feat: Add Trustee quadlet and secret registration server

.ansible-lint

@@ -21,6 +21,6 @@ exclude_paths:
   - .markdownlint.yaml
   - examples/roles/
 mock_roles:
-  - linux-system-roles.trustee_attestation_server
+  - linux-system-roles.trustee_server
 supported_ansible_also:
   - "2.14.0"

.github/workflows/tft.yml

@@ -181,7 +181,7 @@ jobs:
           tf_scope: private
           api_key: ${{ secrets.TF_API_KEY_RH }}
           update_pull_request_status: false
-          tmt_plan_filter: "tag:playbooks_parallel,trustee_attestation_server"
+          tmt_plan_filter: "tag:playbooks_parallel,trustee_server"
 
       - name: Set final commit status
         uses: myrotvorets/set-commit-status-action@master

README.md

@@ -1,105 +1,69 @@
-# Role Name
+# trustee_server
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_server/actions/workflows/woke.yml)
 
-![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg)
+![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg)
 
-A template for an ansible role that configures some GNU/Linux subsystem or
-service. A brief description of the role goes here.
+An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, AS, RVPS) for workloads running in Trusted Execution Environments (TEEs).
 
-## Requirements
+## Features
+
+- **Trustee Server (Quadlet)**: Deploys Trustee Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS) using Podman Quadlets from a GitHub repository
+- **Secret Registration Server**: HTTPS service that receives attestation-backed registration requests, verifies attestation, creates disk encryption keys, and stores them in Trustee KBS
 
-Any prerequisites that may not be covered by Ansible itself or the role should
-be mentioned here.  This includes platform dependencies not managed by the
-role, hardware requirements, external collections, etc.  There should be a
-distinction between *control node* requirements (like collections) and
-*managed node* requirements (like special hardware, platform provisioning).
+## Requirements
 
-### Collection requirements
+### Control node
 
-For instance, if the role depends on some collections and has a
-`meta/collection-requirements.yml` file for installing those dependencies, and
-in order to manage `rpm-ostree` systems, it should be mentioned here that the
- user should run
+- Ansible 2.9 or later
+- Install collection dependencies:
 
 ```bash
-ansible-galaxy collection install -vv -r meta/collection-requirements.yml
+ansible-galaxy collection install -r meta/collection-requirements.yml
 ```
 
-on the *control node* before using the role.
-
-## Role Variables
-
-A description of all input variables (i.e. variables that are defined in
-`defaults/main.yml`) for the role should go here as these form an API of the
-role.  Each variable should have its own section e.g.
-
-### template_foo
-
-This variable is required.  It is a string that lists the foo of the role.
-There is no default value.
-
-### template_bar
-
-This variable is optional.  It is a boolean that tells the role to disable bar.
-The default value is `true`.
-
-Variables that are not intended as input, like variables defined in
-`vars/main.yml`, variables that are read from other roles and/or the global
-scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
-mind that as these are probably not part of the role API they may change during
-the lifetime.
-
-Example of setting the variables:
+## Example Playbook
 
 ```yaml
-template_foo: "oof"
-template_bar: false
+- name: Deploy Trustee Server
+  hosts: all
+  vars:
+    trustee_server_trustee: true
+    trustee_server_secret_registration_enabled: true
+    trustee_server_secret_registration_listen_port: 8081
+  roles:
+    - linux-system-roles.trustee_server
 ```
 
-## Variables Exported by the Role
+More examples are in the [`examples/`](examples) directory.
 
-This section is optional.  Some roles may export variables for playbooks to
-use later.  These are analogous to "return values" in Ansible modules.  For
-example, if a role performs some action that will require a system reboot, but
-the user wants to defer the reboot, the role might set a variable like
-`template_reboot_needed: true` that the playbook can use to reboot at a more
-convenient time.
+## Trustee Server
 
-Example:
+When enabled, the role:
 
-### template_reboot_needed
-
-Default `false` - if `true`, this means a reboot is needed to apply the changes
-made by the role
-
-## Example Playbook
+1. Downloads the Podman Quadlets from designated repo
+2. Generates all required certificates of Trustee server components
+3. Add KBS port 8080 to firewalld
+4. Enables the services by default
 
-Including an example of how to use your role (for instance, with variables
-passed in as parameters) is always nice for users too:
+Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment.
 
