Conversation

@igladun
@igladun igladun commented Dec 19, 2025

Hi @ameba23,
I added the docker-compose for testing purposes; I can remove it.
One important note: building on ARM works only without the Azure/TPM features (cross-compilation is not supported).

@ameba23
Collaborator

ameba23 commented Dec 19, 2025

Great, thank you @igladun

I started adding a Dockerfile in #72 but what you've done here looks much more full featured, and great to have a readme explanation and docker-compose setup.

Re: TPM2 dependency not working on arm, this is good to know. It would be good to find a solution to avoid this dependency but still be able to verify azure tpm attestations. We need some types from az-tdx-vtpm which introduces the requirement from tpm2, but it should be possible to use these without requiring that dependency.

@igladun
Author

igladun commented Dec 19, 2025

@ameba23, thanks for reviewing. Sorry, I noticed your draft just after creating my PR. TBH, I just started to actively contribute to open source projects and I am not used to the workflow.
If you have some DevOps or testing related issues, please assign them to me; I will try to contribute in my free time.

To reproduce the ARM problem, simply build this image:

    FROM rust:1.88.0-slim-bookworm

    # Line continuations were missing in the pasted version; the list is one apt-get call.
    RUN apt-get update && apt-get install -y \
        pkg-config clang libclang-dev \
        openssl libssl-dev libtss2-dev \
        perl make \
        && rm -rf /var/lib/apt/lists/*

    WORKDIR /app
    COPY . .

    # The azure feature pulls in the tpm2 dependency, which fails to build on ARM.
    RUN cargo build --release --features azure

mkdir -p certs && cd certs
../scripts/generate-cert.sh proxy-server 127.0.0.1
# Convert key to PKCS#8 format (required by the proxy)
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server.pkcs8.key
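Review bot: the comment on the `openssl pkcs8 -topk8` line states the conversion is "required by the proxy", but whether `../scripts/generate-cert.sh` emits a PKCS#1 key (`BEGIN RSA PRIVATE KEY`) or a PKCS#8 key (`BEGIN PRIVATE KEY`) depends on the installed openssl version, so the step is only needed in the former case; suggest documenting that and how to tell the two apart (`head -1 server.key`), since the proxy's loader only accepts PKCS#8 and otherwise fails with `Error: No PKS8 Key`.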
Collaborator

For me, this step was not needed - the files produced by generate-cert.sh work as they are.

Author

I got `proxy-server-1 | Error: No PKS8 Key` if I don't convert to PKCS#8.
By default the generated key is in PKCS#1 format:

    head server.key
    -----BEGIN RSA PRIVATE KEY-----

I debugged a little bit, and as I see here https://github.com/igladun/attested-tls-proxy/blob/310798e582092179e13686cd7fe2a06d68edd83d/src/main.rs#L394

    // Tries to read the key as PKCS#8, PKCS#1, or SEC1
    let pks8_key = rustls_pemfile::pkcs8_private_keys(&mut reader)
        .next()
        .ok_or(anyhow!("No PKS8 Key"))??;

The comment is misleading: the code only uses `pkcs8_private_keys()`.

Collaborator

Ah, this is a very good catch, you are right. Rustls only accepts PKCS#8, but openssl won't generate them by default, except with newer versions of openssl.

This explains why we are each seeing different behavior (I am using openssl 3.6.0).

Collaborator

#75
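The thread above comes down to one fact: `rustls_pemfile::pkcs8_private_keys()` only yields `BEGIN PRIVATE KEY` (PKCS#8) blocks, so a PKCS#1 (`BEGIN RSA PRIVATE KEY`) or SEC1 (`BEGIN EC PRIVATE KEY`) file produced by an older openssl fails with `No PKS8 Key`. The following is an added example, not code from attested-tls-proxy or from either commenter: a dependency-free pre-flight check that classifies a PEM private key by the structure of its DER body rather than by its label, which is what a startup check or a CI lint for the docker-compose setup could use to give a clearer error than the proxy currently does. The function names and the sample keys are assumptions; the samples are constructed DER skeletons with placeholder integers, not real key material.

```rust
// Added example (not part of attested-tls-proxy). Classifies a PEM private key
// by DER structure: only Pkcs8 is accepted by rustls_pemfile::pkcs8_private_keys().
// No external crates; sample keys below are constructed skeletons, not real keys.

#[derive(Debug, PartialEq, Eq)]
pub enum KeyFormat {
    Pkcs8,    // PrivateKeyInfo: version, AlgorithmIdentifier SEQUENCE, OCTET STRING
    Pkcs1Rsa, // RSAPrivateKey: version 0, modulus INTEGER, ...
    Sec1Ec,   // ECPrivateKey: version 1, privateKey OCTET STRING, ...
    Unknown,
}

/// Read one DER TLV at `pos`: returns (tag, value, position after it).
fn tlv(der: &[u8], pos: usize) -> Option<(u8, &[u8], usize)> {
    let tag = *der.get(pos)?;
    let first = *der.get(pos + 1)?;
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return None; }
        let mut len = 0usize;
        for i in 0..n { len = (len << 8) | *der.get(pos + 2 + i)? as usize; }
        (len, 2 + n)
    };
    let start = pos + hdr;
    let end = start.checked_add(len)?;
    if end > der.len() { return None; }
    Some((tag, &der[start..end], end))
}

/// The version INTEGER plus the tag of the element after it tells the formats apart.
pub fn classify_der(der: &[u8]) -> KeyFormat {
    let Some((0x30, body, _)) = tlv(der, 0) else { return KeyFormat::Unknown };
    let Some((0x02, ver, next)) = tlv(body, 0) else { return KeyFormat::Unknown };
    let Some((tag2, _, _)) = tlv(body, next) else { return KeyFormat::Unknown };
    match (ver, tag2) {
        ([0] | [1], 0x30) => KeyFormat::Pkcs8, // v1 = OneAsymmetricKey (RFC 5958)
        ([0], 0x02) => KeyFormat::Pkcs1Rsa,
        ([1], 0x04) => KeyFormat::Sec1Ec,
        _ => KeyFormat::Unknown,
    }
}

/// Minimal standard-alphabet base64 decoder (ignores whitespace and padding).
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b'\n' | b'\r' | b' ' => continue,
            _ => return None,
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Returns the PEM label and the format derived from the DER body. The label
/// alone is not trusted: files get renamed and pasted between formats.
pub fn classify_pem(pem: &str) -> (Option<String>, KeyFormat) {
    let (mut label, mut b64) = (None, String::new());
    for line in pem.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            label = Some(rest.trim_end_matches('-').to_string());
        } else if line.starts_with("-----END ") {
            break;
        } else if label.is_some() {
            b64.push_str(line);
        }
    }
    let fmt = b64_decode(&b64).map(|d| classify_der(&d)).unwrap_or(KeyFormat::Unknown);
    (label, fmt)
}

// --- constructed samples (placeholder integers, not real keys) ---------------

/// Short-form DER TLV encoder, enough for the skeletons below.
pub fn der(tag: u8, v: &[u8]) -> Vec<u8> {
    assert!(v.len() < 128, "short-form length only");
    let mut o = vec![tag, v.len() as u8];
    o.extend_from_slice(v);
    o
}

fn b64_encode(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut s = String::new();
    for chunk in data.chunks(3) {
        let b = |i: usize| *chunk.get(i).unwrap_or(&0) as u32;
        let n = (b(0) << 16) | (b(1) << 8) | b(2);
        for i in 0..4 {
            let pad = i > chunk.len(); // 3 bytes -> 4 chars, 2 -> 3 + '=', 1 -> 2 + '=='
            s.push(if pad { '=' } else { T[((n >> (18 - 6 * i)) & 63) as usize] as char });
        }
    }
    s
}

/// RSAPrivateKey skeleton: what an older openssl writes as "RSA PRIVATE KEY".
pub fn pkcs1_skeleton() -> Vec<u8> {
    der(0x30, &[der(0x02, &[0]), der(0x02, &[0x7f]), der(0x02, &[3])].concat())
}

/// PrivateKeyInfo wrapping the skeleton above under rsaEncryption (1.2.840.113549.1.1.1).
pub fn pkcs8_skeleton() -> Vec<u8> {
    let rsa_oid = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];
    let alg = der(0x30, &[der(0x06, &rsa_oid), der(0x05, &[])].concat());
    der(0x30, &[der(0x02, &[0]), alg, der(0x04, &pkcs1_skeleton())].concat())
}

pub fn sample_pem(label: &str, body: &[u8]) -> String {
    format!("-----BEGIN {label}-----\n{}\n-----END {label}-----\n", b64_encode(body))
}

fn main() {
    for (label, body) in [("RSA PRIVATE KEY", pkcs1_skeleton()), ("PRIVATE KEY", pkcs8_skeleton())] {
        let (found, fmt) = classify_pem(&sample_pem(label, &body));
        println!("{found:?}: {fmt:?}, accepted by pkcs8_private_keys: {}", fmt == KeyFormat::Pkcs8);
    }
}
```

Running it prints that the `RSA PRIVATE KEY` sample is `Pkcs1Rsa` and would be rejected, while the `PRIVATE KEY` sample is `Pkcs8`. In a real loader the same distinction can be made without hand-rolled DER parsing: `rustls_pemfile::private_key()` accepts all three encodings, so switching the call in `src/main.rs` from `pkcs8_private_keys()` to `private_key()` would make the README's `openssl pkcs8 -topk8` conversion unnecessary regardless of openssl version.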

@ameba23
Collaborator

ameba23 commented Dec 19, 2025

The docker-compose file is great btw. I think this is very useful for catching bugs which don't show up in the automated tests because they relate to processing command line args, etc.

Co-authored-by: peg <ameba23@systemli.org>