Installation Guide - On-premises

1.0 Introduction

This article describes how to deploy Fortanix Confidential Computing Manager (CCM) in a customer-managed Kubernetes environment (on-premises or cloud-hosted).

Fortanix CCM on-premises is deployed on a customer-managed Kubernetes cluster using a Fortanix-provided Helm chart and Kubernetes operator. The operator manages the lifecycle of all Fortanix CCM components, which are deployed as containerized services within the cluster.

The article assumes that the required infrastructure and prerequisites described in Prerequisites are already in place.

1.1 Fortanix CCM Overview

Fortanix CCM enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.

2.0 Key Components

For information on Fortanix CCM key components, refer to Key Components.

3.0 Prerequisites

For prerequisites to install and deploy Fortanix CCM on-premises, refer to Prerequisites.

4.0 Certificate Management Overview

Each Fortanix CCM deployment requires a public-facing API certificate.

During deployment:

• The operator reads the certificate domains specified in the Ingress Configuration of the ArmorPlatform resource as described in Section 7.5: Ingress Configuration.

• Based on this configuration:

  • In the manual method, the operator generates a Certificate Signing Request (CSR) and creates a Kubernetes CertificateSigningRequest resource, which must be signed by your organization’s Certificate Authority (CA).

  • In the automated method, the operator creates a certificate request that is processed and signed by cert-manager using the configured issuer (Certificate Authority).

You can provision the certificate using one of the following methods:

• Manual certificate installation (CSR extraction and signing). For more information, refer to Section 8.0: Install Certificates.

• Automated provisioning using cert-manager (using a ClusterIssuer). For more information, refer to Section 4.1: Automated Certificate Provisioning (cert-manager).

4.1 Automated Certificate Provisioning (cert-manager)

A ClusterIssuer is a resource created by cert-manager that defines how certificates should be issued for the cluster. Fortanix CCM can use cert-manager to issue this TLS certificate automatically.

To enable this, you must create a ClusterIssuer.

NOTE

In this example, a self-signed ClusterIssuer is used to generate certificates within the cluster. For production environments, configure cert-manager to use an external or trusted CA.

1. To create the ClusterIssuer resource, create a file named cluster-issuer.yaml with the following content:

   apiVersion: cert-manager.io/v1
   kind: ClusterIssuer
   metadata:
     name: selfsigned-cluster-issuer
   spec:
     selfSigned: {}

2. Run the following command to create the ClusterIssuer and apply the configuration:

   kubectl apply -f cluster-issuer.yaml

3. Apply the following configuration snippet to the ArmorPlatform resource ingress.certConfig as described in Section 7.5: Ingress Configuration:

   spec:
     ingress: 
       certConfig: 
         useCertManager: 
           kind: clusterIssuer
           issuer: selfsigned-cluster-issuer

5.0 Deploy Fortanix Armor Kubernetes Operator

The following example demonstrates how to authenticate to Fortanix OCI registry, create required namespaces and image pull secrets, and deploy the Fortanix Armor Kubernetes Operator using a Helm chart.

NOTE

• This example assumes that Fortanix container images and Helm charts are pulled directly from the Fortanix-managed registry.

• If your organization mirrors these images to an internal container registry, the registry URL, credentials, and Helm chart location will differ.

• The Helm chart location and configuration values are provided below.

REGISTRY_USERNAME="my_username" #replace
REGISTRY_PASSWORD="password" #replace
OPERATOR_NAMESPACE="my-namespace" #replace
VERSION_TO_DEPLOY="x.y.z" #replace with fortanix provided version

REGISTRY_URL="cr.download.fortanix.com"
#creates the secret that will allow the operator pulling the images from cr.download.fortanix.com
kubectl create namespace "$OPERATOR_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret docker-registry oci-registry-secret \
      --docker-server="$REGISTRY_URL" \
      --docker-username="$REGISTRY_USERNAME" \
      --docker-password="$REGISTRY_PASSWORD" \
      --docker-email="user@fortanix.net" \
      --dry-run=client -o yaml | kubectl apply -n "$OPERATOR_NAMESPACE" -f -
 
