Morphisms: Confidential Serverless Containers

FAQ

What does the development variable do?

It decides whether a wildcard certificate is mounted at the gateway automatically. If it is set to true, use the following command to mount the certificate, adjusting the paths to your certificate and key:

kubectl create --namespace istio-system secret tls wildcard-cert --key path/to/wildcard-key.pem --cert path/to/wildcard-cert.pem

Which IP should I use?

Knative requires a load balancer to function. Which IP to use depends on your setup. If you are using a domain, the load balancer needs to receive either the public IP associated with the domain (on bare metal) or, in the cloud, the private IP that the public IP is translated to.

Option 1: External Load-Balancer

If you want to use an external load balancer (for example your cloud provider's), set load_balancer=false in the next command so that no additional load balancer is installed. The ip parameter is then ignored and does not need to be set. Refer to your cloud provider's documentation: the external load balancer must be configured before you issue the next command, because that command waits and blocks until the load balancer has received an IP.

Option 2: Internal Load-Balancer

You do not, however, need an external load balancer; MetalLB on a VM works as well. Set load_balancer=true and specify the IP address the load balancer should receive. Because your cloud provider translates the public IP to the private IP of your VM, use the private IP of your VM here and use the public IP to reach the load balancer from outside the cloud provider's network. (The domain should still be mapped to the public IP.)

Outside a cloud provider, use any public IP on any of your interfaces. Private IPs also work, but they are not reachable from outside your network.

How can I deploy the example without using a domain?

Option 1: /etc/hosts

Edit your /etc/hosts file to map vault.{{your-domain }}, actix-sgx.default.{{your-domain }} and flask-sgx.default.{{your-domain }} to the IP address you assigned to the load balancer. /etc/hosts does not support wildcard entries, so it must be edited for every deployed service.

Option 2: dnsmasq

The following steps should be done on the device that will be calling the web server.

3.1 Install dnsmasq. For Ubuntu use:

sudo apt-get install dnsmasq 

3.2 Edit /etc/resolv.conf so that the dnsmasq DNS server is used: add nameserver 127.0.0.1 as the first line.

3.3 Choose a domain and add the following line to the dnsmasq configuration, replacing example.com with your domain: address=/example.com/0.0.0.0 Replace 0.0.0.0 with the IP address you configured in the MetalLB pool.

3.4 Restart dnsmasq

sudo systemctl restart dnsmasq

Knative always prefixes the domain with *.default. If you enter example.com as the domain, Knative creates routes of the form *.default.example.com, so you need a wildcard DNS entry for exactly that format. For test.example.com this would be *.default.test.example.com.
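The two domain-less options above (the /etc/hosts entries for the three example services, and the dnsmasq address= line) are easy to get subtly wrong: a typo in the IP, a missing service line, or a resolver that never consults dnsmasq because 127.0.0.1 is not the first nameserver. The following added example (not part of the Morphisms project) generates both sets of entries from a domain and the MetalLB pool address, validates the address, and checks the resolv.conf ordering, so the result can be reviewed before any system file is edited. The service names are the ones from the FAQ; the domain and IP values in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Morphisms project.  Produces the name
# mappings described in the FAQ for review before touching /etc/hosts,
# /etc/resolv.conf or the dnsmasq configuration.

# Sanity-check a dotted-quad IPv4 address (the MetalLB pool address).
# A bad value here would silently send every service name nowhere.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Option 1: /etc/hosts lines for the three example services.
# /etc/hosts has no wildcards, so every service gets its own line;
# a new Knative service means a new line here.
hosts_entries() {
  domain="$1"; ip="$2"
  valid_ipv4 "$ip" || return 1
  printf '%s %s\n' "$ip" "vault.$domain"
  printf '%s %s\n' "$ip" "actix-sgx.default.$domain"
  printf '%s %s\n' "$ip" "flask-sgx.default.$domain"
}

# Option 2: the dnsmasq address= line from step 3.3.  dnsmasq answers
# for the domain and every name under it, so *.default.<domain> routes
# created by Knative resolve without a separate wildcard entry.
dnsmasq_address_line() {
  domain="$1"; ip="$2"
  valid_ipv4 "$ip" || return 1
  printf 'address=/%s/%s\n' "$domain" "$ip"
}

# Step 3.2 check: dnsmasq is only consulted if 127.0.0.1 is the first
# nameserver in the given resolver configuration file.
resolv_conf_first_is_local() {
  [ "$(grep -m1 '^nameserver' "$1" | awk '{print $2}')" = "127.0.0.1" ]
}

# Usage (placeholder domain and address):
#   hosts_entries example.com 10.0.0.5        # lines to append to /etc/hosts
#   dnsmasq_address_line example.com 10.0.0.5 # line for the dnsmasq config
#   resolv_conf_first_is_local /etc/resolv.conf && echo "resolver order ok"
```

Generating the entries into a review step rather than writing them directly keeps an operator from pointing vault.{{your-domain }} at a mistyped address, which would otherwise only surface as a confusing TLS or connection error at deployment time.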
