Creating the podman-play file for Trustee
You must create the podman-play file for Trustee to facilitate the deployment.
- Create a
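`podman.yaml` file:

```shell
# Unquoted heredoc: the shell turns each "\\" below into a single "\" in podman.yaml,
# which is the line continuation the sh -c script relies on.
cat << EOF > podman.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kbs-pod
spec:
  restartPolicy: Always
  containers:
    - name: kbs
      image: ghcr.io/confidential-containers/staged-images/kbs@sha256:d0b2a9a9253ea3bc749b2be51e8a0366198a70fd239a931394a581885aa83dd9
      # Fetch the IBM Z host-key signing certificates and the matching CRLs, then
      # exec KBS. curl -f makes an HTTP error fail the && chain instead of writing
      # the error page into the .crt/.crl file; -L follows redirects; -sS stays quiet
      # but still reports failures.
      command:
        - sh
        - -c
        - |
          mkdir -p /run/confidential-containers/ibmse/certs \\
          && mkdir -p /run/confidential-containers/ibmse/crls \\
          && curl -fsSL -o /run/confidential-containers/ibmse/certs/ibm-z-host-key-signing-gen2.crt https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt \\
          && curl -fsSL -o /run/confidential-containers/ibmse/certs/DigiCertCA.crt https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/ibm-z-host-key-gen2.crl https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedRootG4.crl \\
          && exec /usr/local/bin/kbs --config-file /etc/kbs-config.toml
      ports:
        # KBS is reachable on host port 8080.
        - containerPort: 8080
          hostPort: 8080
      volumeMounts:
        - name: policy-volume
          mountPath: /opt/confidential-containers/opa/policy.rego
          readOnly: true
        # No readOnly here: presumably the attestation service writes into this
        # directory — confirm before tightening it.
        - name: attest-volume
          mountPath: /opt/confidential-containers/attestation-service
        - name: kbs-key
          mountPath: /opt/confidential-containers/kbs/repository/default/busybox/key
          readOnly: true
        - name: localhost-key
          mountPath: /etc/key.pem
          readOnly: true
        - name: localhost-crt
          mountPath: /etc/cert.pem
          readOnly: true
        - name: kbs-pem
          mountPath: /etc/auth-secret/publicKey
          readOnly: true
        - name: kbs-config
          mountPath: /etc/kbs-config.toml
          readOnly: true
        - name: hkds
          mountPath: /run/confidential-containers/ibmse/hkds
          readOnly: true
        - name: hdrbin
          mountPath: /run/confidential-containers/ibmse/hdr/hdr.bin
          readOnly: true
        - name: encryptkeypem
          mountPath: /run/confidential-containers/ibmse/rsa/encrypt_key.pem
          readOnly: true
        - name: encryptkeypub
          mountPath: /run/confidential-containers/ibmse/rsa/encrypt_key.pub
          readOnly: true
        - name: osc
          mountPath: /opt/confidential-containers/kbs/repository/default/security-policy/osc
          readOnly: true
        - name: cosignpub
          mountPath: /opt/confidential-containers/kbs/repository/default/img-sig/pub-key
          readOnly: true
  # All volumes are host paths relative to the directory podman play is run from.
  volumes:
    - name: policy-volume
      hostPath:
        path: ./kbs/data/policy.rego
        type: File
    - name: attest-volume
      hostPath:
        path: ./kbs/data/attestation-service
        type: Directory
    - name: kbs-key
      hostPath:
        path: ./kbs/data/kbs-storage/key
        type: File
    - name: localhost-key
      hostPath:
        path: ./kbs/localhost.key
        type: File
    - name: localhost-crt
      hostPath:
        path: ./kbs/localhost.crt
        type: File
    - name: kbs-pem
      hostPath:
        path: ./kbs/kbs.pem
        type: File
    - name: kbs-config
      hostPath:
        path: ./kbs/kbs-config.toml
        type: File
    - name: hkds
      hostPath:
        path: ./kbs/data/hkds
        type: Directory
    - name: hdrbin
      hostPath:
        path: ./kbs/data/hdr/hdr.bin
        type: File
    - name: encryptkeypem
      hostPath:
        path: ./kbs/data/rsa/encrypt_key.pem
        type: File
    - name: encryptkeypub
      hostPath:
        path: ./kbs/data/rsa/encrypt_key.pub
        type: File
    - name: osc
      hostPath:
        path: ./kbs/osc
        type: File
    - name: cosignpub
      hostPath:
        path: ./kbs/cosign.pub
        type: File
EOF
```

- For the development HKDs (those not signed by a trusted authority), include the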
following environmental section in the
`podman.yaml` file:
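Example

```yaml
environment:
  - RUST_LOG=debug
  - SE_SKIP_CERTS_VERIFICATION=true
```

```shell
# Unquoted heredoc: the shell turns each "\\" below into a single "\" in podman.yaml,
# which is the line continuation the sh -c script relies on.
cat << EOF > podman.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kbs-pod
spec:
  restartPolicy: Always
  containers:
    - name: kbs
      image: ghcr.io/confidential-containers/staged-images/kbs@sha256:d0b2a9a9253ea3bc749b2be51e8a0366198a70fd239a931394a581885aa83dd9
      # Fetch the IBM Z host-key signing certificates and the matching CRLs, then
      # exec KBS. curl -f makes an HTTP error fail the && chain instead of writing
      # the error page into the .crt/.crl file; -L follows redirects; -sS stays quiet
      # but still reports failures.
      command:
        - sh
        - -c
        - |
          mkdir -p /run/confidential-containers/ibmse/certs \\
          && mkdir -p /run/confidential-containers/ibmse/crls \\
          && curl -fsSL -o /run/confidential-containers/ibmse/certs/ibm-z-host-key-signing-gen2.crt https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt \\
          && curl -fsSL -o /run/confidential-containers/ibmse/certs/DigiCertCA.crt https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/ibm-z-host-key-gen2.crl https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl \\
          && curl -fsSL -o /run/confidential-containers/ibmse/crls/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedRootG4.crl \\
          && exec /usr/local/bin/kbs --config-file /etc/kbs-config.toml
      env:
        - name: RUST_LOG
          value: debug
        # Development HKDs only (not signed by a trusted authority): this skips
        # verification of the HKD signing certificate chain. Quoted so the value
        # stays the string "true" rather than a YAML boolean.
        - name: SE_SKIP_CERTS_VERIFICATION
          value: "true"
      ports:
        # KBS is reachable on host port 8080.
        - containerPort: 8080
          hostPort: 8080
      volumeMounts:
        - name: policy-volume
          mountPath: /opt/confidential-containers/opa/policy.rego
          readOnly: true
        # No readOnly here: presumably the attestation service writes into this
        # directory — confirm before tightening it.
        - name: attest-volume
          mountPath: /opt/confidential-containers/attestation-service
        - name: kbs-key
          mountPath: /opt/confidential-containers/kbs/repository/default/busybox/key
          readOnly: true
        - name: localhost-key
          mountPath: /etc/key.pem
          readOnly: true
        - name: localhost-crt
          mountPath: /etc/cert.pem
          readOnly: true
        - name: kbs-pem
          mountPath: /etc/auth-secret/publicKey
          readOnly: true
        - name: kbs-config
          mountPath: /etc/kbs-config.toml
          readOnly: true
        - name: hkds
          mountPath: /run/confidential-containers/ibmse/hkds
          readOnly: true
        - name: hdrbin
          mountPath: /run/confidential-containers/ibmse/hdr/hdr.bin
          readOnly: true
        - name: encryptkeypem
          mountPath: /run/confidential-containers/ibmse/rsa/encrypt_key.pem
          readOnly: true
        - name: encryptkeypub
          mountPath: /run/confidential-containers/ibmse/rsa/encrypt_key.pub
          readOnly: true
        - name: osc
          mountPath: /opt/confidential-containers/kbs/repository/default/security-policy/osc
          readOnly: true
        - name: cosignpub
          mountPath: /opt/confidential-containers/kbs/repository/default/img-sig/pub-key
          readOnly: true
  # All volumes are host paths relative to the directory podman play is run from.
  volumes:
    - name: policy-volume
      hostPath:
        path: ./kbs/data/policy.rego
        type: File
    - name: attest-volume
      hostPath:
        path: ./kbs/data/attestation-service
        type: Directory
    - name: kbs-key
      hostPath:
        path: ./kbs/data/kbs-storage/key
        type: File
    - name: localhost-key
      hostPath:
        path: ./kbs/localhost.key
        type: File
    - name: localhost-crt
      hostPath:
        path: ./kbs/localhost.crt
        type: File
    - name: kbs-pem
      hostPath:
        path: ./kbs/kbs.pem
        type: File
    - name: kbs-config
      hostPath:
        path: ./kbs/kbs-config.toml
        type: File
    - name: hkds
      hostPath:
        path: ./kbs/data/hkds
        type: Directory
    - name: hdrbin
      hostPath:
        path: ./kbs/data/hdr/hdr.bin
        type: File
    - name: encryptkeypem
      hostPath:
        path: ./kbs/data/rsa/encrypt_key.pem
        type: File
    - name: encryptkeypub
      hostPath:
        path: ./kbs/data/rsa/encrypt_key.pub
        type: File
    - name: osc
      hostPath:
        path: ./kbs/osc
        type: File
    - name: cosignpub
      hostPath:
        path: ./kbs/cosign.pub
        type: File
EOF
```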