Skip to content

Local deployment with Trustee and AK registration #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Nov 12, 2025
Merged

Local deployment with Trustee and AK registration #50

merged 11 commits into from
Nov 12, 2025

Conversation

@alicefr
Copy link
Contributor

@alicefr alicefr commented Oct 29, 2025

Setup to create a Trustee deployment with podman kube play and the AK registration for testing

Jakob-Naucke
Jakob-Naucke reviewed Oct 30, 2025
View reviewed changes
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your work, both here and in repositories referenced here! I got it to work but I think it has a couple of rough edges. Boot was also 110s on my machine which is a little rough but maybe it is the only way.

edit: testing again, was 45 seconds. don't know what that was.

test-server-ak/Containerfile Outdated

COPY server.py .

EXPOSE 5000
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about one that isn't also the Kind container registry?

trustee.yaml Outdated
type: Directory
containers:
- name: register-ak
image: quay.io/confidential-clusters/test-sever-ak:latest
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know it's just test but perhaps

Suggested change
image: quay.io/confidential-clusters/test-sever-ak:latest
image: quay.io/confidential-clusters/test-server-ak:latest

scripts/populate-local-kbs.sh
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

populate-trustee-kbs.sh regenerates the PIN Ignition config, which you probably want to share? I had an outdated one which has some very subtle implications (Ignition used old protocol version when the Clevis PIN is only implemented for v3.6).

Copy link
Contributor Author

@alicefr alicefr Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I put it in a common script to be sourced

alicefr added 10 commits November 11, 2025 12:12
@alicefr
Bump fedora coreos tag
4c04c06 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Build trustee-attester with tpm attester enabled
ca26ec6 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Build coreos with the trustee-agent and ignition with the attesation …
80e9fe7 
…support

Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Improve install_vm.sh
a3fb606 
 - Increase the memory to 4GB otherwise, the VM might fails with LUKS.
 - Use the ignition with the attestation support
 - Specify the trustee address in the script. This helps if trustee is
   deployed on the host for example

Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Use latest butane and ignition config
771573a 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Server for the AK registration
7132e07 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Setup to create local trustee
a04ab80 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Example of butane with AK registration
f777f4c 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Add dracut module to install the tpm tools
f722849 
Signed-off-by: Alice Frosi <[email protected]>
@alicefr
Generate the remote ignition configuration
1e40ebf 
Signed-off-by: Alice Frosi <[email protected]>
@Jakob-Naucke
Copy link
Contributor

Jakob-Naucke commented Nov 12, 2025

LGTM, I'll leave it up to you if the CI is blocking

@alicefr
Copy link
Contributor Author

alicefr commented Nov 12, 2025

Not sure why the ci is still pulling the old coreos tag, I have bumped it to the new one

@alicefr
Copy link
Contributor Author

alicefr commented Nov 12, 2025
edited
Loading

This commit should hopefully solve the CI issue: 82ad862

@alicefr
Copy link
Contributor Author

alicefr commented Nov 12, 2025

Merging since the CI is green now

@alicefr alicefr merged commit 602cbdf into trusted-execution-clusters:main Nov 12, 2025
2 checks passed
@Jakob-Naucke Jakob-Naucke mentioned this pull request Nov 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakob-Naucke Jakob-Naucke Jakob-Naucke approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alicefr @Jakob-Naucke