Converting and Deploying Applications Using IBM Cloud Data Shield

By: Eduardo Rodriguez

In the latest installment of my blog series on IBM Cloud Data Shield, I’m going to look at converting and deploying an application in an IBM Cloud Data Shield environment.

Pro tip: You need to have the service installed and a Docker secret configured to follow the steps in this post. Need help? Check out the first blog in this series: Installing IBM Cloud Data Shield.

Prerequisites

Be sure that you have the following permissions before you get started:

  • Access to the cluster where you installed IBM Cloud Data Shield
  • Pull permissions for the input registry
  • Push permissions for the output registry
  • Access to the Enclave Manager UI account

Getting set up

Before I can convert my app, I need to be logged in to my account and able to access the Enclave Manager:

  1. Log in to IBM Cloud. Use the prompts to finish the login process:
    ibmcloud login
  2. Next, I need to grab my IAM token by running the following command. The output will be Bearer <token>. I only need to copy the long string of letters and numbers, not the word Bearer itself:
    ibmcloud iam oauth-tokens
  3. I’ll also need to get my Enclave Manager UI host URL. The URL follows the format https://enclave-manager.<ingress-domain>:
    kubectl get ingress | grep enclave-manager

Converting by using the IBM Cloud Data Shield Enclave Manager UI

  1. I need to log in to the Enclave Manager by using the IAM token from Step 2 in the previous section.

  2. In the Enclave Manager, go to the Tools tab. There I specify my source image and an output image (which is what the converted image is named). Then, click Convert.

  3. After the tool finishes converting, a message confirming the conversion is shown. This means I’m now ready to deploy my application.

Converting by using the IBM Cloud Data Shield Converter API

  1. First, I’ll export my IAM token as “token”:
    export token=<IAM_TOKEN>
  2. Now, in order to execute the conversion, I need to specify the inputImageName and the outputImageName. I also need to replace the ingress-domain with my cluster’s ingress domain. After I have specified all the data in the curl command, I can execute it:
    curl -H 'Content-Type: application/json' \
         -H "Authorization: Basic $token" \
         -d '{"inputImageName": "us.icr.io/test-registry/backend-app", "outputImageName": "us.icr.io/test-registry/backend-app-sgx"}' \
         https://enclave-manager.<ingress-domain>/api/v1/tools/converter/convert-app
  3. After the conversion completes successfully, a message like the following shows up. It means my application has been converted and I’m now ready to deploy:
    {"mrsigner": "7bd24e018dec90fae820a5be9d86b49121ee3c2bd9a7bf5203f607bc2ac65866", "mrenclave": "00c7f13bf6c2f8527a7f2618f91fdb6128067c69775e66148395bb8bad46a851", "imageSize": 1032074845, "imageSHA": "a70da37b60e7", "newImage": "us.icr.io/test-registry/backend-app-sgx ", "isvsvn": 0, "isvprodid": 0}

Deploying converted applications

After my app is converted, I’m ready to deploy it to my cluster.

  1. I’ll create my deployment.yml file, making sure the image value matches the converted image registry and name:
    apiVersion: v1
    kind: Pod
    metadata:
      name: your-app-sgx
      labels:
        app: your-app-sgx
    spec:
      containers:
      - name: your-app-sgx
        # must match the outputImageName that was given to the converter
        image: us.icr.io/test-registry/backend-app-sgx
        # SGX device nodes and the AESM socket the converted app needs at run time
        volumeMounts:
        - mountPath: /dev/isgx
          name: isgx
        - mountPath: /dev/gsgx
          name: gsgx
        - mountPath: /var/run/aesmd/aesm.socket
          name: aesm-socket
        env:
        # the node agent is reached on the host IP of the node the pod lands on
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: NODE_AGENT_BASE_URL
          value: http://$(NODE_IP):9092/v1
      volumes:
      - name: isgx
        hostPath:
          path: /dev/isgx
          type: CharDevice
      - name: gsgx
        hostPath:
          path: /dev/gsgx
          type: CharDevice
      - name: aesm-socket
        hostPath:
          path: /var/run/aesmd/aesm.socket
          type: Socket
  2. Now, I’ll create my deployment:
    kubectl create -f deployment.yml
  3. After a minute or two, I can check if my pod is up and running. When the pod is in a “running” state, it means that it has been deployed successfully and that I’m ready to use my application:
    kubectl get pods
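As an added example (not code from this post or from IBM Cloud Data Shield), the following Python script validates the converter reply from Step 3 of the Converter API section and builds the Pod object from the deployment.yml above, with the converted image filled in and MRENCLAVE/MRSIGNER kept as annotations so a running pod can later be matched to the conversion that produced it. The datashield/... annotation keys are my own naming, and the sample reply is the one shown above, constructed inline.

```python
import json
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")  # MRENCLAVE/MRSIGNER are 32-byte digests in hex
# SGX device nodes and the AESM socket that the post's deployment.yml mounts from the host
SGX_MOUNTS = [("isgx", "/dev/isgx", "CharDevice"),
              ("gsgx", "/dev/gsgx", "CharDevice"),
              ("aesm-socket", "/var/run/aesmd/aesm.socket", "Socket")]


def parse_conversion_result(raw):
    """Validate the converter reply and normalise the values worth pinning."""
    data = json.loads(raw)
    for field in ("mrenclave", "mrsigner"):
        value = str(data.get(field, "")).lower()
        if not HEX64.match(value):
            raise ValueError(f"{field} is not a 64-hex-char measurement: {value!r}")
        data[field] = value
    for field in ("isvsvn", "isvprodid"):
        if not isinstance(data.get(field), int):
            raise ValueError(f"{field} missing or not an integer")
    data["newImage"] = data["newImage"].strip()  # the sample reply has a trailing space
    return data


def pod_manifest(result, name):
    """Pod object from the post's deployment.yml, image taken from the reply and the
    measurements kept as annotations (datashield/* keys are an assumption of this example)."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": name, "labels": {"app": name},
                     "annotations": {"datashield/mrenclave": result["mrenclave"],
                                     "datashield/mrsigner": result["mrsigner"]}},
        "spec": {
            "containers": [{
                "name": name, "image": result["newImage"],
                "volumeMounts": [{"name": n, "mountPath": p} for n, p, _ in SGX_MOUNTS],
                "env": [{"name": "NODE_IP",
                         "valueFrom": {"fieldRef": {"fieldPath": "status.hostIP"}}},
                        {"name": "NODE_AGENT_BASE_URL", "value": "http://$(NODE_IP):9092/v1"}]}],
            "volumes": [{"name": n, "hostPath": {"path": p, "type": t}} for n, p, t in SGX_MOUNTS]}}


# constructed sample: the reply shown above, including its trailing space in newImage
SAMPLE_REPLY = ('{"mrsigner": "7bd24e018dec90fae820a5be9d86b49121ee3c2bd9a7bf5203f607bc2ac65866", '
                '"mrenclave": "00c7f13bf6c2f8527a7f2618f91fdb6128067c69775e66148395bb8bad46a851", '
                '"imageSize": 1032074845, "imageSHA": "a70da37b60e7", '
                '"newImage": "us.icr.io/test-registry/backend-app-sgx ", "isvsvn": 0, "isvprodid": 0}')

if __name__ == "__main__":  # kubectl accepts JSON: python3 pin_conversion.py | kubectl create -f -
    print(json.dumps(pod_manifest(parse_conversion_result(SAMPLE_REPLY), "backend-app-sgx"), indent=2))
```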

That’s it! The application is now running in an IBM Cloud Data Shield secure enclave.

Feedback

We’d love to hear from you with feedback and questions:

  • If you have technical questions about the service, post your question on Stack Overflow and tag your question with ibm-data-shield.
  • For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the data-shield tag.
  • Open a support ticket in the IBM Cloud menu.

For more information and options, check out the IBM Cloud Data Shield documentation.
