zama-ai · fegmorte · Oct 3, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 9, 2025
@@ -97,6 +97,12 @@
       # ======================================================================
       # DOCKER BUILD STATUS HANDLING
       # ======================================================================
+      - name: Checkout Project KMS
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+          persist-credentials: false
+
       - name: Login to zws GitHub Container Registry
         uses: ./.github/actions/docker-login
         with:
@@ -222,13 +228,6 @@
             -n "${NAMESPACE}" \
             --dry-run=client -o yaml | kubectl apply -f -
 
-      - name: Checkout Project KMS
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          token: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
-          persist-credentials: false
-
-
       - name: Unified Deployment
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # For registry creds if needed

@@ -10,7 +10,14 @@ ARG APP_CACHE_DIR=kms-core-client
 WORKDIR /app/kms-core-client
 
 # Copy entire project for workspace support
-COPY . .
+COPY ./backward-compatibility/ /app/kms-core-client/backward-compatibility
+COPY ./bc2wrap /app/kms-core-client/bc2wrap
+COPY ./core /app/kms-core-client/core
+COPY ./core-client /app/kms-core-client/core-client
+COPY ./observability /app/kms-core-client/observability
+COPY ./tools /app/kms-core-client/tools
+COPY ./Cargo.lock /app/kms-core-client/Cargo.lock
+COPY ./Cargo.toml /app/kms-core-client/Cargo.toml
 
 # Build using cargo install with caching
 RUN --mount=type=cache,target=/root/.cargo/registry,sharing=locked \

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 ################################################################
-## Second stage builds the kms-core binaries
+## First stage: Build the kms-core binaries
 FROM --platform=$BUILDPLATFORM ghcr.io/zama-ai/kms/rust-golden-image:latest AS kms-core
 
 # By default, cargo build --release.
@@ -28,8 +28,8 @@ RUN --mount=type=cache,target=/root/.cargo/registry,sharing=locked \
     cargo fetch --locked
 RUN --mount=type=cache,target=/root/.cargo/registry,sharing=locked \
     --mount=type=cache,target=/app/${APP_CACHE_DIR}/target,sharing=locked \
-    cargo build --locked --profile=${LTO_RELEASE} -p kms --bin kms-server --bin kms-gen-tls-certs --bin kms-init --bin kms-custodian -F insecure && \
-    cargo build --locked --profile=${LTO_RELEASE} -p kms --bin kms-gen-keys -F testing -F threshold-fhe/testing -F insecure && \
+    cargo build  --locked --profile=${LTO_RELEASE} -p kms --bin kms-server --bin kms-gen-tls-certs --bin kms-init --bin kms-custodian && \
+    cargo build --locked --profile=${LTO_RELEASE} -p kms --bin kms-gen-keys -F testing -F threshold-fhe/testing && \
     cp /app/kms/target/${LTO_RELEASE}/kms-server \
        /app/kms/target/${LTO_RELEASE}/kms-gen-tls-certs \
        /app/kms/target/${LTO_RELEASE}/kms-init \
@@ -44,10 +44,55 @@ ARG TARGETARCH=amd64
 RUN wget -qO/usr/bin/yq https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH} && \
     chmod +x /usr/bin/yq
 
