docker-compose-core-centralized.yml
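name: zama-core-centralized
services:
  # KMS-Core-centralized
  # TODO: move the upload of the pub-key from the validator to the core -> or maybe the connector?
  # anyway where the keys really are
  #
  # Development stack for the centralized KMS core. The `minio_secrets` volume
  # and the `dev-s3-mock-setup` / `dev-s3-mock` services are referenced below but
  # not declared in this file.
  # NOTE(review): presumably they come from another compose file merged with
  # `-f` - confirm, since this file does not validate on its own.
  dev-kms-core:
    # NOTE(review): `latest-dev` is a mutable tag, so the code that runs depends
    # on when the image was last pulled or built. Pin a digest where a
    # reproducible or audited image is required.
    image: ghcr.io/zama-ai/kms/core-service:latest-dev
    environment:
      # NOTE(review): this sets the variable inside the running container.
      # BuildKit selection is normally read from the client environment, so
      # this entry probably has no effect on `build:` - confirm before relying
      # on it.
      - DOCKER_BUILDKIT=1
    build:
      context: .
      target: dev
      dockerfile: ./docker/core/service/Dockerfile
      cache_from:
        - ghcr.io/zama-ai/kms/core-service:latest-dev
      args:
        # Both values are interpolated by Compose from the host environment or
        # `.env`; an unset variable becomes an empty build argument.
        LTO_RELEASE: "${LTO_RELEASE}"
        RUST_IMAGE_VERSION: "${RUST_IMAGE_VERSION}"
    env_file:
      - "docker-compose-kms-core.env"
    ports:
      # Both ports are published on every host interface. 50051 is the gRPC
      # endpoint probed by the healthcheck below.
      # NOTE(review): if only local clients need access, prefix the mappings
      # with `127.0.0.1:` so the KMS is not reachable from the network.
      - "50051:50051"
      - "9646:9646"
    healthcheck:
      test: "grpc_health_probe --addr=localhost:50051"
      interval: 2s
      timeout: 2s
      retries: 15
      start_period: 10s
    volumes:
      # Holds the S3 access key and secret key files read by the entrypoint.
      - minio_secrets:/minio_secrets
      # NOTE(review): mounted read-write; append `:ro` if the service only
      # reads its configuration - confirm it never writes here.
      - ./core/service/config/:/app/kms/core/service/config
    # Startup sequence: load the S3 credentials from the secrets volume,
    # generate the signing keys, then start the server.
    #
    # Written in exec (list) form so the script reaches `sh -c` as a single
    # argument. The earlier string form wrapped the script in double quotes and
    # used double quotes again inside it, so the inner quotes were removed when
    # the command line was split; an unset variable then left the test without
    # a left operand. `[[ ... ]]` is also not POSIX, and a shell without it
    # falls through to the `else` branch, starting the server with backup
    # secret sharing off even when it was requested. `[ ... ]` works under any
    # /bin/sh.
    #
    # `$$` escapes Compose interpolation, so `$(cat ...)` runs in the container.
    # `${KMS_DOCKER_BACKUP_SECRET_SHARING}` is substituted by Compose before
    # the container starts; unset or empty selects the `else` branch.
    #
    # The S3 endpoint is plain HTTP to the mock store, so the exported
    # credentials cross the compose network unencrypted: development only.
    # NOTE(review): `--private-file-path ./keys` is relative to the image's
    # working directory and matches no declared volume, so the private signing
    # key appears to live in the container's writable layer - confirm this is
    # intended outside throwaway environments.
    entrypoint:
      - /bin/sh
      - "-c"
      - |
        export AWS_ACCESS_KEY_ID=$$(cat /minio_secrets/access_key) &&
        export AWS_SECRET_ACCESS_KEY=$$(cat /minio_secrets/secret_key) &&
        echo 'Generating signing keys' &&
        kms-gen-keys --public-storage s3 --public-s3-bucket kms --aws-s3-endpoint http://dev-s3-mock:9000 --aws-region us-east-1 --private-storage file --private-file-path ./keys --cmd signing-keys centralized &&
        echo 'Starting kms service' &&
        if [ "${KMS_DOCKER_BACKUP_SECRET_SHARING}" = "true" ]; then
          KMS_CORE__BACKUP_VAULT__KEYCHAIN__SECRET_SHARING__ENABLED=true kms-server --config-file config/compose_centralized.toml
        else
          kms-server --config-file config/compose_centralized.toml
        fi
    depends_on:
      dev-s3-mock-setup:
        condition: service_completed_successfully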