@alicefr alicefr commented Jan 14, 2026

No description provided.

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alicefr

@patrickdillon patrickdillon left a comment

Can we identify what details (at a high-level) the user will need to pass to the installer? Perhaps just the address of the external attestation server and key?


## Migration of the operator in cluster

Once the cluster has finished the boostrap phase, the Trusted Execution Cluster operator will be deployed in the boostrapped cluster and can start to attest the new upcoming node.
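
Review bot: "boostrap" and "boostrapped" in the paragraph under "Migration of the operator in cluster" should read "bootstrap" and "bootstrapped". The paragraph also says the operator "can start to attest the new upcoming node" without stating what marks the end of the bootstrap phase or which component attests nodes that boot before the operator is deployed; a sentence naming that trigger and the handover point would make the section easier to review.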

Is the external cluster attesting only the control plane or also the compute nodes specified at install time?

In either case, how do we pivot after installation from using the external cluster to using the in-cluster operator? Specifically, we need to update the ignition stubs to point to the operator rather than the external cluster.

I can help iron out these details.

Contributor Author

I'm not quite sure about this. I hope there is a moment where we can detect that the bootstrap phase has finished and that we can migrate the object in cluster. I think there might be 2 approaches:

  1. When the k8s API is up, we can start deploying the in-cluster operator and we can mirror every change and object that comes up in the external one to have it always in sync. When the pivot happens, once the bootstrap phase has finished, we start using the in-cluster operator.
  2. Otherwise, we can do it only once, when there is the pivot from the bootstrap phase to the regular and finished installation.

@patrickdillon if you could help identify when this "pivot" phase happens, it will be great!

alicefr commented Jan 15, 2026

> Can we identify what details (at a high-level) the user will need to pass to the installer? Perhaps just the address of the external attestation server and key?

They are the endpoints for the registration and the attestation server (trustee), but you are right, it can be mentioned more explicitly.

UPDATE: I added a paragraph with more details about this, PTAL

openshift-ci bot commented Jan 15, 2026

@alicefr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/infra-provision-verify | 2de56be | link | true | /test infra-provision-verify |
| ci/prow/operator-lifecycle-verify | 2de56be | link | true | /test operator-lifecycle-verify |
