Trustee can be deployed in several different configurations. In every case, Trustee should be deployed in a trusted environment: a local server, a trusted third party, or even another enclave. Official support for deploying Trustee inside Confidential Containers is being developed.
Installation
1 - Trustee Operator
Trustee can be installed on Kubernetes using the Trustee operator. When running Trustee in Kubernetes with the operator, the cluster itself must be trusted.
Install the operator
The operator (release v0.17.0 at the time of writing) is available in the Operator Hub.
Please follow the installation steps detailed here.
Verify that the controller is running.
kubectl get pods -n operators --watch
The operator controller should be running.
NAME READY STATUS RESTARTS AGE
trustee-operator-controller-manager-77cb448dc-7vxck 1/1 Running 0 11m
How to override the Trustee image
First of all we need to know which Trustee image is running:
kubectl get csv -n operators trustee-operator.v0.17.0 -o json | jq '.spec.install.spec.deployments[0].spec.template.spec.containers[0].env[1].value'
"ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.16.0"
The default image can be replaced with an updated version, for example Trustee v0.17.0:
NEW_IMAGE=ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.17.0
kubectl patch csv -n operators trustee-operator.v0.17.0 --type='json' -p="[{'op': 'replace', 'path': '/spec/install/spec/deployments/0/spec/template/spec/containers/0/env/1/value', 'value': '$NEW_IMAGE'}]"
Deploy Trustee
An example of how to configure Trustee is provided in this blog post.
After the last configuration step, check that the Trustee deployment is running.
kubectl get pods -n operators --selector=app=kbs
The Trustee deployment should be running.
NAME READY STATUS RESTARTS AGE
trustee-deployment-f97fb74d6-w5qsm 1/1 Running 0 25m
Uninstall
Remove the KbsConfig custom resource.
CR_NAME=$(kubectl get kbsconfig -n operators -o=jsonpath='{.items[0].metadata.name}') && kubectl delete KbsConfig $CR_NAME -n operators
Remove the controller.
kubectl delete Subscription -n operators my-trustee-operator
kubectl delete csv -n operators trustee-operator.v0.17.0
2 - Trustee in Docker
Trustee can be installed using Docker Compose.
Installation
Clone the Trustee repo.
git clone https://github.com/confidential-containers/trustee.git
Run Trustee from the root of the cloned repository.
cd trustee
docker compose up -d
Admin Setup (Optional)
Trustee admin APIs are protected. An admin keypair is required to use them.
Trustee in Docker Compose will automatically generate an admin keypair.
The private key, which an admin should provide to the KBS client, will be located at kbs/config/private.key.
You can replace the randomly generated admin keypair with the following commands.
openssl genpkey -algorithm ed25519 > kbs/config/private.key
openssl pkey -in kbs/config/private.key -pubout -out kbs/config/public.pub
Debug Mode (Optional)
To enable additional debug information, you can set the RUST_LOG environment variable.
First, create a file called debug.env.
RUST_LOG=debug
Then, you can run Trustee with an additional argument.
docker compose --env-file debug.env up
Advanced Setup
Docker Compose mounts Trustee configuration files from the Trustee repository itself. Specifically, the KBS configuration file is located in kbs/config/docker-compose/kbs-config.toml, the Attestation Service configuration is in /kbs/config/as-config.json, and the RVPS configuration is in /kbs/config/rvps.json.
These configuration files are read at Trustee startup. If you edit them, restart Trustee (docker compose restart).
The configuration options are described here and here.
Advanced Settings
Some advanced settings that you may want to enable include:
- HTTPS: HTTPS can be enabled via the KBS configuration file. It provides an additional layer of security on top of the KBS protocol and should be enabled in production environments.
- Slim Attestation Token: Guests with many devices can produce large attestation tokens, which in some cases exceed HTTP header limits. When attesting guests with many devices (such as NVIDIA PPCIE), set verbose_token to false in the AS config file.
- Token Duration: The lifetime of the attestation token can be set via the duration_min field of the AS config.
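The following shell script is an added example, not part of the Trustee documentation or repository: it lints a KBS config and an AS config for the three settings listed above and runs the check against constructed weak and hardened samples. The field name insecure_http under [http_server], the placement of verbose_token and duration_min under attestation_token_broker, and the 60-minute ceiling are assumptions.

```shell
#!/bin/sh
# Added example, not Trustee project code: lint the three production settings
# discussed above (HTTPS, slim tokens, token duration) in KBS and AS config files.
# Assumed, not from the page: the KBS TOML field insecure_http, the nesting of
# verbose_token/duration_min inside the AS JSON, and the 60-minute ceiling.

# Print one WARN line per weak setting; return 0 only when all three are sound.
check_trustee_config() {
  kbs_cfg=$1; as_cfg=$2; rc=0
  if grep -Eq '^[[:space:]]*insecure_http[[:space:]]*=[[:space:]]*true' "$kbs_cfg"; then
    echo "WARN $kbs_cfg: insecure_http = true, KBS answers over plain HTTP (enable HTTPS)"; rc=1
  fi
  if ! grep -Eq '"verbose_token"[[:space:]]*:[[:space:]]*false' "$as_cfg"; then
    echo "WARN $as_cfg: verbose_token is not false, many-device guests may exceed HTTP header limits"; rc=1
  fi
  dur=$(sed -nE 's/.*"duration_min"[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p' "$as_cfg" | head -n 1)
  if [ -z "$dur" ]; then
    echo "WARN $as_cfg: duration_min not set"; rc=1
  elif [ "$dur" -gt 60 ]; then
    echo "WARN $as_cfg: duration_min=$dur, attestation results stay valid for over an hour"; rc=1
  fi
  return $rc
}

# Constructed sample configs (not the repository's own files): one weak pair, one hardened pair.
write_samples() {
  cat > "$1/kbs-weak.toml" <<'EOF'
[http_server]
sockets = ["0.0.0.0:8080"]
insecure_http = true
EOF
  cat > "$1/kbs-hard.toml" <<'EOF'
[http_server]
sockets = ["0.0.0.0:8080"]
insecure_http = false
private_key = "/etc/kbs/tls/key.pem"
certificate = "/etc/kbs/tls/cert.pem"
EOF
  cat > "$1/as-weak.json" <<'EOF'
{ "attestation_token_broker": { "type": "Ear", "duration_min": 1440 } }
EOF
  cat > "$1/as-hard.json" <<'EOF'
{ "attestation_token_broker": { "type": "Ear", "duration_min": 5, "verbose_token": false } }
EOF
}

# Stand-alone run: the weak pair is rejected, the hardened pair passes.
SAMPLE_DIR=$(mktemp -d); write_samples "$SAMPLE_DIR"
check_trustee_config "$SAMPLE_DIR/kbs-weak.toml" "$SAMPLE_DIR/as-weak.json" || echo "weak pair rejected"
check_trustee_config "$SAMPLE_DIR/kbs-hard.toml" "$SAMPLE_DIR/as-hard.json" && echo "hardened pair accepted"
```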
Uninstall
Stop Trustee.
docker compose down