+#############################################################
+#### INSECURE
+## Second stage: Build the kms-core binaries for insecure mode
+FROM --platform=$BUILDPLATFORM ghcr.io/zama-ai/kms/rust-golden-image:latest AS kms-core-insecure
+
+# By default, cargo build --release.
+# But you can provide --build-arg LTO_RELEASE="--profile release-lto-off" locally to build locally
+ARG LTO_RELEASE=release
+ARG APP_CACHE_DIR=kms
+
+# Fetch dependencies and build binaries
+WORKDIR /app/kms
+# Copy only what is needed to build kms binaries
+COPY Cargo.toml Cargo.lock rust-toolchain.toml ./
+COPY backward-compatibility ./backward-compatibility
+COPY bc2wrap ./bc2wrap
+COPY core ./core
+COPY core-client ./core-client
+COPY observability ./observability
+COPY tools ./tools
+COPY docker ./docker
+
+RUN mkdir -p /app/kms/core/service/bin
+
+RUN --mount=type=cache,target=/root/.cargo/registry,sharing=locked \
+    --mount=type=cache,target=/app/${APP_CACHE_DIR}/target,sharing=locked \
+    cargo fetch --locked
+RUN --mount=type=cache,target=/root/.cargo/registry,sharing=locked \
+    --mount=type=cache,target=/app/${APP_CACHE_DIR}/target,sharing=locked \
+    cargo build  --locked --profile=${LTO_RELEASE} -p kms --bin kms-server --bin kms-gen-tls-certs --bin kms-init --bin kms-custodian -F insecure && \
+    cargo build --locked --profile=${LTO_RELEASE} -p kms --bin kms-gen-keys -F testing -F insecure -F threshold-fhe/testing && \
+    cp /app/kms/target/${LTO_RELEASE}/kms-server \
+       /app/kms/target/${LTO_RELEASE}/kms-gen-tls-certs \
+       /app/kms/target/${LTO_RELEASE}/kms-init \
+       /app/kms/target/${LTO_RELEASE}/kms-gen-keys \
+       /app/kms/target/${LTO_RELEASE}/kms-custodian \
+    ./core/service/bin
+
+
+ARG YQ_VERSION=v4.47.2
+# Overridable arg to allow building for different architectures
+ARG TARGETARCH=amd64
+RUN wget -qO/usr/bin/yq https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH} && \
+    chmod +x /usr/bin/yq
+
+
 ################################################################
-## Third stage: Copy the binaries from preceding stages
-# This stage will be the final image
-FROM --platform=$BUILDPLATFORM cgr.dev/zama.ai/glibc-dynamic:15.2.0-dev AS prod
+## Third stage: Base image for prod and dev images
+FROM --platform=$BUILDPLATFORM cgr.dev/zama.ai/glibc-dynamic:15.2.0-dev AS base
 
 USER root
 # Install required runtime dependencies
@@ -65,6 +110,10 @@ RUN chmod +x /usr/bin/yq
 
 COPY ./core/service/config/ /app/kms/core/service/config
 
+################################################################
+## Fourth stage: Copy the kms-core binaries for prod image
+FROM base AS prod
+
 # Set the path to include the binaries and not just the default /usr/local/bin
 ENV PATH="/app/kms/core/service/bin:$PATH"
 # Copy the binaries from the kms-core and go-runtime stages
@@ -102,10 +151,27 @@ RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe && \
 
 
 ################################################################
-## Fourth stage: Build and install grpc_health_probe -- For development only with extra tools
-FROM --platform=$BUILDPLATFORM prod AS dev
+## Fifth stage: Copy the kms-core binaries for dev image -- For development only with extra tools
+FROM base AS dev
+
+# Set the path to include the binaries and not just the default /usr/local/bin
+ENV PATH="/app/kms/core/service/bin:$PATH"
+# Copy the binaries from the kms-core and go-runtime stages
+COPY --from=kms-core-insecure /app/kms/core/service/bin/ ./bin/
+
+# Copy parent-side and enclave-side init scripts
+COPY ./docker/core/service/start_parent_proxies.sh ./bin/
+COPY ./docker/core/service/init_enclave.sh ./bin/
 
-USER root
 COPY --from=go-builder /out/grpc_health_probe /bin/grpc_health_probe
 
-CMD ["kms-server", "centralized"]
+# Change user to limit root access
+RUN addgroup -S kms --gid 10002 && \
+    adduser -D -s /bin/sh --uid 10003 -G kms kms
+# pre-create mount points for rights
+RUN mkdir -p /app/kms/core/service/certs /app/kms/core/service/config
+
+# This is only meaningful when the image is used to build the EIF that runs
+# inside of a Nitro enclave. During deployment on k8s, containers are started
+# with commands defined in Helm charts.
+CMD ["/bin/bash", "/app/kms/core/service/bin/init_enclave.sh"]