feat(test): add integration tests

Integration tests for trustee_quadlet and secret_registration_server.

Signed-off-by: Li Tian <litian@redhat.com>

Author: litian1992

.ansible-lint

@@ -21,6 +21,6 @@ exclude_paths:
   - .markdownlint.yaml
   - examples/roles/
 mock_roles:
-  - linux-system-roles.trustee_server
+  - linux-system-roles.trustee_attestation_server
 supported_ansible_also:
   - "2.14.0"

README.md

@@ -1,10 +1,10 @@
-# trustee_server
+# trustee_attestation_server
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml)
 
-![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg)
+![trustee_attestation_server](https://github.com/linux-system-roles/trustee_attestation_server/workflows/tox/badge.svg)
 
-An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs).
+An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, AS, RVPS) for workloads running in Trusted Execution Environments (TEEs).
 
 ## Features
 
@@ -22,27 +22,21 @@ An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/a
 ansible-galaxy collection install -r meta/collection-requirements.yml
 ```
 
-### Managed node
-
-- Fedora or RHEL 9+
-- Podman
-- Python 3
-
 ## Example Playbook
 
 ```yaml
 - name: Deploy Trustee Server
   hosts: all
   vars:
-    trustee_server_trustee: true
-    trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
-    trustee_server_quadlet_repo_path: "quadlet"
-    trustee_server_quadlet_repo_branch: "main"
-    trustee_server_quadlet_install_dir: "/etc/containers/systemd"
-    trustee_server_secret_registration_server_enabled: true
-    trustee_server_secret_registration_listen_port: 8081
+    trustee_attestation_server_trustee: true
+    trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+    trustee_attestation_server_quadlet_repo_path: "quadlet"
+    trustee_attestation_server_quadlet_repo_branch: "main"
+    trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd"
+    trustee_attestation_server_secret_registration_enabled: true
+    trustee_attestation_server_secret_registration_listen_port: 8081
   roles:
-    - linux-system-roles.trustee_server
+    - linux-system-roles.trustee_attestation_server
 ```
 
 More examples are in the [`examples/`](examples) directory.
@@ -52,9 +46,9 @@ More examples are in the [`examples/`](examples) directory.
 When enabled, the role:
 
 1. Downloads the Podman Quadlets from designated repo
-2. Generates all required certficates of Trustee server components
+2. Generates all required certificates of Trustee server components
 3. Add KBS port 8080 to firewalld
-3. Enables the services by default
+4. Enables the services by default
 
 Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment.
 

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the trustee_server Linux System Role
+# Contributing to the trustee_attestation_server Linux System Role
 
 ## Where to start
 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/trustee_server/issues).
+[Github Issues](https://github.com/linux-system-roles/trustee_attestation_server/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/trustee_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_server), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_server), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
 
 ## Running CI Tests Locally

defaults/main.yml

@@ -4,12 +4,12 @@
 # This file also serves as a documentation for such a variables.
 
 # Trustee Server Components Quadlet repository configuration
-trustee_server_trustee: true
-trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
-trustee_server_quadlet_repo_path: "quadlet"
-trustee_server_quadlet_repo_branch: "main"
-trustee_server_quadlet_install_dir: "/etc/containers/systemd"
+trustee_attestation_server_trustee: true
+trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+trustee_attestation_server_quadlet_repo_path: "quadlet"
+trustee_attestation_server_quadlet_repo_branch: "main"
+trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd"
 
 # Secret registration server service configuration
-trustee_server_secret_registration_server_enabled: false
-trustee_server_secret_registration_listen_port: 8081
+trustee_attestation_server_secret_registration_enabled: false
+trustee_attestation_server_secret_registration_listen_port: 8081

examples/simple.yml

@@ -3,11 +3,11 @@
 - name: Deploy Trustee Server Components using Podman Quadlets from GitHub repository
   hosts: all
   vars:
-    trustee_server_trustee: true
-    trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
-    trustee_server_quadlet_repo_path: "quadlet"
-    trustee_server_quadlet_repo_branch: "main"
-    trustee_server_quadlet_install_dir: "/etc/containers/systemd"
-    trustee_server_secret_registration_server_enabled: false
+    trustee_attestation_server_trustee: true
+    trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+    trustee_attestation_server_quadlet_repo_path: "quadlet"
+    trustee_attestation_server_quadlet_repo_branch: "main"
+    trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd"
+    trustee_attestation_server_secret_registration_enabled: false
   roles:
-    - linux-system-roles.trustee-server
+    - linux-system-roles.trustee_attestation_server

plans/README-plans.md

@@ -1,6 +1,6 @@
 # Introduction CI Testing Plans
 
-Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) GitHub workflow.
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) GitHub workflow.
 
 The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
 `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`.
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps:
 2. Does the required preparation on systems.
 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
 
-The [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
 This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
 
 ## Running Tests
@@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm.
     $ TESTING_FARM_API_TOKEN=<your_api_token> \
         testing-farm request --pipeline-type="tmt-multihost" \
         --plan-filter="tag:playbooks_parallel" \