#login to our registry, to pull the helm chart
echo "$REGISTRY_PASSWORD" | helm registry login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin

helm upgrade --install armor-platform-operator-chart \
   oci://cr.download.fortanix.com/charts/armor-platform-operator \
   --namespace "$OPERATOR_NAMESPACE" \
   --no-hooks \
   --version "$VERSION_TO_DEPLOY"

Where,

• REGISTRY_URL: The OCI (Oracle Cloud Infrastructure) registry endpoint that hosts the Fortanix CCM container images and Helm charts (cr.download.fortanix.com).

• REGISTRY_USERNAME: Username used to authenticate to the Fortanix OCI registry.

• REGISTRY_PASSWORD: Password or token used to authenticate to the Fortanix OCI registry.

• OPERATOR_NAMESPACE: The Kubernetes namespace where the Fortanix Armor Kubernetes Operator is installed (for example, armor).

• oci-registry-secret: Kubernetes image pull secret created in each namespace to allow access to the Fortanix OCI registry.

• VERSION_TO_DEPLOY: The version of the Fortanix Armor Kubernetes Operator Helm chart to be deployed.

6.0 Verify Deployment

This section describes how to verify that the Fortanix Armor Kubernetes Operator is successfully deployed and is running correctly within the Kubernetes cluster.

Run the following command to verify the deployment:

kubectl get pods -n <operator-namespace>

Ensure all pods are in the Running state.

7.0 Create ArmorPlatform Resource

This section describes how to create an ArmorPlatform custom resource to define the Fortanix CCM platform configuration and trigger deployment of CCM components by the operator.

NOTE

The following configuration is a single YAML file. It is presented in multiple sections below for readability. Use the following sample configuration as a reference and update values as required for your environment.

Contact the Fortanix Support Team to create the correct configuration file.

7.1 Base Configuration

Define the core configuration for the ArmorPlatform resource, including platform identity, replica settings, and container image configuration.

apiVersion: fortanix.com/v1
kind: ArmorPlatform
metadata:
  name: platform-test
spec:
  # Immutable once created
  name: platform-test

  # Confidential computing infrastructure configuration
  ccInfrastructure: # see Section 8.2

  # Optional configurations (can be omitted if defaults are sufficient)
  enrollment: # see Section 8.3
  database: # see Section 8.4

  # Number of replicas for services and database
  replicas: 3

  # Default image configuration
  imageDefaults:
    pullSecretRef: "oci-registry-secret"
    registry: "513076507034.dkr.ecr.us-west-1.amazonaws.com"

  # Optional image overrides for specific services
  imageOverrides:
    - service: alhambra
      repository: "alhambra-backend-unsigned"

  # External access and certificate configuration
  ingress: # see Section 8.5

  # Internal cluster network ranges (pod CIDR, service CIDR, etc.)
  internalSubnets:
    - "<pod-subnet-cidr>"
    - "<service-subnet-cidr>"      

Where,

• replicas: Specifies the number of instances for Fortanix CCM services and Cassandra nodes. Default value is 3.

• imageDefaults: Defines default container image registry and pull configurations for all components.

  • registry: Specifies the container registry URL hosting Fortanix CCM images.

  • pullSecretRef: Specifies the Kubernetes secret for registry authentication.

• imageOverrides (optional): Defines overrides for container image settings for specific services.

• internalSubnets: Defines the internal network ranges considered part of the Kubernetes cluster (for example, pod CIDR and service CIDR ranges). Multiple CIDRs can be specified based on the cluster configuration.

7.2 Confidential Computing Infrastructure Configuration

Define the confidential computing infrastructure for Fortanix CCM. This section specifies the hardware-backed security technology (for example, Intel SGX) and its required configuration for enabling enclave-based workloads.

ccInfrastructure:
  sgx:
    aesmd: {}

Where,

• ccInfrastructure: Defines the confidential computing infrastructure configuration.

