Validated Patterns

Deploying the Intel SGX protected application in Multicloud GitOps pattern

Prerequisites
  • An OpenShift cluster

    • To create an OpenShift cluster, go to the Red Hat Hybrid Cloud console and select Services -> Containers -> Create cluster.

    • The cluster must have a dynamic StorageClass to provision PersistentVolumes.

    • Cluster sizing requirements.

  • Intel SGX must be enabled in BIOS (Basic Input Output System) on at least one worker machines - specific steps depends on platform.

  • Install the tooling dependencies.

  • Optional: Machine with the Ubuntu 22.04 (for image conversion purposes - doesn’t need to have SGX feature enabled) and git.

    • Gramine Shielded Containers (GSC) application requires a machine with the same OS as an input image which will be conversed.

    • Install the GSC prerequisites.

  • Optional: A second OpenShift cluster for multicloud demonstration.

The use of this pattern depends on having at least one running Red Hat OpenShift cluster. However, consider creating a cluster for deploying the GitOps management hub assets and a separate cluster for the managed cluster.

If you do not have a running Red Hat OpenShift cluster, you can start one on a public or private cloud by using Red Hat Hybrid Cloud Console.

Procedure
  1. Fork the multicloud-gitops-sgx-hello-world repository on GitHub.

  2. Clone the forked copy of this repository.

    git clone git@github.com:your-username/multicloud-gitops-sgx-hello-world.git
  3. Create a local copy of the secret values file that can safely include credentials for the config-demo application and edit it if you want to customize the secret. If not, the framework generates a random password.

    cp values-secret.yaml.template ~/values-secret-multicloud-gitops.yaml

    Do not commit this file. You do not want to push personal credentials to GitHub.

  4. (Optional) You may customize the deployment for your cluster depending on your needs by editing values-global.yaml and values-hub.yaml. To do this run the following commands:

    git checkout -b my-branch
    vi values-global.yaml
    git add values-global.yaml
    git commit values-global.yaml
    git push origin my-branch
  5. (Optional) Prepare and build hello-world docker image and convert it to secure version using GSC - described below. The sample image is available on Red Hat container registry (quay.io/hybridcloudpatterns/hello-world-sgx:3.12) and is pulled automatically during pattern installation process with default variables.

  6. Deploy the pattern by running ./pattern.sh make install or by using the Validated Patterns Operator - both methods are described below.

Optional: Prepare docker image and convert it to use Intel SGX

To build docker image and convert it to secure version with SGX, complete the following steps using machine dedicated for GSC conversion:

  1. Create an empty file named Dockerfile:

    $ touch Dockerfile
  2. Using a text editor, copy the following contents to the Dockerfile:

    FROM python:3.12
    RUN apt update
    RUN rm /usr/bin/X11
    ENTRYPOINT ["python3", "-c", "print('HelloWorld!')"]
  3. Build the docker image using the following command:

    $ docker build -t hello-world .
  4. Clone GSC repo:

    $ git clone https://github.com/gramineproject/gsc.git
  5. Copy configuration file from sample template:

    $ cd gsc
    $ cp config.yaml.template config.yaml

    (Optional) This file can be adjusted if needed.

  6. Create a new hello-world.manifest file containing parameters of conversion:

    loader.pal_internal_mem_size = "1G"
    sgx.enclave_size = "1G"
    sgx.thread_num = 1024
  7. Generate the signing key:

    $ openssl genrsa -3 -out enclave-key.pem 3072
  8. Build secure image using gsc command:

    $ ./gsc build hello-world hello-world.manifest
  9. Sign the graminized docker image:

    $ ./gsc sign-image hello-world enclave-key.pem
  10. Push secured container image to the registry which is available on the cluster:

    1. Tag secured container image with appropriate tag and push it to the registry:

      $ docker tag gsc-hello-world <DOCKER_REPOSITORY>:<TAG>

      <DOCKER_REPOSITORY> is name a docker repository, <TAG> is a version of an image

    2. Login to Docker Hub:

      $ docker login -u=<DOCKER_ID> docker.io

      <DOCKER_ID> is your login to Docker Hub

    3. Push the image to registry:

      $ docker push <DOCKER_REPOSITORY>:<TAG>
  11. Update the file charts/all/hello-world-sgx/values.yaml with the information about your image in your forked repo with pattern.

