Quickstart
Step 0: Setup
Set up a Kubernetes cluster and install kubectl. Probably the easiest way to get started is to run Kubernetes on your local machine using Minikube. Another easy way is to use Azure Kubernetes Service (AKS), which offers SGX-enabled nodes.
Please also install Helm (“the package manager for Kubernetes”).
Step 1: Install the Coordinator onto the cluster
Add the Edgeless Systems chart repository to Helm.
helm repo add edgeless https://helm.edgeless.systems/stable
helm repo update
Install Marblerun’s Coordinator using Helm. Update the hostname with your cluster’s FQDN or use localhost for local testing.
For a cluster with SGX support:
helm install marblerun-coordinator edgeless/marblerun-coordinator \
    --create-namespace \
    -n marblerun \
    --set coordinator.hostname=mycluster.uksouth.cloudapp.azure.com
For a cluster without SGX support:
helm install marblerun-coordinator edgeless/marblerun-coordinator \
    --create-namespace \
    -n marblerun \
    --set coordinator.resources=null \
    --set coordinator.simulation=1 \
    --set tolerations=null \
    --set coordinator.hostname=mycluster.uksouth.cloudapp.azure.com
Step 2: Pull the demo application
git clone https://github.com/edgelesssys/emojivoto.git && cd emojivoto
Step 3: Initialize and verify the Coordinator
Pull the remote attestation configuration
wget https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json
Get the Coordinator’s address and set the DNS
If you’re running on AKS:
Check our docs on how to set the DNS for the Client-API
export MARBLERUN=mycluster.uksouth.cloudapp.azure.com
If you’re running on minikube
kubectl -n marblerun port-forward svc/coordinator-client-api 25555:25555 --address localhost >/dev/null &
export MARBLERUN=localhost:25555
Install the Edgeless Remote Attestation Tool
- Check requirements
- See install
Verify the Quote and get the Coordinator’s Root-Certificate
If you’re running on a cluster with nodes that support SGX1+FLC
era -c coordinator-era.json -h $MARBLERUN -o marblerun.crt
Otherwise
era -skip-quote -c coordinator-era.json -h $MARBLERUN -o marblerun.crt
Step 4: Set the Manifest
curl --cacert marblerun.crt --data-binary @tools/manifest.json "https://$MARBLERUN/manifest"
If you’re running emojivoto on a custom domain, you can set the certificate’s CN accordingly
manifest=$(cat "tools/manifest.json" | sed "s/localhost/<your-domain>/g")
curl --cacert marblerun.crt --data-binary "$manifest" https://$MARBLERUN/manifest
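Steps 3 and 4 chained into one guarded helper, as an added example that is not part of the Marblerun documentation: it deletes any stale marblerun.crt before running era, so a failed attestation cannot leave an old certificate for curl to trust, and it only skips quote verification when asked to explicitly. The function names and the SIMULATION variable are assumptions of this example; the era flags are the ones used above, and --fail, --silent and --show-error are standard curl options.

```shell
#!/bin/sh
# Added example: function names and the SIMULATION variable are hypothetical.

# Obtain the Coordinator's root certificate. The quote is verified unless
# SIMULATION=1 is set explicitly (cluster without SGX support).
fetch_coordinator_cert() {
    host=$1 cfg=$2 out=$3
    # Remove any certificate left from an earlier run: if attestation fails,
    # no stale file may remain for curl to trust.
    rm -f "$out"
    if [ "${SIMULATION:-0}" = "1" ]; then
        echo "WARNING: -skip-quote set, Coordinator is NOT attested" >&2
        era -skip-quote -c "$cfg" -h "$host" -o "$out" || { rm -f "$out"; return 1; }
    else
        era -c "$cfg" -h "$host" -o "$out" || { rm -f "$out"; return 1; }
    fi
    # era must have written a PEM certificate; anything else is a failure.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$out" 2>/dev/null; then
        rm -f "$out"
        return 1
    fi
}

# Upload the manifest, trusting only the certificate obtained above.
set_manifest() {
    host=$1 cert=$2 manifest=$3
    [ -s "$cert" ] || { echo "no attested certificate: $cert" >&2; return 1; }
    [ -s "$manifest" ] || { echo "manifest missing: $manifest" >&2; return 1; }
    # --fail: an HTTP error from the Coordinator becomes a non-zero exit.
    curl --fail --silent --show-error --cacert "$cert" \
        --data-binary @"$manifest" "https://$host/manifest"
}

# Usage (values from the quickstart):
#   fetch_coordinator_cert "$MARBLERUN" coordinator-era.json marblerun.crt &&
#   set_manifest "$MARBLERUN" marblerun.crt tools/manifest.json
```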
Step 5: Deploy the demo application
If you’re deploying on a cluster with nodes that support SGX1+FLC (e.g. AKS or minikube + Azure Standard_DC*s)
helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes -n emojivoto
Otherwise
helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes -n emojivoto
Step 6: Watch it run
If you’re running on AKS
- You need to expose the web-svc in the emojivoto namespace. This works similarly to how we expose the client-API
- Get the public IP with:
kubectl -n emojivoto get svc web-svc -o wide
- If you’re using ingress/gateway-controllers make sure you enable SNI-passthrough
If you’re running on minikube
sudo kubectl -n emojivoto port-forward svc/web-svc 443:443 --address 0.0.0.0
Install Marblerun-Certificate in your browser
- Warning: Be careful when adding certificates to your browser. We only do this temporarily for the sake of this demo. Make sure you don’t use your browser for other activities in the meantime and remove the certificate afterward.
- Chrome:
  - Go to chrome://settings/security
  - Go to "Manage certificates" > "Import..."
  - Follow the “Certificate Import Wizard” and import the marblerun.crt of the previous step as a “Personal” certificate
- Firefox:
  - Go to Tools > Options > Advanced > Certificates: View Certificates
  - Go to Import... and select the marblerun.crt of the previous step
Browse to https://localhost or https://your-clusters-fqdn:port depending on your type of deployment.