Step 0: Setup

Set up a Kubernetes cluster and install kubectl. Probably the easiest way to get started is to run Kubernetes on your local machine using Minikube. Another easy way is to use Azure Kubernetes Service (AKS), which offers SGX-enabled nodes.

Please also install Helm (“the package manager for Kubernetes”).

Step 1: Install the Coordinator onto the cluster

Add the Edgeless Systems chart repository to Helm.

helm repo add edgeless
helm repo update

Install Marblerun’s Coordinator using Helm. Update the hostname with your cluster’s FQDN or use localhost for local testing.

  • For a cluster with SGX support:

    helm install marblerun-coordinator edgeless/marblerun-coordinator \
        --create-namespace \
        -n marblerun \
  • For a cluster without SGX support:

    helm install marblerun-coordinator edgeless/marblerun-coordinator \
        --create-namespace \
        -n marblerun \
        --set coordinator.resources=null \
        --set coordinator.simulation=1 \
        --set tolerations=null \

Step 2: Pull the demo application

git clone && cd emojivoto

Step 3: Initialize and verify the Coordinator

  1. Pull the remote attestation configuration

  2. Get the Coordinator’s address and set the DNS

    • If you’re running on AKS:

    • If you’re running on minikube

      kubectl -n marblerun port-forward svc/coordinator-client-api 25555:25555 --address localhost >/dev/null &
      export MARBLERUN=localhost:25555
  3. Install the Edgeless Remote Attestation Tool

    1. Check requirements
    2. See install
  4. Verify the Quote and get the Coordinator’s Root-Certificate

    • If you’re running on a cluster with nodes that support SGX1+FLC

      era -c coordinator-era.json -h $MARBLERUN -o marblerun.crt
    • Otherwise

      era -skip-quote -c coordinator-era.json -h $MARBLERUN -o marblerun.crt

Step 4: Set the Manifest

curl --cacert marblerun.crt --data-binary @tools/manifest.json "https://$MARBLERUN/manifest"
  • If you’re running emojivoto on a custom domain, you can set the certificate’s CN accordingly

    manifest=$(cat "tools/manifest.json" | sed "s/localhost/<your-domain>/g")
    curl --cacert marblerun.crt --data-binary "$manifest" https://$MARBLERUN/manifest

Step 5: Deploy the demo application

  • If you’re deploying on a cluster with nodes that support SGX1+FLC (e.g. AKS or minikube + Azure Standard_DC*s)

    helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes -n emojivoto
  • Otherwise

    helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes -n emojivoto

Step 6: Watch it run

  • If you’re running on AKS

    • You need to expose the web-svc in the emojivoto namespace. This works similar to how we expose the client-API
    • Get the public IP with: kubectl -n emojivoto get svc web-svc -o wide
    • If you’re using ingress/gateway-controllers make sure you enable SNI-passthrough
  • If you’re running on minikube

    sudo kubectl -n emojivoto port-forward svc/web-svc 443:443 --address
  • Install Marblerun-Certificate in your browser

    • Warning Be careful when adding certificates to your browser. We only do this temporarily for the sake of this demo. Make sure you don’t use your browser for other activities in the meanwhile and remove the certificate afterward.
    • Chrome:
      • Go to chrome://settings/security
      • Go to "Manage certificates" > "Import..."
      • Follow the “Certificate Import Wizard” and import the marblerun.crt of the previous step as a “Personal” certificate
    • Firefox:
      • Go to Tools > Options > Advanced > Certificates: View Certificates
      • Go to Import... and select the marblerun.crt of the previous step
  • Browse to https://localhost or https://your-clusters-fqdn:port depending on your type of deployment.