Deploying the cluster by using the pattern.sh file

To deploy the cluster by using the pattern.sh file, complete the following steps:

  1. Login to your cluster by running the following command:

    oc login

    Optional: Set the KUBECONFIG variable for the kubeconfig file path:

    export KUBECONFIG=~/<path_to_kubeconfig>
  2. Deploy the pattern to your cluster. Run the following command:

    ./pattern.sh make install

Verify that the Operators have been installed.

  1. To verify, in the OpenShift Container Platform web console, navigate to Operators → Installed Operators page.

  2. Check that the following Operators are installed with Succeeded status (Figure 1):

    • Advanced Cluster Management for Kubernetes

    • Intel Device Plugins Operator

    • multicluster engine for Kubernetes

    • Node Feature Discovery Operator

    • Red Hat Openshift GitOps

    • Validated Patterns Operator

Deploying the cluster by using the Validated Patterns Operator

To install the Validated Patterns Operator:

  1. Log in to the Openshift Container Platform web console and select Operators > OperatorHub.

  2. Search for Validated Patterns Operator, open it and click Install.

    Install Validated Patterns Operator
    Figure 2. Install Validated Patterns Operator
  3. Choose default settings for the installation mode, namespaces and update strategy and confirm it by clicking Install.

  4. Select Operators > Installed Operators.

  5. Ensure that Validated Patterns Operator is listed in the openshift-operators project with a status Succeeded.

After a successful installation open the Validated Patterns Operator page. Next, go to Pattern tab and click Create Pattern.

  1. Set the Name field to multicloud-gitops-sgx-hello-world, and the Cluster Group Name to hub. Values must be the same as in the values-global.yaml file (Figure 3).

  2. As a Git Config > Target Repo value, paste the link to your fork. Under Git Config > Target Revision write the name of your branch (Figure 3).

  3. Click the Create button to create the pattern.

    Create Pattern Form
    Figure 3. Create Pattern Form

Verify that the rest of Operators have been installed:

  1. To verify, in the OpenShift Container Platform web console, navigate to Operators → Installed Operators page.

  2. Check that the following Operators are installed with Succeeded status (Figure 1):

    • Advanced Cluster Management for Kubernetes

    • Intel Device Plugins Operator

    • multicluster engine for Kubernetes

    • Node Feature Discovery Operator

    • Red Hat Openshift GitOps

Add a secret for config-demo application (from values-secret-multicloud-gitops.yaml) to Vault manually:

  1. Go to Vault service route. URL can be found:

    1. by running command:

      oc -n vault get route vault -ojsonpath='{.spec.host}'
    2. in Openshift Container Platform web console under Networking > Routes for vault project.

  2. Log into the Vault using root token. Root token can be found by executing command:

    oc -n imperative get secrets vaultkeys -ojsonpath='{.data.vault_data_json}' | base64 -d
  3. After login go to secret catalog and clik Create secret and fill all the fields manually (Figure 4):

    1. Put global/config-demo value in the Path for this secret field (the value cames from values-secret-multicloud-gitops.yaml file).

    2. Add one Secret data key-value pair. Put secret as a key (left field). Click Add button to confirm.

    3. Click Save to save changes.

    Create secret
    Figure 4. Create secret

Verification

Go to the Hub ArgoCD and verify that all applications are synchronized. The URL can be found in Openshift Container Platform web console under Networking > Routes for the project multicloud-gitops-sgx-hello-world-hub or use command:

oc -n multicloud-gitops-sgx-hello-world-hub get route hub-gitops-server -ojsonpath='{.spec.host}'

All applications should be Healthy and Synced:

ArgoCD panel with hello-world-sgx app
Figure 5. ArgoCD panel with hello-world-sgx app

Check the logs of a pod hello-world-sgx to verify if it uses Intel SGX. In the OpenShift Container Platform web console, navigate to Workloads > Pods. Change project to hello-world-sgx and open the Logs tab in the pod details. The Gramine output confirms that Intel SGX is used.

In case of pod hello-world-sgx crashing, delete it manually to be recreated - not restarted.

As part of this pattern, HashiCorp Vault has been installed. Refer to the section on Vault.

Next steps

After the management hub is set up and works correctly, attach one or more managed clusters to the architecture.

For instructions on deploying the edge, refer to Attach a managed cluster (edge) to the management hub.