Merge pull request #40 from Jakob-Naucke/trustee-self-deploy

Self-deploy Trustee

Author: alicefr

Makefile

@@ -5,12 +5,16 @@
 
 .PHONY: all build tools manifests-dir manifests cluster-up cluster-down image push install-trustee install clean fmt-check clippy lint test test-release
 
+NAMESPACE ?= confidential-clusters
+
 KUBECTL=kubectl
 
 REGISTRY ?= quay.io
 OPERATOR_IMAGE=$(REGISTRY)/confidential-clusters/cocl-operator:latest
 COMPUTE_PCRS_IMAGE=$(REGISTRY)/confidential-clusters/compute-pcrs:latest
 REG_SERVER_IMAGE=$(REGISTRY)/confidential-clusters/registration-server:latest
+# TODO add support for TPM AK verification, then move to a KBS with implemented verifier
+TRUSTEE_IMAGE ?= quay.io/confidential-clusters/key-broker-service:tpm-verifier-built-in-as-20250711
 
 BUILD_TYPE ?= release
 
@@ -34,11 +38,13 @@ ifndef TRUSTEE_ADDR
 	$(error TRUSTEE_ADDR is undefined)
 endif
 	target/debug/manifest-gen --output-dir manifests \
+		--namespace $(NAMESPACE) \
 		--image $(OPERATOR_IMAGE) \
-		--trustee-namespace operators \
+		--trustee-image $(TRUSTEE_IMAGE) \
 		--pcrs-compute-image $(COMPUTE_PCRS_IMAGE) \
 		--register-server-image $(REG_SERVER_IMAGE) \
-		--trustee-addr $(TRUSTEE_ADDR):8080
+		--trustee-addr $(TRUSTEE_ADDR):8080 \
+		--register-server-port 8000
 
 cluster-up:
 	scripts/create-cluster-kind.sh
@@ -57,15 +63,13 @@ push: image
 	podman push $(COMPUTE_PCRS_IMAGE) --tls-verify=false
 	podman push $(REG_SERVER_IMAGE) --tls-verify=false
 
-install-trustee:
-	scripts/install-trustee.sh
-
 install:
 	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
 	$(KUBECTL) apply -f manifests/operator.yaml
 	$(KUBECTL) apply -f manifests/confidential_cluster_crd.yaml
 	$(KUBECTL) apply -f manifests/confidential_cluster_cr.yaml
 	$(KUBECTL) apply -f kind/register-forward.yaml
+	$(KUBECTL) apply -f kind/kbs-forward.yaml
 
 clean:
 	cargo clean

README.md

@@ -13,6 +13,8 @@ within the cluster.
 -   `/operator`: Contains the source code for the Kubernetes operator itself.
 -   `/crds`: Defines the `ConfidentialCluster` Custom Resource Definition (CRD) in Rust.
 -   `/register-server`: A server that provides Clevis PINs for key retrieval with random UUIDs.
+-   `/compute-pcrs`: A program to compute PCR reference values using the [compute-pcrs library](https://github.com/confidential-clusters/compute-pcrs) and insert them into a ConfigMap, run as a Job.
+-   `/rv-store`: Shared reference value definitions.
 -   `/manifest-gen`: A tool for generating all the necessary Kubernetes manifests (Operator Deployment, CRD, RBAC rules, etc.).
 -   `/scripts`: Helper scripts for managing a local `kind` development cluster.
 -   `/manifests`: The default output directory for generated manifests. This directory is not checked into source control.
@@ -28,28 +30,27 @@ within the cluster.
 
 ### Quick Start
 
-Create the cluster, install [trustee operator](https://github.com/confidential-containers/trustee-operator) and deploy 
-the operator.
+Create the cluster and deploy the operator.
 
 Provide an address where the VM you will attest from can access the cluster.
-In many cases, this will be your gateway address (`arp -a`).
-For an existing VM on system libvirt, you can also find this address via `virsh net-dhcp-leases`.
+When using a local kind & libvirt VM, this may be your gateway address (`default via …` in `ip route`) for user libvirt or bridge (`virbr0` in `ip route`) for system libvirt.
 
 ```bash
-$ arp -a
-_gateway (192.168.178.1) at 34:2c:c4:de:fc:52 [ether] on wlp0s20f3
-$ ip=192.168.178.1
+$ ip route
+...
+192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
+...
+$ ip=192.168.122.1
 ``
 
 ```bash
 make cluster-up
 make REGISTRY=localhost:5000 image push # optional: use BUILD_TYPE=debug
 make REGISTRY=localhost:5000 TRUSTEE_ADDR=$ip manifests
-make install-trustee
 make install
 ```
 
-The KBS port will be forwarded to `8080` on your machine; the node register server to `3030`, where new Ignition configs are served at `/register`.
+The KBS port will be forwarded to `8080` on your machine; the node register server to `8000`, where new Ignition configs are served at `/register`.
 
 ### Test
 

crds/src/lib.rs

@@ -17,42 +17,11 @@ use serde::{Deserialize, Serialize};
 )]
 #[serde(rename_all = "camelCase")]
 pub struct ConfidentialClusterSpec {
-    pub trustee: Trustee,
+    pub trustee_image: String,
     pub pcrs_compute_image: String,
     pub register_server_image: String,
     pub trustee_addr: String,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize, JsonSchema)]
-pub struct Trustee {
-    pub namespace: String,
-    pub kbs_configuration: String,
-    pub attestation_policy: String,
-    pub resource_policy: String,
-    pub reference_values: String,
-    pub kbs_auth_key: String,
-    pub kbs_config_name: String,
-}
-
-#[derive(CustomResource, Debug, Clone, Deserialize, Serialize, JsonSchema)]
-#[kube(
-    group = "confidentialcontainers.org",
-    version = "v1alpha1",
-    kind = "KbsConfig",
-    namespaced,
-    plural = "kbsconfigs"
-)]
-#[serde(rename_all = "camelCase")]
-pub struct KbsConfigSpec {
-    pub kbs_config_map_name: String,
-    pub kbs_auth_secret_name: String,
-    pub kbs_deployment_type: String,
-    pub kbs_rvps_ref_values_config_map_name: String,
-    pub kbs_secret_resources: Vec<String>,
-    pub kbs_https_key_secret_name: String,
-    pub kbs_https_cert_secret_name: String,
-    pub kbs_resource_policy_config_map_name: String,
-    pub kbs_attestation_policy_config_map_name: String,
+    pub register_server_port: i32,
 }
 
 #[derive(CustomResource, Debug, Clone, Deserialize, Serialize, JsonSchema)]

kind/config.yaml

@@ -15,6 +15,6 @@ nodes:
   - containerPort: 31000
     hostPort: 8080
   - containerPort: 31001
-    hostPort: 3030
+    hostPort: 8000
 featureGates:
   "ImageVolume": true

kind/kbs-forward.yaml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: Jakob Naucke <jnaucke@redhat.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kbs-forward
+  namespace: confidential-clusters
+spec:
+  type: NodePort
+  ports:
+  - name: http
+    nodePort: 31000
+    port: 8080
+  selector:
+    app: kbs

kind/register-forward.yaml

@@ -12,6 +12,6 @@ spec:
   ports:
   - name: http
     nodePort: 31001
-    port: 3030
+    port: 8000
   selector:
     app: register-server