Add design document for the operator architecture #158
Signed-off-by: Alice Frosi <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: alicefr. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Jakob-Naucke
left a comment
Thank you for the write-up. A couple of comments.
> ## Key Components
>
> The operator consists of several interconnected components:
Should these be grouped by pod?
> ## Architecture Components
>
> ### 1. Registration Server Deployment
1. but no 2. IMO you can just drop the number.
> #### Secret Provisioning Process
>
> - Creates Kubernetes owner reference linking the secret to the Machine object
Could mention the endpoint here too like you do for AK reg further below. I think it makes it clearer what happens technically.
> **During First Boot (handled by Ignition)**
> 1. Ignition checks if `/var/tpm/ak.pub` exists
> 2. If not present, generates a new AK in the TPM
> 3. Contacts the operator's AK registration endpoint (e.g., `https://register-server:8000/register-ak`)
In this example, maybe pick a domain that makes it clear it's AK registration, not key registration. Also the port is usually 8001 I think?
> 3. Contacts the operator's AK registration endpoint (e.g., `https://register-server:8000/register-ak`)
> 4. Submits the AK public key in PEM format along with platform information
>
> **Operator Processing (in `operator/src/attestation_key_register.rs`)**
Please be consistent in mentioning the file for all parts (no strong preference between always/never).
> **Operator Processing (in `operator/src/attestation_key_register.rs`)**
> 1. **AK Registration Service**: Receives and stores the AK public key
> 2. **Machine Matching**: Associates the AK with the corresponding Machine object based on registration correlation. If no machine machine exist, the AK isn't approved
nit
Suggested change:
- 2. **Machine Matching**: Associates the AK with the corresponding Machine object based on registration correlation. If no machine machine exist, the AK isn't approved
+ 2. **Machine Matching**: Associates the AK with the corresponding Machine object based on registration correlation. If no Machine exists, the AK isn't approved
> - The Trustee deployment is updated with the new AK secret
> - Triggers a pod restart to load the new attestation key
> - After restart, Trustee can verify attestation reports signed by the registered AK
> - At machine deletion, the AK is also garbage collected and removed from the trustee deployment.
nit
Suggested change:
- - At machine deletion, the AK is also garbage collected and removed from the trustee deployment.
+ - At machine deletion, the AK is also garbage collected and removed from the Trustee deployment.
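As an added illustration (not code from this PR or from the operator's own `attestation_key_register.rs`), the Rust model below captures the rules quoted in this review: an AK is approved only when a Machine object matches, the Trustee AK set changes together with a pod restart, and deleting a Machine garbage-collects its AK out of Trustee. The `machine_id` correlation key, the in-memory structures and the PEM shape check are assumptions; platform information is omitted.

```rust
use std::collections::{HashMap, HashSet};

/// Why an AK registration is refused (the document's "isn't approved" case).
#[derive(Debug, PartialEq)]
pub enum RegisterError {
    NoMatchingMachine,
    MalformedPem,
}

/// Assumed in-memory stand-in for operator state: Machine objects, the AK
/// Secret owned by each Machine, and the AKs the Trustee deployment loads.
#[derive(Default)]
pub struct Operator {
    machines: HashSet<String>,
    ak_by_machine: HashMap<String, String>,
    pub trustee_aks: HashSet<String>,
    /// Pod restarts triggered so Trustee reloads its AK set.
    pub trustee_restarts: u32,
}

impl Operator {
    pub fn add_machine(&mut self, id: &str) { self.machines.insert(id.to_string()); }

    /// "Operator Processing" steps 1-2: store the AK only when a Machine matches.
    /// `machine_id` is an assumed correlation key; platform info is not modelled.
    pub fn register_ak(&mut self, machine_id: &str, ak_pem: &str) -> Result<(), RegisterError> {
        let pem = ak_pem.trim();
        if !pem.starts_with("-----BEGIN ") || !pem.ends_with("PUBLIC KEY-----") {
            return Err(RegisterError::MalformedPem);
        }
        if !self.machines.contains(machine_id) {
            return Err(RegisterError::NoMatchingMachine);
        }
        // Re-registration replaces the previous key instead of adding a second one.
        if let Some(old) = self.ak_by_machine.insert(machine_id.to_string(), pem.to_string()) {
            self.trustee_aks.remove(&old);
        }
        self.trustee_aks.insert(pem.to_string());
        self.trustee_restarts += 1; // Trustee restarts to load the new AK
        Ok(())
    }

    /// Machine deletion garbage-collects its AK and removes it from Trustee.
    pub fn delete_machine(&mut self, machine_id: &str) {
        self.machines.remove(machine_id);
        if let Some(ak) = self.ak_by_machine.remove(machine_id) {
            self.trustee_aks.remove(&ak);
            self.trustee_restarts += 1;
        }
    }
}
```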
/test operator-lifecycle-verify
@alicefr: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Please ignore the test-related messages. I had planned to test concurrent runs, but I forgot that the fix hasn't been merged yet. The latest fix now skips tests for documentation changes.