feat: change name to trustee_client, add systemd-cryptenroll and allow kbs_cert by file path

[litian1992]

Enhancement:

1. Refactor role name to trustee_client. Because trustee_attestation_client is too long and attestation is not a key factor in this role.
2. Besides kbs_cert_content, also allow users to pass in the cert by path using kbs_cert.
3. Add systemd-cryptenroll capability to encrypt_disk task when Secret Registration Client is not enabled.
4. Refactor the quadlet repo and the installation path to private to reduce variants.

Reason:

Result:

Issue Tracker Tickets (Jira or BZ if any):

Summary by Sourcery

Rename the role and its variables from trustee_attestation_client to trustee_client, expand disk encryption support to use systemd-cryptenroll when the Secret Registration Client is disabled, and allow KBS certificates to be provided either as inline content or via a file path, updating tests and documentation accordingly.

New Features:

• Support providing the KBS certificate via a file path in addition to inline certificate content.
• Add TPM2-backed disk encryption flow using systemd-cryptenroll and /etc/crypttab when the Secret Registration Client is disabled.

Enhancements:

• Rename the Ansible role and all associated variables, tests, and documentation from trustee_attestation_client to trustee_client.
• Clarify and extend README and example playbooks to document the new role name and KBS certificate options.

Tests:

• Update existing tests to use the new trustee_client naming and encrypted_disk mapper name, and add coverage for the systemd-cryptenroll disk encryption path and KBS certificate-from-path behavior.

[sourcery-ai]

Reviewer's Guide

Refactors the Ansible role from trustee_attestation_client to trustee_client across code, docs, CI, and tests, while adding TPM2-backed systemd-cryptenroll disk encryption support when the secret registration client is disabled and introducing support for providing the KBS certificate via either inline content or a file path, with corresponding tests and documentation updates.

Sequence diagram for updated disk encryption flow with Secret Registration Client and systemd_cryptenroll

sequenceDiagram
  actor Admin
  participant AnsibleController
  participant trustee_client_role
  participant SecretRegistrationClient
  participant systemd_cryptenroll
  participant TPM2
  participant Cryptsetup
  participant OS

  Admin->>AnsibleController: Run playbook with trustee_client_encrypt_disk=true
  AnsibleController->>trustee_client_role: Execute tasks/main.yml
  trustee_client_role->>trustee_client_role: include_tasks encrypt_disk.yml

  trustee_client_role->>trustee_client_role: Detect first unpartitioned disk

  alt trustee_client_secret_registration_enabled=true
    trustee_client_role->>SecretRegistrationClient: secret_registration_client.sh --fetch-key-to tempfile
    SecretRegistrationClient-->>trustee_client_role: LUKS key written to tempfile
  else trustee_client_secret_registration_enabled=false
    trustee_client_role->>OS: type systemd-cryptenroll
    OS-->>trustee_client_role: rc=0 if available
    alt systemd-cryptenroll available
      trustee_client_role->>OS: head -c 32 /dev/urandom | base64 > tempfile
      OS-->>trustee_client_role: Random key stored in tempfile
    end
  end

  trustee_client_role->>Cryptsetup: luksFormat --key-file tempfile disk_partition
  Cryptsetup-->>trustee_client_role: LUKS container created
  trustee_client_role->>Cryptsetup: open --key-file tempfile disk_partition encrypted_disk
  Cryptsetup-->>trustee_client_role: /dev/mapper/encrypted_disk
  trustee_client_role->>OS: mkfs.ext4 /dev/mapper/encrypted_disk
  trustee_client_role->>OS: mkdir -p trustee_client_encrypt_disk_mount_point
  trustee_client_role->>OS: mount /dev/mapper/encrypted_disk trustee_client_encrypt_disk_mount_point

