bundle: add attestation key registration support

Update bundle to include the attestation-key-register service and
AttestationKey CRD introduced in commit 2ea74dc.

- Add attestation-key-register to CSV relatedImages and alm-examples
- Update bundle generation script to handle ATTESTATION_KEY_REGISTER_IMAGE
- Add AttestationKey RBAC viewer and admin roles
- Update README with new component documentation

Signed-off-by: Yalan Zhang <[email protected]>

Author: yalzhang

README.md

@@ -13,6 +13,7 @@ within the cluster.
 -   `/api`: Defines the `TrustedExecutionCluster` Custom Resource Definition (CRD) and associated CRDs and RBAC definitions in Go. Also contains a program to generate a `TrustedExecutionCluster` CR and associated deployment.
 -   `/operator`: Contains the source code for the Kubernetes operator itself.
 -   `/register-server`: A server that provides Clevis PINs for key retrieval with random UUIDs.
+-   `/attestation-key-register`: A server that accepts attestation key registrations from VMs and creates AttestationKey resources.
 -   `/compute-pcrs`: A program to compute PCR reference values using the [compute-pcrs library](https://github.com/trusted-execution-clusters/compute-pcrs) and insert them into a ConfigMap, run as a Job.
 -   `/lib`: Shared Rust definitions, including translated CRDs
 -   `/scripts`: Helper scripts for managing a local `kind` development cluster.
@@ -63,7 +64,7 @@ make REGISTRY=localhost:5000 manifests
 make TRUSTEE_ADDR=$ip install
 ```
 
-The KBS port will be forwarded to `8080` on your machine; the node register server to `8000`, where new Ignition configs are served at `/register`.
+The KBS port will be forwarded to `8080` on your machine; the node register server to `8000`, where new Ignition configs are served at `/register`. The attestation-key-register service runs on port `8001` within the cluster for VM attestation key registration.
 
 ### Test
 
@@ -108,7 +109,7 @@ make push-all
 
 **4. Deploy the Bundle**
 
-Deploy the bundle to your cluster. You can install it in any namespace. This guide uses `trusted-execution-clusters` as the example namespace.
+Deploy the bundle to your cluster. You can install it in any namespace.
 
 ```bash
 # Example: Install in namespace 'trusted-execution-clusters'
@@ -141,8 +142,6 @@ yq -i '.spec.publicTrusteeAddr = "'$TRUSTEE_ADDR':8080"' \
 # Apply the configured CRs
 kubectl apply -f config/deploy/trusted_execution_cluster_cr.yaml
 kubectl apply -f config/deploy/approved_image_cr.yaml
-sed 's/<NAMESPACE>/trusted-execution-clusters/g' kind/kbs-forward.yaml | kubectl apply -f -
-sed 's/<NAMESPACE>/trusted-execution-clusters/g' kind/register-forward.yaml | kubectl apply -f -
 ```
 
 #### **Cleaning Up the Bundle Deployment**

bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml

@@ -15,10 +15,11 @@ metadata:
             "name": "example-trustedexecutioncluster"
           },
           "spec": {
-            "trusteeImage": "quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711",
+            "trusteeImage": "quay.io/trusted-execution-clusters/key-broker-service:20260106",
             "pcrsComputeImage": "quay.io/trusted-execution-clusters/compute-pcrs:0.1.0",
             "registerServerImage": "quay.io/trusted-execution-clusters/registration-server:0.1.0",
-            "publicTrusteeAddr": "<trustee-address>"
+            "attestationKeyRegisterImage": "quay.io/trusted-execution-clusters/attestation-key-register:0.1.0",
+            "publicTrusteeAddr": "kbs-service.trusted-execution-clusters.svc.cluster.local:8080"
           }
         },
         {
@@ -28,7 +29,7 @@ metadata:
             "name": "example-approvedimage"
           },
           "spec": {
-            "image": "quay.io/fedora/fedora-coreos@sha256:e71dad00aa0e3d70540e726a0c66407e3004d96e045ab6c253186e327a2419e5"
+            "image": "quay.io/fedora/fedora-coreos@sha256:8f11c87187dfe83145001e9571948f9ab466e9f4a8b1e092a4798e5db1030dc3"
           }
         }
       ]
@@ -65,8 +66,10 @@ spec:
       image: quay.io/trusted-execution-clusters/compute-pcrs:0.1.0
     - name: registration-server
       image: quay.io/trusted-execution-clusters/registration-server:0.1.0
+    - name: attestation-key-register
+      image: quay.io/trusted-execution-clusters/attestation-key-register:0.1.0
     - name: trustee
-      image: quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711
+      image: quay.io/trusted-execution-clusters/key-broker-service:20260106
   install:
     strategy: deployment
     spec:
@@ -151,3 +154,8 @@ spec:
         kind: ApprovedImage
         displayName: Approved Image
         description: Represents a container image approved for execution.
+      - name: attestationkeys.trusted-execution-clusters.io
+        version: v1alpha1
+        kind: AttestationKey
+        displayName: Attestation Key
+        description: Represents an attestation key to be registered with the trustee.

config/rbac/attestationkey_admin_role.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: Generated by kubebuilder
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# This rule is not used by the project trusted-cluster-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over trusted-execution-clusters.io.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: trusted-cluster-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: attestationkey-admin-role
+rules:
+- apiGroups:
+  - trusted-execution-clusters.io
+  resources:
+  - attestationkeys
+  verbs:
+  - '*'
+- apiGroups:
+  - trusted-execution-clusters.io
+  resources:
+  - attestationkeys/status
+  verbs:
+  - get

config/rbac/attestationkey_viewer_role.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: Generated by kubebuilder
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# This rule is not used by the project trusted-cluster-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to trusted-execution-clusters.io resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: trusted-cluster-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: attestationkey-viewer-role
+rules:
+- apiGroups:
+  - trusted-execution-clusters.io
+  resources:
+  - attestationkeys
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - trusted-execution-clusters.io
+  resources:
+  - attestationkeys/status
+  verbs:
+  - get

scripts/generate-bundle-prod.sh

@@ -22,7 +22,7 @@ done
 [[ -z "$BUNDLE_VERSION" ]] && { echo "Error: bundle version cannot be empty"; exit 1; }
 
 # Required environment variables
-for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE TRUSTEE_IMAGE; do
+for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE ATTESTATION_KEY_REGISTER_IMAGE TRUSTEE_IMAGE; do
     : "${!var:?Please export $var}"
 done
 
@@ -67,6 +67,7 @@ yq -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image
 yq -i "(.spec.relatedImages[] | select(.name == \"trusted-cluster-operator\")).image = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
 yq -i "(.spec.relatedImages[] | select(.name == \"compute-pcrs\")).image = \"${COMPUTE_PCRS_IMAGE}\"" "$CSV_FILE"
 yq -i "(.spec.relatedImages[] | select(.name == \"registration-server\")).image = \"${REG_SERVER_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"attestation-key-register\")).image = \"${ATTESTATION_KEY_REGISTER_IMAGE}\"" "$CSV_FILE"
 yq -i "(.spec.relatedImages[] | select(.name == \"trustee\")).image = \"${TRUSTEE_IMAGE}\"" "$CSV_FILE"
 
 # Patch RBAC rules