Configuring volumes in the workload section

This step must be performed by the Solution Provider.

About workload volume configuration

The workload section of the contract defines how volumes are mounted and encrypted within the container. You must specify the mount point, filesystem type, and a workload seed for each volume. The workload seed is combined with the data seed (provided by the Data Owner) to encrypt the volume data.

Prerequisites

  • You have the encryption certificate files downloaded from the installation package.
  • You have the device name and PVC name from the Data Owner.
  • You have created the SamplePolicyPermissiveRules.rego file as described in Creating the workload section of the contract.

Procedure

  1. Set the device name received from the Data Owner:
    export DEVICE_NAME="pvb_storage"
  2. Generate a workload seed for volume encryption:
    export WORKLOAD_SEED="$(openssl rand -base64 32)"
    Important: Store this seed securely. The workload seed is required for every pod restart with the same storage. Losing this seed will result in permanent data loss, as the data in the block volume is encrypted using this seed.
  3. Encode the Rego policy in Base64 format:

    For macOS:

    export encoded_policy=$(cat SamplePolicyPermissiveRules.rego | gbase64 -w 0)

    For Linux:

    export encoded_policy=$(cat SamplePolicyPermissiveRules.rego | base64 -w 0)
  4. Create the workload.yaml file with volume configuration:
    cat << EOF > workload.yaml
    type: workload
    confidential-containers:
      regoValidator:
        policy: ${encoded_policy}
    volumes:
      ${DEVICE_NAME}:
        mount: "/mnt/data1"
        seed: "${WORKLOAD_SEED}"
        filesystem: "ext4"
    EOF
    Important: If you are using persistent storage for the first time, the specified volume will be automatically formatted using the defined filesystem (for example, ext4). Ensure that the volume does not contain any required data, as formatting will erase existing contents.
    Note:
    • The mount parameter specifies where the volume will be mounted inside the container (for example, /mnt/data1).
    • The filesystem parameter supports ext4 and xfs filesystem types.
    • The seed parameter contains the workload seed for encryption.
  5. For multiple volumes, generate a separate workload seed for each additional volume (as in step 2) and add a volume entry for each:
    export WORKLOAD_SEED_2="$(openssl rand -base64 32)"
    cat << EOF > workload.yaml
    type: workload
    confidential-containers:
      regoValidator:
        policy: ${encoded_policy}
    volumes:
      ${DEVICE_NAME}:
        mount: "/mnt/data1"
        seed: "${WORKLOAD_SEED}"
        filesystem: "ext4"
      pvb_storage2:
        mount: "/mnt/data2"
        seed: "${WORKLOAD_SEED_2}"
        filesystem: "xfs"
    EOF
  6. Set the contract key variable:
    export CONTRACT_KEY="ibm-confidential-computing-container-encrypt.crt"
  7. Encrypt the workload section:
    export WORKLOAD="workload.yaml"
    export PASSWORD="$(openssl rand 32 | base64 -w0)"
    export ENCRYPTED_PASSWORD="$(echo -n "$PASSWORD" | base64 -d | openssl rsautl -encrypt -inkey $CONTRACT_KEY -certin | base64 -w0 )"
    export ENCRYPTED_WORKLOAD="$(echo -n "$PASSWORD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$WORKLOAD" | base64 -w0)"
    echo "workload: hyper-protect-basic.${ENCRYPTED_PASSWORD}.${ENCRYPTED_WORKLOAD}" > encrypted-workload.yaml
  8. Verify the encrypted workload file was created:
    cat encrypted-workload.yaml

    Example output:

    workload: hyper-protect-basic.d458ARMC89mB0ymq3we6LDHFaF8oWVB6Nn5fvbFhJvMm2xFDnF
    MTHEL3KR/+KsazFxTRpBab/M+R8ocT9mfenYyRj6L6n8T/FWgjnaT..............
  9. Share the encrypted-workload.yaml file with the Data Owner.
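The following is an added Python example, not IBM tooling: it renders the workload section from a map of volume entries (rejecting mount points that are not absolute, unsupported filesystems and empty seeds) and sanity-checks the `workload: hyper-protect-basic.<encrypted password>.<encrypted workload>` line from step 7 before it is shared with the Data Owner. It assumes the contract certificate carries a 4096-bit RSA key (rsa_key_bits, adjust to the real key size) and uses a constructed SAMPLE_ENVELOPE in place of a real encrypted-workload.yaml.

```python
import base64
import re

SUPPORTED_FILESYSTEMS = ("ext4", "xfs")  # the two types the page allows
ENVELOPE_PREFIX = "hyper-protect-basic."
OPENSSL_SALT_MAGIC = b"Salted__"         # header `openssl enc` writes in front of salted (PBKDF2) output

def validate_volume(device, spec):
    """Return the problems with one volume entry; an empty list means it is acceptable."""
    problems = []
    if not spec.get("mount", "").startswith("/"):
        problems.append(f"{device}: mount must be an absolute path inside the container")
    if spec.get("filesystem") not in SUPPORTED_FILESYSTEMS:
        problems.append(f"{device}: filesystem must be one of {SUPPORTED_FILESYSTEMS}")
    if not spec.get("seed"):
        problems.append(f"{device}: seed is required (losing it means permanent data loss)")
    return problems

def build_workload_yaml(encoded_policy, volumes):
    """Render the workload section shown above; volumes maps device name -> {mount, seed, filesystem}."""
    problems = [p for device, spec in volumes.items() for p in validate_volume(device, spec)]
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["type: workload", "confidential-containers:", "  regoValidator:",
             f"    policy: {encoded_policy}", "volumes:"]
    for device, spec in volumes.items():
        lines += [f"  {device}:", f'    mount: "{spec["mount"]}"',
                  f'    seed: "{spec["seed"]}"', f'    filesystem: "{spec["filesystem"]}"']
    return "\n".join(lines) + "\n"

def check_encrypted_workload(text, rsa_key_bits=4096):
    """Sanity-check the encrypted-workload.yaml line before it is shared.
    rsa_key_bits is an assumption about the contract certificate; pass its real modulus size."""
    m = re.fullmatch(r"workload:\s*(\S+)\s*", text)
    if not m:
        raise ValueError("expected a single 'workload: ...' line")
    parts = m.group(1).split(".")  # Base64 never contains '.', so the dots are the separators
    if len(parts) != 3 or parts[0] + "." != ENVELOPE_PREFIX:
        raise ValueError("expected hyper-protect-basic.<encrypted password>.<encrypted workload>")
    enc_pw, enc_wl = (base64.b64decode(p, validate=True) for p in parts[1:])
    if len(enc_pw) != rsa_key_bits // 8:  # RSA PKCS#1 output is exactly one modulus long
        raise ValueError(f"encrypted password is {len(enc_pw)} bytes, expected {rsa_key_bits // 8}")
    if not enc_wl.startswith(OPENSSL_SALT_MAGIC):
        raise ValueError("encrypted workload lacks the openssl 'Salted__' header")
    return {"password_bytes": len(enc_pw), "workload_bytes": len(enc_wl)}

# Constructed stand-in for encrypted-workload.yaml (fixed filler bytes, not a real contract).
SAMPLE_ENVELOPE = ("workload: " + ENVELOPE_PREFIX + base64.b64encode(b"\x01" * 512).decode()
                   + "." + base64.b64encode(OPENSSL_SALT_MAGIC + b"\x02" * 40).decode() + "\n")
```

Run check_encrypted_workload on the contents of the real encrypted-workload.yaml after step 8; a wrong key size or a missing Salted__ header points at a broken step 7 pipeline rather than at the Data Owner's side.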

Volume configuration parameters

The following table describes the volume configuration parameters:

Parameter   Description                                                                      Required
mount       The mount point path inside the container where the volume will be accessible.  Yes
seed        The workload seed used for volume encryption. Must be stored securely for data   Yes
            persistence.
filesystem  The filesystem type to create on the volume. Supported values: ext4, xfs.        Yes

Next steps

After configuring volumes in the workload section, the Data Owner must configure volumes in the environment section of the contract.