feat: PEP-3172 update scripts to support KAS

[dillonthompson]

No description provided.

[nwilliamsgit]

Proposed script updates for KAS KEY_ID support, let me know your thoughts

1. In setup-cks-latest.sh, add a default KEY_ID variable near the KAS defaults:

# KAS defaults
KAS_ENABLED=false
KEY_ID=""

2. In setup-cks-latest.sh, when KAS is enabled, prompt for the Virtru SaaS DSP-provisioned KEY_ID:

if prompt "Do you want to enable KAS [yes/no]?"; then
  KAS_ENABLED=true

  KAS_AUTH_ISSUER="https://login.virtru.com/oauth2/default"
  KAS_AUTH_AUDIENCE="https://api.virtru.com"
  KAS_URI="https://${CKS_FQDN}"

  while [ -z "$KEY_ID" ]; do
    read -p "Enter the Virtru SaaS DSP Key ID for this KAS deployment: " KEY_ID

    if [ -z "$KEY_ID" ]; then
      printf "KEY_ID is required for KAS deployments.\n"
    fi
  done
fi

3. In setup-cks-latest.sh, write KEY_ID into env/cks.env with the other KAS env vars:

printf "KAS_ROOT_KEY=%s\n" "$KAS_ROOT_KEY" >> ./env/cks.env
printf "KEY_ID=%s\n" "$KEY_ID" >> ./env/cks.env
printf "ORG_ID=%s\n" "$JWT_AUTH_AUDIENCE" >> ./env/cks.env

4. In setup-cks-latest.sh, keep PORT at 9000:

printf "PORT=9000\n" >> ./env/cks.env

5. In update.sh, when enabling KAS, preserve an existing KEY_ID if present; otherwise require the user to enter it:

EXISTING_KEY_ID=$(grep '^KEY_ID=' "$WORKING_DIR"/env/cks.env 2>/dev/null | cut -d "=" -f2-)

if [ -z "$EXISTING_KEY_ID" ]; then
  KEY_ID=""
  while [ -z "$KEY_ID" ]; do
    read -p "Enter the Virtru SaaS DSP Key ID for this KAS deployment: " KEY_ID

    if [ -z "$KEY_ID" ]; then
      printf "KEY_ID is required for KAS deployments.\n"
    fi
  done
else
  KEY_ID="$EXISTING_KEY_ID"
fi

6. In update.sh, write/preserve KEY_ID with the other KAS env vars:

updateEnvVariable "KAS_ROOT_KEY" "$KAS_ROOT_KEY"
updateEnvVariable "KEY_ID" "$KEY_ID"
updateEnvVariable "ORG_ID" "$EXISTING_ORG_ID"

7. In update.sh, keep PORT at 9000:

updateEnvVariable "PORT" "9000"

Rationale: KEY_ID is required for KAS deployments because it is the key identifier provisioned in Virtru SaaS DSP. Without it, the generated KAS env file is incomplete. Current deployments use
PORT=9000, so the update path should preserve that expectation.

[Copilot]

Pull request overview

This PR updates the CKS setup/update scripts to support optionally enabling Key Access Service (KAS) for DSP integration, and aligns the generated runtime configuration with the new container/image/port assumptions (Caddy on 9000, supervisord-managed processes).

Changes:

• Add KAS enablement flow (new prompts + environment variables) to both initial setup and updates.
• Update image/tag validation and generated run.sh commands to use containers.virtru.com/cks:v{VERSION} and fixed port behavior.
• Expand README documentation with KAS enablement guidance and architecture/troubleshooting details.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File	Description
update.sh	Adds KAS migration/enablement during update, switches image validation and generated run.sh to the new registry/image and port model.
setup-cks-latest.sh	Adds KAS enablement during initial setup, writes KAS env vars, and updates generated run.sh and PORT handling.
README.md	Documents KAS support, enablement steps, and architecture/troubleshooting.

Comments suppressed due to low confidence (1)

update.sh:63

• STATUS is parsed as a number and then compared with -ne, but if curl fails (network error, DNS, TLS, etc.) STATUS can be empty, causing [ $STATUS -ne 200 ] to emit "unary operator expected" and the script may continue as if the version is valid. Consider using a string comparison (e.g., != "200") and explicitly handling an empty/failed response as invalid (or exiting with a clearer error).

STATUS=$(curl -sI https://containers.virtru.com/v2/cks/manifests/"v$CKS_VERSION" | head -n 1 | cut -d$' ' -f2)

if [ $STATUS -ne 200 ]; then
  echo "Invalid CKS Version"
  exit
fi

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.