• sgx: Specifies the use of Intel SGX for confidential workloads.

• aesmd: Enables the AESM daemon required for SGX functionality within the cluster.

7.3 Enrollment Configuration

Define the enrollment configuration for compute nodes joining the Fortanix CCM platform. This section controls the supported SGX types and the policies used to verify and authorize nodes during the enrollment process.

enrollment:
  allowedSgxTypes:
    - standard
    - scalableWithIntegrity
  joinPolicy:
    - node-ca
    - sgx

Where,

• allowedSgxTypes: Defines supported SGX enclave types.

• joinPolicy: Defines node enrollment validation mechanisms.

7.4 Database Configuration

Define the storage and backup configuration for the Cassandra database used by Fortanix CCM.

database:
  datacenters:
    - name: dc1
      size: 3
      racks:
        - name: rack1
          nodeAffinityLabels: {}

  replicationStrategy:
    dc1: 3

  storageConfig:
    storageClassName: "managed-csi-retain"
    storageSize: "100Gi"

  backup:
    secret: medusa-azure-key-test
    bucketName: medusa
    prefix: platform
    schedule: "30 1 * * *"
    backupStorageProvider:
      kind: "azureBlobs"

Where,

• datacenters: Defines the Cassandra cluster topology, including the number of nodes and rack configuration.

• racks: Defines logical grouping of nodes within a datacenter.

  • nodeAffinityLabels (optional): Specifies node selection constraints for Cassandra pods. If not provided, pods are scheduled on any available nodes in the cluster.

• replicationStrategy (optional): Defines the replication factor per datacenter. Defaults to the datacenter topology if not explicitly specified.

• storageConfig:  Defines storage settings for Cassandra.

  • storageClassName: Specifies the Kubernetes storage class used for persistent volumes.

  • storageSize: Specifies the size of the persistent volume allocated for Cassandra.

• backup (optional): Defines backup configuration for Cassandra.

  • secret: Specifies the credentials for backup storage.

  • bucketName: Specifies the storage bucket or container.

  • prefix: Specifies the prefix used for organizing backups.

  • schedule: Specifies the cron schedule for backups.

  • backupStorageProvider.kind: Specifies the backup storage provider (currently supports azureBlobs).

7.5 Ingress Configuration

Define the external access configuration for Fortanix CCM, including domain settings for generating the API certificate and CCM UI endpoint exposure. Depending on the certificate provisioning method:

• For manual certificate installation, these values are used to generate a CSR as described in Section 8.0: Install Certificates.

• For automated provisioning using cert-manager, additional fields (useCertManager) must be specified as described in Section 4.1: Automated Certificate Provisioning (cert-manager).

ingress:
  api:
    certConfig:
      subject: "ccm.onprem.fortanix.com"
      sans:
        - "ccm.onprem.fortanix.com"
        - "armor.onprem.fortanix.com"
        - "api.ccm.onprem.fortanix.com"

      # Optional (for cert-manager)
      # useCertManager:
      #   kind: issuer or clusterIssuer
      #   issuer: <issuer_name>
      #   duration: 2160h

      # Optional
      # signerName: "<signer-name>"
      # expirationSeconds: 7776000
      # extraAnnotations:
      #   key: "value"

    # Optional: Proxy Protocol configuration (advanced)
    # proxyProtocolConfig:
    #   mode: disabled or maybeFrom or requiredFrom
    #   subnets:
    #     - "1.2.3.0/24"

  staticAssets:
    baseUrl: "https://static.onprem.fortanix.com"

    # Optional
    ingress:
      ingressKind: "Ingress"  # or "Gateway"
      # tlsSecretName:
      # extraAnnotations:
      #   key: "value"

Where,

• certConfig: Defines the certificate configuration for the Fortanix CCM API domain.

  • subject: Specifies the primary domain used for the Fortanix CCM API certificate.