-        --git-url "https://github.com/<my_user>/trustee_server" \
+        --git-url "https://github.com/<my_user>/trustee_attestation_server" \
         --git-ref "<my_branch>" \
         --compose CentOS-Stream-9 \
         -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \

tasks/main.yml

@@ -6,7 +6,7 @@
 # Examples of some tasks:
 - name: Deploy Trustee Server Components using Podman Quadlets
   include_tasks: trustee_quadlet.yml
-  when: trustee_server_trustee | bool
+  when: trustee_attestation_server_trustee | bool
 
 - name: Deploy Secret Registration Server Service
   include_tasks: secret_registration_server.yml

tasks/secret_registration_server.yml

@@ -6,9 +6,9 @@
 
 - name: Ensure secret registration server dependencies are installed
   ansible.builtin.package:
-    name: "{{ __trustee_server_secret_registration_packages }}"
+    name: "{{ __trustee_attestation_server_secret_registration_packages }}"
     state: present
-    use: "{{ (__trustee_server_is_ostree | d(false)) |
+    use: "{{ (__trustee_attestation_server_is_ostree | d(false)) |
           ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
 - name: Deploy secret registration server script
@@ -30,7 +30,7 @@
 
 - name: Allow secret registration server port in firewall
   ansible.posix.firewalld:
-    port: "{{ trustee_server_secret_registration_listen_port }}/tcp"
+    port: "{{ trustee_attestation_server_secret_registration_listen_port }}/tcp"
     permanent: true
     immediate: true
     state: enabled

tasks/set_vars.yml

@@ -1,12 +1,12 @@
 ---
 - name: Ensure ansible_facts used by role
   setup:
-    gather_subset: "{{ __trustee_server_required_facts_subsets }}"
-  when: __trustee_server_required_facts |
+    gather_subset: "{{ __trustee_attestation_server_required_facts_subsets }}"
+  when: __trustee_attestation_server_required_facts |
     difference(ansible_facts.keys() | list) | length > 0
 
 - name: Determine if system is ostree and set flag
-  when: not __trustee_server_is_ostree is defined
+  when: not __trustee_attestation_server_is_ostree is defined
   block:
     - name: Check if system is ostree
       stat:
@@ -15,7 +15,7 @@
 
     - name: Set flag to indicate system is ostree
       set_fact:
-        __trustee_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
+        __trustee_attestation_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 
 - name: Set platform/version specific variables
   include_vars: "{{ __vars_file }}"

tasks/trustee_quadlet.yml

@@ -2,34 +2,34 @@
 ---
 - name: Ensure required packages are installed
   ansible.builtin.package:
-    name: "{{ __trustee_server_trustee_packages }}"
+    name: "{{ __trustee_attestation_server_trustee_packages }}"
     state: present
-    use: "{{ (__trustee_server_is_ostree | d(false)) |
+    use: "{{ (__trustee_attestation_server_is_ostree | d(false)) |
           ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
 - name: Ensure quadlet install directory exists
   ansible.builtin.file:
-    path: "{{ trustee_server_quadlet_install_dir }}"
+    path: "{{ trustee_attestation_server_quadlet_install_dir }}"
     state: directory
     mode: "0755"
 
 - name: Create a temporary directory for the quadlet repository
   ansible.builtin.tempfile:
     state: directory
-  register: __trustee_server_quadlet_repo_dir
+  register: __trustee_attestation_server_quadlet_repo_dir
 
 - name: Download Trustee Server quadlet files from GitHub repository
   ansible.builtin.git:
-    repo: "{{ trustee_server_quadlet_repo_url }}"
-    dest: "{{ __trustee_server_quadlet_repo_dir.path }}"
-    version: "{{ trustee_server_quadlet_repo_branch }}"
+    repo: "{{ trustee_attestation_server_quadlet_repo_url }}"
+    dest: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}"
+    version: "{{ trustee_attestation_server_quadlet_repo_branch }}"
     depth: 1
     force: true
   register: quadlet_repo_download
 
 - name: Find Trustee Server quadlet files in repository
   ansible.builtin.find:
-    paths: "{{ __trustee_server_quadlet_repo_dir.path }}/{{ trustee_server_quadlet_repo_path }}"
+    paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ trustee_attestation_server_quadlet_repo_path }}"
     patterns:
       - "*.container"
       - "*.volume"
@@ -40,13 +40,13 @@
 
 - name: Fail if no Trustee Server quadlet files found
   ansible.builtin.fail:
-    msg: "No quadlet files found in {{ trustee_server_quadlet_repo_url }}/{{ trustee_server_quadlet_repo_path }}"
+    msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_repo_url }}/{{ trustee_attestation_server_quadlet_repo_path }}"
   when: quadlet_files_found.files | length == 0
 
 - name: Copy Trustee Server quadlet files to install directory
   ansible.builtin.copy:
     src: "{{ item.path }}"
-    dest: "{{ trustee_server_quadlet_install_dir }}/{{ item.path | basename }}"
+    dest: "{{ trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}"
     mode: "0644"
     remote_src: true
     force: true
@@ -55,12 +55,12 @@
 
 - name: Stat repository configs directory
   ansible.builtin.stat:
-    path: "{{ __trustee_server_quadlet_repo_dir.path }}/configs"
+    path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs"
   register: __repo_configs_dir
 
 - name: Copy Trustee Server config files to /etc/trustee/
   ansible.builtin.copy:
-    src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/"
+    src: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs/"
     dest: /etc/trustee/
     mode: "0644"
     remote_src: true
@@ -108,7 +108,7 @@
 
 - name: Get the installed Trustee Server pod name
   ansible.builtin.find:
-    paths: "{{ trustee_server_quadlet_install_dir }}"
+    paths: "{{ trustee_attestation_server_quadlet_install_dir }}"
     patterns: "*.pod"
   register: __trustee_attestation_server_pod_name
 
@@ -124,5 +124,5 @@
 
 - name: Clean up temporary repository directory
   ansible.builtin.file:
-    path: "{{ __trustee_server_quadlet_repo_dir.path }}"
+    path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}"
     state: absent