User's Guide: Run the Workflow - Web Interface - AWS Nitro Applications

1.0 Introduction

This article describes how to run an AWS Nitro application in a Workflow using the Workflow RUN button, which starts the application job and lets you monitor it.

NOTE

The execution of the application takes place within the Amazon Elastic Kubernetes Service (EKS) runtime environment.

2.0 Execute the AWS Nitro Application on Amazon EKS

2.1 Prerequisites

Ensure that the Compute Clusters are configured in Fortanix Confidential Computing Manager. A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run Fortanix Confidential Computing Manager workflows. For more information on how to configure a compute cluster in Fortanix CCM and access the cluster, refer to Section 3.0: Configure the Cluster using Amazon EKS.

2.2 Create an Amazon EKS Cluster

Ensure that you have set up an Amazon EKS cluster with worker nodes that run the Nitro node agent (the job specification later in this guide reaches the agent on the node's host IP), and that the cluster is registered in Fortanix CCM. For more information, refer to the Administration Guide: Amazon EKS with Fortanix Confidential Computing Manager.

2.3 Obtain the kubeconfig YAML file

A kubeconfig YAML file is what Fortanix CCM uses to reach the EKS compute cluster and create the application job in it, so treat it as a credential: obtain it for an identity with no more access than the workflow needs (the target namespace and Job resources). For more details on how to get the EKS credentials, refer to Administration Guide: Amazon Elastic Kubernetes Service with Fortanix CCM.

3.0 Configure the Cluster using Amazon EKS

Perform the following steps to configure the Amazon EKS credentials in Fortanix CCM:

  1. Click the Infrastructure → Compute Clusters menu item in the Fortanix CCM UI left navigation bar and click the + ADD COMPUTE CLUSTER button to configure a new compute cluster.

    Add-Compute-Cluster.png

    Figure 1: Add Compute Cluster

  2. On the Add Cluster page, enter the following details:

    • Name: Enter the required name of the cluster.

    • Description: Enter the optional details about the cluster.

    • Type: Select the Kubernetes option from the drop down menu.

    • Kubernetes Configuration: Upload the YAML file containing the EKS configuration details. For more information refer to the Section 2.3: Obtain the Kubeconfig YAML File.

      Fig-2.png

      Figure 2: Add Cluster Form

  3. Click the ADD CLUSTER button to save the cluster configuration.

    Fig-3.png

    Figure 3: Compute Cluster Created

The compute cluster is now successfully created.

4.0 Configure the Amazon EKS Application Workflow

Ensure that you have created a workflow using EKS app in the Fortanix CCM UI. For more information, refer to the User's Guide: Create, Update, Clone, and Delete Workflows.

Perform the following steps to configure the workflow:

  1. Navigate to the Workflows → Approved menu item in the Fortanix CCM UI left navigation bar.

  2. From the list of approved workflows, select a workflow that has a single application since Fortanix CCM supports only single job deployments.

    Fig-4.png

    Figure 4: Select Approved Workflow

  3. In the detailed view of the selected workflow, the RUN button is disabled until you configure the Kubernetes job specification. Click the configuration icon shown in Figure 5 to enter these details and enable the RUN button.

    Fig-5.png

    Figure 5: Configuration Button

  4. In the RUN WORKFLOW window, enter the following details:

    • Deployment Type: The workflow deployment type, that is, Kubernetes (Single Job). Currently, Fortanix CCM supports only single job deployments.

    • Namespace: The Kubernetes namespace in which the job is created.

    • Cluster: The EKS cluster that you configured in Fortanix CCM (Section 3.0).

    • Job Specification: The Kubernetes job specification YAML that the cluster and the application need to run the application job. The following sample shows the shape of that specification:

      apiVersion: batch/v1
      kind: Job
      metadata:
        labels:
          app: my-pod
          fortanix.cloud/app-id: huzme3phs
          fortanix.cloud/workflow: 4388e54b-5862-4efc-93f7-dbfc172951608
        name: my-pod
      spec:
        template:
          metadata:
            labels:
              app: my-pod
          spec:
            restartPolicy: Never            # one-shot job: the pod is not restarted on exit
            imagePullSecrets:               # only needed when the image registry requires authentication
            - name: regcred
            containers:
              - env:
                  # Kubernetes expands $(NODE_IP) below only because NODE_IP is
                  # defined earlier in this list; keep that order.
                  - name: NODE_IP
                    valueFrom:
                      fieldRef:
                        fieldPath: status.hostIP
                  - name: NODE_AGENT        # Nitro node agent on the worker node that hosts the pod
                    value: http://$(NODE_IP):9092/v1
                  - name: APPCONFIG_ID
                    value: fee3378f765271f6902a4123e331ab3afa2b0d88638a97ef5f76ca70ffc31181
                  - name: CCM_BACKEND       # replace with the CCM endpoint your deployment uses
                    value: ccm.test.fortanix.com:443
                  - name: RUST_LOG          # verbose; lower it for production runs
                    value: debug
                  - name: IS_EKS
                    value: 'true'
                  - name: MEM_SIZE          # 2048 MiB, matching the hugepages limit below
                    value: '2048'
                  - name: NODE_AGENT_IP
                    valueFrom:
                      fieldRef:
                        fieldPath: status.hostIP
                  - name: NODE_AGENT_BASE_URL
                    value: http://$(NODE_AGENT_IP):9092/v1
                image: 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/ccm-automation-output-images:python-generic-app-dec20
                imagePullPolicy: Always
                name: nginx
                ports:
                  - containerPort: 80
                    name: http
                  - containerPort: 22       # remove unless the application really exposes SSH
                    name: ssh
                resources:
                  limits:
                    cpu: 500m
                    hugepages-1Gi: 2Gi      # Kubernetes requires hugepages requests to equal limits
                    memory: 2Gi
                    smarter-devices/nitro_enclaves: '1'   # enclave device exposed by the node's device plugin
                  requests:
                    hugepages-1Gi: 2Gi
                    smarter-devices/nitro_enclaves: '1'
                securityContext:
                  privileged: true          # the sample runs privileged; review before approving for production
                volumeMounts:
                  - mountPath: /dev/hugepages
                    name: hugepage
                    readOnly: false
                  - mountPath: /var/log/nitro_enclaves
                    name: log
                  - mountPath: /run/nitro_enclaves
                    name: socket-path
            volumes:
              - emptyDir:
                  medium: HugePages
                name: hugepage
              - hostPath:                   # enclave logs are written to the worker node's filesystem
                  path: /var/log/nitro_enclaves
                name: log
              - emptyDir: {}
                name: socket-path
      

      NOTE

      • Refer to the Kubernetes job specification at https://kubernetes.io/docs/concepts/workloads/controllers/job/

      • Fortanix CCM incorporates the necessary environment variables into the provided Kubernetes job specification.

      • When the Docker image is hosted in a registry that requires authentication, include imagePullSecrets that reference a Kubernetes secret in the job's namespace.

      • Fortanix CCM does not push any secrets stored in it; it is the user's responsibility to configure these in Kubernetes.

      • The sample specification runs the container privileged, exposes port 22, sets RUST_LOG to debug, and points CCM_BACKEND at a test endpoint. Review these settings before approving a workflow for production use.

      Fig-6.png

      Figure 6: Configure Specification

  5. Click the SAVE CONFIGURATION button to save the changes.

The RUN button is now enabled on the screen.

Fig-7.png

Figure 7: Run Button Enabled
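As an added example (not Fortanix code and not part of this guide), the following preflight check can be run on a job specification before it is pasted into the RUN WORKFLOW window. It encodes two rules Kubernetes itself enforces or silently mishandles (hugepages requests must equal limits; a $(VAR) reference is only expanded when VAR is defined earlier in the same env list) and flags the settings in the sample specification that suit a test run but deserve review before a production approval. The manifest shape and label names come from the sample above; the severity levels, the MEM_SIZE-to-hugepages comparison, and all identifiers in the embedded sample are this example's own assumptions.

```python
"""Preflight checks for a CCM Nitro Job specification (added example, not Fortanix code).

Takes a parsed Kubernetes Job manifest (a dict). yaml.safe_load(text) from PyYAML
gives the same dict for the YAML in the guide; the sample here is embedded as JSON
(valid YAML too) so the script needs only the standard library.
"""
import json
import re

# Constructed sample: a trimmed copy of the guide's spec with the env order and the
# hugepages request deliberately broken. All identifiers are placeholders.
SAMPLE_JOB = json.loads("""
{"apiVersion": "batch/v1", "kind": "Job",
 "metadata": {"name": "my-pod", "labels": {"app": "my-pod",
   "fortanix.cloud/app-id": "placeholder-app-id",
   "fortanix.cloud/workflow": "placeholder-workflow-id"}},
 "spec": {"template": {"spec": {
   "restartPolicy": "Never",
   "containers": [{"name": "app",
     "image": "123456789012.dkr.ecr.us-west-1.amazonaws.com/example/app:latest",
     "env": [{"name": "NODE_AGENT", "value": "http://$(NODE_IP):9092/v1"},
             {"name": "NODE_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.hostIP"}}},
             {"name": "MEM_SIZE", "value": "2048"},
             {"name": "RUST_LOG", "value": "debug"}],
     "ports": [{"containerPort": 80, "name": "http"}, {"containerPort": 22, "name": "ssh"}],
     "resources": {"limits": {"hugepages-1Gi": "2Gi", "memory": "2Gi",
                              "smarter-devices/nitro_enclaves": "1"},
                   "requests": {"hugepages-1Gi": "1Gi", "smarter-devices/nitro_enclaves": "1"}},
     "securityContext": {"privileged": true}}],
   "volumes": [{"name": "hugepage", "emptyDir": {"medium": "HugePages"}}]}}}}
""")

VAR_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def to_mib(quantity):
    """Convert a Kubernetes quantity ('2Gi', '2048Mi', '2147483648') to MiB."""
    for suffix, factor in (("Ki", 1 / 1024), ("Mi", 1), ("Gi", 1024), ("Ti", 1024 ** 2)):
        if quantity.endswith(suffix):
            return int(float(quantity[: -len(suffix)]) * factor)
    return int(quantity) // (1024 * 1024)


def check_env_order(env):
    """Kubernetes expands $(NAME) only if NAME appears earlier in the same env list;
    a forward reference is passed through literally, so the app would try to reach
    'http://$(NODE_IP):9092/v1'."""
    findings, seen = [], set()
    for entry in env:
        for ref in VAR_REF.findall(entry.get("value") or ""):
            if ref not in seen:
                findings.append(("error", f"{entry['name']} references $({ref}) before it is defined"))
        seen.add(entry["name"])
    return findings


def check_container(c, pod):
    """Checks on one container of the pod template; returns (severity, message) pairs."""
    f = check_env_order(c.get("env", []))
    values = {e["name"]: e.get("value") for e in c.get("env", [])}
    limits = c.get("resources", {}).get("limits", {})
    requests = c.get("resources", {}).get("requests", {})
    for key, lim in limits.items():  # Kubernetes rejects hugepages request != limit
        if key.startswith("hugepages-") and requests.get(key) != lim:
            f.append(("error", f"{key}: request {requests.get(key)} must equal limit {lim}"))
    hugepages_mib = sum(to_mib(v) for k, v in limits.items() if k.startswith("hugepages-"))
    if values.get("MEM_SIZE") and int(values["MEM_SIZE"]) != hugepages_mib:  # assumption: the guide keeps these equal
        f.append(("warn", f"MEM_SIZE={values['MEM_SIZE']} but hugepages limits total {hugepages_mib} MiB"))
    if not limits.get("smarter-devices/nitro_enclaves"):
        f.append(("error", "no smarter-devices/nitro_enclaves device in resources.limits"))
    if not pod.get("imagePullSecrets"):
        f.append(("warn", "no imagePullSecrets; required if the image registry needs authentication"))
    if c.get("securityContext", {}).get("privileged"):
        f.append(("warn", f"container {c['name']} runs privileged; confirm this is required"))
    if any(p.get("containerPort") == 22 or p.get("name") == "ssh" for p in c.get("ports", [])):
        f.append(("warn", "container exposes SSH (port 22); remove unless the app needs it"))
    if values.get("RUST_LOG") == "debug":
        f.append(("warn", "RUST_LOG=debug is verbose; lower it for production runs"))
    return f


def check_job(job):
    """Return all (severity, message) findings for a Job manifest."""
    f = []
    if job.get("apiVersion") != "batch/v1" or job.get("kind") != "Job":
        f.append(("error", "manifest must be a batch/v1 Job; CCM runs a single job per workflow"))
    labels = job.get("metadata", {}).get("labels", {})
    for key in ("fortanix.cloud/app-id", "fortanix.cloud/workflow"):
        if key not in labels:
            f.append(("warn", f"label {key} from the guide's sample spec is missing"))
    pod = job.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("restartPolicy") != "Never":
        f.append(("warn", "restartPolicy should be Never for a one-shot job"))
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            f.append(("warn", f"volume {vol['name']} mounts host path {vol['hostPath'].get('path')}"))
    for c in pod.get("containers", []):
        f += check_container(c, pod)
    return f


def summarize(findings):
    """Count findings by severity, e.g. {'error': 2, 'warn': 4} for SAMPLE_JOB."""
    counts = {"error": 0, "warn": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, message in check_job(SAMPLE_JOB):
        print(f"{severity.upper():5} {message}")
```

Run it against the manifest you intend to upload; fix every error finding (the job will not start, or will start with a literal `$(NODE_IP)` in its agent URL) and justify each warning in the workflow approval.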

5.0 Run the Amazon EKS Application Workflow

Perform the following steps to run the EKS workflow application:

  1. Click the RUN button in the detailed view of the approved workflow that you enabled in Section 4.0: Configure the Amazon EKS Application Workflow.

    Fig-8.png

    Figure 8: Run the application

  2. In the RUN WORKFLOW window, confirm the values of each parameter and click the RUN button to run the workflow.

    Fig-9.png

    Figure 9: Run workflow

    Observe the running indicator at the bottom of the workflow.
    If there is a need to halt the execution at any point, click the STOP button. This action will re-enable the RUN button.

  3. Once the application starts, the Execution Log displays its execution status and shows whether the run completed successfully.

    View-Log-Details.png

    Figure 10: Running workflow

    The EXECUTION LOG window provides a detailed log of the run. You can also download the log using the DOWNLOAD button.

    Fig-12.png

    Figure 11: Log details