This example is a slightly modified variant of the Gramine Redis example. Instead of running a single Redis server instance, MarbleRun unleashes the full potential of Redis and takes care of distributing the Redis server in replication mode.
Prerequisite:
- Ensure you have access to a Kubernetes cluster with SGX-enabled nodes and kubectl installed and configured. Probably the easiest way to get started is to run Kubernetes on an Azure Kubernetes Service (AKS), which offers SGX-enabled nodes.
- Ensure you have the MarbleRun CLI installed.
We are now installing a distributed Redis server in primary/subordinate replication mode on your cluster.
First, we are installing MarbleRun on your cluster.
-
Install the MarbleRun Coordinator on the Cluster
marblerun install
-
Wait for the Coordinator to be ready
marblerun check
-
Port-forward the client API service to localhost
kubectl -n marblerun port-forward svc/coordinator-client-api 4433:4433 --address localhost >/dev/null & export MARBLERUN=localhost:4433
-
Check Coordinator's status, this should return status
2: ready to accept manifest.marblerun status $MARBLERUN --insecure -
Set the manifest
marblerun manifest set manifest.json $MARBLERUN
-
Deploy Redis using helm
helm install -f ./kubernetes/values.yaml redis ./kubernetes --create-namespace -n redis
-
Wait for the Redis server to start, this might take a moment. The output shoud look like this:
kubectl logs redis-main-0 -n redis ... 7:M 29 Mar 2021 12:25:40.076 # Server initialized 7:M 29 Mar 2021 12:25:40.108 * Ready to accept connections
-
Port-forward the Redis service to localhost
kubectl -n redis port-forward svc/redis-main 6379:6379 --address localhost >/dev/null &
You can now securely connect to the Redis server using the redis-cli and the MarbleRun CA certificate for authentication.
-
Make sure you have the latest Redis-CLI with TLS support:
wget http://download.redis.io/redis-stable.tar.gz tar xzf redis-stable.tar.gz && cd redis-stable make BUILD_TLS=yes && cp src/redis-cli /usr/local/bin
-
Obtain the Coordinator's CA certificate
marblerun certificate chain $MARBLERUN -o marblerun.crt -
Connect via the Redis-CLI
redis-cli -h localhost -p 6379 --tls --cacert marblerun.crt localhost:6379> set mykey somevalue OK localhost:6379> get mykey "somevalue"
To marbleize the example we edited redis-server.manifest.template. See comments starting with MARBLERUN for explanations of the required changes.
Build the Docker image:
DOCKER_BUILDKIT=1 docker build --secret id=signingkey,src=<path to private.pem> --tag ghcr.io/edgelesssys/redis-gramine-marble -f ./Dockerfile .