trusted-execution-clusters
diff --git a/‎Cargo.lock‎
Lines changed: 18 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 11 additions & 5 deletions b/‎Makefile‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎api/trusted-cluster-gen.go‎
Lines changed: 17 additions & 13 deletions b/‎api/trusted-cluster-gen.go‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎api/v1alpha1/conditions.go‎
Lines changed: 5 additions & 0 deletions b/‎api/v1alpha1/conditions.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎api/v1alpha1/crds.go‎
Lines changed: 59 additions & 2 deletions b/‎api/v1alpha1/crds.go‎
Lines changed: 59 additions & 2 deletions
diff --git a/‎attestation-key-register/Cargo.toml‎
Lines changed: 23 additions & 0 deletions b/‎attestation-key-register/Cargo.toml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎attestation-key-register/Containerfile‎
Lines changed: 33 additions & 0 deletions b/‎attestation-key-register/Containerfile‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎attestation-key-register/src/lib.rs‎
Lines changed: 6 additions & 0 deletions b/‎attestation-key-register/src/lib.rs‎
Lines changed: 6 additions & 0 deletions
@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: CC0-1.0
 
 [workspace]
-members = ["compute-pcrs", "lib", "operator", "register-server", "test_utils", "tests"]
+members = ["attestation-key-register", "compute-pcrs", "lib", "operator", "register-server", "test_utils", "tests"]
 resolver = "3"
 
 [workspace.package]
@@ -27,3 +27,4 @@ serde_json = "1.0.148"
 serde_yaml = "0.9"
 tokio = { version = "1.49.0", features = ["macros", "rt-multi-thread"] }
 uuid = { version = "1.19", features = ["v4", "serde"] }
+warp = "0.3"
@@ -26,14 +26,14 @@ PUSH_FLAGS ?=
 OPERATOR_IMAGE=$(REGISTRY)/trusted-cluster-operator:$(TAG)
 COMPUTE_PCRS_IMAGE=$(REGISTRY)/compute-pcrs:$(TAG)
 REG_SERVER_IMAGE=$(REGISTRY)/registration-server:$(TAG)
-# TODO add support for TPM AK verification, then move to a KBS with implemented verifier
-TRUSTEE_IMAGE ?= quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711
+ATTESTATION_KEY_REGISTER_IMAGE=$(REGISTRY)/attestation-key-register:$(TAG)
+TRUSTEE_IMAGE ?= quay.io/trusted-execution-clusters/key-broker-service:20260106
 # tagged as 42.20250705.3.0
-APPROVED_IMAGE ?= quay.io/trusted-execution-clusters/fedora-coreos@sha256:e71dad00aa0e3d70540e726a0c66407e3004d96e045ab6c253186e327a2419e5
+APPROVED_IMAGE ?= quay.io/fedora/fedora-coreos@sha256:8f11c87187dfe83145001e9571948f9ab466e9f4a8b1e092a4798e5db1030dc3
 
 BUILD_TYPE ?= release
 
-all: build trusted-cluster-gen reg-server
+all: build trusted-cluster-gen reg-server attestation-key-register
 
 build: crds-rs
 	cargo build -p compute-pcrs
@@ -42,6 +42,9 @@ build: crds-rs
 reg-server: crds-rs
 	cargo build -p register-server
 
+attestation-key-register: crds-rs
+	cargo build -p attestation-key-register
+
 CRD_YAML_PATH = config/crd
 RBAC_YAML_PATH = config/rbac/base
 API_PATH = api/v1alpha1
@@ -75,6 +78,7 @@ manifests: trusted-cluster-gen generate
 		-trustee-image $(TRUSTEE_IMAGE) \
 		-pcrs-compute-image $(COMPUTE_PCRS_IMAGE) \
 		-register-server-image $(REG_SERVER_IMAGE) \
+		-attestation-key-register-image $(ATTESTATION_KEY_REGISTER_IMAGE) \
 		-approved-image $(APPROVED_IMAGE)
 
 cluster-up:
@@ -96,11 +100,13 @@ image:
 	$(CONTAINER_CLI) build --build-arg build_type=$(BUILD_TYPE) -t $(OPERATOR_IMAGE) -f Containerfile .
 	$(CONTAINER_CLI) build --build-arg build_type=$(BUILD_TYPE) -t $(COMPUTE_PCRS_IMAGE) -f compute-pcrs/Containerfile .
 	$(CONTAINER_CLI) build --build-arg build_type=$(BUILD_TYPE) -t $(REG_SERVER_IMAGE) -f register-server/Containerfile .
+	$(CONTAINER_CLI) build --build-arg build_type=$(BUILD_TYPE) -t $(ATTESTATION_KEY_REGISTER_IMAGE) -f attestation-key-register/Containerfile .
 
