Creating the docker-compose file for Trustee

You must create the docker-compose file for Trustee before you can deploy it.

  1. Create a docker-compose.yaml file.
    $ cat << EOF > docker-compose.yaml
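    version: '3.2'
    services:
      kbs:
        image: ghcr.io/confidential-containers/staged-images/kbs@sha256:b41d3dbea8b42ee0b7cab18c7f45a764639e8b3c49819ee5dda0da7a6abc9599
        # Start-up script: fetch the IBM Z host-key signing certificates and the
        # CRLs used to verify HKDs, then hand the process over to the KBS.
        # "set -e" aborts on the first failing command, and "--fail" makes curl
        # exit non-zero on an HTTP error instead of saving the error page as a
        # certificate or CRL (a plain "curl -o" returns 0 on a 404).
        # The CRLs are fetched over plain HTTP as published by DigiCert; CRLs are
        # signed, so their integrity does not depend on the transport.
        command:
          - sh
          - "-c"
          - |
            set -e
            mkdir -p /run/confidential-containers/ibmse/certs /run/confidential-containers/ibmse/crls
            curl --fail -o /run/confidential-containers/ibmse/certs/ibm-z-host-key-signing-gen2.crt https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt
            curl --fail -o /run/confidential-containers/ibmse/certs/DigiCertCA.crt https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt
            curl --fail -o /run/confidential-containers/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
            curl --fail -o /run/confidential-containers/ibmse/crls/ibm-z-host-key-gen2.crl https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl
            curl --fail -o /run/confidential-containers/ibmse/crls/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            exec /usr/local/bin/kbs --config-file /etc/kbs-config.toml
        restart: always
        ports:
          # Published on every host interface. Use "127.0.0.1:8080:8080" when
          # only clients on this host need to reach the KBS.
          - "8080:8080"
        # Bind mounts are read-write unless suffixed with :ro. Several of these
        # are private keys; add :ro to the ones the KBS only reads (confirm
        # against the KBS configuration which paths it writes to, e.g. the
        # resource policy may be updated through the KBS API).
        volumes:
          # Resource policy (OPA/Rego) evaluated by the KBS.
          - ./kbs/data/policy.rego:/opa/confidential-containers/kbs/policy.rego
          # Attestation-service state; :rw is explicit here.
          - ./kbs/data/attestation-service:/opt/confidential-containers/attestation-service:rw
          # Resource served from the KBS repository as default/busybox/key.
          - ./kbs/data/kbs-storage/key:/opt/confidential-containers/kbs/repository/default/busybox/key
          # Presumably the TLS private key and certificate of the KBS listener
          # (key.pem / cert.pem) - confirm against kbs-config.toml.
          - ./kbs/localhost.key:/etc/key.pem
          - ./kbs/localhost.crt:/etc/cert.pem
          - ./kbs/kbs.pem:/kbs/kbs.pem
          - ./kbs/kbs-config.toml:/etc/kbs-config.toml
          # IBM SE material: HKDs, the image header and the RSA key pair.
          - ./kbs/data/hkds:/run/confidential-containers/ibmse/hkds
          - ./kbs/data/hdr/hdr.bin:/run/confidential-containers/ibmse/hdr/hdr.bin
          - ./kbs/data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem
          - ./kbs/data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub
          # Further KBS repository resources: the OSC security policy and the
          # cosign public key used for image-signature verification.
          - ./kbs/osc:/opt/confidential-containers/kbs/repository/default/security-policy/osc
          - ./kbs/cosign.pub:/opt/confidential-containers/kbs/repository/default/img-sig/pub-key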
    EOF
  2. For development HKDs (HKDs that are not signed by a trusted authority), add the following environment section to the kbs service in the docker-compose.yaml file:
    # Development only: debug logging, plus skipping verification of the HKD
    # signing certificates for HKDs that are not signed by a trusted authority.
    environment:
      - RUST_LOG=debug
      - SE_SKIP_CERTS_VERIFICATION=true
    Example
    $ cat << EOF > docker-compose.yaml
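    version: '3.2'
    services:
      kbs:
        image: ghcr.io/confidential-containers/staged-images/kbs@sha256:b41d3dbea8b42ee0b7cab18c7f45a764639e8b3c49819ee5dda0da7a6abc9599
        # Start-up script: fetch the IBM Z host-key signing certificates and the
        # CRLs used to verify HKDs, then hand the process over to the KBS.
        # "set -e" aborts on the first failing command, and "--fail" makes curl
        # exit non-zero on an HTTP error instead of saving the error page as a
        # certificate or CRL (a plain "curl -o" returns 0 on a 404).
        # The CRLs are fetched over plain HTTP as published by DigiCert; CRLs are
        # signed, so their integrity does not depend on the transport.
        command:
          - sh
          - "-c"
          - |
            set -e
            mkdir -p /run/confidential-containers/ibmse/certs /run/confidential-containers/ibmse/crls
            curl --fail -o /run/confidential-containers/ibmse/certs/ibm-z-host-key-signing-gen2.crt https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt
            curl --fail -o /run/confidential-containers/ibmse/certs/DigiCertCA.crt https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt
            curl --fail -o /run/confidential-containers/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
            curl --fail -o /run/confidential-containers/ibmse/crls/ibm-z-host-key-gen2.crl https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl
            curl --fail -o /run/confidential-containers/ibmse/crls/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            exec /usr/local/bin/kbs --config-file /etc/kbs-config.toml
        restart: always
        # Development only: debug logging, plus skipping verification of the HKD
        # signing certificates for HKDs that are not signed by a trusted
        # authority. Remove this section once the HKDs are signed by a trusted
        # authority.
        environment:
          - RUST_LOG=debug
          - SE_SKIP_CERTS_VERIFICATION=true
        ports:
          # Published on every host interface. Use "127.0.0.1:8080:8080" when
          # only clients on this host need to reach the KBS.
          - "8080:8080"
        # Bind mounts are read-write unless suffixed with :ro. Several of these
        # are private keys; add :ro to the ones the KBS only reads (confirm
        # against the KBS configuration which paths it writes to, e.g. the
        # resource policy may be updated through the KBS API).
        volumes:
          # Resource policy (OPA/Rego) evaluated by the KBS.
          - ./kbs/data/policy.rego:/opa/confidential-containers/kbs/policy.rego
          # Attestation-service state; :rw is explicit here.
          - ./kbs/data/attestation-service:/opt/confidential-containers/attestation-service:rw
          # Resource served from the KBS repository as default/busybox/key.
          - ./kbs/data/kbs-storage/key:/opt/confidential-containers/kbs/repository/default/busybox/key
          # Presumably the TLS private key and certificate of the KBS listener
          # (key.pem / cert.pem) - confirm against kbs-config.toml.
          - ./kbs/localhost.key:/etc/key.pem
          - ./kbs/localhost.crt:/etc/cert.pem
          - ./kbs/kbs.pem:/kbs/kbs.pem
          - ./kbs/kbs-config.toml:/etc/kbs-config.toml
          # IBM SE material: HKDs, the image header and the RSA key pair.
          - ./kbs/data/hkds:/run/confidential-containers/ibmse/hkds
          - ./kbs/data/hdr/hdr.bin:/run/confidential-containers/ibmse/hdr/hdr.bin
          - ./kbs/data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem
          - ./kbs/data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub
          # Further KBS repository resources: the OSC security policy and the
          # cosign public key used for image-signature verification.
          - ./kbs/osc:/opt/confidential-containers/kbs/repository/default/security-policy/osc
          - ./kbs/cosign.pub:/opt/confidential-containers/kbs/repository/default/img-sig/pub-key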
    EOF