refactor: copy external files to role, copy containers to quay.io linux-system-roles

Copy quadlet files and configs into the role
Copy container images to quay.io/linux-system-roles

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Author: richm

files/configs/as/config.json

@@ -0,0 +1,20 @@
+{
+    "_comment": "Attestation Service Configuration for Quadlet Deployment",
+    "work_dir": "/var/lib/as",
+    "policy_engine": "opa",
+    "rvps_config": {
+        "_comment": "Connect to RVPS via gRPC on the container network",
+        "type": "GrpcRemote",
+        "address": "http://127.0.0.1:50003"
+    },
+
+    "attestation_token_broker": {
+        "duration_min": 5,
+        "type": "Ear",
+        "_comment_signer": "Attestation result token signing configuration",
+        "signer": {
+            "key_path": "/etc/as/token.key",
+            "cert_path": "/etc/as/token.crt"
+        }
+    }
+}

files/configs/kbs/config.toml

@@ -0,0 +1,43 @@
+# KBS Configuration for Quadlet Deployment
+# This configuration runs KBS with an external (gRPC) Attestation Service
+
+[http_server]
+sockets = ["0.0.0.0:8080"]
+insecure_http = false
+private_key = "/etc/kbs/server.key"
+certificate = "/etc/kbs/server.crt"
+worker_count = 4
+
+[admin]
+insecure_api = false
+auth_public_key = "/etc/kbs/auth.pub"
+
+[attestation_token]
+insecure_key = false
+attestataion_token_type = "CoCo"
+trusted_certs_paths = ["/etc/kbs/trusted_certs/token0.crt"]
+
+[attestation_service]
+# Use gRPC to connect to external Attestation Service
+type = "coco_as_grpc"
+url = "http://127.0.0.1:50004"
+# Timeout for AS communication
+timeout_ms = 10000
+
+[policy_engine]
+policy_path = "/etc/kbs/policy.rego"
+
+# Resource plugin - local filesystem storage
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/var/lib/kbs/repository"
+
+# Uncomment to add HashiCorp Vault backend
+# [[plugins]]
+# name = "resource"
+# type = "Vault"
+# vault_url = "https://vault.example.com:8200"
+# token = "hvs.your-vault-token-here"
+# mount_path = "secret"
+# verify_ssl = true

files/configs/kbs/policy.rego

@@ -0,0 +1,13 @@
+# KBS Authorization Policy
+# This policy controls which resources can be accessed based on attestation claims
+
+package policy
+
+# Default deny all requests
+default allow = false
+input_tcb := input["submods"]["cpu0"]["ear.veraison.annotated-evidence"]
+path := split(data["resource-path"], "/")
+
+allow if {
+    input["submods"]["cpu0"]["ear.status"] == "affirming"
+}

files/configs/rvps/config.json

@@ -0,0 +1,14 @@
+{
+    "_comment": "RVPS Configuration for Quadlet Deployment",
+
+    "storage": {
+        "_comment": "Local filesystem storage for reference values",
+        "type": "LocalJson",
+        "file_path": "/var/lib/rvps/reference_values/reference-values.json"
+    },
+
+    "_comment_grpc": "gRPC server configuration",
+    "grpc": {
+        "address": "0.0.0.0:50003"
+    }
+}

files/configs/version.env

@@ -0,0 +1,2 @@
+TRUSTEE_VERSION=0.15.0
+IMAGE_SOURCE=quay.io/linux-system-roles

files/quadlet/as-data.volume

@@ -0,0 +1,6 @@
+# Attestation Service Data Volume
+
+[Volume]
+Label=app=trustee
+Label=component=as
+Label=type=data

files/quadlet/kbs-data.volume

@@ -0,0 +1,12 @@
+# KBS Data Volume
+# Persistent storage for KBS runtime data (keys, resources, etc.)
+
+[Volume]
+Label=app=trustee
+Label=component=kbs
+Label=type=data
+
+# This volume stores:
+# - Registered resources/secrets
+# - Session data
+# - Runtime state

files/quadlet/rvps-data.volume

@@ -0,0 +1,12 @@
+# RVPS Data Volume
+# Persistent storage for reference values and provenance data
+
+[Volume]
+Label=app=trustee
+Label=component=rvps
+Label=type=data
+
+# This volume stores:
+# - Reference values
+# - Provenance records
+# - Runtime state

