kms: Build prod image

Author: kvinwang

kms/dstack-app/builder/Dockerfile

@@ -53,8 +53,5 @@ RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch passth
     install -m 644 pc-bios/linuxboot_dma.bin /usr/local/share/qemu/ && \
     cd .. && rm -rf qemu-tdx
 COPY --from=kms-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-kms /usr/local/bin/dstack-kms
-COPY entrypoint.sh /entrypoint.sh
 COPY .GIT_REV /etc/.GIT_REV
-RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
 CMD ["dstack-kms"]

kms/dstack-app/builder/build-image.sh

@@ -46,7 +46,8 @@ fi
 
 touch shared/kms-pinned-packages.txt
 touch shared/qemu-pinned-packages.txt
-GIT_REV=$(git rev-parse HEAD)
+GIT_REV=${GIT_REV:-HEAD}
+GIT_REV=$(git rev-parse $GIT_REV)
 echo $GIT_REV > .GIT_REV
 
 # First build the qemu-builder stage and extract package list

kms/dstack-app/builder/entrypoint.sh

@@ -24,54 +24,57 @@ services:
       - 8001:8000
 
   kms:
-    build:
-      context: .
-      dockerfile_inline: |
-        FROM golang:1.22-alpine@sha256:1699c10032ca2582ec89a24a1312d986a3f094aed3d5c1147b19880afe40e052 AS dstack-mr-builder
-        WORKDIR /app
-        RUN apk add --no-cache git
-        RUN git clone https://github.com/kvinwang/dstack-mr.git
-        WORKDIR /app/dstack-mr
-        RUN git checkout 5cf6d917e076f3624eab1b6b662f222ece15600f
-        RUN CGO_ENABLED=0 go build -ldflags="-extldflags -static" -o /usr/local/bin/dstack-mr
-
-        FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS kms-builder
-        WORKDIR /app
-        RUN apt-get update && apt-get install -y \
-            git \
-            build-essential \
-            musl-tools \
-            libssl-dev \
-            protobuf-compiler \
-            libprotobuf-dev \
-            clang \
-            libclang-dev \
-            --no-install-recommends \
-            && rm -rf /var/lib/apt/lists/*
-        RUN git clone https://github.com/Dstack-TEE/dstack.git && \
-            cd dstack && \
-            git checkout ${GIT_REV}
-        WORKDIR /app/dstack
-        RUN rustup target add x86_64-unknown-linux-musl
-        RUN cargo build --release -p dstack-kms --target x86_64-unknown-linux-musl
-
-        FROM alpine:latest
-        COPY --from=kms-builder /app/dstack/target/x86_64-unknown-linux-musl/release/dstack-kms /usr/local/bin/dstack-kms
-        COPY --from=kms-builder /app/dstack/kms/dstack-app/entrypoint.sh /entrypoint.sh
-        COPY --from=dstack-mr-builder /usr/local/bin/dstack-mr /usr/local/bin/dstack-mr
-        WORKDIR /app/kms
-        CMD ["/entrypoint.sh"]
+    image: kvin/kms:latest
     volumes:
-      - kms-volume:/etc/kms
+      - kms-volume:/kms
       - /var/run/dstack.sock:/var/run/dstack.sock
-    environment:
-      - IMAGE_DOWNLOAD_URL=${IMAGE_DOWNLOAD_URL}
-      - ADMIN_TOKEN_HASH=${ADMIN_TOKEN_HASH}
     ports:
       - 8000:8000
     depends_on:
       - auth-api
     restart: unless-stopped
+    configs:
+      - source: kms_config
+        target: /kms/kms.toml
+    command: sh -c 'mkdir -p /kms/certs /kms/images && exec dstack-kms -c /kms/kms.toml'
 
 volumes:
   kms-volume:
+
+configs:
+  kms_config:
+    content: |
+      [rpc]
+      address = "0.0.0.0"
+      port = 8000
+
+      [rpc.tls]
+      key = "/kms/certs/rpc.key"
+      certs = "/kms/certs/rpc.crt"
+
+      [rpc.tls.mutual]
+      ca_certs = "/kms/certs/tmp-ca.crt"
+      mandatory = false
+
+      [core]
+      cert_dir = "/kms/certs"
+      admin_token_hash = "${ADMIN_TOKEN_HASH}"
+
+      [core.image]
+      verify = true
+      cache_dir = "/kms/images"
+      download_url = "${IMAGE_DOWNLOAD_URL}"
+      download_timeout = "2m"
+
+      [core.auth_api]
+      type = "webhook"
+
+      [core.auth_api.webhook]
+      url = "http://auth-api:8000"
+
+      [core.onboard]
+      enabled = true
+      auto_bootstrap_domain = ""
+      quote_enabled = true
+      address = "0.0.0.0"
+      port = 8000