opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License

Enable SoftHSM in default images #316

Closed dmihalcik-virtru closed 5 months ago

dmihalcik-virtru commented 7 months ago

We need to access HSMs for the key access service (KAS). For now, we will emulate the behavior with SoftHSM. Since we are using Chainguard images, we will have to do the following:

  1. build a custom image with apko that includes what is in the go image
  2. Publish this image on a schedule I guess to GitHub container registry? a. Alternatively we can build it locally when needed and use `docker load`
  3. Update our Dockerfile to use the image
  4. Update server.StartHSM to use the correct .so path depending on if alpine (/usr/lib/softhsm/libsofthsm2.so), ubuntu (/lib/softhsm/libsofthsm2.so) or homebrew ($(brew --prefix)/lib/softhsm/libsofthsm2.so)
  5. wire in access to use hsm
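Step 4 above picks the SoftHSM PKCS#11 module path per platform. The following is an added example of how that resolution can be done; it is not the platform's `server.StartHSM` code. It takes the three paths named in the comment, expands the Homebrew `$(brew --prefix)` case to the two usual prefixes (an assumption), and adds an optional override whose name (`KAS_PKCS11_MODULE`) is hypothetical. The override must itself exist: a misconfigured path fails loudly rather than silently falling back to whatever module happens to be installed, so KAS never loads a different PKCS#11 provider than the one the operator configured.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
)

// Candidate locations for the SoftHSM2 PKCS#11 module, tried in order.
// The first two are the paths named in the issue; the Homebrew prefixes
// are an assumption (Intel and Apple Silicon defaults for `brew --prefix`).
var defaultSoftHSMCandidates = []string{
	"/usr/lib/softhsm/libsofthsm2.so",          // Alpine
	"/lib/softhsm/libsofthsm2.so",              // Ubuntu/Debian
	"/usr/local/lib/softhsm/libsofthsm2.so",    // Homebrew, /usr/local prefix
	"/opt/homebrew/lib/softhsm/libsofthsm2.so", // Homebrew, /opt/homebrew prefix
}

// ErrNoPKCS11Module is returned when no usable module path is found.
var ErrNoPKCS11Module = errors.New("no SoftHSM PKCS#11 module found")

// ResolvePKCS11Module returns the module path to hand to the PKCS#11 loader.
// If override is non-empty it is used, but only if it exists: a typo in the
// configuration is an error, not a reason to pick a different module.
// Otherwise the first existing candidate wins. exists is injected so the
// selection logic can be tested without touching the filesystem.
func ResolvePKCS11Module(override string, candidates []string, exists func(string) bool) (string, error) {
	if override != "" {
		if exists(override) {
			return override, nil
		}
		return "", fmt.Errorf("configured PKCS#11 module %q does not exist: %w", override, ErrNoPKCS11Module)
	}
	for _, p := range candidates {
		if exists(p) {
			return p, nil
		}
	}
	return "", fmt.Errorf("tried %d locations on %s: %w", len(candidates), runtime.GOOS, ErrNoPKCS11Module)
}

// fileExists is the production existence check: a regular file (or a symlink
// resolving to one), never a directory.
func fileExists(p string) bool {
	st, err := os.Stat(p)
	return err == nil && st.Mode().IsRegular()
}

func main() {
	// KAS_PKCS11_MODULE is a hypothetical variable name used for this example.
	path, err := ResolvePKCS11Module(os.Getenv("KAS_PKCS11_MODULE"), defaultSoftHSMCandidates, fileExists)
	if err != nil {
		fmt.Println("HSM unavailable:", err)
		os.Exit(1)
	}
	fmt.Println("using PKCS#11 module", path)
}
```

Because the existence check is injected, the ordering and the fail-closed override behaviour can be unit-tested in CI without SoftHSM installed, while the real binary uses `fileExists`.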

dmihalcik-virtru commented 7 months ago

Suggestion: Try using Wolfi image instead

jrschumacher commented 6 months ago

@dmihalcik-virtru is it possible to delay this or use an image that already has this to meet our milestone?

jrschumacher commented 6 months ago

@biscoe916 and @dmihalcik-virtru met and decided to not implement this currently since it will require a base image. SoftHSM was a means to support real HSM, but caused delay.

The decision was to pull this out and resolve when we better understand the downstream (DSP) customer needs.

strantalis commented 5 months ago

SoftHSM won't be included in the platform build and only used within CI for testing.