Use attested-tls-proxy rather than cvm-reverse-proxy on Buildernet

[ameba23]

This almost definitely will not work as-is - but its a rough sketch as a starting point.

[MoeMahhouk]

For the first iteration, they could be running side be side (the previous reverse proxy and the new attested proxy server), right?
This way, we could have a fallback till we verify stability in further iterations, wdyt?

[ameba23]

I was thinking the other way around - for the first iteration we just want to know whether this works, and having a fallback might make us think it works when it doesn't. Once we know it works, add cvm-reverse-proxy as a fallback in case it stops working.

[bakhtin]

Suggested change

	--tls-private-key-path var/lib/persistent/operator-api/key.pem \
	--tls-private-key-path %S/persistent/operator-api/key.pem \

[bakhtin]

The file should probably be renamed to attested-tls-proxy-client.... Also the the main service file in buildernet image

[ameba23]

You mean the name of this file should match the service file it is overriding - in this case attested-tls-proxy-client.service?

[bakhtin]

Should it really point to a Let's Encrypt certificate? If yes, we need to extend acme-le posthook to copy the certificate for this service separately, not re-using the path of operator-api

[ameba23]

Yes, this is the big difference between this and cvm-reverse-proxy - we require CA-signed certs. I agree its better to copy the pem files to a separate location for this service.

[ameba23]

I did this now, but i guess i need to set up a username and group for attested-tls-proxy. I can't see where that is being done for operator-api.