Run trustee as non-privileged container

1) the paths /opt/confidential-container and
/opt/confidential-container/kbs/repository/default are mounted
as RW volumes in memory to allow trustee components
to have full access to the filesystem

2) some refactoring around the volumes creation

Signed-off-by: Leonardo Milleri <[email protected]>

Author: lmilleri

config/samples/all-in-one/kbs-config.yaml

@@ -31,6 +31,6 @@ data:
           }
         },
         "policy_engine_config": {
-          "policy_path": "/opa/confidential-containers/kbs/policy.rego"
+          "policy_path": "/opt/confidential-containers/opa/policy.rego"
         }
     }

internal/controller/common.go

@@ -39,8 +39,19 @@ const (
 	// KBS service name
 	KbsServiceName = "kbs-service"
 
+	// Root path for KBS file system
+	rootPath = "/opt"
+
+	confidentialContainers = "confidential-containers"
+
+	defaultRepository = "default"
+
+	confidentialContainersPath = rootPath + "/" + confidentialContainers
+
+	repositoryPath = confidentialContainersPath + "/kbs/repository"
+
 	// Default KBS Resources Path
-	kbsResourcesPath = "/opt/confidential-containers/kbs/repository/default"
+	kbsResourcesPath = repositoryPath + "/" + defaultRepository
 
 	// Default KBS config path
 	kbsDefaultConfigPath = "/etc"
@@ -52,7 +63,7 @@ const (
 	rvpsDefaultConfigPath = "/etc"
 
 	// Default RVPS reference values Path
-	rvpsReferenceValuesPath = "/opt/confidential-containers/rvps"
+	rvpsReferenceValuesPath = confidentialContainersPath + "/rvps"
 )
 
 func contains(list []string, s string) bool {