files/quadlet/trustee-as.container

@@ -0,0 +1,66 @@
+# Trustee Attestation Service (AS)
+# Verifies TEE evidence and generates attestation tokens
+#
+# AS depends on RVPS for reference values and is required by KBS for attestation.
+# It acts as the "Verifier" in the RATS architecture.
+
+[Unit]
+Description=Trustee Attestation Service
+Documentation=https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_trustee/
+
+# Start after RVPS is available
+After=network-online.target trustee-rvps.service
+Wants=network-online.target
+Requires=trustee-rvps.service
+
+[Container]
+# Container image - uses Red Hat registry
+# For development/testing, override with: Image=quay.io/confidential-containers/as:latest
+Image=quay.io/linux-system-roles/trustee-as:0.15.0
+Pod=trustee.pod
+
+# Container name for DNS resolution on the trustee network
+ContainerName=trustee-as
+
+# Configuration mount (read-only)
+Volume=/etc/trustee/as:/etc/as:ro,Z
+
+# Data persistence
+Volume=as-data.volume:/var/lib/as:Z
+
+# Environment variables
+Environment=RUST_LOG=info
+Environment=AS_CONFIG_FILE=/etc/as/config.json
+
+# Security hardening
+NoNewPrivileges=true
+
+# Drop all capabilities
+DropCapability=ALL
+
+# Health check
+HealthCmd=sh -c 'ss -tlnp | grep -q 50004 || exit 1'
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=3
+HealthStartPeriod=15s
+
+# Resource limits (adjust based on workload)
+# Memory=512M
+
+[Service]
+# Restart policy
+Restart=on-failure
+RestartSec=10s
+
+# Startup/shutdown timeouts
+TimeoutStartSec=90s
+TimeoutStopSec=30s
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=trustee-as
+
+[Install]
+WantedBy=multi-user.target default.target

files/quadlet/trustee-kbs.container

@@ -0,0 +1,77 @@
+# Trustee Key Broker Service (KBS)
+# The main entry point for confidential workloads to retrieve secrets
+#
+# KBS implements the RCAR protocol (Request-Challenge-Attestation-Response)
+# and acts as the "Relying Party" in the RATS architecture.
+# It depends on AS for attestation verification.
+
+[Unit]
+Description=Trustee Key Broker Service
+Documentation=https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_trustee/
+
+# Start after AS is available (which implies RVPS is also ready)
+After=network-online.target trustee-as.service
+Wants=network-online.target
+Requires=trustee-as.service
+
+[Container]
+# Container image - uses Red Hat registry
+# For development/testing, override with: Image=quay.io/confidential-containers/kbs:latest
+Image=quay.io/linux-system-roles/trustee-kbs:0.15.0
+Pod=trustee.pod
+
+# Container name for DNS resolution
+ContainerName=trustee-kbs
+
+# Configuration mount (read-only)
+Volume=/etc/trustee/kbs:/etc/kbs:ro,Z
+
+# Data persistence for resources/secrets
+Volume=kbs-data.volume:/var/lib/kbs:Z
+
+# Environment variables
+Environment=RUST_LOG=info
+Environment=KBS_CONFIG_FILE=/etc/kbs/config.toml
+
+# Optional: set the policy path (can also be set in config.toml)
+Environment=KBS_POLICY_PATH=/etc/kbs/policy.rego
+
+# Security hardening
+NoNewPrivileges=true
+
+# Drop all capabilities
+DropCapability=ALL
+
+# If binding to port < 1024, uncomment:
+# AddCapability=CAP_NET_BIND_SERVICE
+
+# Health check - HTTP endpoint
+HealthCmd=curl -sk https://localhost:8080/ || exit 1
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=3
+HealthStartPeriod=20s
+
+# Resource limits (adjust based on workload)
+# Memory=512M
+
+# Enable auto-update from registry (optional)
+# AutoUpdate=registry
+
+[Service]
+# Restart policy
+Restart=on-failure
+RestartSec=10s
+
+# Startup/shutdown timeouts
+TimeoutStartSec=120s
+TimeoutStopSec=30s
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=trustee-kbs
+
+[Install]
+# This is the main service users will enable/start
+WantedBy=multi-user.target default.target