 push: image
 	$(CONTAINER_CLI) push $(OPERATOR_IMAGE) $(PUSH_FLAGS)
 	$(CONTAINER_CLI) push $(COMPUTE_PCRS_IMAGE) $(PUSH_FLAGS)
 	$(CONTAINER_CLI) push $(REG_SERVER_IMAGE) $(PUSH_FLAGS)
+	$(CONTAINER_CLI) push $(ATTESTATION_KEY_REGISTER_IMAGE) $(PUSH_FLAGS)
 
 release-tarball: manifests
 	tar -cf trusted-execution-operator-$(TAG).tar config
@@ -134,7 +140,7 @@ install: $(YQ)
 ifndef TRUSTEE_ADDR
 	$(error TRUSTEE_ADDR is undefined)
 endif
-	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
+	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE) $(ATTESTATION_KEY_REGISTER_IMAGE)
 	$(YQ) '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):8080"' \
 		-i $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
 	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/base/kustomization.yaml
 
@@ -22,13 +22,14 @@ import (
 )
 
 type Args struct {
-	outputDir           string
-	image               string
-	namespace           string
-	trusteeImage        string
-	pcrsComputeImage    string
-	registerServerImage string
-	approvedImage       string
+	outputDir                   string
+	image                       string
+	namespace                   string
+	trusteeImage                string
+	pcrsComputeImage            string
+	registerServerImage         string
+	attestationKeyRegisterImage string
+	approvedImage               string
 }
 
 func main() {
@@ -39,6 +40,7 @@ func main() {
 	flag.StringVar(&args.trusteeImage, "trustee-image", "operators", "Container image with all-in-one Trustee")
 	flag.StringVar(&args.pcrsComputeImage, "pcrs-compute-image", "quay.io/trusted-execution-clusters/compute-pcrs:latest", "Container image with the Trusted Execution Clusters compute-pcrs binary")
 	flag.StringVar(&args.registerServerImage, "register-server-image", "quay.io/trusted-execution-clusters/register-server:latest", "Register server image to use in the deployment")
+	flag.StringVar(&args.attestationKeyRegisterImage, "attestation-key-register-image", "quay.io/trusted-execution-clusters/attestation-key-register:latest", "Attestation key register image to use in the deployment")
 	flag.StringVar(&args.approvedImage, "approved-image", "", "When set, defines an initial approved image. Must be a bootable container image with SHA reference.")
 	flag.Parse()
 
@@ -138,12 +140,14 @@ func generateTrustedExecutionClusterCR(args *Args) error {
 			Namespace: args.namespace,
 		},
 		Spec: v1alpha1.TrustedExecutionClusterSpec{
-			TrusteeImage:        args.trusteeImage,
-			PcrsComputeImage:    args.pcrsComputeImage,
-			RegisterServerImage: args.registerServerImage,
-			PublicTrusteeAddr:   nil,
-			TrusteeKbsPort:      0,
-			RegisterServerPort:  0,
+			TrusteeImage:                args.trusteeImage,
+			PcrsComputeImage:            args.pcrsComputeImage,
+			RegisterServerImage:         args.registerServerImage,
+			AttestationKeyRegisterImage: &args.attestationKeyRegisterImage,
+			PublicTrusteeAddr:           nil,
+			TrusteeKbsPort:              0,
+			RegisterServerPort:          0,
+			AttestationKeyRegisterPort:  0,
 		},
 	}
 
 
@@ -20,4 +20,9 @@ const (
 	NotCommittedReasonComputing string = "Computing"
 	NotCommittedReasonNoDigest  string = "NoDigestGiven"
 	NotCommittedReasonFailed    string = "ComputationFailed"
+
+	// Conditions for the AttestationKey
+	AttestationKeyApprovedCondition     string = "Approved"
+	AttestationKeyRegistrationReason    string = "Registration"
+	AttestationKeyMachineApprovedReason string = "MachineCreated"
 )
@@ -28,10 +28,10 @@ var (
 // +kubebuilder:rbac:groups="",resources=configmaps;services;secrets,verbs=create;get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;get;list;patch;update;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters;machines;approvedimages,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters;machines;approvedimages;attestationkeys,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/finalizers,verbs=update
 // +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines/finalizers,verbs=update
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status;machines/status;approvedimages/status,verbs=get;patch;update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status;machines/status;approvedimages/status;attestationkeys/status,verbs=get;patch;update
 