-```yaml
-- name: Manage the template subsystem
-  hosts: all
-  vars:
-    template_foo: "foo foo!"
-    template_bar: false
-  roles:
-    - linux-system-roles.template
-```
+## Secret Registration Server
 
-More examples can be provided in the [`examples/`](examples) directory. These
-can be useful, especially for documentation.
+When enabled, the secret registration server:
 
-## rpm-ostree
+1. Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (machine-id)
+2. Verifies the attestation token (Azure TPM-based)
+3. Creates a disk encryption key and stores it in Trustee KBS
+4. Appends resource policy to `/etc/trustee/kbs/policy.rego`
 
-See README-ostree.md
+Clients can then fetch the key from Trustee CDH using attestation.
 
 ## License
 
-Whenever possible, please prefer MIT.
+MIT
 
-## Author Information
+## Author
 
 An optional section for the role authors to include contact information, or a
 website (HTML is not allowed).

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the trustee_attestation_server Linux System Role
+# Contributing to the trustee_server Linux System Role
 
 ## Where to start
 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/trustee_attestation_server/issues).
+[Github Issues](https://github.com/linux-system-roles/trustee_server/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/trustee_server/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_server), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_server), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
 
 ## Running CI Tests Locally

defaults/main.yml

@@ -3,6 +3,7 @@
 # Here is the right place to put the role's input variables.
 # This file also serves as a documentation for such a variables.
 
-# Examples of role input variables:
-template_foo: foo
-template_bar: true
+trustee_server_trustee: true
+# Secret registration server service configuration
+trustee_server_secret_registration_enabled: false
+trustee_server_secret_registration_listen_port: 8081

examples/simple.yml

@@ -1,9 +1,9 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Example template role invocation
+- name: Deploy Trustee Server Components using Podman Quadlets from GitHub repository
   hosts: all
   vars:
-    template_foo: example variable value
-    template_bar: false
+    trustee_server_trustee: true
+    trustee_server_secret_registration_enabled: false
   roles:
-    - linux-system-roles.template
+    - linux-system-roles.trustee_server

handlers/main.yml

@@ -1,7 +1,14 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Handler for template to restart services
-  service:
+- name: Reload systemd daemon for trustee
+  ansible.builtin.systemd:
+    daemon_reload: true
+  listen: "restart trustee services"
+
+- name: Enable and restart trustee services
+  ansible.builtin.systemd:
     name: "{{ item }}"
+    enabled: true
     state: restarted
-  loop: "{{ __template_services }}"
+  loop: "{{ __trustee_server_services | default([]) }}"
+  listen: "restart trustee services"

meta/main.yml

@@ -1,9 +1,9 @@
 # SPDX-License-Identifier: MIT
 ---
 galaxy_info:
-  author: John Doe <jdoe@corp.com>
-  description: Basic template for Linux system roles
-  company: John Doe, Inc.
+  author: Li Tian <litian@redhat.com>
+  description: Deploy Trustee Server Components using Podman Quadlets from GitHub repository
+  company: Red Hat, Inc.
   license: MIT
   min_ansible_version: "2.9"
   platforms:
@@ -14,13 +14,15 @@ galaxy_info:
       versions:
         - "9"
   galaxy_tags:
+    - trustee
+    - attestation
     - el9
     - el10
     - fedora
     # Support running this role in system container environments, and enable
     # tests. Remove if not applicable.
-    - container
+    # - container
     # Support running this role during container builds (mostly useful for
     # bootc), and enable tests. Remove if not applicable.
-    - containerbuild
+    # - containerbuild
 dependencies: []

plans/README-plans.md

@@ -1,6 +1,6 @@
 # Introduction CI Testing Plans
 
-Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) GitHub workflow.
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) GitHub workflow.
 