  • sans: Specifies the Subject Alternative Names (SANs) for the certificate. For mutual TLS configurations, ensure that the certificate includes a SAN prefixed with api. as described in the Section 10.3: Certificate Requirement for Mutual TLS.

  • useCertManager (optional): Specifies whether automated certificate provisioning using cert-manager is enabled.

    • kind: Specifies the issuer type (issuer or clusterIssuer).

    • issuer: Specifies the name of the configured issuer resource.

    • duration (optional): Specifies the validity duration (The default value is 2160 hours).

  • signerName (optional): Specifies the certificate signer to be used.

  • extraAnnotations (optional): Specifies additional annotations applied to the certificate resource.

  • expirationSeconds (optional): Specifies the validity period of the issued certificate.

• proxyProtocolConfig (optional): Defines proxy protocol handling for incoming connections.

  • mode: Specifies how Proxy Protocol headers are handled (disabled, maybeFrom, or requiredFrom).

  • subnets: Specifies the list of CIDR ranges from which Proxy Protocol headers are accepted.

• staticAssets: Defines the configuration for serving Fortanix CCM UI static content.

  • baseUrl: Specifies the public URL used to access static UI assets.

  • Ingress:/ gatewayAPI: Defines how static assets are exposed using Kubernetes Ingress or Gateway API.

    • ingressKind: Specifies the type of resource used to expose static assets (for example, Ingress or Gateway).

    • tlsSecretName (optional): Specifies an existing TLS secret for the static assets endpoint.

    • extraAnnotations (optional): Specifies the annotations applied to the Ingress resource (for example, for NGINX configuration).

NOTE

• The values defined in certConfig are used by the operator to generate a CSR.

• After applying the ArmorPlatform resource, depending on the certificate provisioning method:

  • For manual installation, wait until the operator generates a CSR for the configured domain. Then proceed to Section 8.0: Install Certificates to complete certificate installation.

  • For automated provisioning using cert-manager, the certificate request is processed automatically as described in Section 4.1: Automated Certificate Provisioning (cert-manager).

7.6 Apply the Configuration

Perform the following steps to apply the ArmorPlatform configuration to the Kubernetes cluster to initiate Fortanix CCM deployment:

1. Download the YAML file armor-platform.yaml .

2. Run the following command to apply the custom resource:

   kubectl apply -f armor-platform.yaml

8.0 Install Certificates (Manual Method)

This section describes the manual process for installing the Fortanix CCM API certificate by processing the CSR generated by the operator for the domain configuration in Section 7.5: Ingress Configuration and uploading the signed certificate chain. It applies only when using manual certificate installation.

NOTE

If you are using cert-manager for automated certificate provisioning, skip this section and refer to Section 4.1: Automated Certificate Provisioning (cert-manager).

1. Run the following command to list the CSR objects generated by the operator for Fortanix CCM:

   kubectl -n <namespace> get csr

   Where, <namespace> is the namespace where the Fortanix CCM platform components are deployed (for example, armor).

2. Identify the CSR generated for Fortanix CCM. Run the following command to extract the CSR content generated for the CCM API certificate from Kubernetes for signing by a CA.

   The certificate chain must include:

   • The signed certificate

   • Intermediate CA certificates (if applicable)

   • Root CA certificate

   The CSR name typically follows the format: fortanix-ccm-csr-<timestamp>

   CSR_NAME=<csr-name>
   
   kubectl get csr "$CSR_NAME" -o jsonpath='{.spec.request}' | base64 -d > "$CSR_NAME.csr"
   

   Where, <csr-name> is the name of the CSR generated for the Fortanix CCM API certificate.

3. Sign the extracted CSR using your organization’s CA and prepare the certificate chain.

   NOTE

   The exact steps for signing the certificate depend on your organization’s CA and security policies.