  alt trustee_client_secret_registration_enabled=false and systemd_cryptenroll available
    trustee_client_role->>systemd_cryptenroll: Enroll TPM2 slot with unlock-key-file=tempfile
    systemd_cryptenroll->>TPM2: Bind key to PCR7
    TPM2-->>systemd_cryptenroll: TPM2 policy created
    trustee_client_role->>systemd_cryptenroll: Wipe password slot
    systemd_cryptenroll-->>trustee_client_role: LUKS updated

    trustee_client_role->>OS: lsblk -dno UUID disk_partition
    OS-->>trustee_client_role: UUID
    trustee_client_role->>OS: Update /etc/crypttab with encrypted_disk UUID and tpm2-device=auto
    trustee_client_role->>OS: Configure /etc/fstab and mount with x-systemd.requires=systemd-cryptsetup@encrypted_disk.service
  end

  trustee_client_role->>OS: Remove tempfile
  OS-->>trustee_client_role: Key file deleted
  trustee_client_role-->>AnsibleController: Disk encrypted and configured
  AnsibleController-->>Admin: Playbook run complete

Loading

Flow diagram for updated task inclusion and disk encryption conditions in main role

flowchart TD
  A_start["Start: tasks/main.yml"] --> B_quadlet["Include trustee_quadlet.yml\nwhen trustee_client_trustee_gc is true"]
  B_quadlet --> C_secretReg["Include secret_registration_client.yml\nwhen trustee_client_secret_registration_enabled is true\nAND trustee_client_trustee_gc is true"]
  C_secretReg --> D_encrypt["Include encrypt_disk.yml\nwhen trustee_client_encrypt_disk is true"]
  B_quadlet --> D_encrypt
  D_encrypt --> E_branch["Inside encrypt_disk.yml:\nIs there an unpartitioned disk?"]

  E_branch -->|No| Z_end["End: no encryption performed"]
  E_branch -->|Yes| F_checkSecretReg["Check trustee_client_secret_registration_enabled"]

  F_checkSecretReg -->|true| G_useSecretReg["Use Secret Registration Client\nfetch key to tempfile"]
  F_checkSecretReg -->|false| H_checkCryptenroll["Check for systemd-cryptenroll command"]

  H_checkCryptenroll -->|Available| I_useTPM2["Generate random key to tempfile\nEncrypt disk and bind key via systemd-cryptenroll\nConfigure crypttab and fstab for auto-unlock"]
  H_checkCryptenroll -->|Not available| J_encryptOnly["Encrypt and mount using key file\n(no TPM2 auto-unlock path)"]

  G_useSecretReg --> K_encryptMount["Encrypt LUKS partition with fetched key\nand mount encrypted_disk"]
  I_useTPM2 --> K_encryptMount
  J_encryptOnly --> K_encryptMount

