trusted-execution-clusters · iroykaufman · May 4, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ anyhow = "1.0.102"
 chrono = "0.4.44"
 clap = { version = "4.6.0", features = ["derive"] }
 clevis-pin-trustee-lib = { git = "https://github.com/latchset/clevis-pin-trustee" }
-compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs" }
+compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs", rev = "1e7b9f74206e436d1426c335e30b2f1a6bd1681e"}
 env_logger = { version = "0.11.10", default-features = false }
 http = "1.4.0"
 ignition-config = "0.6.1"

diff --git a/Containerfile b/Containerfile
@@ -23,6 +23,8 @@ RUN sed -i 's/members = .*/members = ["lib", "operator"]/' Cargo.toml && \
 # In debug builds, build dependencies to avoid full rebuild.
 RUN if [ "$build_type" = debug ]; then cargo build -p operator; fi
 
+RUN dnf install -y perl-FindBin perl-core
+
 # Target build stage
 COPY operator/src operator/src
 RUN cargo build -p operator $(if [ "$build_type" = release ]; then echo --release; fi)

diff --git a/lib/src/endpoints.rs b/lib/src/endpoints.rs
@@ -4,6 +4,7 @@
 
 pub const TRUSTEE_SERVICE: &str = "kbs-service";
 pub const TRUSTEE_DEPLOYMENT: &str = "trustee-deployment";
+pub const KBS_LABEL_SELECTOR: &str = "kbs";
 pub const TRUSTEE_PORT: i32 = 8080;
 pub const REGISTER_SERVER_SERVICE: &str = "register-server";
 pub const REGISTER_SERVER_DEPLOYMENT: &str = "register-server";

diff --git a/operator/Cargo.toml b/operator/Cargo.toml
@@ -30,6 +30,7 @@ serde.workspace = true
 serde_json.workspace = true
 thiserror = "2.0.18"
 tokio.workspace = true
+kbs-client = {git = "https://github.com/confidential-containers/trustee.git", rev="54d10fdb80ce249b56d5b15bd0f6e44746fd3e20"}
 
 [dev-dependencies]
 http.workspace = true

diff --git a/operator/src/kbs-config.toml b/operator/src/kbs-config.toml
@@ -4,6 +4,7 @@ insecure_http = true
 
 [admin]
 insecure_api = true
+auth_public_key="/key/public.pub"
 type = "InsecureAllowAll"
 
 [attestation_token]
@@ -32,8 +33,7 @@ policy_engine = "opa"
 
 [[plugins]]
 name = "resource"
-type = "LocalFs"
-dir_path = "/opt/trustee/kbs-repository"
+type = "kvstorage"
 
 [policy_engine]
 policy_path = "/opt/trustee/policy.rego"
diff --git a/operator/src/main.rs b/operator/src/main.rs
@@ -179,6 +179,12 @@ async fn install_trustee_configuration(
         Err(e) => error!("Failed to create the attestation policy configmap: {e}"),
     }
 
+    match trustee::generate_trustee_auth_keys_secret(client.clone(), owner_reference.clone()).await
+    {
+        Ok(_) => info!("Generate auth keys for the KBS API",),
+        Err(e) => error!("Failed to create the auth keys: {e}"),
+    }
+
     let kbs_port = cluster.spec.trustee_kbs_port;
     match trustee::generate_kbs_service(client.clone(), owner_reference.clone(), kbs_port).await {
         Ok(_) => info!("Generate the KBS service"),
@@ -190,7 +196,7 @@ async fn install_trustee_configuration(
         "RELATED_IMAGE_TRUSTEE",
         "quay.io/trusted-execution-clusters/key-broker-service:20260106",
     );
-    match trustee::generate_kbs_deployment(client, owner_reference, &trustee_image).await {
+    match trustee::generate_kbs_deployment(client.clone(), owner_reference, &trustee_image).await {
         Ok(_) => info!("Generate the KBS deployment"),
         Err(e) => error!("Failed to create the KBS deployment: {e}"),
     }
@@ -278,6 +284,7 @@ async fn main() -> Result<()> {
     attestation_key_register::launch_ak_controller(kube_client.clone()).await;
     attestation_key_register::launch_machine_ak_controller(kube_client.clone()).await;
     attestation_key_register::launch_secret_ak_controller(kube_client.clone()).await;
+    trustee::launch_trustee_sync_controller(kube_client.clone()).await;
 
     let ctx = Arc::new(ClusterContext {
         client: kube_client,

diff --git a/operator/src/register_server.rs b/operator/src/register_server.rs
@@ -132,7 +132,7 @@ async fn keygen_reconcile(
                 async {
                     let owner_reference = generate_owner_reference(&Arc::unwrap_or_clone(machine))?;
                     trustee::generate_secret(kube_client.clone(), id, owner_reference).await?;
-                    trustee::mount_secret(kube_client, id).await
+                    trustee::send_secret(kube_client, id).await
                 }
                 .await
                 .map(|_| Action::await_change())
@@ -178,10 +178,12 @@ async fn keygen_reconcile(
                     }
                 }
 
-                trustee::unmount_secret(kube_client, id)
-                    .await
-                    .map(|_| Action::await_change())
-                    .map_err(|e| finalizer::Error::<ControllerError>::CleanupFailed(e.into()))
+                trustee::delete_secret(kube_client, id).await.map_err(|e| {
+                    finalizer::Error::<ControllerError>::CleanupFailed(
+                        anyhow!("failed to delete secret for machine {id}: {e}").into(),
+                    )
+                })?;
+                Ok(Action::await_change())
             }
         }
     })