 // TrustedExecutionClusterSpec defines the desired state of TrustedExecutionCluster
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.publicTrusteeAddr) || has(self.publicTrusteeAddr)", message="Value is required once set"
@@ -48,6 +48,10 @@ type TrustedExecutionClusterSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	RegisterServerImage string `json:"registerServerImage"`
 
+	// Image reference to trusted-cluster-operator's attestation-key-register image
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	AttestationKeyRegisterImage *string `json:"attestationKeyRegisterImage"`
+
 	// Address where attester can connect to Trustee
 	// +optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
@@ -62,6 +66,11 @@ type TrustedExecutionClusterSpec struct {
 	// +optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	RegisterServerPort int32 `json:"registerServerPort,omitempty"`
+
+	// Port that trusted-cluster-operator's attestation-key-register serves on
+	// +optional
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	AttestationKeyRegisterPort int32 `json:"attestationKeyRegisterPort,omitempty"`
 }
 
 // TrustedExecutionClusterStatus defines the observed state of TrustedExecutionCluster.
@@ -192,3 +201,51 @@ type ApprovedImageList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []ApprovedImage `json:"items"`
 }
+
+// AttestationKeySpec
+type AttestationKeySpec struct {
+	// PublicKey defines the attestation public key to be registered as trusted key.
+	// +required
+	PublicKey string `json:"publicKey"`
+
+	// Address defines the address of the machine associated to the attestation key.
+	// +optional
+	Address *string `json:"address,omitempty"`
+}
+
+// AttestationKeyStatus defines the observed state of AttestationKey.
+type AttestationKeyStatus struct {
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// AttestationKey represents the Attestation Key to be added as to the trusted key for trustee.
+type AttestationKey struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is a standard object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty,omitzero"`
+
+	// spec defines the desired state of AttestationKey
+	// +required
+	Spec AttestationKeySpec `json:"spec"`
+
+	// status defines the observed state of AttestationKey
+	// +optional
+	Status AttestationKeyStatus `json:"status,omitempty,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// AttestationKeyList contains a list of AttestationKey
+type AttestationKeyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AttestationKey `json:"items"`
+}
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Alice Frosi <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+[package]
+name = "attestation-key-register"
+version = "0.1.0"
+edition = "2021"
+rust-version.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+clap.workspace = true
+trusted-cluster-operator-lib = { path = "../lib" }
+env_logger.workspace = true
+k8s-openapi.workspace = true
+kube.workspace = true
+log.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+uuid = { version = "1.0", features = ["v4"] }
+warp.workspace = true
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: Alice Frosi <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+ARG build_type
+FROM ghcr.io/trusted-execution-clusters/buildroot AS builder
+ARG build_type
+WORKDIR /build
+
+COPY Makefile .
+RUN make build-tools
+
+COPY Cargo.toml Cargo.lock go.mod go.sum .
+COPY api api
+COPY lib lib
+RUN make crds-rs
+
+COPY attestation-key-register/Cargo.toml attestation-key-register/
+COPY attestation-key-register/src/lib.rs attestation-key-register/src/
+
+# Set only required crates as members to minimize rebuilds upon changes.
+# In debug builds, build dependencies to avoid full rebuild.
+RUN sed -i 's/members =.*/members = ["lib", "attestation-key-register"]/' Cargo.toml && \
+    if [ "$build_type" = debug ]; then cargo build -p attestation-key-register; fi
+
+COPY attestation-key-register/src attestation-key-register/src
+RUN cargo build -p attestation-key-register $(if [ "$build_type" = release ]; then echo --release; fi)
+
+FROM quay.io/fedora/fedora:42
+ARG build_type
+COPY --from=builder "/build/target/$build_type/attestation-key-register" /usr/bin
+EXPOSE 8001
+ENTRYPOINT ["/usr/bin/attestation-key-register"]
@@ -0,0 +1,6 @@
+// SPDX-FileCopyrightText: Alice Frosi <[email protected]>
+//
+// SPDX-License-Identifier: MIT
+
+// This pseudo-library exists to build dependencies in a lower
+// container image layer, which speeds up development.