltName = DNS:<Controlplane hostname>" -nodes -text -out server.csr -keyout server.key -sha384 -subj "/CN=ISecl Scheduler TLS Certificate"

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: isecl-scheduler.isecl
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

kubectl certificate approve isecl-scheduler.isecl
kubectl get csr isecl-scheduler.isecl -o jsonpath='{.status.certificate}' \
  | base64 --decode > server.crt
kubectl create secret tls isecl-scheduler-certs --cert=/tmp/k8s-certs/tls-certs/server.crt --key=/tmp/k8s-certs/tls-certs/server.key -n isecl

NOTE: CSR needs to be deleted if we want to regenerate isecl-scheduler-certs secret with command kubectl delete csr isecl-scheduler.isecl

Installation

helm pull isecl-helm/SGX-Orchestration --version $VERSION && tar -xzf SGX-Orchestration-$VERSION.tgz SGX-Orchestration/values.yaml

Fill the values.yaml file with appropriate values by following the instructions provided for each key.

helm install sgx-orchestration isecl-helm/SGX-Orchestration --version $VERSION -f SGX-Orchestration/values.yaml -n <namespace>

SGX-Infrastructure-Orchestration

Prerequisites

As it is a combination of SGX-Infrastructure and SGX-Orchestration usecases deployment, pre-requisites of both the usecases mentioned above should be followed.

Installation

helm pull isecl-helm/SGX-Infrastructure-Orchestration --version $VERSION && tar -xzf SGX-Infrastructure-Orchestration-$VERSION.tgz SGX-Infrastructure-Orchestration/values.yaml

Fill the values.yaml file with appropriate values by following the instructions provided for each key.

helm install sgx-infrastructure-orchestration isecl-helm/SGX-Infrastructure-Orchestration --version $VERSION -f SGX-Infrastructure-Orchestration/values.yaml -n <namespace>

SGX-VMWare

Installation

helm pull isecl-helm/SGX-VMWare --version $VERSION && tar -xzf SGX-VMWare-$VERSION.tgz SGX-VMWare/values.yaml

Fill the values.yaml file with appropriate values by following the instructions provided for each key.

helm install sgx-vmware isecl-helm/SGX-VMWare --version $VERSION -f SGX-VMware/values.yaml -n <namespace>

PostInstallation

After ISecl services - cms,aas and scs installation completed, follow the steps mentioned in VMware Caching Service Integration for bringing up tcs-client.

Bringing Up SGX Agent

Pre-Reqs:
  • Once TCS client is installed,it will request VCenter to register its host in case of TCB recovery or if the host is not yet registered.
  • Upon successfull registration, a vm needs be spawned on registred host.
  • Once vm is ready, it needs to be installed and configured to act as k8s worker nodes which will be added to exisitng k8s cluster where ISecL services like cms, aas and scs are running as part of above SGX-VMWare installation.
  • Post attaching the vm as worker node, the node needs to be labeled as SGX-ENABLED.(eg:kubectl label node <vm_hostname> node.type=SGX-ENABLED)
Installation:
  • Once the worker node is labeled, sgx-agent will be deployed because sgx agent deployment is running as daemon-set and it was waiting for worker node with SGX-ENABLED label.
Post SGX Agent Installation:
  • SGX Agent gathers platform collateral and push them to SCS. Please note that since registration of platform has already been taken place hence when SGX Agent pushes data no registration takes place.
  • Upon second iteration when TCS Client runs, for hosts(irrespective of status) not present in its database/newly registered it makes a REST Call to SCS and download/update PCK Certs. Since platform data is pushed by SGX Agent, pck certs are also refreshed.

Usecase Workflows API Collections

The below allow to get started with workflows within SGX Infrastructure and Orchestration Usecases. More details available in API Collections repository

Pre-requisites

  • Postman client should be downloaded on supported platforms or on the web to get started with the usecase collections.

NOTE: The Postman API Network will always have the latest released version of the API Collections. For all releases, refer the github repository for API Collections

Use Case Collections

Use case API Collection
SGX-Infrastructure ✔️
SGX-Orchestration ✔️
SGX-Infrastructure-Orchestration ✔️

Downloading API Collections

or

  • Github repo for all releases
#Clone the github repo for api-collections
git clone https://github.com/intel-secl/utils.git

#Switch to specific release-version of choice
cd utils/
git checkout v5.1/develop

#Import Collections from
cd tools/api-collections

NOTE:
The postman-collections are also available when cloning the repos via build manifest under utils/tools/api-collections