Disclaimer: The Fortanix CCM Workflows feature will only be enabled for Customers with an "Enterprise" license.
Deploy the Workflow - UI
After a workflow is approved by all the users, you can execute the application in the workflow using the workflow RUN button that allows users to start the application job and monitor them.
NOTE
- Currently, the RUN button works only for single job deployments, that is, workflows that only contain a single application will run using the RUN. In future releases of CCM, multiple jobs will be supported.
- The application execution will be performed on the Azure Kubernetes Service (AKS) runtime environment. In future releases of CCM, other runtime environments will also be supported for workflow deployment.
Execute the Application on Azure Kubernetes Service
Prerequisites
- Compute Clusters: A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run CCM workflows. Refer to Section: Configure the AKS Compute Cluster in Fortanix CCM for steps to configure a compute cluster in Fortanix CCM and access the cluster.
- Job specification: A Kubernetes job spec is a YAML file. A skeleton is provided as input to Fortanix CCM with user parameters. This is then updated by Fortanix CCM with relevant environment variables. Please see the example for expected inputs.
Refer to Section: Configure Workflow for steps to configure the Kubernetes job specification.
Create an AKS Cluster
To set up an AKS Cluster, refer to the article how to set up an AKS cluster as worker nodes in Fortanix CCM. The article shows you how to:
- Create a cluster
- Configure Fortanix Node Agent
- Use the cluster to deploy applications manually
Obtain the Kubectl Config File
A kubectl YAML file is used to configure the compute cluster. This file stores the following:
- The client certificates, token, and cluster CA certificate. This is the only authentication mechanism for AKS. We do not yet support username/password or other authentication options.
- The server address.
- Metadata like cluster name and user name.
The following are the usual steps for Azure Kubernetes Service to obtain a kubectl config file. For more information refer to official documentation from Microsoft.
- Log in on the command line.
az login - Get a list of all the available subscriptions.
az account list - Select a subscription.
az account set --subscription subscription-id - Get the AKS credentials.
The config is now available in
az aks get-credentials --name (cluster-name) --resource-group (cluster-resource-group)~/.kube/configfolder.
NOTEThe credentials can be revoked if needed using the command:az aks rotate-certificatesbut this will incur downtime, for more information, check Microsoft Azure Kubernetes Service documentation.
Configure the AKS Compute Cluster in Fortanix CCM
In order to start applications using the RUN button, you must configure the AKS credentials in Fortanix CCM.
NOTE
Only the Azure Kubernetes Service is available at the moment.
To configure the AKS cluster in Fortanix CCM:
- Click the Infrastructure tab in the Fortanix CCM left panel and select the Compute Clusters tab.
- In the Compute Clusters page, click ADD COMPUTE CLUSTER to configure a new compute cluster.
Figure 1: Create compute cluster - In the “Add Cluster” form, enter the following details:
- Name: The AKS cluster name.
- Type: The runtime environment, that is, Kubernetes.
- Kubernetes Configuration: The YAML file obtained in Section Obtain the Kubectl File that has the AKS configuration details.
Figure 2: Configure the compute cluster - Click ADD CLUSTER to save the cluster configuration. The cluster is successfully configured.
Figure 3: Cluster configured
Configure Workflow
To run a workflow application, you need to configure the workflow by following the steps below:
- Click the Workflows tab and on the Workflows page, select the Approved workflows tab.
- In the list of approved workflows, select a workflow that has a single application since Fortanix CCM 3.5 supports only single job deployments.
Figure 4: Select approved workflow - In the detailed view of the selected workflow, you will notice a RUN button in the disabled state. The RUN button will be disabled if you have not configured the job specification. To enable the RUN button, configure the Kubernetes job specification using the Configuration
icon next to the RUN button. 
Figure 5: Configure job spec - In the RUN WORKFLOW window, enter the following details:
- Deployment Type: The workflow deployment type, that is, Kubernetes (Single Job). Currently, Fortanix CCM supports only a single job deployment.
- Namespace: The Kubernetes namespace
- Cluster: The cluster that you configured in Fortanix CCM. Currently, Fortanix CCM supports only the AKS cluster as the runtime environment for deploying the workflow.
- Deployment Type: The deployment type for the application, that is, Kubernetes.
- Job Specification: The Kubernetes job specification YAML file that is required by the cluster and the application to run the application job.
apiVersion: batch/v1
kind: Job
metadata:
name: job-name
spec:
backoffLimit: 0
template:
spec:
containers:
- name: containername
resources:
limits:
kubernetes.azure.com/sgx_epc_mem_in_MiB: 1
imagePullSecrets:
- name: dockerhub
restartPolicy: NeverNOTE- This is a Kubernetes job spec: https://kubernetes.io/docs/concepts/workloads/controllers/job/
- Fortanix CCM will update it with relevant environment variables.
- We need to provide
imagePullSecretsif the docker image is behind a password-protected docker repository. - Fortanix CCM does not push any secrets stored in it, it is the user’s responsibility to configure these in Kubernetes.
Figure 6: Configure job spec 
Figure 7: Configure job spec - Configure secret in Kubernetes.
- This is a subset of: https://kubernetes.io/docs/concepts/configuration/secret/
- For any information, please refer to the official documentation above.
To configure the secret: - If you are using a docker hub, generate a token as in this example.
- If you are using ECR - get a token using the CLI.
- Using the docker server, for the docker hub, it is the URL used in this example.
NOTETokens usually expire, so the following step needs to be refreshed.kubectl delete secret dockerhub
kubectl create secret docker-registry dockerhub --docker-server=https://index.docker.io/v1/ --docker-username=username --docker-password=password - Click CONFIGURE to configure the Kubernetes job specification.
- If the job spec is configured successfully, you will see the
RUNbutton enabled.
Figure 8: Run enabled
Run the Workflow Application
To run the Workflow application,
- Configure the image pull secret.
- Click the RUN button in the detailed view of an approved workflow that you enabled in the previous section.
Figure 9: Run the application - In the RUN WORKFLOW modal window, the Cluster, Job Type, and Job Spec that you configured in the previous section will be selected.
- Click RUN to run the workflow.
Figure 10: Run workflow - You will notice the Running indication at the bottom of the workflow.
NOTEThe workflow execution status is not updated live as it must be fetched from the cluster manually. Hence click the Refresh icon to get the latest execution status.
- At any point, if there is a need to stop the execution, click STOP. This will re-enable the RUN button.
- If the application is executed successfully, you will see the status of the execution under the Execution Log. Click the View detail link to view the log details.
Figure 11: Running workflow - The EXECUTION LOG modal window shows the detailed logs of the run. You can also download the log using the DOWNLOAD link.
Figure 12: Log details
NOTEIf you try to run a workflow that has more than one application, you will see the following error. The Fortanix CCM 3.5 release only supports running a workflow with a single application.
Figure 13: Workflow execution not allowed for multiple applications
Comments
Please sign in to leave a comment.