  K_encryptMount --> L_cleanup["Remove key tempfile"]
  L_cleanup --> Z_end

Loading

File-Level Changes

Change	Details	Files
Rename the Ansible role and all variables from trustee_attestation_client to trustee_client and align documentation, examples, vars, handlers, and CI/test wiring.	Update role name usages in playbooks, tests, examples, and include_role/roles references to linux-system-roles.trustee_client. Rename all public/default variables (e.g. trustee_attestation_client_* -> trustee_client_) and internal vars (_trustee_attestation_client -> _trustee_client*). Adjust handlers and platform-specific vars to use the new __trustee_client_services and related internal variables. Update README, contributing guide, plans README, and workflow/test-plan links and badges to point to the trustee_client repo and name. Revise comments and template metadata strings to reference system_role:trustee_client.	tasks/main.yml defaults/main.yml vars/main.yml vars/Fedora.yml vars/RedHat_7.yml vars/RedHat_8.yml vars/RedHat_9.yml vars/RedHat_10.yml tests/vars/rh_distros_vars.yml tests/tests_default.yml tests/tests_trustee_gc_disabled.yml tests/tests_secret_registration_client.yml tests/tests_include_vars_from_parent.yml tests/setup-snapshot.yml examples/simple.yml handlers/main.yml templates/secret_registration_client.sh.j2 templates/secret_registration_client.service.j2 README.md contributing.md plans/README-plans.md .github/workflows/tft.yml
Extend disk encryption to support systemd-cryptenroll with TPM2 auto-unlock when the Secret Registration Client is disabled, and adjust naming of the encrypted LUKS device.	Refactor encrypt_disk.yml to use trustee_client_* variables and _trustee_client* internals for disk selection and package installation. Gate key acquisition via secret_registration_client.sh on trustee_client_secret_registration_enabled, and add an alternate path that checks for systemd-cryptenroll and generates a random key when the client is disabled. Change the LUKS mapper device name from encrypted-disk to encrypted_disk consistently in role logic and scripts. Add a block that runs systemd-cryptenroll to bind TPM2 to the LUKS volume, wipes the password slot, writes an /etc/crypttab entry with tpm2-device=auto, and configures /etc/fstab plus a systemd-aware mount. Ensure the temporary key file is always cleaned up using the new __trustee_client_secret_key_tempfile variable.	tasks/encrypt_disk.yml templates/secret_registration_client.sh.j2 tasks/secret_registration_client.yml tests/tests_encrypt_disk.yml
Introduce support for providing the KBS certificate via either inline content or file path and propagate it into trustee-gc configuration and server.crt.	Add new default variable trustee_client_kbs_cert for a certificate file path alongside trustee_client_kbs_cert_content. In trustee_quadlet.yml, compute __trustee_client_kbs_cert_content from either trustee_client_kbs_cert_content or the contents of trustee_client_kbs_cert (using lookup('file')) when either is set and configs are present. Update replace tasks to substitute KBS_URL and KBS_CERT placeholders with trustee_client_kbs_url and __trustee_client_kbs_cert_content for both cdh and aa config.toml files. Write /etc/trustee-gc/server.crt from __trustee_client_kbs_cert_content when present instead of directly from the older variable. Document the new usage pattern in README and examples, showing both inline and path-based cert options.	tasks/trustee_quadlet.yml defaults/main.yml README.md examples/simple.yml
Add and extend tests to cover the new systemd-cryptenroll disk encryption path and KBS cert-by-path behavior.	Update existing tests to use trustee_client_* variable names and the new encrypted_disk device name and mount point variables. Add a new encrypt-disk test play that runs the role with trustee_client_secret_registration_enabled=false, verifies the encrypted disk is mounted, and asserts /etc/crypttab and /etc/fstab contain the expected encrypted_disk and tpm2-device=auto entries. Add a new KBS configuration test play that creates a cert file on the control node, passes it via trustee_client_kbs_cert, and asserts that both trustee-gc config TOML and /etc/trustee-gc/server.crt contain the expected content. Ensure snapshot/setup utilities and CI test plans reference the renamed role and new variable names for package installation and test filtering.	tests/tests_encrypt_disk.yml tests/tests_kbs_config.yml tests/tests_default.yml tests/tests_trustee_gc_disabled.yml tests/tests_secret_registration_client.yml tests/setup-snapshot.yml plans/test_playbooks_parallel.fmf .github/workflows/tft.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• In encrypt_disk.yml, when trustee_client_secret_registration_enabled is false and systemd-cryptenroll is not available, the role still partitions, encrypts, and mounts the disk without configuring any auto-unlock mechanism; consider skipping disk encryption entirely in this case (or failing early with a clear message) to avoid leaving an unusable encrypted volume.
• The systemd-cryptenroll presence check uses command: type systemd-cryptenroll, which relies on shell built-ins and may be less portable; using stat on a known path or command: systemd-cryptenroll --version (and checking rc) would be more robust and explicit.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `encrypt_disk.yml`, when `trustee_client_secret_registration_enabled` is false and `systemd-cryptenroll` is not available, the role still partitions, encrypts, and mounts the disk without configuring any auto-unlock mechanism; consider skipping disk encryption entirely in this case (or failing early with a clear message) to avoid leaving an unusable encrypted volume.
- The `systemd-cryptenroll` presence check uses `command: type systemd-cryptenroll`, which relies on shell built-ins and may be less portable; using `stat` on a known path or `command: systemd-cryptenroll --version` (and checking `rc`) would be more robust and explicit.