4. Run the following command to upload the signed certificate back to the Kubernetes cluster to complete the certificate installation process:

   BASE64=$(base64 -w 0 "${CSR_NAME}-full.crt")
   
   kubectl get csr "${CSR_NAME}" -o json | \
   jq ".status.certificate = \"$BASE64\"" | \
   kubectl replace --raw "/apis/certificates.k8s.io/v1/certificatesigningrequests/${CSR_NAME}/status" -f -
   

   Where, CSR_NAME is the name of the CSR generated for the Fortanix CCM API certificate (for example, fortanix-ccm-csr-<timestamp>). Ensure that this value matches the CSR name used in the previous steps.

9.0 Access Fortanix CCM UI

This section describes how to access the Fortanix CCM user interface (UI) using the configured domain after successful deployment and verify that the platform is reachable.

9.1 Verify Fortanix CCM UI Accessibility

After successful deployment and certificate installation, verify that the Fortanix CCM UI is accessible.

Perform the following steps:

1. Run the following command to access the static assets endpoint:

   https://<static-assets-domain>

   Where, https://<static-assets-domain> corresponds to the staticAssetsBaseUrl configured in Section 7.5: Ingress Configuration.

   For example: https://static.onprem.fortanix.com

2. If prompted, accept the browser warning for the TLS certificate (applicable when using self-signed certificates).

3. Access the Fortanix CCM UI: https://<ccm-domain>. This domain corresponds to the certConfig.subject configured in Section 7.5: Ingress Configuration.

4. Confirm that the login page is displayed successfully.

9.2 Sign Up and Log In

Perform the following steps to sign up for Fortanix CCM:

1. Visit https://<ccm-domain> and sign up.

   NOTE

   The first user who signs up for Fortanix CCM and creates an account automatically assumes the role of system administrator.

2. Once you sign up, enter your email address and password, and click LOG IN.

   

9.3 Create and Select an Account

Perform the following steps to create an account:

1. Once you log in to your account, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.  

2. Enter a name for the new account and optionally add a custom logo for the account.

3. Click CREATE ACCOUNT to complete the account creation.

4. Once the account is created, click SELECT ACCOUNT to select the newly created account and start enrolling compute nodes and creating applications.

9.4 Configure System Administration Settings (Using Script)

For configuring the system administration settings using a script, refer to System Management.

9.5 Configure System Administration Settings (Using UI)

For configuring the system administration settings using UI, refer to System Management.

9.6 References

• To know the features available for Fortanix CCM on-premises deployments, refer to Fortanix CCM Feature Support Matrix (SaaS vs On-premises).

10.0 Public API and Supported Interfaces

This section describes the components of the Fortanix CCM on-premises deployment that are considered part of the public API. These interfaces are maintained with backward compatibility across releases.

10.1 Public API Components

The following interfaces are part of the supported public API:

• REST API - The Fortanix CCM REST API is used for programmatic access.

• ArmorPlatform Custom Resource (CRD) - The Kubernetes resource used to configure and manage Fortanix CCM deployments. For more information, refer to Section 7.0: Create ArmorPlatform Resource.

10.2 Kubernetes Service Requirements

You must configure a Kubernetes Service for exposing the Fortanix CCM public API with the following properties:

spec:
  selector:
    fortanix.com/ingress: true
  ports:
    - protocol: TCP
      targetPort: 8443

Where,

• selector: Identifies the set of pods (CCM services) that this Kubernetes Service routes traffic to. This ensures that incoming traffic is routed to the correct CCM API components. The Service looks for pods with the label: fortanix.com/ingress: true. These labels are automatically applied by the Fortanix Armor Kubernetes Operator.

• protocol: Specifies the network protocol used for communication.

• targetPort: The port on the Fortanix CCM container where the API is exposed.

This Kubernetes Service routes traffic to the Fortanix CCM API pods on port 8443 and is used by external access mechanisms such as load balancers.

10.3 Certificate Requirement for Mutual TLS

For connections that require mutual TLS (for example, Node Agent communication), the public certificate must include a SAN that begins with the following:

api.<your-domain>

NOTE

Ensure that the domain defined for mutual TLS aligns with the certificate configuration provided in Section 7.5: Ingress Configuration.