From 1a6982d472a2b4e22cfaf69690b2e2ae064b6138 Mon Sep 17 00:00:00 2001 From: Li Tian Date: Sat, 7 Mar 2026 09:36:41 +0800 Subject: [PATCH 1/5] feat(trustee_quadlet): add Trustee quadlet deployment The deployment of Trustee server includes quadlet and associated configurations. Signed-off-by: Li Tian --- README.md | 27 ++-- defaults/main.yml | 23 +++- examples/simple.yml | 12 +- handlers/main.yml | 4 +- meta/main.yml | 12 +- plans/README-plans.md | 4 + tasks/main.yml | 25 +--- tasks/secret_registration_service.yml | 2 + tasks/set_vars.yml | 8 +- tasks/trustee_quadlet.yml | 124 ++++++++++++++++++ templates/foo.conf.j2 | 9 -- .../defaults | 0 .../handlers | 0 .../meta | 0 .../tasks | 0 .../templates | 0 .../vars | 0 tests/setup-snapshot.yml | 4 +- tests/tests_default.yml | 4 +- tests/tests_include_vars_from_parent.yml | 2 +- tests/vars/rh_distros_vars.yml | 2 +- vars/Fedora.yml | 4 +- vars/RedHat_10.yml | 4 +- vars/RedHat_7.yml | 4 +- vars/RedHat_8.yml | 4 +- vars/RedHat_9.yml | 4 +- vars/main.yml | 22 ++-- 27 files changed, 213 insertions(+), 91 deletions(-) create mode 100644 tasks/secret_registration_service.yml create mode 100644 tasks/trustee_quadlet.yml delete mode 100644 templates/foo.conf.j2 rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/defaults (100%) rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/handlers (100%) rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/meta (100%) rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/tasks (100%) rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/templates (100%) rename tests/roles/{linux-system-roles.template => linux-system-roles.trustee_server}/vars (100%) diff --git a/README.md b/README.md index 0e7803c..5fa8964 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,9 @@ -# Role Name +# trustee_server [![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml) +![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg) -![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg) - -A template for an ansible role that configures some GNU/Linux subsystem or +A trustee_server for an ansible role that configures some GNU/Linux subsystem or service. A brief description of the role goes here. ## Requirements @@ -34,12 +33,12 @@ A description of all input variables (i.e. variables that are defined in `defaults/main.yml`) for the role should go here as these form an API of the role. Each variable should have its own section e.g. -### template_foo +### trustee_server_foo This variable is required. It is a string that lists the foo of the role. There is no default value. -### template_bar +### trustee_server_bar This variable is optional. It is a boolean that tells the role to disable bar. The default value is `true`. @@ -53,8 +52,8 @@ the lifetime. Example of setting the variables: ```yaml -template_foo: "oof" -template_bar: false +trustee_server_foo: "oof" +trustee_server_bar: false ``` ## Variables Exported by the Role 
@@ -63,12 +62,12 @@ This section is optional. Some roles may export variables for playbooks to use later. These are analogous to "return values" in Ansible modules. For example, if a role performs some action that will require a system reboot, but the user wants to defer the reboot, the role might set a variable like -`template_reboot_needed: true` that the playbook can use to reboot at a more +`trustee_server_reboot_needed: true` that the playbook can use to reboot at a more convenient time. Example: -### template_reboot_needed +### trustee_server_reboot_needed Default `false` - if `true`, this means a reboot is needed to apply the changes made by the role @@ -79,13 +78,13 @@ Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: ```yaml -- name: Manage the template subsystem +- name: Manage the trustee_server subsystem hosts: all vars: - template_foo: "foo foo!" - template_bar: false + trustee_server_foo: "foo foo!" + trustee_server_bar: false roles: - - linux-system-roles.template + - linux-system-roles.trustee_server ``` More examples can be provided in the [`examples/`](examples) directory. These diff --git a/defaults/main.yml b/defaults/main.yml index 6944529..240e5e6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -3,6 +3,23 @@
 # Here is the right place to put the role's input variables.
 # This file also serves as a documentation for such a variables.
 
-# Examples of role input variables:
-template_foo: foo
-template_bar: true
+# Trustee Server Components Quadlet repository configuration
+trustee_server_trustee: true
+trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+trustee_server_quadlet_repo_path: "quadlet"
+trustee_server_quadlet_repo_branch: "main"
+trustee_server_quadlet_install_dir: "/etc/containers/systemd"
+trustee_attestation_server_config_dir: "/etc/trustee"
+
+# Secret registration service configuration
+trustee_server_secret_registration_service_enabled: false
+
+# SSL certificate generation (used with -config trustee_server.conf)
+trustee_server_ssl_bits: 4096
+trustee_server_ssl_md: sha256
+trustee_server_ssl_days: 3650
+trustee_server_ssl_cn: trustee-server
+trustee_server_ssl_org: Trustee
+trustee_server_ssl_country: US
+trustee_server_ssl_cert_path: /etc/trustee/kbs/server.crt
+trustee_server_ssl_key_path: /etc/trustee/kbs/server.key
\ No newline at end of file
diff --git a/examples/simple.yml b/examples/simple.yml
index 4f1456e..539bb93 100644
--- a/examples/simple.yml
+++ b/examples/simple.yml
@@ -1,9 +1,13 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Example template role invocation
+- name: Deploy Trustee Server Components using Podman Quadlets from GitHub repository
   hosts: all
   vars:
-    template_foo: example variable value
-    template_bar: false
+    trustee_server_trustee: true
+    trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+    trustee_server_quadlet_repo_path: "quadlet"
+    trustee_server_quadlet_repo_branch: "main"
+    trustee_server_quadlet_install_dir: "/etc/containers/systemd"
+    trustee_server_secret_registration_service_enabled: false
   roles:
-    - linux-system-roles.template
+    - linux-system-roles.trustee-server
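Review bot: `trustee_server_quadlet_repo_url` defaults to a personal GitHub repository and `trustee_server_quadlet_repo_branch` to a floating `main`; tasks/trustee_quadlet.yml in this patch copies whatever that branch contains into `/etc/containers/systemd` and `/etc/trustee` and starts it as root-owned systemd units, so the role's effective trust boundary is push access to that account. Consider documenting that operators should point these at a source they control and pin `trustee_server_quadlet_repo_branch` to a tag or commit (the `ansible.builtin.git` `version` argument accepts either), e.g. `# Pin to a release tag or commit SHA rather than a moving branch` above the branch default. The `trustee_server_ssl_*` block is dead as of this patch: the certificate task hardcodes `-days 3550` and `/O=Red Hat` and reads none of these variables, and the referenced `trustee_server.conf` does not exist (patch 2/5 deletes the block again). `trustee_attestation_server_config_dir` is the only public variable without the `trustee_server_` prefix, which ansible-lint's role-prefix rule will flag.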
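Review bot: The role reference `linux-system-roles.trustee-server` uses a hyphen while every other rename in this patch (README, meta, the tests/roles/linux-system-roles.trustee_server directory, tests_default.yml) uses `trustee_server`, so this example fails with a role-not-found error; change it to `- linux-system-roles.trustee_server`. The same line survives unchanged in the examples/simple.yml hunk of patch 2/5.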
diff --git a/handlers/main.yml b/handlers/main.yml index 726022e..15d4bb3 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: MIT --- -- name: Handler for template to restart services +- name: Handler for trustee_server to restart services service: name: "{{ item }}" state: restarted - loop: "{{ __template_services }}" + loop: "{{ __trustee_server_services }}" diff --git a/meta/main.yml b/meta/main.yml index c80d1e0..e0f4056 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,9 +1,9 @@ # SPDX-License-Identifier: MIT --- galaxy_info: - author: John Doe - description: Basic template for Linux system roles - company: John Doe, Inc. + author: Li Tian + description: Deploy Trustee Server Components using Podman Quadlets from GitHub repository + company: Red Hat, Inc. license: MIT min_ansible_version: "2.9" platforms: @@ -14,13 +14,15 @@ galaxy_info: versions: - "9" galaxy_tags: + - trustee + - attestation - el9 - el10 - fedora # Support running this role in system container environments, and enable # tests. Remove if not applicable. - - container + # - container # Support running this role during container builds (mostly useful for # bootc), and enable tests. Remove if not applicable. - - containerbuild + # - containerbuild dependencies: [] diff --git a/plans/README-plans.md b/plans/README-plans.md index d6d732a..70ef2c2 100644 --- a/plans/README-plans.md +++ b/plans/README-plans.md @@ -47,7 +47,11 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm. $ TESTING_FARM_API_TOKEN= \ testing-farm request --pipeline-type="tmt-multihost" \ --plan-filter="tag:playbooks_parallel" \ +<<<<<<< HEAD --git-url "https://github.com//trustee_attestation_server" \ +======= + --git-url "https://github.com//trustee_server" \ +>>>>>>> 4efcd62 (feat(trustee_quadlet): add Trustee quadlet deployment) --git-ref "" \ --compose CentOS-Stream-9 \ -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \ 
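Review bot: The plans/README-plans.md hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 4efcd62 (...)`) into the documented `testing-farm request` command, so the snippet is neither valid markdown nor copy-pasteable. Resolve it to a single `--git-url` line; the badges in README.md point at `linux-system-roles/trustee_attestation_server`, which suggests the HEAD side, but whichever name is kept the markers must go.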
diff --git a/tasks/main.yml b/tasks/main.yml
index 6eb72a5..f6ff8a9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,24 +4,11 @@
   include_tasks: tasks/set_vars.yml
 
 # Examples of some tasks:
-- name: Ensure required packages are installed
-  package:
-    name: "{{ __template_packages }}"
-    state: present
-    use: "{{ (__template_is_ostree | d(false)) |
-      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+- name: Deploy Trustee Server Components using Podman Quadlets
+  include_tasks: trustee_quadlet.yml
+  when: trustee_server_trustee | bool
 
-- name: Ensure required services are enabled and started
-  service:
-    name: "{{ item }}"
-    state: started
-    enabled: true
-  loop: "{{ __template_services }}"
+- name: Create Secret Registration Service
+  include_tasks: secret_registration_service.yml
+  when: trustee_server_secret_registration_service_enabled | bool
 
-- name: Generate /etc/{{ __template_foo_config }}
-  template:
-    src: "{{ __template_foo_config }}.j2"
-    dest: /etc/{{ __template_foo_config }}
-    backup: true
-    mode: "0400"
-  notify: Handler for template to restart services
diff --git a/tasks/secret_registration_service.yml b/tasks/secret_registration_service.yml
new file mode 100644
index 0000000..496fcc3
--- /dev/null
+++ b/tasks/secret_registration_service.yml
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: MIT
+---
\ No newline at end of file
diff --git a/tasks/set_vars.yml b/tasks/set_vars.yml
index c1ef3f6..641c518 100644
--- a/tasks/set_vars.yml
+++ b/tasks/set_vars.yml
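Review bot: Removing the template task also removes the only `notify`, so `Handler for trustee_server to restart services` in handlers/main.yml (renamed in this same patch) can no longer fire and `__trustee_server_services` is read only by that dead handler. Either drop the handler or have the new include notify it. The retained `# Examples of some tasks:` comment is now misleading, since the two includes below it are the real work of the role; `# Deploy the selected Trustee components` would describe them.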
@@ -1,12 +1,12 @@ --- - name: Ensure ansible_facts used by role setup: - gather_subset: "{{ __template_required_facts_subsets }}" - when: __template_required_facts | + gather_subset: "{{ __trustee_server_required_facts_subsets }}" + when: __trustee_server_required_facts | difference(ansible_facts.keys() | list) | length > 0 - name: Determine if system is ostree and set flag - when: not __template_is_ostree is defined + when: not __trustee_server_is_ostree is defined block: - name: Check if system is ostree stat: @@ -15,7 +15,7 @@ - name: Set flag to indicate system is ostree set_fact: - __template_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" + __trustee_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" - name: Set platform/version specific variables include_vars: "{{ __vars_file }}" diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml new file mode 100644 index 0000000..b473cca --- /dev/null +++ b/tasks/trustee_quadlet.yml 
@@ -0,0 +1,124 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure required packages are installed
+  ansible.builtin.package:
+    name: "{{ __trustee_server_trustee_packages }}"
+    state: present
+    use: "{{ (__trustee_server_is_ostree | d(false)) |
+      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+
+- name: Ensure quadlet install directory exists
+  ansible.builtin.file:
+    path: "{{ trustee_server_quadlet_install_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: Create a temporary directory for the quadlet repository
+  ansible.builtin.tempfile:
+    state: directory
+  register: __trustee_server_quadlet_repo_dir
+
+- name: Download Trustee Server quadlet files from GitHub repository
+  ansible.builtin.git:
+    repo: "{{ trustee_server_quadlet_repo_url }}"
+    dest: "{{ __trustee_server_quadlet_repo_dir.path }}"
+    version: "{{ trustee_server_quadlet_repo_branch }}"
+    depth: 1
+    force: true
+  register: quadlet_repo_download
+
+- name: Find Trustee Server quadlet files in repository
+  ansible.builtin.find:
+    paths: "{{ __trustee_server_quadlet_repo_dir.path }}/{{ trustee_server_quadlet_repo_path }}"
+    patterns:
+      - "*.container"
+      - "*.volume"
+      - "*.network"
+      - "*.pod"
+    recurse: false
+  register: quadlet_files_found
+
+- name: Fail if no Trustee Server quadlet files found
+  ansible.builtin.fail:
+    msg: "No quadlet files found in {{ trustee_server_quadlet_repo_url }}/{{ trustee_server_quadlet_repo_path }}"
+  when: quadlet_files_found.files | length == 0
+
+- name: Copy Trustee Server quadlet files to install directory
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "{{ trustee_server_quadlet_install_dir }}/{{ item.path | basename }}"
+    mode: "0644"
+    remote_src: true
+    force: true
+  loop: "{{ quadlet_files_found.files }}"
+  register: quadlet_files_copied
+
+- name: Stat repository configs directory
+  ansible.builtin.stat:
+    path: "{{ __trustee_server_quadlet_repo_dir.path }}/configs"
+  register: __repo_configs_dir
+
+- name: Copy Trustee Server config files to config directory
+  ansible.builtin.copy:
+    src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/"
+    dest: "{{ trustee_attestation_server_config_dir }}/"
+    mode: "0644"
+    remote_src: true
+    force: true
+  when: __repo_configs_dir.stat.exists
+
+- name: Generate certificates for all components
+  ansible.builtin.shell: |
+    # Trustee Server SSL
+    if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ]; then
+      openssl req -new -x509 -nodes -sha256 -days 3550 \
+        -subj "/CN=$(hostname -f)/O=Red Hat" \
+        -out {{ trustee_attestation_server_config_dir }}/kbs/server.crt -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key
+    fi
+    # KBS authentication key pair
+    if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then
+      openssl genpkey -algorithm ed25519 -out {{ trustee_attestation_server_config_dir }}/kbs/auth.key
+      openssl pkey -in {{ trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ trustee_attestation_server_config_dir }}/kbs/auth.pub
+    fi
+    # Attestation Service token signer key pair
+    if [ ! -f {{ trustee_attestation_server_config_dir }}/as/token.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/as/token.crt ]; then
+      openssl ecparam -name prime256v1 -genkey -noout -out {{ trustee_attestation_server_config_dir }}/as/token.key
+      openssl req -new -x509 -key {{ trustee_attestation_server_config_dir }}/as/token.key \
+        -out {{ trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \
+        -subj "/CN=as-token-signer/O=Red Hat"
+      mkdir -p {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs
+      cp {{ trustee_attestation_server_config_dir }}/as/token.crt {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt
+    fi
+
+- name: Gather service facts
+  ansible.builtin.service_facts:
+
+- name: Allow port 8080 in firewall
+  ansible.posix.firewalld:
+    port: "8080/tcp"
+    permanent: true
+    immediate: true
+    state: enabled
+  when: ansible_facts.services['firewalld.service'].state == 'running'
+
+- name: Get the installed Trustee Server pod name
+  ansible.builtin.find:
+    paths: "{{ trustee_server_quadlet_install_dir }}"
+    patterns: "*.pod"
+  register: trustee_server_pod_name
+
+- name: Enable and start Trustee Server services
+  ansible.builtin.systemd:
+    name: "{{ trustee_server_pod_name.files[0].path | basename | regex_replace('\\.pod$', '') }}-pod.service"
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  when: trustee_server_pod_name.files | length > 0
+  failed_when: false
+
+# TODO keep the server.crt and DNS names in the role variables
+
+- name: Clean up temporary repository directory
+  ansible.builtin.file:
+    path: "{{ __trustee_server_quadlet_repo_dir.path }}"
+    state: absent
\ No newline at end of file
diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2
deleted file mode 100644
index 5fc204b..0000000
--- a/templates/foo.conf.j2
+++ /dev/null
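Review bot: The `Generate certificates for all components` shell task creates long-lived private keys (`kbs/server.key`, `kbs/auth.key`, `as/token.key`) with `openssl genpkey`/`ecparam`/`req -keyout`, which inherit the process umask, and no later task sets their mode, so under the usual 022 umask they are likely world-readable; add `umask 077` as the first line of the script or follow it with an `ansible.builtin.file` loop setting `mode: "0600"` on those three paths. `failed_when: false` on `Enable and start Trustee Server services` turns a pod that fails to start into a green run; drop it and let the systemd module report the error. `when: ansible_facts.services['firewalld.service'].state == 'running'` raises on hosts where firewalld is not installed — patch 2/5 writes the equivalent check in tasks/secret_registration_server.yml as `(ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'`, and this task should use the same form. The shell task also has no `changed_when`, so every run reports a change, and `-days 3550` ignores the `trustee_server_ssl_days` default added in the same patch. Patch 2/5's diffstat lists 32 changed lines in this file that are outside this chunk, so some of this may already be addressed there.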
@@ -1,9 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# Example of a template of configuration file -# -{{ ansible_managed | comment }} -{{ "system_role:template" | comment(prefix="", postfix="") }} -[foo] -foo = {{ template_foo }} -bar = {{ template_bar }} diff --git a/tests/roles/linux-system-roles.template/defaults b/tests/roles/linux-system-roles.trustee_server/defaults similarity index 100% rename from tests/roles/linux-system-roles.template/defaults rename to tests/roles/linux-system-roles.trustee_server/defaults diff --git a/tests/roles/linux-system-roles.template/handlers b/tests/roles/linux-system-roles.trustee_server/handlers similarity index 100% rename from tests/roles/linux-system-roles.template/handlers rename to tests/roles/linux-system-roles.trustee_server/handlers diff --git a/tests/roles/linux-system-roles.template/meta b/tests/roles/linux-system-roles.trustee_server/meta similarity index 100% rename from tests/roles/linux-system-roles.template/meta rename to tests/roles/linux-system-roles.trustee_server/meta diff --git a/tests/roles/linux-system-roles.template/tasks b/tests/roles/linux-system-roles.trustee_server/tasks similarity index 100% rename from tests/roles/linux-system-roles.template/tasks rename to tests/roles/linux-system-roles.trustee_server/tasks diff --git a/tests/roles/linux-system-roles.template/templates b/tests/roles/linux-system-roles.trustee_server/templates similarity index 100% rename from tests/roles/linux-system-roles.template/templates rename to tests/roles/linux-system-roles.trustee_server/templates diff --git a/tests/roles/linux-system-roles.template/vars b/tests/roles/linux-system-roles.trustee_server/vars similarity index 100% rename from tests/roles/linux-system-roles.template/vars rename to tests/roles/linux-system-roles.trustee_server/vars diff --git a/tests/setup-snapshot.yml b/tests/setup-snapshot.yml index a7704df..9c7629e 100644 --- a/tests/setup-snapshot.yml +++ b/tests/setup-snapshot.yml 
@@ -4,11 +4,11 @@ tasks: - name: Set platform/version specific variables include_role: - name: linux-system-roles.template + name: linux-system-roles.trustee_server tasks_from: set_vars.yml public: true - name: Install test packages package: - name: "{{ __template_packages }}" + name: "{{ __trustee_server_packages }}" state: present diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 4457422..1a64cfd 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -4,10 +4,10 @@ hosts: all gather_facts: false # test that role works in this case roles: - - linux-system-roles.template + - linux-system-roles.trustee_server tasks: - name: Check header for ansible_managed, fingerprint include_tasks: tasks/check_header.yml vars: __file: /etc/foo.conf - __fingerprint: system_role:template + __fingerprint: system_role:trustee_server diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml index 02b7831..f91ef14 100644 --- a/tests/tests_include_vars_from_parent.yml +++ b/tests/tests_include_vars_from_parent.yml @@ -44,7 +44,7 @@ import_role: name: caller vars: - roletoinclude: linux-system-roles.template + roletoinclude: linux-system-roles.trustee_server - name: Cleanup file: diff --git a/tests/vars/rh_distros_vars.yml b/tests/vars/rh_distros_vars.yml index 4347b7e..9113bd7 100644 --- a/tests/vars/rh_distros_vars.yml +++ b/tests/vars/rh_distros_vars.yml @@ -1,7 +1,7 @@ # vars for handling conditionals for RedHat and clones # DO NOT EDIT - file is auto-generated # repo is https://github.com/linux-system-roles/.github -# file is playbooks/templates/tests/vars/rh_distros_vars.yml +# file is playbooks/trustee_servers/tests/vars/rh_distros_vars.yml --- # Ansible distribution identifiers that the role treats like RHEL __trustee_attestation_server_rh_distros: diff --git a/vars/Fedora.yml b/vars/Fedora.yml index a783f79..c483078 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml 
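Review bot: `{{ __trustee_server_packages }}` in tests/setup-snapshot.yml is undefined after this patch: vars/main.yml renames the list to `__trustee_server_trustee_packages` and every vars/*.yml file drops its `__template_packages` line without a replacement, so the snapshot setup fails on an undefined variable. Use `name: "{{ __trustee_server_trustee_packages }}"` here, or keep a `__trustee_server_packages` definition in vars/main.yml.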
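Review bot: tests/tests_default.yml still asserts an `ansible_managed` header on `/etc/foo.conf` with fingerprint `system_role:trustee_server`, but this patch removes the task that rendered that file from tasks/main.yml and deletes templates/foo.conf.j2, so the default test can no longer pass. Replace the `check_header.yml` include with an assertion on what the role now produces, for example that `trustee_server_quadlet_install_dir` contains at least one `*.pod` file after the role runs.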
@@ -2,6 +2,4 @@ --- # Put internal variables here with Fedora specific values. -# Example: -__template_packages: [] -__template_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml index c1a73a0..72ba4f9 100644 --- a/vars/RedHat_10.yml +++ b/vars/RedHat_10.yml @@ -2,6 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 10 specific values. -# Example: -__template_packages: [] -__template_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 3815df4..f14c4dc 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -2,6 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 7 specific values. -# Example: -__template_packages: [] -__template_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index 954bf90..cb1472c 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -2,6 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 8 specific values. -# Example: -__template_packages: [] -__template_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index b367bff..c105b57 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -2,6 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 9 specific values. -# Example: -__template_packages: [] -__template_services: [] +__trustee_server_services: [] diff --git a/vars/main.yml b/vars/main.yml index 9de2f49..b47291b 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -5,11 +5,13 @@ # value in a platform/version specific file in vars/ # Examples of non-distribution specific (generic) internal variables: -__template_foo_config: foo.conf -__template_packages: [] -__template_services: [] +__trustee_server_foo_config: foo.conf +__trustee_server_trustee_packages: + - podman + - git +__trustee_server_services: [] # ansible_facts required by the role -__template_required_facts: +__trustee_server_required_facts: - distribution - distribution_major_version - distribution_version @@ -17,23 +19,23 @@ __template_required_facts: # the subsets of ansible_facts that need to be gathered in case any of the # facts in required_facts is missing; see the documentation of # the 'gather_subset' parameter of the 'setup' module -__template_required_facts_subsets: "{{ ['!all', '!min'] + - __template_required_facts }}" +__trustee_server_required_facts_subsets: "{{ ['!all', '!min'] + + __trustee_server_required_facts }}" # BEGIN - DO NOT EDIT THIS BLOCK - rh distros variables # Ansible distribution identifiers that the role treats like RHEL -__template_rh_distros: +__trustee_server_rh_distros: - AlmaLinux - CentOS - RedHat - Rocky # Same as above but includes Fedora -__template_rh_distros_fedora: "{{ __template_rh_distros + ['Fedora'] }}" +__trustee_server_rh_distros_fedora: "{{ __trustee_server_rh_distros + ['Fedora'] }}" # Use this in conditionals to check if distro is Red Hat or clone -__template_is_rh_distro: "{{ ansible_facts['distribution'] in __template_rh_distros }}" +__trustee_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros }}" # Use this in conditionals to check if distro is Red Hat or clone, or Fedora -__template_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __template_rh_distros_fedora }}" +__trustee_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros_fedora }}" # END - DO NOT EDIT THIS BLOCK - rh distros variables 
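Review bot: `__trustee_server_foo_config: foo.conf` is dead after this patch — the template task that used it is removed from tasks/main.yml and templates/foo.conf.j2 is deleted — and can go, together with the `# Examples of non-distribution specific (generic) internal variables:` comment, which now sits over real variables. `__trustee_server_trustee_packages` would benefit from a one-line comment such as `# git is only needed to clone the quadlet repository at run time`, since a reader would not otherwise expect a VCS client among a server role's dependencies.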
From 769f335bfde142bb7a1db27b96c361d058b19372 Mon Sep 17 00:00:00 2001 From: Li Tian Date: Mon, 9 Mar 2026 15:14:15 +0800 Subject: [PATCH 2/5] feat(secret_registration_server): add secret registration server service The secret registration server service is an HTTPS server. It receives only request from the counterpart secret registration client service. It creates a disk encryption key along with resource policy tied to PCR15 of the client. Signed-off-by: Li Tian --- README.md | 114 +++++------ defaults/main.yml | 15 +- examples/simple.yml | 2 +- handlers/main.yml | 13 +- tasks/main.yml | 9 +- tasks/secret_registration_server.yml | 44 +++++ tasks/secret_registration_service.yml | 2 - tasks/trustee_quadlet.yml | 32 +-- templates/secret_registration_server.py.j2 | 185 ++++++++++++++++++ .../secret_registration_server.service.j2 | 28 +++ vars/main.yml | 2 + 11 files changed, 340 insertions(+), 106 deletions(-) create mode 100644 tasks/secret_registration_server.yml delete mode 100644 tasks/secret_registration_service.yml create mode 100644 templates/secret_registration_server.py.j2 create mode 100644 templates/secret_registration_server.service.j2 diff --git a/README.md b/README.md index 5fa8964..2241b8e 100644 --- a/README.md +++ b/README.md 
@@ -3,102 +3,76 @@ [![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml) ![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg) -A trustee_server for an ansible role that configures some GNU/Linux subsystem or -service. A brief description of the role goes here. +An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs). -## Requirements +## Features + +- **Trustee Server (Quadlet)**: Deploys Trustee Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS) using Podman Quadlets from a GitHub repository +- **Secret Registration Server**: HTTPS service that receives attestation-backed registration requests, verifies attestation, creates disk encryption keys, and stores them in Trustee KBS -Any prerequisites that may not be covered by Ansible itself or the role should -be mentioned here. This includes platform dependencies not managed by the -role, hardware requirements, external collections, etc. There should be a -distinction between *control node* requirements (like collections) and -*managed node* requirements (like special hardware, platform provisioning). 
+## Requirements -### Collection requirements +### Control node -For instance, if the role depends on some collections and has a -`meta/collection-requirements.yml` file for installing those dependencies, and -in order to manage `rpm-ostree` systems, it should be mentioned here that the - user should run +- Ansible 2.9 or later +- Install collection dependencies: ```bash -ansible-galaxy collection install -vv -r meta/collection-requirements.yml +ansible-galaxy collection install -r meta/collection-requirements.yml ``` -on the *control node* before using the role. - -## Role Variables - -A description of all input variables (i.e. variables that are defined in -`defaults/main.yml`) for the role should go here as these form an API of the -role. Each variable should have its own section e.g. - -### trustee_server_foo +### Managed node -This variable is required. It is a string that lists the foo of the role. -There is no default value. +- Fedora or RHEL 9+ +- Podman +- Python 3 -### trustee_server_bar - -This variable is optional. It is a boolean that tells the role to disable bar. -The default value is `true`. - -Variables that are not intended as input, like variables defined in -`vars/main.yml`, variables that are read from other roles and/or the global -scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in -mind that as these are probably not part of the role API they may change during -the lifetime. 
- -Example of setting the variables: +## Example Playbook ```yaml -trustee_server_foo: "oof" -trustee_server_bar: false +- name: Deploy Trustee Server + hosts: all + vars: + trustee_server_trustee: true + trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" + trustee_server_quadlet_repo_path: "quadlet" + trustee_server_quadlet_repo_branch: "main" + trustee_server_quadlet_install_dir: "/etc/containers/systemd" + trustee_server_secret_registration_server_enabled: true + trustee_server_secret_registration_listen_port: 8081 + roles: + - linux-system-roles.trustee_server ``` -## Variables Exported by the Role - -This section is optional. Some roles may export variables for playbooks to -use later. These are analogous to "return values" in Ansible modules. For -example, if a role performs some action that will require a system reboot, but -the user wants to defer the reboot, the role might set a variable like -`trustee_server_reboot_needed: true` that the playbook can use to reboot at a more -convenient time. +More examples are in the [`examples/`](examples) directory. -Example: +## Trustee Server -### trustee_server_reboot_needed +When enabled, the role: -Default `false` - if `true`, this means a reboot is needed to apply the changes -made by the role +1. Downloads the Podman Quadlets from designated repo +2. Generates all required certficates of Trustee server components +3. Add KBS port 8080 to firewalld +3. Enables the services by default -## Example Playbook - -Including an example of how to use your role (for instance, with variables -passed in as parameters) is always nice for users too: +Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment. -```yaml -- name: Manage the trustee_server subsystem - hosts: all - vars: - trustee_server_foo: "foo foo!" 
- trustee_server_bar: false - roles: - - linux-system-roles.trustee_server -``` +## Secret Registration Server -More examples can be provided in the [`examples/`](examples) directory. These -can be useful, especially for documentation. +When enabled, the secret registration server: -## rpm-ostree +1. Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (machine-id) +2. Verifies the attestation token (Azure TPM-based) +3. Creates a disk encryption key and stores it in Trustee KBS +4. Appends resource policy to `/etc/trustee/kbs/policy.rego` -See README-ostree.md +Clients can then fetch the key from Trustee CDH using attestation. ## License -Whenever possible, please prefer MIT. +MIT -## Author Information +## Author An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/defaults/main.yml b/defaults/main.yml index 240e5e6..f8ebab9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,15 +11,6 @@ trustee_server_quadlet_repo_branch: "main" trustee_server_quadlet_install_dir: "/etc/containers/systemd" trustee_attestation_server_config_dir: "/etc/trustee" -# Secret registration service configuration -trustee_server_secret_registration_service_enabled: false - -# SSL certificate generation (used with -config trustee_server.conf) -trustee_server_ssl_bits: 4096 -trustee_server_ssl_md: sha256 -trustee_server_ssl_days: 3650 -trustee_server_ssl_cn: trustee-server -trustee_server_ssl_org: Trustee -trustee_server_ssl_country: US -trustee_server_ssl_cert_path: /etc/trustee/kbs/server.crt -trustee_server_ssl_key_path: /etc/trustee/kbs/server.key \ No newline at end of file +# Secret registration server service configuration +trustee_server_secret_registration_server_enabled: false +trustee_server_secret_registration_listen_port: 8081 diff --git a/examples/simple.yml b/examples/simple.yml index 539bb93..ff3cebc 100644 --- a/examples/simple.yml +++ b/examples/simple.yml 
@@ -8,6 +8,6 @@
trustee_server_quadlet_repo_path: "quadlet"
trustee_server_quadlet_repo_branch: "main"
trustee_server_quadlet_install_dir: "/etc/containers/systemd"
- trustee_server_secret_registration_service_enabled: false
+ trustee_server_secret_registration_server_enabled: false
roles:
- linux-system-roles.trustee-server
diff --git a/handlers/main.yml b/handlers/main.yml
index 15d4bb3..b694c78 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,7 +1,14 @@
# SPDX-License-Identifier: MIT
---
-- name: Handler for trustee_server to restart services
- service:
+- name: Reload systemd daemon for trustee
+ ansible.builtin.systemd:
+ daemon_reload: true
+ listen: "restart trustee services"
+
+- name: Enable and restart trustee services
+ ansible.builtin.systemd:
name: "{{ item }}"
+ enabled: true
state: restarted
- loop: "{{ __trustee_server_services }}"
+ loop: "{{ __trustee_attestation_server_services | default([]) }}"
+ listen: "restart trustee services"
diff --git a/tasks/main.yml b/tasks/main.yml
index f6ff8a9..08a6257 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,7 +8,8 @@
include_tasks: trustee_quadlet.yml
when: trustee_server_trustee | bool
-- name: Create Secret Registration Service
- include_tasks: secret_registration_service.yml
- when: trustee_server_secret_registration_service_enabled | bool
-
+- name: Deploy Secret Registration Server Service
+ include_tasks: secret_registration_server.yml
+ when:
+ - trustee_attestation_server_secret_registration_enabled | bool
+ - trustee_attestation_server_trustee | bool
diff --git a/tasks/secret_registration_server.yml b/tasks/secret_registration_server.yml
new file mode 100644
index 0000000..2b5edff
--- /dev/null
+++ b/tasks/secret_registration_server.yml
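Review bot: `loop: "{{ __trustee_attestation_server_services | default([]) }}"` reads a list that is only ever built by `set_fact` in the task files, while `vars/main.yml` in this commit still defines `__trustee_server_services: []` (visible as context in its hunk further down), which nothing reads any more; rename or drop that entry so the two files agree. The `default([])` also covers a run in which no `set_fact` was reached, in which case the restart handler silently does nothing; that is acceptable for a notify-only handler, but a comment above the task, `# populated by tasks/*.yml via set_fact; empty when no service was deployed`, would make the contract explicit.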
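Review bot: The new `when` list tests `trustee_attestation_server_secret_registration_enabled` and `trustee_attestation_server_trustee`, but `defaults/main.yml` as changed in this commit defines `trustee_server_secret_registration_server_enabled` and `trustee_server_trustee` (the README example and `examples/simple.yml` use those names too), so with role defaults this include fails on an undefined variable. The later commit in this series renames the defaults to the `trustee_attestation_server_` prefix, which resolves it, but each commit should be consistent on its own: either keep `- trustee_server_secret_registration_server_enabled | bool` / `- trustee_server_trustee | bool` here or rename the defaults in the same change.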
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: MIT
+---
+# Secret registration server: receives client requests with Trustee attestation,
+# and client ID (machine-id), creates disk encryption keys and stores them in KBS.
+# Requires Trustee (trustee_quadlet) to be deployed.
+
+- name: Ensure secret registration server dependencies are installed
+ ansible.builtin.package:
+ name: "{{ __trustee_server_secret_registration_packages }}"
+ state: present
+ use: "{{ (__trustee_server_is_ostree | d(false)) |
+ ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+
+- name: Deploy secret registration server script
+ ansible.builtin.template:
+ src: secret_registration_server.py.j2
+ dest: "/usr/local/bin/secret_registration_server.py"
+ mode: "0755"
+ register: __trustee_attestation_server_secret_reg_script
+
+- name: Deploy secret registration server systemd unit
+ ansible.builtin.template:
+ src: secret_registration_server.service.j2
+ dest: /etc/systemd/system/secret_registration_server.service
+ mode: "0644"
+ register: __trustee_attestation_server_secret_reg_service
+
+- name: Gather service facts for firewall check
+ ansible.builtin.service_facts:
+
+- name: Allow secret registration server port in firewall
+ ansible.posix.firewalld:
+ port: "{{ trustee_server_secret_registration_listen_port }}/tcp"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: (ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'
+
+- name: Append secret registration server service to the list of services to restart
+ set_fact:
+ __trustee_attestation_server_services: >-
+ {{ __trustee_attestation_server_services | default([]) + ['secret_registration_server'] }}
+ changed_when: true
+ notify: "restart trustee services"
\ No newline at end of file
diff --git a/tasks/secret_registration_service.yml b/tasks/secret_registration_service.yml
deleted file mode 100644
index 496fcc3..0000000
--- a/tasks/secret_registration_service.yml
+++ /dev/null
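Review bot: `changed_when: true` on the final `set_fact` together with `notify: "restart trustee services"` fires the handler on every run, so `secret_registration_server.service` (and, through the same pattern in the tasks/trustee_quadlet.yml hunk below, the Trustee pod) is restarted even when nothing changed, which makes the role non-idempotent. Move the `notify` to the two template tasks, whose results are registered as `__trustee_attestation_server_secret_reg_script` and `__trustee_attestation_server_secret_reg_service` but never read, and let the `set_fact` carry no `changed_when` at all. The module is also written as bare `set_fact` while the rest of the file uses FQCNs; `ansible.builtin.set_fact:` keeps it consistent.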
@@ -1,2 +0,0 @@
-# SPDX-License-Identifier: MIT
----
\ No newline at end of file
diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml
index b473cca..86183db 100644
--- a/tasks/trustee_quadlet.yml
+++ b/tasks/trustee_quadlet.yml
@@ -70,10 +70,14 @@
- name: Generate certificates for all components
ansible.builtin.shell: |
# Trustee Server SSL
- if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ]; then
- openssl req -new -x509 -nodes -sha256 -days 3550 \
+ if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ]; then
+ openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key \
-subj "/CN=$(hostname -f)/O=Red Hat" \
- -out {{ trustee_attestation_server_config_dir }}/kbs/server.crt -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key
+ -addext "basicConstraints=CA:FALSE" \
+ -addext "keyUsage=digitalSignature,keyEncipherment" \
+ -addext "extendedKeyUsage=serverAuth" \
+ -addext "subjectAltName=DNS:$(hostname -f)" \
+ -out {{ trustee_attestation_server_config_dir }}/kbs/server.crt
fi
# KBS authentication key pair
if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then
@@ -89,6 +93,7 @@
mkdir -p {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs
cp {{ trustee_attestation_server_config_dir }}/as/token.crt {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt
fi
+ changed_when: true
- name: Gather service facts
ansible.builtin.service_facts:
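Review bot: The rewritten `openssl req -x509 -newkey rsa:2048 ...` command drops the `-days 3550` of the removed line and passes no `-days` at all, so the KBS server certificate is issued with OpenSSL's default validity of 30 days; because the block only runs when `server.key`/`server.crt` are missing, the certificate is never regenerated and KBS (and the registration server, which serves the same file) will fail TLS after a month. Put `-days 3550 \` back, ideally as a role variable — the `trustee_server_ssl_days` default removed from defaults/main.yml in this commit would have been the natural place. In the second hunk, `changed_when: true` reports a change on every run although the script is guarded by file checks; having each branch `echo generated`, registering the result and using `changed_when: "'generated' in <registered>.stdout"` keeps the task idempotent.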
@@ -99,26 +104,25 @@
permanent: true
immediate: true
state: enabled
- when: ansible_facts.services['firewalld.service'].state == 'running'
+ when: (ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'
- name: Get the installed Trustee Server pod name
ansible.builtin.find:
paths: "{{ trustee_server_quadlet_install_dir }}"
patterns: "*.pod"
- register: trustee_server_pod_name
+ register: __trustee_attestation_server_pod_name
-- name: Enable and start Trustee Server services
- ansible.builtin.systemd:
- name: "{{ trustee_server_pod_name.files[0].path | basename | regex_replace('\\.pod$', '') }}-pod.service"
- enabled: true
- state: restarted
- daemon_reload: true
- when: trustee_server_pod_name.files | length > 0
- failed_when: false
+- name: Append Trustee Server services to the list of services to restart
+ set_fact:
+ __trustee_attestation_server_services: >-
+ {{ __trustee_attestation_server_services | default([]) + [__trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod')] }}
+ when: __trustee_attestation_server_pod_name.files | length > 0
+ changed_when: true
+ notify: Handler for trustee_attestation_server to restart services
# TODO keep the server.crt and DNS names in the role variables
- name: Clean up temporary repository directory
ansible.builtin.file:
path: "{{ __trustee_server_quadlet_repo_dir.path }}"
- state: absent
\ No newline at end of file
+ state: absent
diff --git a/templates/secret_registration_server.py.j2 b/templates/secret_registration_server.py.j2
new file mode 100644
index 0000000..2fdcd97
--- /dev/null
+++ b/templates/secret_registration_server.py.j2
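Review bot: `notify: Handler for trustee_attestation_server to restart services` names a handler that does not exist: handlers/main.yml in this commit removes the old `Handler for trustee_server to restart services` and exposes the new handlers only through `listen: "restart trustee services"`, so Ansible fails the host with a "handler not found" error as soon as this task reports changed, which `changed_when: true` makes unconditional. Use `notify: "restart trustee services"`, as tasks/secret_registration_server.yml already does. The list entry is built with `replace('.pod', '-pod')`, which rewrites every occurrence in the file name rather than only the suffix that the removed `regex_replace('\\.pod$', '')` matched; `regex_replace('\\.pod$', '-pod')` keeps the anchoring.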
@@ -0,0 +1,185 @@ +{{ ansible_managed | comment }} +{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} +#!/usr/bin/env python3 +# SPDX-License-Identifier: MIT +""" +Secret Registration Server - receives attestation-backed registration requests, +verifies attestation with Trustee, creates disk encryption keys and stores them in KBS. +""" +import json +import logging +import os +import secrets +import socket +import ssl +import subprocess +import tempfile +import base64 +from http.server import HTTPServer, BaseHTTPRequestHandler +from urllib.parse import urlparse + +logging.basicConfig( + level=logging.INFO, + format="%(asctime)s %(levelname)s: %(message)s", +) +LOG = logging.getLogger(__name__) + +# Configuration from environment or defaults +LISTEN_ADDRESS = "0.0.0.0" +LISTEN_PORT = {{ trustee_server_secret_registration_listen_port }} +KBS_AUTH_KEY = "/etc/trustee/kbs/auth.key" +POLICY_FILE = "/etc/trustee/kbs/policy.rego" +SSL_CERT = "/etc/trustee/kbs/server.crt" +SSL_KEY = "/etc/trustee/kbs/server.key" + + +def get_evidence_from_attestation_token(token: str) -> dict: + """Get PCR15 from attestation token.""" + payload = json.loads(base64.b64decode(token.split('.')[1] + "==").decode('utf-8')) + evidence = payload["submods"]["cpu0"]["ear.veraison.annotated-evidence"] + # Only support Azure TPM-based attestation for now + for tee in ["azsnpvtpm", "aztdxvtpm"]: + if evidence[tee]["tpm"]["pcr15"] is not None: + return evidence + return None + + +def store_key_in_kbs(resource_path: str, key_data: bytes) -> bool: + """Store key in Trustee KBS using kbs-client container or filesystem backend.""" + try: + with tempfile.NamedTemporaryFile(mode="wb", delete=False, suffix=".key") as f: + f.write(key_data) + tmp_path = f.name + # Trustee quadlet places version.env under /etc/trustee/version.env + kbs_client_image = os.getenv("IMAGE_SOURCE", "") + "/trustee-kbs-client:" + os.getenv("TRUSTEE_VERSION", "") + hostname = 
subprocess.check_output(["hostname", "-f"]).decode("utf-8").strip() + result = subprocess.run( + [ + "podman", "run", "--rm", "--network", "host", + "-v", f"{KBS_AUTH_KEY}:/auth.key:ro,Z", + "-v", f"{tmp_path}:/resource:ro,Z", + "-v", f"{SSL_CERT}:/server.crt:ro,Z", + kbs_client_image, + "kbs-client", + "--url", f"https://{hostname}:8080", + "--cert-file", "/server.crt", + "config", + "--auth-private-key", "/auth.key", + "set-resource", + "--path", resource_path, + "--resource-file", "/resource" + ], + capture_output=True, + text=True, + timeout=60, + ) + if result.returncode != 0: + LOG.error("kbs-client failed: %s", result.stderr or result.stdout) + return False + return True + except Exception as e: + LOG.exception("Error storing key in KBS: %s", e) + return False + finally: + if os.path.exists(tmp_path): + os.unlink(tmp_path) + + +def append_resource_policy(resource_path: str, evidence: dict, client_id: str) -> bool: + """Append key policy to resource policy file.""" + try: + with open(POLICY_FILE, "a+") as f: + f.seek(0) + if f"# machine-id: {client_id}" in f.read(): + LOG.exception("Resource policy already exists for machine-id: %s", client_id) + return False + tee_key = list(evidence.keys())[0] + pcr15_val = evidence[tee_key]["tpm"]["pcr15"] + {% raw %}policy = f'''# machine-id: {client_id} +allow {{ + #input["submods"]["cpu0"]["ear.status"] == "affirming" + path[0] == "resource" + path[1] == "disk-encryption" + path[2] == "{client_id}" + input_tcb["{tee_key}"]["tpm"]["pcr15"] == "{pcr15_val}" +}} +''' +{% endraw %} + f.write(policy + "\n") + return True + except Exception as e: + LOG.exception("Error appending resource policy: %s", e) + return False + + +class SecretRegistrationHandler(BaseHTTPRequestHandler): + """HTTP request handler for secret registration.""" + + def _send_json(self, status: int, data: dict): + body = json.dumps(data).encode() + self.send_response(status) + self.send_header("Content-Type", "application/json") + 
self.send_header("Content-Length", str(len(body))) + self.end_headers() + self.wfile.write(body) + self.wfile.flush() + + def do_POST(self): + if urlparse(self.path).path != "/register-encryption-key": + self.send_error(405, "Method Not Allowed") + return + content_length = int(self.headers.get("Content-Length", 0)) + try: + body = self.rfile.read(content_length) + data = json.loads(body) + except (json.JSONDecodeError, ValueError) as e: + LOG.warning("Invalid request body: %s", e) + self._send_json(400, {"error": "Invalid JSON"}) + return + + # Parse request body + attestation_token = data.get("attestation_token") + if not attestation_token: + self._send_json(400, {"error": "Missing attestation_token"}) + return + client_id = "".join(c for c in data.get("client_id", "unknown") if c.isalnum() or c in "-_") or "unknown" + evidence = get_evidence_from_attestation_token(attestation_token) + if not evidence: + self._send_json(400, {"error": "No Azure TPM-based attestation found in attestation token"}) + return + + # Create disk encryption key (32 bytes for LUKS2) + key = secrets.token_bytes(32) + resource_path = f"disk-encryption/{client_id}/luks-key-0" + if not store_key_in_kbs(resource_path, key): + self._send_json(500, {"error": "Failed to store key in KBS"}) + return + + # Append resource policy + if not append_resource_policy(resource_path, evidence, client_id): + self._send_json(500, {"error": "Failed to append resource policy"}) + return + + LOG.info("Registered disk encryption key for client %s at %s", client_id, resource_path) + self._send_json(200, { + "resource_path": resource_path, + "message": "Disk encryption key registered successfully", + }) + + +def main(): + server = HTTPServer((LISTEN_ADDRESS, LISTEN_PORT), SecretRegistrationHandler) + context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + context.load_cert_chain(certfile=SSL_CERT, keyfile=SSL_KEY) + server.socket = context.wrap_socket(server.socket, server_side=True) + LOG.info("Secret registration 
server listening on https://%s:%d", LISTEN_ADDRESS, LISTEN_PORT) + try: + server.serve_forever() + except KeyboardInterrupt: + pass + finally: + server.server_close() + + +if __name__ == "__main__": + main() diff --git a/templates/secret_registration_server.service.j2 b/templates/secret_registration_server.service.j2 new file mode 100644 index 0000000..9d33c11 --- /dev/null +++ b/templates/secret_registration_server.service.j2 @@ -0,0 +1,28 @@ +{{ ansible_managed | comment }} +{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} +# SPDX-License-Identifier: MIT +[Unit] +Description=Secret Registration Server - attestation-backed disk key registration +Documentation=https://confidentialcontainers.org/docs/attestation/ +After=network-online.target +Wants=network-online.target +# Start after Trustee pod if it exists +After=trustee-pod.service + +[Service] +Type=simple +ExecStart=/usr/local/bin/secret_registration_server.py +Restart=on-failure +RestartSec=5s +# Required for KBS and attestation access +Environment=PYTHONUNBUFFERED=1 +EnvironmentFile=-/etc/trustee/version.env + +# Security hardening +NoNewPrivileges=yes +PrivateTmp=yes +ProtectHome=yes +ReadWritePaths=/tmp + +[Install] +WantedBy=multi-user.target diff --git a/vars/main.yml b/vars/main.yml index b47291b..60ec63f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,6 +10,8 @@ __trustee_server_trustee_packages: - podman - git __trustee_server_services: [] +__trustee_server_secret_registration_packages: + - python3 # ansible_facts required by the role __trustee_server_required_facts: - distribution From bcbfdbd477db2104bc870902732b7ac0bf7b0828 Mon Sep 17 00:00:00 2001 From: Li Tian Date: Tue, 10 Mar 2026 09:56:10 +0800 Subject: [PATCH 3/5] feat(test): add integration tests Integration tests for trustee_quadlet and secret_registration_server. 
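Review bot: `get_evidence_from_attestation_token` only base64-decodes the token payload and never verifies the JWS signature, so an unauthenticated request can carry a hand-built token with an arbitrary `pcr15` and `client_id`, and because `do_POST` calls `store_key_in_kbs` before `append_resource_policy` checks for an existing `# machine-id:` entry, a repeated or forged registration overwrites the stored `disk-encryption/<client_id>/luks-key-0` in KBS before the policy step rejects it. Verify the token against the AS signing certificate the role installs as `kbs/trusted_certs/token0.crt` (and check the `ear.status` claim that the policy template currently has commented out) before any state changes, and move the duplicate-policy check ahead of the KBS write. Decoding also uses `base64.b64decode`, which silently discards the `-`/`_` characters of the base64url JWT alphabet, and a token without the `azsnpvtpm` sub-map raises an uncaught `KeyError` out of the handler; the sketch below addresses those two parsing points, while the signature check still has to be added. `socket` is imported but unused, and an unknown path in `do_POST` is answered with 405 where 404 is meant.
```python
def get_evidence_from_attestation_token(token: str) -> dict:
    """Extract the Azure TPM PCR15 evidence from an attestation token payload.

    NOTE(review): this only parses the token; the JWS signature must be
    verified against the AS token certificate before the result is trusted.
    Returns None when the token is malformed or carries no supported evidence.
    """
    try:
        segment = token.split(".")[1]
        # JWT segments are unpadded base64url (RFC 7515): pad to a multiple
        # of four and decode with the URL-safe alphabet.
        padded = segment + "=" * (-len(segment) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
        evidence = payload["submods"]["cpu0"]["ear.veraison.annotated-evidence"]
    except (IndexError, KeyError, TypeError, ValueError) as e:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are ValueErrors
        LOG.warning("Malformed attestation token: %s", e)
        return None
    # Only support Azure TPM-based attestation for now
    for tee in ("azsnpvtpm", "aztdxvtpm"):
        if evidence.get(tee, {}).get("tpm", {}).get("pcr15") is not None:
            return evidence
    return None
```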
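Review bot: `ReadWritePaths=/tmp` under `# Security hardening` has no effect, because nothing in the unit makes the filesystem read-only — that directive only punches holes in `ProtectSystem=strict`/`full`, which is not set. If hardening is the intent, add `ProtectSystem=strict` together with `ReadWritePaths=` entries for `/etc/trustee/kbs` (the script appends to `policy.rego` there) and for whatever storage the `podman run` in the script needs; otherwise drop the line so the section does not suggest protection it does not provide. The unit also runs as root with no `User=`, which the podman call and the read of `/etc/trustee/kbs/server.key` currently require; a comment such as `# runs as root: needs podman and the KBS private key` documents that. `After=trustee-pod.service` without a matching `Wants=` only orders the units, which is presumably intended since KBS is contacted per request, but the comment `# Start after Trustee pod if it exists` should say that no dependency is declared.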
Signed-off-by: Li Tian --- README.md | 33 ++++---- defaults/main.yml | 15 ++-- examples/simple.yml | 14 ++-- plans/README-plans.md | 4 - tasks/main.yml | 2 +- tasks/secret_registration_server.yml | 8 +- tasks/set_vars.yml | 8 +- tasks/trustee_quadlet.yml | 68 ++++++++-------- templates/foo.conf.j2 | 9 +++ templates/secret_registration_server.py.j2 | 11 ++- .../secret_registration_server.service.j2 | 5 +- .../defaults | 0 .../handlers | 0 .../meta | 0 .../tasks | 0 .../templates | 0 .../vars | 0 tests/setup-snapshot.yml | 4 +- tests/tests_default.yml | 80 +++++++++++++++++-- tests/tests_include_vars_from_parent.yml | 2 +- tests/tests_secret_registration_server.yml | 39 +++++++++ tests/vars/rh_distros_vars.yml | 2 +- vars/Fedora.yml | 2 +- vars/RedHat_10.yml | 2 +- vars/RedHat_7.yml | 2 +- vars/RedHat_8.yml | 2 +- vars/RedHat_9.yml | 2 +- vars/main.yml | 23 +++--- 28 files changed, 223 insertions(+), 114 deletions(-) create mode 100644 templates/foo.conf.j2 rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/defaults (100%) rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/handlers (100%) rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/meta (100%) rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/tasks (100%) rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/templates (100%) rename tests/roles/{linux-system-roles.trustee_server => linux-system-roles.trustee_attestation_server}/vars (100%) create mode 100644 tests/tests_secret_registration_server.yml diff --git a/README.md b/README.md index 2241b8e..e0b27f8 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,10 @@ -# trustee_server +# trustee_attestation_server [![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml) -![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg) -An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs). +![trustee_attestation_server](https://github.com/linux-system-roles/trustee_attestation_server/workflows/tox/badge.svg) + +An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, AS, RVPS) for workloads running in Trusted Execution Environments (TEEs). ## Features 
@@ -21,27 +22,21 @@ An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/a ansible-galaxy collection install -r meta/collection-requirements.yml ``` -### Managed node - -- Fedora or RHEL 9+ -- Podman -- Python 3 - ## Example Playbook ```yaml - name: Deploy Trustee Server hosts: all vars: - trustee_server_trustee: true - trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" - trustee_server_quadlet_repo_path: "quadlet" - trustee_server_quadlet_repo_branch: "main" - trustee_server_quadlet_install_dir: "/etc/containers/systemd" - trustee_server_secret_registration_server_enabled: true - trustee_server_secret_registration_listen_port: 8081 + trustee_attestation_server_trustee: true + trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" + trustee_attestation_server_quadlet_repo_path: "quadlet" + trustee_attestation_server_quadlet_repo_branch: "main" + trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" + trustee_attestation_server_secret_registration_enabled: true + trustee_attestation_server_secret_registration_listen_port: 8081 roles: - - linux-system-roles.trustee_server + - linux-system-roles.trustee_attestation_server ``` More examples are in the [`examples/`](examples) directory. @@ -51,9 +46,9 @@ More examples are in the [`examples/`](examples) directory. When enabled, the role: 1. Downloads the Podman Quadlets from designated repo -2. Generates all required certficates of Trustee server components +2. Generates all required certificates of Trustee server components 3. Add KBS port 8080 to firewalld -3. Enables the services by default +4. Enables the services by default Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment. diff --git a/defaults/main.yml b/defaults/main.yml index f8ebab9..b670778 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -4,13 +4,12 @@ # This file also serves as a documentation for such a variables. # Trustee Server Components Quadlet repository configuration -trustee_server_trustee: true -trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" -trustee_server_quadlet_repo_path: "quadlet" -trustee_server_quadlet_repo_branch: "main" -trustee_server_quadlet_install_dir: "/etc/containers/systemd" +trustee_attestation_server_trustee: true +trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" +trustee_attestation_server_quadlet_repo_path: "quadlet" +trustee_attestation_server_quadlet_repo_branch: "main" +trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" trustee_attestation_server_config_dir: "/etc/trustee" - # Secret registration server service configuration -trustee_server_secret_registration_server_enabled: false -trustee_server_secret_registration_listen_port: 8081 +trustee_attestation_server_secret_registration_enabled: false +trustee_attestation_server_secret_registration_listen_port: 8081 diff --git a/examples/simple.yml b/examples/simple.yml index ff3cebc..9b24ac8 100644 --- a/examples/simple.yml +++ b/examples/simple.yml 
@@ -3,11 +3,11 @@ - name: Deploy Trustee Server Components using Podman Quadlets from GitHub repository hosts: all vars: - trustee_server_trustee: true - trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" - trustee_server_quadlet_repo_path: "quadlet" - trustee_server_quadlet_repo_branch: "main" - trustee_server_quadlet_install_dir: "/etc/containers/systemd" - trustee_server_secret_registration_server_enabled: false + trustee_attestation_server_trustee: true + trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" + trustee_attestation_server_quadlet_repo_path: "quadlet" + trustee_attestation_server_quadlet_repo_branch: "main" + trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" + trustee_attestation_server_secret_registration_enabled: false roles: - - linux-system-roles.trustee-server + - linux-system-roles.trustee_attestation_server diff --git a/plans/README-plans.md b/plans/README-plans.md index 70ef2c2..d6d732a 100644 --- a/plans/README-plans.md +++ b/plans/README-plans.md @@ -47,11 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm. $ TESTING_FARM_API_TOKEN= \ testing-farm request --pipeline-type="tmt-multihost" \ --plan-filter="tag:playbooks_parallel" \ -<<<<<<< HEAD --git-url "https://github.com//trustee_attestation_server" \ -======= - --git-url "https://github.com//trustee_server" \ ->>>>>>> 4efcd62 (feat(trustee_quadlet): add Trustee quadlet deployment) --git-ref "" \ --compose CentOS-Stream-9 \ -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \ diff --git a/tasks/main.yml b/tasks/main.yml index 08a6257..38ebc4f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -6,7 +6,7 @@ # Examples of some tasks: - name: Deploy Trustee Server Components using Podman Quadlets include_tasks: trustee_quadlet.yml - when: trustee_server_trustee | bool + when: trustee_attestation_server_trustee | bool - name: Deploy Secret Registration Server Service include_tasks: secret_registration_server.yml diff --git a/tasks/secret_registration_server.yml b/tasks/secret_registration_server.yml index 2b5edff..58fd02a 100644 --- a/tasks/secret_registration_server.yml +++ b/tasks/secret_registration_server.yml @@ -6,9 +6,9 @@ - name: Ensure secret registration server dependencies are installed ansible.builtin.package: - name: "{{ __trustee_server_secret_registration_packages }}" + name: "{{ __trustee_attestation_server_secret_registration_packages }}" state: present - use: "{{ (__trustee_server_is_ostree | d(false)) | + use: "{{ (__trustee_attestation_server_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - name: Deploy secret registration server script @@ -30,7 +30,7 @@ - name: Allow secret registration server port in firewall ansible.posix.firewalld: - port: "{{ trustee_server_secret_registration_listen_port }}/tcp" + port: "{{ trustee_attestation_server_secret_registration_listen_port }}/tcp" permanent: true immediate: true state: enabled @@ -41,4 +41,4 @@ __trustee_attestation_server_services: >- {{ __trustee_attestation_server_services | default([]) + ['secret_registration_server'] }} changed_when: true - notify: "restart trustee services" \ No newline at end of file + notify: "restart trustee services" diff --git a/tasks/set_vars.yml b/tasks/set_vars.yml index 641c518..f9584b4 100644 --- a/tasks/set_vars.yml +++ b/tasks/set_vars.yml 
@@ -1,12 +1,12 @@ --- - name: Ensure ansible_facts used by role setup: - gather_subset: "{{ __trustee_server_required_facts_subsets }}" - when: __trustee_server_required_facts | + gather_subset: "{{ __trustee_attestation_server_required_facts_subsets }}" + when: __trustee_attestation_server_required_facts | difference(ansible_facts.keys() | list) | length > 0 - name: Determine if system is ostree and set flag - when: not __trustee_server_is_ostree is defined + when: not __trustee_attestation_server_is_ostree is defined block: - name: Check if system is ostree stat: @@ -15,7 +15,7 @@ - name: Set flag to indicate system is ostree set_fact: - __trustee_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" + __trustee_attestation_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" - name: Set platform/version specific variables include_vars: "{{ __vars_file }}" diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml index 86183db..7bf71d6 100644 --- a/tasks/trustee_quadlet.yml +++ b/tasks/trustee_quadlet.yml 
@@ -2,34 +2,34 @@
---
- name: Ensure required packages are installed
ansible.builtin.package:
- name: "{{ __trustee_server_trustee_packages }}"
+ name: "{{ __trustee_attestation_server_trustee_packages }}"
state: present
- use: "{{ (__trustee_server_is_ostree | d(false)) |
+ use: "{{ (__trustee_attestation_server_is_ostree | d(false)) |
ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
- name: Ensure quadlet install directory exists
ansible.builtin.file:
- path: "{{ trustee_server_quadlet_install_dir }}"
+ path: "{{ trustee_attestation_server_quadlet_install_dir }}"
state: directory
mode: "0755"
- name: Create a temporary directory for the quadlet repository
ansible.builtin.tempfile:
state: directory
- register: __trustee_server_quadlet_repo_dir
+ register: __trustee_attestation_server_quadlet_repo_dir
- name: Download Trustee Server quadlet files from GitHub repository
ansible.builtin.git:
- repo: "{{ trustee_server_quadlet_repo_url }}"
- dest: "{{ __trustee_server_quadlet_repo_dir.path }}"
- version: "{{ trustee_server_quadlet_repo_branch }}"
+ repo: "{{ trustee_attestation_server_quadlet_repo_url }}"
+ dest: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}"
+ version: "{{ trustee_attestation_server_quadlet_repo_branch }}"
depth: 1
force: true
register: quadlet_repo_download
- name: Find Trustee Server quadlet files in repository
ansible.builtin.find:
- paths: "{{ __trustee_server_quadlet_repo_dir.path }}/{{ trustee_server_quadlet_repo_path }}"
+ paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ trustee_attestation_server_quadlet_repo_path }}"
patterns:
- "*.container"
- "*.volume"
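Review bot: `register: quadlet_repo_download` keeps an unprefixed name while the same hunk renames the other registered variable to `__trustee_attestation_server_quadlet_repo_dir`; registered variables are host-scoped and shared across roles, so `quadlet_repo_download` (and `quadlet_files_found` and `__repo_configs_dir` in the following hunks) can collide with other roles' variables. Rename them to the role prefix, e.g. `register: __trustee_attestation_server_quadlet_repo_download`. Separately, `version: "{{ trustee_attestation_server_quadlet_repo_branch }}"` follows a moving `main` branch of a personal GitHub repository, and the fetched quadlets are installed as root-run services; the defaults should document pinning a tag or commit rather than a branch so a deployment is reproducible and reviewable.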
@@ -40,13 +40,13 @@
- name: Fail if no Trustee Server quadlet files found
ansible.builtin.fail:
- msg: "No quadlet files found in {{ trustee_server_quadlet_repo_url }}/{{ trustee_server_quadlet_repo_path }}"
+ msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_repo_url }}/{{ trustee_attestation_server_quadlet_repo_path }}"
when: quadlet_files_found.files | length == 0
- name: Copy Trustee Server quadlet files to install directory
ansible.builtin.copy:
src: "{{ item.path }}"
- dest: "{{ trustee_server_quadlet_install_dir }}/{{ item.path | basename }}"
+ dest: "{{ trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}"
mode: "0644"
remote_src: true
force: true
@@ -55,13 +55,13 @@
- name: Stat repository configs directory
ansible.builtin.stat:
- path: "{{ __trustee_server_quadlet_repo_dir.path }}/configs"
+ path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs"
register: __repo_configs_dir
- name: Copy Trustee Server config files to config directory
ansible.builtin.copy:
- src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/"
- dest: "{{ trustee_attestation_server_config_dir }}/"
+ src: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs/"
+ dest: "{{ __trustee_attestation_server_config_dir }}/"
mode: "0644"
remote_src: true
force: true
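Review bot: `dest: "{{ __trustee_attestation_server_config_dir }}/"` switches the config directory to a double-underscore name, but `defaults/main.yml` in this commit keeps the public `trustee_attestation_server_config_dir: "/etc/trustee"` and no file in view sets `__trustee_attestation_server_config_dir`; unless the `vars/main.yml` hunk (changed here but not shown) defines it, the copy fails on an undefined variable. The same name is used throughout the certificate hunk below (`@@ -70,30 +70,31 @@`). Either read the public default here or derive the private one from it in vars, and note that templates/secret_registration_server.py.j2 still hard-codes `/etc/trustee/kbs/...`, so a non-default directory would not reach the registration server anyway.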
@@ -70,30 +70,31 @@ - name: Generate certificates for all components ansible.builtin.shell: | # Trustee Server SSL - if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ]; then - openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key \ + if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.crt ]; then + openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ __trustee_attestation_server_config_dir }}/kbs/server.key \ -subj "/CN=$(hostname -f)/O=Red Hat" \ -addext "basicConstraints=CA:FALSE" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "extendedKeyUsage=serverAuth" \ -addext "subjectAltName=DNS:$(hostname -f)" \ - -out {{ trustee_attestation_server_config_dir }}/kbs/server.crt + -out {{ __trustee_attestation_server_config_dir }}/kbs/server.crt fi # KBS authentication key pair - if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then - openssl genpkey -algorithm ed25519 -out {{ trustee_attestation_server_config_dir }}/kbs/auth.key - openssl pkey -in {{ trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ trustee_attestation_server_config_dir }}/kbs/auth.pub + if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then + openssl genpkey -algorithm ed25519 -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.key + openssl pkey -in {{ __trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub fi # Attestation Service token signer key pair - if [ ! -f {{ trustee_attestation_server_config_dir }}/as/token.key ] || [ ! 
-f {{ trustee_attestation_server_config_dir }}/as/token.crt ]; then - openssl ecparam -name prime256v1 -genkey -noout -out {{ trustee_attestation_server_config_dir }}/as/token.key - openssl req -new -x509 -key {{ trustee_attestation_server_config_dir }}/as/token.key \ - -out {{ trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \ + if [ ! -f {{ __trustee_attestation_server_config_dir }}/as/token.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/as/token.crt ]; then + openssl ecparam -name prime256v1 -genkey -noout -out {{ __trustee_attestation_server_config_dir }}/as/token.key + openssl req -new -x509 -key {{ __trustee_attestation_server_config_dir }}/as/token.key \ + -out {{ __trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \ -subj "/CN=as-token-signer/O=Red Hat" - mkdir -p {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs - cp {{ trustee_attestation_server_config_dir }}/as/token.crt {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt + mkdir -p {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs + cp {{ __trustee_attestation_server_config_dir }}/as/token.crt {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt fi changed_when: true + no_log: true - name: Gather service facts ansible.builtin.service_facts: 
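Review bot: The KBS server certificate is generated without `-days`, so `openssl req -x509` applies its 30-day default, and the `[ ! -f server.key ] || [ ! -f server.crt ]` guard never regenerates an expired pair — attesting clients will start failing TLS about a month after deployment. Add an explicit validity such as `-days 365` (ideally a role variable), and prepend `set -e` to the script: without it a failing `openssl` or `cp` still exits 0 via the last command, and the newly added `no_log: true` hides the stderr that would explain the failure. The private keys (`server.key`, `auth.key`, `token.key`) get no explicit owner or mode; follow this task with an `ansible.builtin.file` task setting `owner: root` and `mode: "0600"` on each instead of relying on openssl's file-creation defaults.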
@@ -108,21 +109,22 @@ - name: Get the installed Trustee Server pod name ansible.builtin.find: - paths: "{{ trustee_server_quadlet_install_dir }}" + paths: "{{ trustee_attestation_server_quadlet_install_dir }}" patterns: "*.pod" register: __trustee_attestation_server_pod_name -- name: Append Trustee Server services to the list of services to restart - set_fact: - __trustee_attestation_server_services: >- - {{ __trustee_attestation_server_services | default([]) + [__trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod')] }} +- name: Enable and start Trustee Server services + ansible.builtin.systemd: + name: "{{ __trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod.service') }}" + enabled: true + state: restarted + daemon_reload: true when: __trustee_attestation_server_pod_name.files | length > 0 - changed_when: true - notify: Handler for trustee_attestation_server to restart services + failed_when: false # TODO keep the server.crt and DNS names in the role variables - name: Clean up temporary repository directory ansible.builtin.file: - path: "{{ __trustee_server_quadlet_repo_dir.path }}" + path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" state: absent diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2 new file mode 100644 index 0000000..d5fe365 --- /dev/null +++ b/templates/foo.conf.j2 @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: MIT +# +# Example of a trustee_attestation_server of configuration file +# +{{ ansible_managed | comment }} +{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} +[foo] +foo = {{ trustee_attestation_server_foo }} +bar = {{ trustee_attestation_server_bar }} diff --git a/templates/secret_registration_server.py.j2 b/templates/secret_registration_server.py.j2 index 2fdcd97..a244f2c 100644 --- a/templates/secret_registration_server.py.j2 +++ b/templates/secret_registration_server.py.j2 
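Review bot: `failed_when: false` on the new `ansible.builtin.systemd` task makes the role report success even when the Trustee pod fails to start, which undoes the benefit of switching from a handler to a direct restart, and the trailing `# TODO keep the server.crt and DNS names in the role variables` comment has nothing to do with that line. Drop `failed_when: false` (or narrow it to one known condition) and move the TODO next to the certificate task it refers to. `state: restarted` also bounces the attestation server on every playbook run regardless of whether any quadlet or config file changed; `state: started` plus a restart conditioned on the copy tasks' `changed` results would avoid that. `files[0]` silently picks the first `.pod` file if several are present; an assert on `files | length == 1` would be safer.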
@@ -1,7 +1,9 @@ +{{ '#!/usr/bin/env python3' }} +# shebang template to avoid sanity test error +# SPDX-License-Identifier: MIT {{ ansible_managed | comment }} {{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} -#!/usr/bin/env python3 -# SPDX-License-Identifier: MIT + """ Secret Registration Server - receives attestation-backed registration requests, verifies attestation with Trustee, creates disk encryption keys and stores them in KBS. @@ -26,7 +28,7 @@ LOG = logging.getLogger(__name__) # Configuration from environment or defaults LISTEN_ADDRESS = "0.0.0.0" -LISTEN_PORT = {{ trustee_server_secret_registration_listen_port }} +LISTEN_PORT = {{ trustee_attestation_server_secret_registration_listen_port }} KBS_AUTH_KEY = "/etc/trustee/kbs/auth.key" POLICY_FILE = "/etc/trustee/kbs/policy.rego" SSL_CERT = "/etc/trustee/kbs/server.crt" @@ -46,6 +48,7 @@ def get_evidence_from_attestation_token(token: str) -> dict: def store_key_in_kbs(resource_path: str, key_data: bytes) -> bool: """Store key in Trustee KBS using kbs-client container or filesystem backend.""" + tmp_path = None try: with tempfile.NamedTemporaryFile(mode="wb", delete=False, suffix=".key") as f: f.write(key_data) @@ -81,7 +84,7 @@ def store_key_in_kbs(resource_path: str, key_data: bytes) -> bool: LOG.exception("Error storing key in KBS: %s", e) return False finally: - if os.path.exists(tmp_path): + if tmp_path and os.path.exists(tmp_path): os.unlink(tmp_path) diff --git a/templates/secret_registration_server.service.j2 b/templates/secret_registration_server.service.j2 index 9d33c11..913a5b8 100644 --- a/templates/secret_registration_server.service.j2 +++ b/templates/secret_registration_server.service.j2 
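Review bot: `store_key_in_kbs` writes the freshly created disk-encryption key to a `NamedTemporaryFile(delete=False)` in the default temp directory, so the plaintext key touches the host filesystem and is only `os.unlink`ed, never overwritten, in the `finally:` block; the `tmp_path and os.path.exists(tmp_path)` guard correctly fixes the unbound-name case but does not change that. If the kbs-client invocation (outside these hunks) can take the secret on stdin, prefer that; otherwise pass `dir=` pointing at a root-only tmpfs and keep the file's default `0600` mode from `mkstemp`. The surrounding `LISTEN_ADDRESS = "0.0.0.0"` context binds the registration endpoint on all interfaces; whether the request handler enforces TLS with `SSL_CERT` and authenticates callers is not visible here and should be confirmed. Both functions continue outside these hunks.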
@@ -1,6 +1,7 @@ +# SPDX-License-Identifier: MIT {{ ansible_managed | comment }} {{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} -# SPDX-License-Identifier: MIT + [Unit] Description=Secret Registration Server - attestation-backed disk key registration Documentation=https://confidentialcontainers.org/docs/attestation/ @@ -11,7 +12,7 @@ After=trustee-pod.service [Service] Type=simple -ExecStart=/usr/local/bin/secret_registration_server.py +ExecStart=/usr/bin/python3 /usr/local/bin/secret_registration_server.py Restart=on-failure RestartSec=5s # Required for KBS and attestation access diff --git a/tests/roles/linux-system-roles.trustee_server/defaults b/tests/roles/linux-system-roles.trustee_attestation_server/defaults similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/defaults rename to tests/roles/linux-system-roles.trustee_attestation_server/defaults diff --git a/tests/roles/linux-system-roles.trustee_server/handlers b/tests/roles/linux-system-roles.trustee_attestation_server/handlers similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/handlers rename to tests/roles/linux-system-roles.trustee_attestation_server/handlers diff --git a/tests/roles/linux-system-roles.trustee_server/meta b/tests/roles/linux-system-roles.trustee_attestation_server/meta similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/meta rename to tests/roles/linux-system-roles.trustee_attestation_server/meta diff --git a/tests/roles/linux-system-roles.trustee_server/tasks b/tests/roles/linux-system-roles.trustee_attestation_server/tasks similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/tasks rename to tests/roles/linux-system-roles.trustee_attestation_server/tasks 
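Review bot: The new unit runs a service that handles disk-encryption keys and, per the `# Required for KBS and attestation access` comment, needs KBS access, yet no sandboxing directives are visible; the `[Service]` section continues past that comment, so a `User=` or capability line may follow, but hardening is still worth adding. Consider `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true`; the last also keeps the script's temporary key files out of the shared `/tmp` (verify it does not break any path handed to a kbs-client container, if one is used). `After=trustee-pod.service` in the hunk context orders the unit but does not pull KBS in; whether a matching `Requires=`/`Wants=` exists is outside this hunk.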
diff --git a/tests/roles/linux-system-roles.trustee_server/templates b/tests/roles/linux-system-roles.trustee_attestation_server/templates similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/templates rename to tests/roles/linux-system-roles.trustee_attestation_server/templates diff --git a/tests/roles/linux-system-roles.trustee_server/vars b/tests/roles/linux-system-roles.trustee_attestation_server/vars similarity index 100% rename from tests/roles/linux-system-roles.trustee_server/vars rename to tests/roles/linux-system-roles.trustee_attestation_server/vars diff --git a/tests/setup-snapshot.yml b/tests/setup-snapshot.yml index 9c7629e..d46b018 100644 --- a/tests/setup-snapshot.yml +++ b/tests/setup-snapshot.yml @@ -4,11 +4,11 @@ tasks: - name: Set platform/version specific variables include_role: - name: linux-system-roles.trustee_server + name: linux-system-roles.trustee_attestation_server tasks_from: set_vars.yml public: true - name: Install test packages package: - name: "{{ __trustee_server_packages }}" + name: "{{ __trustee_attestation_server_trustee_packages }}" state: present diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 1a64cfd..a383510 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml 
@@ -2,12 +2,76 @@ --- - name: Ensure that the role runs with default parameters hosts: all - gather_facts: false # test that role works in this case - roles: - - linux-system-roles.trustee_server + gather_facts: true tasks: - - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_header.yml - vars: - __file: /etc/foo.conf - __fingerprint: system_role:trustee_server + - name: Include trustee_attestation_server role + ansible.builtin.include_role: + name: linux-system-roles.trustee_attestation_server + public: true + + - name: Gather package facts + ansible.builtin.package_facts: + + - name: Assert required packages are installed + ansible.builtin.assert: + that: item in ansible_facts.packages + fail_msg: "Required package {{ item }} is not installed" + loop: "{{ __trustee_attestation_server_trustee_packages }}" + + - name: Check trustee quadlet install directory exists + ansible.builtin.stat: + path: "{{ trustee_attestation_server_quadlet_install_dir }}" + register: quadlet_dir + + - name: Assert quadlet directory exists + ansible.builtin.assert: + that: quadlet_dir.stat.exists + fail_msg: "Quadlet install directory {{ trustee_attestation_server_quadlet_install_dir }} was not created" + + - name: Find quadlet files in install directory + ansible.builtin.find: + paths: "{{ trustee_attestation_server_quadlet_install_dir }}" + patterns: + - "*.container" + - "*.volume" + - "*.network" + - "*.pod" + recurse: false + register: quadlet_files + + - name: Assert quadlet files exist + ansible.builtin.assert: + that: quadlet_files.matched | int > 0 + fail_msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_install_dir }}" + + - name: Check trustee certificates and keys were generated + ansible.builtin.stat: + path: "{{ item }}" + register: trustee_certs + loop: + - "{{ __trustee_attestation_server_config_dir }}/kbs/server.key" + - "{{ __trustee_attestation_server_config_dir }}/kbs/server.crt" + - "{{ 
__trustee_attestation_server_config_dir }}/kbs/auth.key" + - "{{ __trustee_attestation_server_config_dir }}/kbs/auth.pub" + - "{{ __trustee_attestation_server_config_dir }}/as/token.key" + - "{{ __trustee_attestation_server_config_dir }}/as/token.crt" + - "{{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt" + + - name: Assert trustee certificates and keys exist + ansible.builtin.assert: + that: item.stat.exists + fail_msg: "Trustee cert/key {{ item.item }} was not generated" + loop: "{{ trustee_certs.results }}" + + - name: Find trustee pod file + ansible.builtin.find: + paths: "{{ trustee_attestation_server_quadlet_install_dir }}" + patterns: "*.pod" + recurse: false + register: trustee_pod_files + + - name: Check trustee pod service is running + ansible.builtin.service: + name: "{{ (trustee_pod_files.files[0].path | basename) | replace('.pod', '') }}-pod" + state: started + check_mode: true \ No newline at end of file diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml index f91ef14..d1986f9 100644 --- a/tests/tests_include_vars_from_parent.yml +++ b/tests/tests_include_vars_from_parent.yml @@ -44,7 +44,7 @@ import_role: name: caller vars: - roletoinclude: linux-system-roles.trustee_server + roletoinclude: linux-system-roles.trustee_attestation_server - name: Cleanup file: diff --git a/tests/tests_secret_registration_server.yml b/tests/tests_secret_registration_server.yml new file mode 100644 index 0000000..286f9df --- /dev/null +++ b/tests/tests_secret_registration_server.yml 
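Review bot: The final `Check trustee pod service is running` task cannot fail: `ansible.builtin.service` with `state: started` under `check_mode: true` only reports changed when the service is down, so the test stays green even if the Trustee pod never came up (which the role's `failed_when: false` on its systemd task would also hide). Replace it with `service_facts` and an assert on the service state, and, since the stat loop already covers the key paths, assert the private keys are `0600`. The file is also missing its trailing newline.

```yaml
# … unchanged: find trustee pod file …
- name: Gather service facts
  ansible.builtin.service_facts:

- name: Assert trustee pod service is running
  ansible.builtin.assert:
    that: ansible_facts.services[__pod_svc].state == 'running'
    fail_msg: "Trustee pod service {{ __pod_svc }} is not running"
  vars:
    __pod_svc: "{{ (trustee_pod_files.files[0].path | basename) | replace('.pod', '-pod.service') }}"

- name: Assert trustee private keys are root-only
  ansible.builtin.assert:
    that: item.stat.mode == '0600'
    fail_msg: "Private key {{ item.item }} has mode {{ item.stat.mode }}"
  loop: "{{ trustee_certs.results | selectattr('item', 'search', '\\.key$') | list }}"
```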
@@ -0,0 +1,39 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure secret registration server is deployed when enabled + hosts: all + gather_facts: true + vars: + trustee_attestation_server_trustee: true + trustee_attestation_server_secret_registration_enabled: true + tasks: + - name: Include trustee_attestation_server role + ansible.builtin.include_role: + name: linux-system-roles.trustee_attestation_server + public: true + + - name: Gather package facts + ansible.builtin.package_facts: + manager: auto + + - name: Assert required packages are installed + ansible.builtin.assert: + that: item in ansible_facts.packages + fail_msg: "Required package {{ item }} is not installed" + loop: "{{ __trustee_attestation_server_trustee_packages + __trustee_attestation_server_secret_registration_packages }}" + + - name: Check secret registration server script exists + ansible.builtin.stat: + path: /usr/local/bin/secret_registration_server.py + register: __trustee_attestation_server_secret_reg_script + + - name: Assert secret registration server script was deployed + ansible.builtin.assert: + that: __trustee_attestation_server_secret_reg_script.stat.exists + fail_msg: "Secret registration server script was not deployed" + + - name: Check secret registration server service is running + ansible.builtin.service: + name: "secret_registration_server" + state: started + check_mode: true diff --git a/tests/vars/rh_distros_vars.yml b/tests/vars/rh_distros_vars.yml index 9113bd7..075986f 100644 --- a/tests/vars/rh_distros_vars.yml +++ b/tests/vars/rh_distros_vars.yml @@ -1,7 +1,7 @@ # vars for handling conditionals for RedHat and clones # DO NOT EDIT - file is auto-generated # repo is https://github.com/linux-system-roles/.github -# file is playbooks/trustee_servers/tests/vars/rh_distros_vars.yml +# file is playbooks/trustee_attestation_servers/tests/vars/rh_distros_vars.yml --- # Ansible distribution identifiers that the role treats like RHEL __trustee_attestation_server_rh_distros: 
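Review bot: The `Check secret registration server service is running` task has the same weakness as the one in `tests_default.yml`: `state: started` under `check_mode: true` never fails, so the test passes even if `secret_registration_server` is dead. Use `ansible.builtin.service_facts` followed by `assert: that: ansible_facts.services['secret_registration_server.service'].state == 'running'` instead. The test also only checks that the script exists; asserting its mode and root ownership, and a `wait_for` on `trustee_attestation_server_secret_registration_listen_port`, would exercise the deployment rather than the file copy.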
diff --git a/vars/Fedora.yml b/vars/Fedora.yml index c483078..2a1b36a 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Fedora specific values. -__trustee_server_services: [] +__trustee_attestation_server_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml index 72ba4f9..71f6a3c 100644 --- a/vars/RedHat_10.yml +++ b/vars/RedHat_10.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 10 specific values. -__trustee_server_services: [] +__trustee_attestation_server_services: [] diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index f14c4dc..5850a3d 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 7 specific values. -__trustee_server_services: [] +__trustee_attestation_server_services: [] diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index cb1472c..f113976 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 8 specific values. -__trustee_server_services: [] +__trustee_attestation_server_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index c105b57..95d1164 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 9 specific values. -__trustee_server_services: [] +__trustee_attestation_server_services: [] diff --git a/vars/main.yml b/vars/main.yml index 60ec63f..2cdc9c7 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -5,15 +5,16 @@ # value in a platform/version specific file in vars/ # Examples of non-distribution specific (generic) internal variables: -__trustee_server_foo_config: foo.conf -__trustee_server_trustee_packages: +__trustee_attestation_server_foo_config: foo.conf +__trustee_attestation_server_trustee_packages: - podman - git -__trustee_server_services: [] -__trustee_server_secret_registration_packages: +__trustee_attestation_server_services: [] +__trustee_attestation_server_secret_registration_packages: - python3 +__trustee_attestation_server_config_dir: "/etc/trustee" # ansible_facts required by the role -__trustee_server_required_facts: +__trustee_attestation_server_required_facts: - distribution - distribution_major_version - distribution_version 
@@ -21,23 +22,23 @@ __trustee_server_required_facts: # the subsets of ansible_facts that need to be gathered in case any of the # facts in required_facts is missing; see the documentation of # the 'gather_subset' parameter of the 'setup' module -__trustee_server_required_facts_subsets: "{{ ['!all', '!min'] + - __trustee_server_required_facts }}" +__trustee_attestation_server_required_facts_subsets: "{{ ['!all', '!min'] + + __trustee_attestation_server_required_facts }}" # BEGIN - DO NOT EDIT THIS BLOCK - rh distros variables # Ansible distribution identifiers that the role treats like RHEL -__trustee_server_rh_distros: +__trustee_attestation_server_rh_distros: - AlmaLinux - CentOS - RedHat - Rocky # Same as above but includes Fedora -__trustee_server_rh_distros_fedora: "{{ __trustee_server_rh_distros + ['Fedora'] }}" +__trustee_attestation_server_rh_distros_fedora: "{{ __trustee_attestation_server_rh_distros + ['Fedora'] }}" # Use this in conditionals to check if distro is Red Hat or clone -__trustee_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros }}" +__trustee_attestation_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros }}" # Use this in conditionals to check if distro is Red Hat or clone, or Fedora -__trustee_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros_fedora }}" +__trustee_attestation_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros_fedora }}" # END - DO NOT EDIT THIS BLOCK - rh distros variables From 1fb62152c1356c3ef28ff0dbf792f31de541a868 Mon Sep 17 00:00:00 2001 From: Li Tian Date: Fri, 27 Mar 2026 21:37:59 +0800 Subject: [PATCH 4/5] refactor(trustee_quadlet): move quadlet repo and install dir variables to private We don't want users to easily move away from designated Trustee quadlets. So move the repo and install path to private to reduce variants. 
Signed-off-by: Li Tian --- README.md | 4 ---- defaults/main.yml | 6 ------ examples/simple.yml | 4 ---- tasks/trustee_quadlet.yml | 14 +++++++------- tests/tests_default.yml | 10 +++++----- vars/main.yml | 4 ++++ 6 files changed, 16 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index e0b27f8..a578191 100644 --- a/README.md +++ b/README.md @@ -29,10 +29,6 @@ ansible-galaxy collection install -r meta/collection-requirements.yml hosts: all vars: trustee_attestation_server_trustee: true - trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" - trustee_attestation_server_quadlet_repo_path: "quadlet" - trustee_attestation_server_quadlet_repo_branch: "main" - trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" trustee_attestation_server_secret_registration_enabled: true trustee_attestation_server_secret_registration_listen_port: 8081 roles: diff --git a/defaults/main.yml b/defaults/main.yml index b670778..690ef46 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,13 +3,7 @@ # Here is the right place to put the role's input variables. # This file also serves as a documentation for such a variables. -# Trustee Server Components Quadlet repository configuration trustee_attestation_server_trustee: true -trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" -trustee_attestation_server_quadlet_repo_path: "quadlet" -trustee_attestation_server_quadlet_repo_branch: "main" -trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" -trustee_attestation_server_config_dir: "/etc/trustee" # Secret registration server service configuration trustee_attestation_server_secret_registration_enabled: false trustee_attestation_server_secret_registration_listen_port: 8081 diff --git a/examples/simple.yml b/examples/simple.yml index 9b24ac8..caf7201 100644 --- a/examples/simple.yml +++ b/examples/simple.yml 
@@ -4,10 +4,6 @@ hosts: all vars: trustee_attestation_server_trustee: true - trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" - trustee_attestation_server_quadlet_repo_path: "quadlet" - trustee_attestation_server_quadlet_repo_branch: "main" - trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" trustee_attestation_server_secret_registration_enabled: false roles: - linux-system-roles.trustee_attestation_server diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml index 7bf71d6..d75e3f2 100644 --- a/tasks/trustee_quadlet.yml +++ b/tasks/trustee_quadlet.yml @@ -9,7 +9,7 @@ - name: Ensure quadlet install directory exists ansible.builtin.file: - path: "{{ trustee_attestation_server_quadlet_install_dir }}" + path: "{{ __trustee_attestation_server_quadlet_install_dir }}" state: directory mode: "0755" @@ -20,16 +20,16 @@ - name: Download Trustee Server quadlet files from GitHub repository ansible.builtin.git: - repo: "{{ trustee_attestation_server_quadlet_repo_url }}" + repo: "{{ __trustee_attestation_server_quadlet_repo_url }}" dest: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" - version: "{{ trustee_attestation_server_quadlet_repo_branch }}" + version: "{{ __trustee_attestation_server_quadlet_repo_branch }}" depth: 1 force: true register: quadlet_repo_download - name: Find Trustee Server quadlet files in repository ansible.builtin.find: - paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ trustee_attestation_server_quadlet_repo_path }}" + paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ __trustee_attestation_server_quadlet_repo_path }}" patterns: - "*.container" - "*.volume" 
@@ -40,13 +40,13 @@ - name: Fail if no Trustee Server quadlet files found ansible.builtin.fail: - msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_repo_url }}/{{ trustee_attestation_server_quadlet_repo_path }}" + msg: "No quadlet files found in {{ __trustee_attestation_server_quadlet_repo_url }}/{{ __trustee_attestation_server_quadlet_repo_path }}" when: quadlet_files_found.files | length == 0 - name: Copy Trustee Server quadlet files to install directory ansible.builtin.copy: src: "{{ item.path }}" - dest: "{{ trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}" + dest: "{{ __trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}" mode: "0644" remote_src: true force: true @@ -109,7 +109,7 @@ - name: Get the installed Trustee Server pod name ansible.builtin.find: - paths: "{{ trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" patterns: "*.pod" register: __trustee_attestation_server_pod_name diff --git a/tests/tests_default.yml b/tests/tests_default.yml index a383510..7593568 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -20,17 +20,17 @@ - name: Check trustee quadlet install directory exists ansible.builtin.stat: - path: "{{ trustee_attestation_server_quadlet_install_dir }}" + path: "{{ __trustee_attestation_server_quadlet_install_dir }}" register: quadlet_dir - name: Assert quadlet directory exists ansible.builtin.assert: that: quadlet_dir.stat.exists - fail_msg: "Quadlet install directory {{ trustee_attestation_server_quadlet_install_dir }} was not created" + fail_msg: "Quadlet install directory {{ __trustee_attestation_server_quadlet_install_dir }} was not created" - name: Find quadlet files in install directory ansible.builtin.find: - paths: "{{ trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" patterns: - "*.container" - "*.volume" 
@@ -42,7 +42,7 @@ - name: Assert quadlet files exist ansible.builtin.assert: that: quadlet_files.matched | int > 0 - fail_msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_install_dir }}" + fail_msg: "No quadlet files found in {{ __trustee_attestation_server_quadlet_install_dir }}" - name: Check trustee certificates and keys were generated ansible.builtin.stat: @@ -65,7 +65,7 @@ - name: Find trustee pod file ansible.builtin.find: - paths: "{{ trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" patterns: "*.pod" recurse: false register: trustee_pod_files diff --git a/vars/main.yml b/vars/main.yml index 2cdc9c7..6810fbb 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -12,6 +12,10 @@ __trustee_attestation_server_trustee_packages: __trustee_attestation_server_services: [] __trustee_attestation_server_secret_registration_packages: - python3 +__trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" +__trustee_attestation_server_quadlet_repo_path: "quadlet" +__trustee_attestation_server_quadlet_repo_branch: "main" +__trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd" __trustee_attestation_server_config_dir: "/etc/trustee" # ansible_facts required by the role __trustee_attestation_server_required_facts: From d351f37f03644de3b8b7803e3c89f4f33ace5eb7 Mon Sep 17 00:00:00 2001 From: Li Tian Date: Fri, 27 Mar 2026 22:05:15 +0800 Subject: [PATCH 5/5] refactor(trustee_server): rename the role to trustee_server The present name 'trustee_attestation_server' is too long. The keyword attestation is not obviously reflected in the role. 
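Review bot: `__trustee_attestation_server_quadlet_repo_url` now hard-codes a personal GitHub namespace (`litian1992/trustee-quadlet-rhel`) at the mutable `main` branch as the source of the systemd units the attestation server runs, and because the variables are private an operator can no longer point the role at a reviewed mirror or run it on a host without GitHub access. If the intent is to lock users to a designated quadlet set, the safer form is to vendor those files into the role's `files/` directory so no runtime network fetch is needed, or at least pin `__trustee_attestation_server_quadlet_repo_branch` to a release tag or full commit SHA under an organization-owned repository, so the role release rather than a branch head determines what gets installed.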
Signed-off-by: Li Tian --- .ansible-lint | 2 +- .github/workflows/tft.yml | 2 +- README.md | 14 ++--- contributing.md | 8 +-- defaults/main.yml | 6 +- examples/simple.yml | 6 +- handlers/main.yml | 2 +- plans/README-plans.md | 6 +- plans/test_playbooks_parallel.fmf | 2 +- tasks/main.yml | 6 +- tasks/secret_registration_server.yml | 14 ++--- tasks/set_vars.yml | 8 +-- tasks/trustee_quadlet.yml | 60 +++++++++---------- templates/foo.conf.j2 | 9 --- templates/secret_registration_server.py.j2 | 4 +- .../secret_registration_server.service.j2 | 2 +- .../defaults | 0 .../handlers | 0 .../meta | 0 .../tasks | 0 .../templates | 0 .../vars | 0 tests/setup-snapshot.yml | 4 +- tests/tests_default.yml | 30 +++++----- tests/tests_include_vars_from_parent.yml | 2 +- tests/tests_secret_registration_server.yml | 14 ++--- tests/vars/rh_distros_vars.yml | 10 ++-- vars/Fedora.yml | 2 +- vars/RedHat_10.yml | 2 +- vars/RedHat_7.yml | 2 +- vars/RedHat_8.yml | 2 +- vars/RedHat_9.yml | 2 +- vars/main.yml | 31 +++++----- 33 files changed, 121 insertions(+), 131 deletions(-) delete mode 100644 templates/foo.conf.j2 rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/defaults (100%) rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/handlers (100%) rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/meta (100%) rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/tasks (100%) rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/templates (100%) rename tests/roles/{linux-system-roles.trustee_attestation_server => linux-system-roles.trustee_server}/vars (100%) diff --git a/.ansible-lint b/.ansible-lint index c6f988e..27a3522 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -21,6 +21,6 @@ exclude_paths: - .markdownlint.yaml - examples/roles/ mock_roles: - - linux-system-roles.trustee_attestation_server + - linux-system-roles.trustee_server supported_ansible_also: - "2.14.0" diff --git a/.github/workflows/tft.yml b/.github/workflows/tft.yml index f919267..22b9b68 100644 --- a/.github/workflows/tft.yml +++ b/.github/workflows/tft.yml @@ -181,7 +181,7 @@ jobs: tf_scope: private api_key: ${{ secrets.TF_API_KEY_RH }} update_pull_request_status: false - tmt_plan_filter: "tag:playbooks_parallel,trustee_attestation_server" + tmt_plan_filter: "tag:playbooks_parallel,trustee_server" - name: Set final commit status uses: myrotvorets/set-commit-status-action@master diff --git a/README.md b/README.md index a578191..e3e08f4 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,8 @@ -# trustee_attestation_server +# trustee_server -[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml) +[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml) -![trustee_attestation_server](https://github.com/linux-system-roles/trustee_attestation_server/workflows/tox/badge.svg) +![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg) An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, AS, RVPS) for workloads running in Trusted Execution Environments (TEEs). @@ -28,11 +28,11 @@ ansible-galaxy collection install -r meta/collection-requirements.yml - name: Deploy Trustee Server hosts: all vars: - trustee_attestation_server_trustee: true - trustee_attestation_server_secret_registration_enabled: true - trustee_attestation_server_secret_registration_listen_port: 8081 + trustee_server_trustee: true + trustee_server_secret_registration_enabled: true + trustee_server_secret_registration_listen_port: 8081 roles: - - linux-system-roles.trustee_attestation_server + - linux-system-roles.trustee_server ``` More examples are in the [`examples/`](examples) directory. diff --git a/contributing.md b/contributing.md index 3c4d34d..e05d6a6 100644 --- a/contributing.md +++ b/contributing.md @@ -1,4 +1,4 @@ -# Contributing to the trustee_attestation_server Linux System Role +# Contributing to the trustee_server Linux System Role ## Where to start 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need: * How to create git commits and submit pull requests **Bugs and needed implementations** are listed on -[Github Issues](https://github.com/linux-system-roles/trustee_attestation_server/issues). +[Github Issues](https://github.com/linux-system-roles/trustee_server/issues). Issues labeled with -[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) +[**help wanted**](https://github.com/linux-system-roles/trustee_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) are likely to be suitable for new contributors! -**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_server), using +**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_server), using [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests). ## Running CI Tests Locally diff --git a/defaults/main.yml b/defaults/main.yml index 690ef46..b755ab5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,7 +3,7 @@ # Here is the right place to put the role's input variables. # This file also serves as a documentation for such a variables. -trustee_attestation_server_trustee: true +trustee_server_trustee: true # Secret registration server service configuration -trustee_attestation_server_secret_registration_enabled: false -trustee_attestation_server_secret_registration_listen_port: 8081 +trustee_server_secret_registration_enabled: false +trustee_server_secret_registration_listen_port: 8081 diff --git a/examples/simple.yml b/examples/simple.yml index caf7201..56c1100 100644 --- a/examples/simple.yml +++ b/examples/simple.yml 
@@ -3,7 +3,7 @@ - name: Deploy Trustee Server Components using Podman Quadlets from GitHub repository hosts: all vars: - trustee_attestation_server_trustee: true - trustee_attestation_server_secret_registration_enabled: false + trustee_server_trustee: true + trustee_server_secret_registration_enabled: false roles: - - linux-system-roles.trustee_attestation_server + - linux-system-roles.trustee_server diff --git a/handlers/main.yml b/handlers/main.yml index b694c78..41893e2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,5 +10,5 @@ name: "{{ item }}" enabled: true state: restarted - loop: "{{ __trustee_attestation_server_services | default([]) }}" + loop: "{{ __trustee_server_services | default([]) }}" listen: "restart trustee services" diff --git a/plans/README-plans.md b/plans/README-plans.md index d6d732a..58cd1b4 100644 --- a/plans/README-plans.md +++ b/plans/README-plans.md @@ -1,6 +1,6 @@ # Introduction CI Testing Plans -Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) GitHub workflow. +Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) GitHub workflow. The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes. `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`. 
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps: 2. Does the required preparation on systems. 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh). -The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access. +The [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access. This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm). ## Running Tests @@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm. $ TESTING_FARM_API_TOKEN= \ testing-farm request --pipeline-type="tmt-multihost" \ --plan-filter="tag:playbooks_parallel" \ - --git-url "https://github.com//trustee_attestation_server" \ + --git-url "https://github.com//trustee_server" \ --git-ref "" \ --compose CentOS-Stream-9 \ -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \ diff --git a/plans/test_playbooks_parallel.fmf b/plans/test_playbooks_parallel.fmf index 727299c..6f223d4 100644 --- a/plans/test_playbooks_parallel.fmf +++ b/plans/test_playbooks_parallel.fmf @@ -10,7 +10,7 @@ provision: environment: # ensure versions are strings! SR_ANSIBLE_VER: "2.17" - SR_REPO_NAME: trustee_attestation_server + SR_REPO_NAME: trustee_server SR_PYTHON_VERSION: "3.12" SR_ONLY_TESTS: "" # tests_default.yml SR_TEST_LOCAL_CHANGES: true diff --git a/tasks/main.yml b/tasks/main.yml index 38ebc4f..ad87fb1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -6,10 +6,10 @@ # Examples of some tasks: - name: Deploy Trustee Server Components using Podman Quadlets include_tasks: trustee_quadlet.yml - when: trustee_attestation_server_trustee | bool + when: trustee_server_trustee | bool - name: Deploy Secret Registration Server Service include_tasks: secret_registration_server.yml when: - - trustee_attestation_server_secret_registration_enabled | bool - - trustee_attestation_server_trustee | bool + - trustee_server_secret_registration_enabled | bool + - trustee_server_trustee | bool diff --git a/tasks/secret_registration_server.yml b/tasks/secret_registration_server.yml index 58fd02a..4465d0e 100644 --- a/tasks/secret_registration_server.yml +++ b/tasks/secret_registration_server.yml @@ -6,9 +6,9 @@ - name: Ensure secret registration server dependencies are installed ansible.builtin.package: - name: "{{ __trustee_attestation_server_secret_registration_packages }}" + name: "{{ __trustee_server_secret_registration_packages }}" state: present - use: "{{ (__trustee_attestation_server_is_ostree | d(false)) | + use: "{{ (__trustee_server_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - name: Deploy secret registration server script 
@@ -16,21 +16,21 @@ src: secret_registration_server.py.j2 dest: "/usr/local/bin/secret_registration_server.py" mode: "0755" - register: __trustee_attestation_server_secret_reg_script + register: __trustee_server_secret_reg_script - name: Deploy secret registration server systemd unit ansible.builtin.template: src: secret_registration_server.service.j2 dest: /etc/systemd/system/secret_registration_server.service mode: "0644" - register: __trustee_attestation_server_secret_reg_service + register: __trustee_server_secret_reg_service - name: Gather service facts for firewall check ansible.builtin.service_facts: - name: Allow secret registration server port in firewall ansible.posix.firewalld: - port: "{{ trustee_attestation_server_secret_registration_listen_port }}/tcp" + port: "{{ trustee_server_secret_registration_listen_port }}/tcp" permanent: true immediate: true state: enabled @@ -38,7 +38,7 @@ - name: Append secret registration server service to the list of services to restart set_fact: - __trustee_attestation_server_services: >- - {{ __trustee_attestation_server_services | default([]) + ['secret_registration_server'] }} + __trustee_server_services: >- + {{ __trustee_server_services | default([]) + ['secret_registration_server'] }} changed_when: true notify: "restart trustee services" diff --git a/tasks/set_vars.yml b/tasks/set_vars.yml index f9584b4..641c518 100644 --- a/tasks/set_vars.yml +++ b/tasks/set_vars.yml 
@@ -1,12 +1,12 @@ --- - name: Ensure ansible_facts used by role setup: - gather_subset: "{{ __trustee_attestation_server_required_facts_subsets }}" - when: __trustee_attestation_server_required_facts | + gather_subset: "{{ __trustee_server_required_facts_subsets }}" + when: __trustee_server_required_facts | difference(ansible_facts.keys() | list) | length > 0 - name: Determine if system is ostree and set flag - when: not __trustee_attestation_server_is_ostree is defined + when: not __trustee_server_is_ostree is defined block: - name: Check if system is ostree stat: @@ -15,7 +15,7 @@ - name: Set flag to indicate system is ostree set_fact: - __trustee_attestation_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" + __trustee_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" - name: Set platform/version specific variables include_vars: "{{ __vars_file }}" diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml index d75e3f2..f100507 100644 --- a/tasks/trustee_quadlet.yml +++ b/tasks/trustee_quadlet.yml 
@@ -2,34 +2,34 @@ --- - name: Ensure required packages are installed ansible.builtin.package: - name: "{{ __trustee_attestation_server_trustee_packages }}" + name: "{{ __trustee_server_trustee_packages }}" state: present - use: "{{ (__trustee_attestation_server_is_ostree | d(false)) | + use: "{{ (__trustee_server_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - name: Ensure quadlet install directory exists ansible.builtin.file: - path: "{{ __trustee_attestation_server_quadlet_install_dir }}" + path: "{{ __trustee_server_quadlet_install_dir }}" state: directory mode: "0755" - name: Create a temporary directory for the quadlet repository ansible.builtin.tempfile: state: directory - register: __trustee_attestation_server_quadlet_repo_dir + register: __trustee_server_quadlet_repo_dir - name: Download Trustee Server quadlet files from GitHub repository ansible.builtin.git: - repo: "{{ __trustee_attestation_server_quadlet_repo_url }}" - dest: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" - version: "{{ __trustee_attestation_server_quadlet_repo_branch }}" + repo: "{{ __trustee_server_quadlet_repo_url }}" + dest: "{{ __trustee_server_quadlet_repo_dir.path }}" + version: "{{ __trustee_server_quadlet_repo_branch }}" depth: 1 force: true register: quadlet_repo_download - name: Find Trustee Server quadlet files in repository ansible.builtin.find: - paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ __trustee_attestation_server_quadlet_repo_path }}" + paths: "{{ __trustee_server_quadlet_repo_dir.path }}/{{ __trustee_server_quadlet_repo_path }}" patterns: - "*.container" - "*.volume" 
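Review bot: The 'Download Trustee Server quadlet files from GitHub repository' task clones `__trustee_server_quadlet_repo_url` at `version: "{{ __trustee_server_quadlet_repo_branch }}"`, which the vars/main.yml hunk further down sets to the moving branch `main`, and the checked-out files are then copied into the system quadlet directory with nothing verifying what was fetched, so the units the host runs are whatever that branch holds at play time. Pinning `__trustee_server_quadlet_repo_branch` to a release tag or a full commit SHA, or promoting it to a documented role variable so a deployment can pin it, would make the install reproducible and auditable. A comment on the task would also help the next maintainer see the boundary, e.g. `# Everything fetched here is installed as quadlet units under __trustee_server_quadlet_install_dir; keep the ref pinned.`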
@@ -40,13 +40,13 @@ - name: Fail if no Trustee Server quadlet files found ansible.builtin.fail: - msg: "No quadlet files found in {{ __trustee_attestation_server_quadlet_repo_url }}/{{ __trustee_attestation_server_quadlet_repo_path }}" + msg: "No quadlet files found in {{ __trustee_server_quadlet_repo_url }}/{{ __trustee_server_quadlet_repo_path }}" when: quadlet_files_found.files | length == 0 - name: Copy Trustee Server quadlet files to install directory ansible.builtin.copy: src: "{{ item.path }}" - dest: "{{ __trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}" + dest: "{{ __trustee_server_quadlet_install_dir }}/{{ item.path | basename }}" mode: "0644" remote_src: true force: true @@ -55,13 +55,13 @@ - name: Stat repository configs directory ansible.builtin.stat: - path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs" + path: "{{ __trustee_server_quadlet_repo_dir.path }}/configs" register: __repo_configs_dir - name: Copy Trustee Server config files to config directory ansible.builtin.copy: - src: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs/" - dest: "{{ __trustee_attestation_server_config_dir }}/" + src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/" + dest: "{{ __trustee_server_config_dir }}/" mode: "0644" remote_src: true force: true 
@@ -70,28 +70,28 @@ - name: Generate certificates for all components ansible.builtin.shell: | # Trustee Server SSL - if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.crt ]; then - openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ __trustee_attestation_server_config_dir }}/kbs/server.key \ + if [ ! -f {{ __trustee_server_config_dir }}/kbs/server.key ] || [ ! -f {{ __trustee_server_config_dir }}/kbs/server.crt ]; then + openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ __trustee_server_config_dir }}/kbs/server.key \ -subj "/CN=$(hostname -f)/O=Red Hat" \ -addext "basicConstraints=CA:FALSE" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "extendedKeyUsage=serverAuth" \ -addext "subjectAltName=DNS:$(hostname -f)" \ - -out {{ __trustee_attestation_server_config_dir }}/kbs/server.crt + -out {{ __trustee_server_config_dir }}/kbs/server.crt fi # KBS authentication key pair - if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then - openssl genpkey -algorithm ed25519 -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.key - openssl pkey -in {{ __trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub + if [ ! -f {{ __trustee_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ __trustee_server_config_dir }}/kbs/auth.pub ]; then + openssl genpkey -algorithm ed25519 -out {{ __trustee_server_config_dir }}/kbs/auth.key + openssl pkey -in {{ __trustee_server_config_dir }}/kbs/auth.key -pubout -out {{ __trustee_server_config_dir }}/kbs/auth.pub fi # Attestation Service token signer key pair - if [ ! -f {{ __trustee_attestation_server_config_dir }}/as/token.key ] || [ ! 
-f {{ __trustee_attestation_server_config_dir }}/as/token.crt ]; then - openssl ecparam -name prime256v1 -genkey -noout -out {{ __trustee_attestation_server_config_dir }}/as/token.key - openssl req -new -x509 -key {{ __trustee_attestation_server_config_dir }}/as/token.key \ - -out {{ __trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \ + if [ ! -f {{ __trustee_server_config_dir }}/as/token.key ] || [ ! -f {{ __trustee_server_config_dir }}/as/token.crt ]; then + openssl ecparam -name prime256v1 -genkey -noout -out {{ __trustee_server_config_dir }}/as/token.key + openssl req -new -x509 -key {{ __trustee_server_config_dir }}/as/token.key \ + -out {{ __trustee_server_config_dir }}/as/token.crt -days 3550 \ -subj "/CN=as-token-signer/O=Red Hat" - mkdir -p {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs - cp {{ __trustee_attestation_server_config_dir }}/as/token.crt {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt + mkdir -p {{ __trustee_server_config_dir }}/kbs/trusted_certs + cp {{ __trustee_server_config_dir }}/as/token.crt {{ __trustee_server_config_dir }}/kbs/trusted_certs/token0.crt fi changed_when: true no_log: true 
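Review bot: The KBS TLS certificate is produced by `openssl req -x509 ... -out {{ __trustee_server_config_dir }}/kbs/server.crt` with no `-days` argument, so it receives openssl's default 30-day validity, and since the guard only regenerates when the file is absent the server certificate silently expires after a month and the role never renews it; the AS token signer in the same script passes `-days 3550`, so the omission looks accidental rather than intended. Adding a `-days` value (ideally taken from a role variable) to the server certificate invocation, or also regenerating when the existing certificate is expired, would fix that. Two smaller points in the same hunk: the private keys `server.key`, `auth.key` and `token.key` are written with the shell's default umask and no explicit mode, so a `umask 077` as the first line of the script, or a `chmod 0600` per key, would keep them from being group- or world-readable; and `no_log: true` combined with the absence of `set -e` means a failing openssl step leaves a half-populated config directory while the output that would explain it is suppressed, so `set -euo pipefail` at the top of the script would at least make the failure visible.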
@@ -109,22 +109,22 @@ - name: Get the installed Trustee Server pod name ansible.builtin.find: - paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_server_quadlet_install_dir }}" patterns: "*.pod" - register: __trustee_attestation_server_pod_name + register: __trustee_server_pod_name - name: Enable and start Trustee Server services ansible.builtin.systemd: - name: "{{ __trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod.service') }}" + name: "{{ __trustee_server_pod_name.files[0].path | basename | replace('.pod', '-pod.service') }}" enabled: true state: restarted daemon_reload: true - when: __trustee_attestation_server_pod_name.files | length > 0 + when: __trustee_server_pod_name.files | length > 0 failed_when: false # TODO keep the server.crt and DNS names in the role variables - name: Clean up temporary repository directory ansible.builtin.file: - path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" + path: "{{ __trustee_server_quadlet_repo_dir.path }}" state: absent diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2 deleted file mode 100644 index d5fe365..0000000 --- a/templates/foo.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# Example of a trustee_attestation_server of configuration file -# -{{ ansible_managed | comment }} -{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} -[foo] -foo = {{ trustee_attestation_server_foo }} -bar = {{ trustee_attestation_server_bar }} diff --git a/templates/secret_registration_server.py.j2 b/templates/secret_registration_server.py.j2 index a244f2c..26b1f74 100644 --- a/templates/secret_registration_server.py.j2 +++ b/templates/secret_registration_server.py.j2 
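Review bot: `failed_when: false` on the 'Enable and start Trustee Server services' task means a pod that fails to start (bad unit, image pull failure, port conflict) is reported as success and the play moves on to delete the temporary repository, leaving no attestation server and no failing task pointing at the cause. Dropping `failed_when: false`, or following the task with a check that the `-pod.service` unit is active (for example `ansible.builtin.service_facts` plus an assert), would surface the failure instead of hiding it. The `# TODO keep the server.crt and DNS names in the role variables` comment sits between the service start and the cleanup task it has nothing to do with; moving it onto the certificate-generation task it refers to would make the intent clearer.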
@@ -2,7 +2,7 @@ # shebang template to avoid sanity test error # SPDX-License-Identifier: MIT {{ ansible_managed | comment }} -{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} +{{ "system_role:trustee_server" | comment(prefix="", postfix="") }} """ Secret Registration Server - receives attestation-backed registration requests, @@ -28,7 +28,7 @@ LOG = logging.getLogger(__name__) # Configuration from environment or defaults LISTEN_ADDRESS = "0.0.0.0" -LISTEN_PORT = {{ trustee_attestation_server_secret_registration_listen_port }} +LISTEN_PORT = {{ trustee_server_secret_registration_listen_port }} KBS_AUTH_KEY = "/etc/trustee/kbs/auth.key" POLICY_FILE = "/etc/trustee/kbs/policy.rego" SSL_CERT = "/etc/trustee/kbs/server.crt" diff --git a/templates/secret_registration_server.service.j2 b/templates/secret_registration_server.service.j2 index 913a5b8..07b726c 100644 --- a/templates/secret_registration_server.service.j2 +++ b/templates/secret_registration_server.service.j2 @@ -1,6 +1,6 @@ # SPDX-License-Identifier: MIT {{ ansible_managed | comment }} -{{ "system_role:trustee_attestation_server" | comment(prefix="", postfix="") }} +{{ "system_role:trustee_server" | comment(prefix="", postfix="") }} [Unit] Description=Secret Registration Server - attestation-backed disk key registration diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/defaults b/tests/roles/linux-system-roles.trustee_server/defaults similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/defaults rename to tests/roles/linux-system-roles.trustee_server/defaults diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/handlers b/tests/roles/linux-system-roles.trustee_server/handlers similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/handlers rename to tests/roles/linux-system-roles.trustee_server/handlers 
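Review bot: In the second hunk of templates/secret_registration_server.py.j2, `LISTEN_PORT = {{ trustee_server_secret_registration_listen_port }}` is rendered unquoted into Python source, so any non-integer value of that role variable becomes arbitrary text in the generated script rather than a port number; rendering it as `LISTEN_PORT = {{ trustee_server_secret_registration_listen_port | int }}` guarantees an integer literal. The same variable is interpolated into a firewalld port specification in tasks/secret_registration_server.yml, where the `| int` filter would give the same protection.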
diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/meta b/tests/roles/linux-system-roles.trustee_server/meta similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/meta rename to tests/roles/linux-system-roles.trustee_server/meta diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/tasks b/tests/roles/linux-system-roles.trustee_server/tasks similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/tasks rename to tests/roles/linux-system-roles.trustee_server/tasks diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/templates b/tests/roles/linux-system-roles.trustee_server/templates similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/templates rename to tests/roles/linux-system-roles.trustee_server/templates diff --git a/tests/roles/linux-system-roles.trustee_attestation_server/vars b/tests/roles/linux-system-roles.trustee_server/vars similarity index 100% rename from tests/roles/linux-system-roles.trustee_attestation_server/vars rename to tests/roles/linux-system-roles.trustee_server/vars diff --git a/tests/setup-snapshot.yml b/tests/setup-snapshot.yml index d46b018..a30e2c1 100644 --- a/tests/setup-snapshot.yml +++ b/tests/setup-snapshot.yml @@ -4,11 +4,11 @@ tasks: - name: Set platform/version specific variables include_role: - name: linux-system-roles.trustee_attestation_server + name: linux-system-roles.trustee_server tasks_from: set_vars.yml public: true - name: Install test packages package: - name: "{{ __trustee_attestation_server_trustee_packages }}" + name: "{{ __trustee_server_trustee_packages }}" state: present diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 7593568..73adb66 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml 
@@ -4,9 +4,9 @@ hosts: all gather_facts: true tasks: - - name: Include trustee_attestation_server role + - name: Include trustee_server role ansible.builtin.include_role: - name: linux-system-roles.trustee_attestation_server + name: linux-system-roles.trustee_server public: true - name: Gather package facts @@ -16,21 +16,21 @@ ansible.builtin.assert: that: item in ansible_facts.packages fail_msg: "Required package {{ item }} is not installed" - loop: "{{ __trustee_attestation_server_trustee_packages }}" + loop: "{{ __trustee_server_trustee_packages }}" - name: Check trustee quadlet install directory exists ansible.builtin.stat: - path: "{{ __trustee_attestation_server_quadlet_install_dir }}" + path: "{{ __trustee_server_quadlet_install_dir }}" register: quadlet_dir - name: Assert quadlet directory exists ansible.builtin.assert: that: quadlet_dir.stat.exists - fail_msg: "Quadlet install directory {{ __trustee_attestation_server_quadlet_install_dir }} was not created" + fail_msg: "Quadlet install directory {{ __trustee_server_quadlet_install_dir }} was not created" - name: Find quadlet files in install directory ansible.builtin.find: - paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_server_quadlet_install_dir }}" patterns: - "*.container" - "*.volume" 
@@ -42,20 +42,20 @@ - name: Assert quadlet files exist ansible.builtin.assert: that: quadlet_files.matched | int > 0 - fail_msg: "No quadlet files found in {{ __trustee_attestation_server_quadlet_install_dir }}" + fail_msg: "No quadlet files found in {{ __trustee_server_quadlet_install_dir }}" - name: Check trustee certificates and keys were generated ansible.builtin.stat: path: "{{ item }}" register: trustee_certs loop: - - "{{ __trustee_attestation_server_config_dir }}/kbs/server.key" - - "{{ __trustee_attestation_server_config_dir }}/kbs/server.crt" - - "{{ __trustee_attestation_server_config_dir }}/kbs/auth.key" - - "{{ __trustee_attestation_server_config_dir }}/kbs/auth.pub" - - "{{ __trustee_attestation_server_config_dir }}/as/token.key" - - "{{ __trustee_attestation_server_config_dir }}/as/token.crt" - - "{{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt" + - "{{ __trustee_server_config_dir }}/kbs/server.key" + - "{{ __trustee_server_config_dir }}/kbs/server.crt" + - "{{ __trustee_server_config_dir }}/kbs/auth.key" + - "{{ __trustee_server_config_dir }}/kbs/auth.pub" + - "{{ __trustee_server_config_dir }}/as/token.key" + - "{{ __trustee_server_config_dir }}/as/token.crt" + - "{{ __trustee_server_config_dir }}/kbs/trusted_certs/token0.crt" - name: Assert trustee certificates and keys exist ansible.builtin.assert: @@ -65,7 +65,7 @@ - name: Find trustee pod file ansible.builtin.find: - paths: "{{ __trustee_attestation_server_quadlet_install_dir }}" + paths: "{{ __trustee_server_quadlet_install_dir }}" patterns: "*.pod" recurse: false register: trustee_pod_files diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml index d1986f9..f91ef14 100644 --- a/tests/tests_include_vars_from_parent.yml +++ b/tests/tests_include_vars_from_parent.yml 
@@ -44,7 +44,7 @@ import_role: name: caller vars: - roletoinclude: linux-system-roles.trustee_attestation_server + roletoinclude: linux-system-roles.trustee_server - name: Cleanup file: diff --git a/tests/tests_secret_registration_server.yml b/tests/tests_secret_registration_server.yml index 286f9df..1deb2ac 100644 --- a/tests/tests_secret_registration_server.yml +++ b/tests/tests_secret_registration_server.yml @@ -4,12 +4,12 @@ hosts: all gather_facts: true vars: - trustee_attestation_server_trustee: true - trustee_attestation_server_secret_registration_enabled: true + trustee_server_trustee: true + trustee_server_secret_registration_enabled: true tasks: - - name: Include trustee_attestation_server role + - name: Include trustee_server role ansible.builtin.include_role: - name: linux-system-roles.trustee_attestation_server + name: linux-system-roles.trustee_server public: true - name: Gather package facts @@ -20,16 +20,16 @@ ansible.builtin.assert: that: item in ansible_facts.packages fail_msg: "Required package {{ item }} is not installed" - loop: "{{ __trustee_attestation_server_trustee_packages + __trustee_attestation_server_secret_registration_packages }}" + loop: "{{ __trustee_server_trustee_packages + __trustee_server_secret_registration_packages }}" - name: Check secret registration server script exists ansible.builtin.stat: path: /usr/local/bin/secret_registration_server.py - register: __trustee_attestation_server_secret_reg_script + register: __trustee_server_secret_reg_script - name: Assert secret registration server script was deployed ansible.builtin.assert: - that: __trustee_attestation_server_secret_reg_script.stat.exists + that: __trustee_server_secret_reg_script.stat.exists fail_msg: "Secret registration server script was not deployed" - name: Check secret registration server service is running diff --git a/tests/vars/rh_distros_vars.yml b/tests/vars/rh_distros_vars.yml index 075986f..d9da062 100644 --- a/tests/vars/rh_distros_vars.yml 
+++ b/tests/vars/rh_distros_vars.yml @@ -1,20 +1,20 @@ # vars for handling conditionals for RedHat and clones # DO NOT EDIT - file is auto-generated # repo is https://github.com/linux-system-roles/.github -# file is playbooks/trustee_attestation_servers/tests/vars/rh_distros_vars.yml +# file is playbooks/trustee_server/tests/vars/rh_distros_vars.yml --- # Ansible distribution identifiers that the role treats like RHEL -__trustee_attestation_server_rh_distros: +__trustee_server_rh_distros: - AlmaLinux - CentOS - RedHat - Rocky # Same as above but includes Fedora -__trustee_attestation_server_rh_distros_fedora: "{{ __trustee_attestation_server_rh_distros + ['Fedora'] }}" +__trustee_server_rh_distros_fedora: "{{ __trustee_server_rh_distros + ['Fedora'] }}" # Use this in conditionals to check if distro is Red Hat or clone -__trustee_attestation_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros }}" +__trustee_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros }}" # Use this in conditionals to check if distro is Red Hat or clone, or Fedora -__trustee_attestation_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros_fedora }}" +__trustee_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros_fedora }}" diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 2a1b36a..c483078 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Fedora specific values. -__trustee_attestation_server_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml index 71f6a3c..72ba4f9 100644 --- a/vars/RedHat_10.yml +++ b/vars/RedHat_10.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 10 specific values. -__trustee_attestation_server_services: [] +__trustee_server_services: [] 
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 5850a3d..f14c4dc 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 7 specific values. -__trustee_attestation_server_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index f113976..cb1472c 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 8 specific values. -__trustee_attestation_server_services: [] +__trustee_server_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index 95d1164..c105b57 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -2,4 +2,4 @@ --- # Put internal variables here with Red Hat Enterprise Linux 9 specific values. -__trustee_attestation_server_services: [] +__trustee_server_services: [] diff --git a/vars/main.yml b/vars/main.yml index 6810fbb..3a35f06 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -5,20 +5,19 @@
 # value in a platform/version specific file in vars/
 # Examples of non-distribution specific (generic) internal variables:
-__trustee_attestation_server_foo_config: foo.conf
-__trustee_attestation_server_trustee_packages:
+__trustee_server_trustee_packages:
   - podman
   - git
-__trustee_attestation_server_services: []
-__trustee_attestation_server_secret_registration_packages:
+__trustee_server_services: []
+__trustee_server_secret_registration_packages:
   - python3
-__trustee_attestation_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
-__trustee_attestation_server_quadlet_repo_path: "quadlet"
-__trustee_attestation_server_quadlet_repo_branch: "main"
-__trustee_attestation_server_quadlet_install_dir: "/etc/containers/systemd"
-__trustee_attestation_server_config_dir: "/etc/trustee"
+__trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
+__trustee_server_quadlet_repo_path: "quadlet"
+__trustee_server_quadlet_repo_branch: "main"
+__trustee_server_quadlet_install_dir: "/etc/containers/systemd"
+__trustee_server_config_dir: "/etc/trustee"
 # ansible_facts required by the role
-__trustee_attestation_server_required_facts:
+__trustee_server_required_facts:
   - distribution
   - distribution_major_version
   - distribution_version
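Review bot: `__trustee_server_quadlet_repo_url` combined with `__trustee_server_quadlet_repo_branch: "main"` pins the quadlet source to a mutable branch of a personal GitHub fork, so the content the role fetches is as trustworthy as that one account and can change between runs without any change to the role. The variable names suggest the clone is installed into `__trustee_server_quadlet_install_dir` (`/etc/containers/systemd`), where systemd will start whatever containers the units declare; tasks/trustee_quadlet.yml is not in this chunk, so that is inferred. Pin to an immutable ref (a release tag or full commit SHA) and prefer a repository under the project organization, e.g. `__trustee_server_quadlet_repo_branch: "<pinned tag or commit>"`. Because these live in vars/ (high precedence), a consumer cannot redirect the role to a vetted internal mirror from inventory; if defaults/main.yml does not already expose these, consider moving the overridable part there and documenting it in README.md.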
@@ -26,23 +25,23 @@ __trustee_attestation_server_required_facts:
 # the subsets of ansible_facts that need to be gathered in case any of the
 # facts in required_facts is missing; see the documentation of
 # the 'gather_subset' parameter of the 'setup' module
-__trustee_attestation_server_required_facts_subsets: "{{ ['!all', '!min'] +
-  __trustee_attestation_server_required_facts }}"
+__trustee_server_required_facts_subsets: "{{ ['!all', '!min'] +
+  __trustee_server_required_facts }}"
 # BEGIN - DO NOT EDIT THIS BLOCK - rh distros variables
 # Ansible distribution identifiers that the role treats like RHEL
-__trustee_attestation_server_rh_distros:
+__trustee_server_rh_distros:
   - AlmaLinux
   - CentOS
   - RedHat
   - Rocky
 # Same as above but includes Fedora
-__trustee_attestation_server_rh_distros_fedora: "{{ __trustee_attestation_server_rh_distros + ['Fedora'] }}"
+__trustee_server_rh_distros_fedora: "{{ __trustee_server_rh_distros + ['Fedora'] }}"
 # Use this in conditionals to check if distro is Red Hat or clone
-__trustee_attestation_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros }}"
+__trustee_server_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros }}"
 # Use this in conditionals to check if distro is Red Hat or clone, or Fedora
-__trustee_attestation_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_attestation_server_rh_distros_fedora }}"
+__trustee_server_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_server_rh_distros_fedora }}"
 # END - DO NOT EDIT THIS BLOCK - rh distros variables
