Skip to content

Implement KBS API integration for LUKS key and AK management #242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
iroykaufman wants to merge 5 commits into from
Closed

Implement KBS API integration for LUKS key and AK management #242

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1d2bffc
add auth keys for trustee
iroykaufman Mar 26, 2026
f86c22e
Add send secret function
iroykaufman Mar 30, 2026
dd076ab
Add delete secret
iroykaufman Apr 15, 2026
b8f18ac
Migrate the AK registartion to use KBS API
iroykaufman Apr 16, 2026
c4b9d73
Add trustee sync logic and tests
iroykaufman Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2,132 changes: 1,702 additions & 430 deletions Cargo.lock
View file
Open in desktop

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ anyhow = "1.0.102"
chrono = "0.4.44"
clap = { version = "4.6.0", features = ["derive"] }
clevis-pin-trustee-lib = { git = "https://github.com/latchset/clevis-pin-trustee" }
compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs" }
compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs", rev = "1e7b9f74206e436d1426c335e30b2f1a6bd1681e"}
env_logger = { version = "0.11.9", default-features = false }
http = "1.4.0"
ignition-config = "0.6.1"
Expand Down
2 changes: 2 additions & 0 deletions Containerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ RUN sed -i 's/members = .*/members = ["lib", "operator"]/' Cargo.toml && \
# In debug builds, build dependencies to avoid full rebuild.
RUN if [ "$build_type" = debug ]; then cargo build -p operator; fi

RUN dnf install -y perl-FindBin perl-core
Copy link
Copy Markdown
Contributor

@alicefr alicefr Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need these dependecies?

Copy link
Copy Markdown
Contributor Author

@iroykaufman iroykaufman Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The openssl-sys fails when this dependency is missing. This is because I bumped all the dependency versions, the upstream uses openssl-sys 0.9.112, and here it is openssl-sys 0.9.113. This is the error message:

cargo:warning=configuring OpenSSL build: 'perl' reported failure with exit status: 2
  cargo:warning=openssl-src: failed to build OpenSSL from source

  --- stderr
  Can't locate FindBin.pm in @INC (you may need to install the FindBin module) (@INC entries checked: /usr/local/lib64/perl5/5.42 /usr/local/share/perl5/5.42 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./Configure line 15.
  BEGIN failed--compilation aborted at ./Configure line 15.


# Target build stage
COPY operator/src operator/src
RUN cargo build -p operator $(if [ "$build_type" = release ]; then echo --release; fi)
Expand Down
1 change: 1 addition & 0 deletions operator/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ serde.workspace = true
serde_json.workspace = true
thiserror = "2.0.18"
tokio.workspace = true
kbs-client = {git = "https://github.com/iroykaufman/trustee/", branch = "ak-registration"}
Copy link
Copy Markdown
Contributor

@alicefr alicefr Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason for using your fork?

Copy link
Copy Markdown
Contributor Author

@iroykaufman iroykaufman Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, currently registering AK using the KBS API is not supported. I created this PR#1306 to include support.


[dev-dependencies]
http.workspace = true
Expand Down
4 changes: 2 additions & 2 deletions operator/src/kbs-config.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ insecure_http = true

[admin]
insecure_api = true
auth_public_key="/key/public.pub"
Copy link
Copy Markdown
Contributor

@alicefr alicefr Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: space between the 2 string and the =

type = "InsecureAllowAll"

[attestation_token]
Expand Down Expand Up @@ -32,8 +33,7 @@ policy_engine = "opa"

[[plugins]]
name = "resource"
type = "LocalFs"
dir_path = "/opt/trustee/kbs-repository"
type = "kvstorage"

[policy_engine]
policy_path = "/opt/trustee/policy.rego"
9 changes: 7 additions & 2 deletions operator/src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,11 @@ async fn install_trustee_configuration(
Err(e) => error!("Failed to create the attestation policy configmap: {e}"),
}

match trustee::generate_trustee_auth_keys_secret(client.clone(), owner_reference.clone()).await {
Ok(_) => info!("Generate auth keys for the KBS API",),
Err(e) => error!("Failed to create the auth keys: {e}"),
}

let kbs_port = cluster.spec.trustee_kbs_port;
match trustee::generate_kbs_service(client.clone(), owner_reference.clone(), kbs_port).await {
Ok(_) => info!("Generate the KBS service"),
Expand All @@ -190,11 +195,10 @@ async fn install_trustee_configuration(
"RELATED_IMAGE_TRUSTEE",
"quay.io/trusted-execution-clusters/key-broker-service:20260106",
);
match trustee::generate_kbs_deployment(client, owner_reference, &trustee_image).await {
match trustee::generate_kbs_deployment(client.clone(), owner_reference, &trustee_image).await {
Ok(_) => info!("Generate the KBS deployment"),
Err(e) => error!("Failed to create the KBS deployment: {e}"),
}

Ok(())
}

Expand Down Expand Up @@ -278,6 +282,7 @@ async fn main() -> Result<()> {
attestation_key_register::launch_ak_controller(kube_client.clone()).await;
attestation_key_register::launch_machine_ak_controller(kube_client.clone()).await;
attestation_key_register::launch_secret_ak_controller(kube_client.clone()).await;
trustee::launch_trustee_sync_controller(kube_client.clone()).await;

let ctx = Arc::new(ClusterContext {
client: kube_client,
Expand Down
13 changes: 8 additions & 5 deletions operator/src/register_server.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ async fn keygen_reconcile(
async {
let owner_reference = generate_owner_reference(&Arc::unwrap_or_clone(machine))?;
trustee::generate_secret(kube_client.clone(), id, owner_reference).await?;
trustee::mount_secret(kube_client, id).await
trustee::send_secret(kube_client, id).await
}
.await
.map(|_| Action::await_change())
Expand Down Expand Up @@ -178,10 +178,13 @@ async fn keygen_reconcile(
}
}

trustee::unmount_secret(kube_client, id)
.await
.map(|_| Action::await_change())
.map_err(|e| finalizer::Error::<ControllerError>::CleanupFailed(e.into()))
trustee::delete_secret(kube_client, id).await.map_err(|e| {
finalizer::Error::<ControllerError>::CleanupFailed(anyhow!(
"failed to delete secret for machine {id}: {e}"
)
.into())
})?;
Ok(Action::await_change())
}
}
})
Expand Down
Loading