## Individual Comments

### Comment 1
<location path="tasks/encrypt_disk.yml" line_range="47-52" />
<code_context>
+      when: trustee_client_secret_registration_enabled | bool
+      no_log: true
+
+    - name: Check systemd-cryptenroll command exists
+      ansible.builtin.command: type systemd-cryptenroll
+      register: __trustee_client_cryptenroll_check
+      changed_when: false
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Using `type systemd-cryptenroll` may be shell-dependent; consider a more portable existence check.

`ansible.builtin.command` runs via `/bin/sh`, and `type` isn’t portable across all shells or may not be available as a builtin, which can cause false negatives or different rc/output handling. Prefer a more portable check such as `command -v systemd-cryptenroll` or a direct path check with `stat` on `/usr/bin/systemd-cryptenroll` (or the expected location).

```suggestion
      no_log: true

    - name: Check systemd-cryptenroll command exists
      ansible.builtin.command: command -v systemd-cryptenroll
      register: __trustee_client_cryptenroll_check
      changed_when: false
```
</issue_to_address>

### Comment 2
<location path="README.md" line_range="72" />
<code_context>
 1. Finds the first unpartitioned and unmounted disk
-2. Requests disk encryption key from Secret Registration Client
-3. Encrypts the disk using above encryption key and mounts it at the designated path
+3. Encrypts the disk using key either from:
+  a. secret key fetched using Secret Registration Client (when enabled), or
+  b. `systemd-cryptenroll` which binds to PCR 7
</code_context>
<issue_to_address>
**nitpick (typo):** Minor grammar issue in "Encrypts the disk using key either from".

Consider rephrasing to: "Encrypts the disk using a key from either:" or "Encrypts the disk using the key from either:".

```suggestion
3. Encrypts the disk using a key from either:
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

@spetrosi are we going to rename the repo also?

[richm]

lgtm - @spetrosi ?

[spetrosi]

[citest]

[richm]

you will also need to rename tests/roles/linux-system-roles.trustee_attestation_client -> tests/roles/linux-system-roles.trustee_client

[litian1992]

you will also need to rename tests/roles/linux-system-roles.trustee_attestation_client -> tests/roles/linux-system-roles.trustee_client

Ah, thank you. I was wondering why the tests fail.

[richm]

lgtm - @spetrosi ?

[spetrosi]

It would be good to support having the trustee_client_kbs_cert_src file both on the controller and remotely. I.e. have a boolean var trustee_client_kbs_cert_remote_src that users can set to true to look for the file remotely.
Like in https://github.com/linux-system-roles/mssql?tab=readme-ov-file#mssql_tls_remote_src

[litian1992]

This file is actually the SSL cert from the Trustee server which the client should trust. It would beat the purpose for users to put on the client side (remotely) manually which simply won't scale and breaks the sync.

[richm]

The convention we use for TLS related parameter naming is specified here - https://linux-system-roles.github.io/documentation/tls_crypto_parameter_and_key_names.html

A suffix of _src indicates the file is on the controller. Without that suffix, the file is on the managed (i.e. remote) node. so trustee_client_kbs_cert_src is a file on the controller, and the contents of that file will be copied to the managed/remote node.

[spetrosi]

Suggested change

	ansible.posix.mount:
	mount:

@richm in the downstream we will vendor the mount module and it will be callable with mount:. And in the upstream it will be called from ansible.posix. Right?

[richm]

@richm in the downstream we will vendor the mount module and it will be callable with mount:. And in the upstream it will be called from ansible.posix. Right?

Correct. But it should be fine to use ansible.posix.mount here - we have logic in the rpm spec file to convert ansible.posix.something to redhat.rhel_system_roles.something

[spetrosi]

[citest]

[richm]

lgtm - @spetrosi ready to merge?