 The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
 `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`.
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps:
 2. Does the required preparation on systems.
 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
 
-The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+The [tft.yml](https://github.com/linux-system-roles/trustee_server/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
 This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
 
 ## Running Tests
@@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm.
     $ TESTING_FARM_API_TOKEN=<your_api_token> \
         testing-farm request --pipeline-type="tmt-multihost" \
         --plan-filter="tag:playbooks_parallel" \
-        --git-url "https://github.com/<my_user>/trustee_attestation_server" \
+        --git-url "https://github.com/<my_user>/trustee_server" \
         --git-ref "<my_branch>" \
         --compose CentOS-Stream-9 \
         -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \

plans/test_playbooks_parallel.fmf

@@ -10,7 +10,7 @@ provision:
 environment:
   # ensure versions are strings!
   SR_ANSIBLE_VER: "2.17"
-  SR_REPO_NAME: trustee_attestation_server
+  SR_REPO_NAME: trustee_server
   SR_PYTHON_VERSION: "3.12"
   SR_ONLY_TESTS: ""  # tests_default.yml
   SR_TEST_LOCAL_CHANGES: true

tasks/main.yml

@@ -4,24 +4,12 @@
   include_tasks: tasks/set_vars.yml
 
 # Examples of some tasks:
-- name: Ensure required packages are installed
-  package:
-    name: "{{ __template_packages }}"
-    state: present
-    use: "{{ (__template_is_ostree | d(false)) |
-             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+- name: Deploy Trustee Server Components using Podman Quadlets
+  include_tasks: trustee_quadlet.yml
+  when: trustee_server_trustee | bool
 
-- name: Ensure required services are enabled and started
-  service:
-    name: "{{ item }}"
-    state: started
-    enabled: true
-  loop: "{{ __template_services }}"
-
-- name: Generate /etc/{{ __template_foo_config }}
-  template:
-    src: "{{ __template_foo_config }}.j2"
-    dest: /etc/{{ __template_foo_config }}
-    backup: true
-    mode: "0400"
-  notify: Handler for template to restart services
+- name: Deploy Secret Registration Server Service
+  include_tasks: secret_registration_server.yml
+  when:
+    - trustee_server_secret_registration_enabled | bool
+    - trustee_server_trustee | bool

tasks/secret_registration_server.yml

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: MIT
+---
+# Secret registration server: receives client requests with Trustee attestation,
+# and client ID (machine-id), creates disk encryption keys and stores them in KBS.
+# Requires Trustee (trustee_quadlet) to be deployed.
+
+- name: Ensure secret registration server dependencies are installed
+  ansible.builtin.package:
+    name: "{{ __trustee_server_secret_registration_packages }}"
+    state: present
+    use: "{{ (__trustee_server_is_ostree | d(false)) |
+          ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+
+- name: Deploy secret registration server script
+  ansible.builtin.template:
+    src: secret_registration_server.py.j2
+    dest: "/usr/local/bin/secret_registration_server.py"
+    mode: "0755"
+  register: __trustee_server_secret_reg_script
+
+- name: Deploy secret registration server systemd unit
+  ansible.builtin.template:
+    src: secret_registration_server.service.j2
+    dest: /etc/systemd/system/secret_registration_server.service
+    mode: "0644"
+  register: __trustee_server_secret_reg_service
+
+- name: Gather service facts for firewall check
+  ansible.builtin.service_facts:
+
+- name: Allow secret registration server port in firewall
+  ansible.posix.firewalld:
+    port: "{{ trustee_server_secret_registration_listen_port }}/tcp"
+    permanent: true
+    immediate: true
+    state: enabled
+  when: (ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'
+
+- name: Append secret registration server service to the list of services to restart
+  set_fact:
+    __trustee_server_services: >-
+      {{ __trustee_server_services | default([]) + ['secret_registration_server'] }}
+  changed_when: true
+  notify: "restart trustee services"

tasks/set_vars.yml

@@ -1,12 +1,12 @@
 ---
 - name: Ensure ansible_facts used by role
   setup:
-    gather_subset: "{{ __template_required_facts_subsets }}"
-  when: __template_required_facts |
+    gather_subset: "{{ __trustee_server_required_facts_subsets }}"
+  when: __trustee_server_required_facts |
     difference(ansible_facts.keys() | list) | length > 0
 
 - name: Determine if system is ostree and set flag
-  when: not __template_is_ostree is defined
+  when: not __trustee_server_is_ostree is defined
   block:
     - name: Check if system is ostree
       stat:
@@ -15,7 +15,7 @@
 
     - name: Set flag to indicate system is ostree
       set_fact:
-        __template_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
+        __trustee_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 
 - name: Set platform/version specific variables
   include_vars: "{{ __vars_file }}"