feat: change name to trustee_client, add systemd-cryptenroll and allow kbs_cert by file path

.ansible-lint

@@ -21,6 +21,6 @@ exclude_paths:
   - .markdownlint.yaml
   - examples/roles/
 mock_roles:
-  - linux-system-roles.trustee_attestation_client
+  - linux-system-roles.trustee_client
 supported_ansible_also:
   - "2.14.0"

.github/workflows/tft.yml

@@ -181,7 +181,7 @@ jobs:
           tf_scope: private
           api_key: ${{ secrets.TF_API_KEY_RH }}
           update_pull_request_status: false
-          tmt_plan_filter: "tag:playbooks_parallel,trustee_attestation_client"
+          tmt_plan_filter: "tag:playbooks_parallel,trustee_client"
 
       - name: Set final commit status
         uses: myrotvorets/set-commit-status-action@master

.gitignore

@@ -3,6 +3,7 @@ vault.yml
 *.pyc
 *.retry
 /tests/.coverage
+/tests/kbs_test_cert.crt
 /tests/htmlcov*
 /.tox
 /venv*/

README.md

@@ -1,8 +1,8 @@
-# trustee_attestation_client
+# trustee_client
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/woke.yml)
 
-![trustee_attestation_client](https://github.com/linux-system-roles/trustee_attestation_client/workflows/tox/badge.svg)
+![trustee_client](https://github.com/linux-system-roles/trustee_client/workflows/tox/badge.svg)
 
 Ansible role for deploying Trustee Guest Components using Podman Quadlets for
 confidential virtual machine deployments. The role downloads quadlet files and
@@ -20,13 +20,10 @@ storage devices.
 Example of setting the variables:
 
 ```yaml
-trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-trustee_attestation_client_quadlet_repo_path: "quadlet"
-trustee_attestation_client_quadlet_repo_branch: "main"
-trustee_attestation_client_kbs_url: "https://kbs.example.com"
-trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
-trustee_attestation_client_secret_registration_enabled: true
-trustee_attestation_client_encrypt_disk: true
+trustee_client_kbs_url: "https://kbs.example.com"
+trustee_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"  # or trustee_client_kbs_cert_src: "/path/to/server.crt"
+trustee_client_secret_registration_enabled: true
+trustee_client_encrypt_disk: true
 ```
 
 ## Example Playbook
@@ -38,15 +35,12 @@ passed in as parameters) is always nice for users too:
 - name: Deploy Trustee Guest Components using Podman Quadlets
   hosts: all
   vars:
-    trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-    trustee_attestation_client_quadlet_repo_path: "quadlet"
-    trustee_attestation_client_quadlet_repo_branch: "main"
-    trustee_attestation_client_kbs_url: "https://kbs.example.com"
-    trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
-    trustee_attestation_client_secret_registration_enabled: true
-    trustee_attestation_client_encrypt_disk: true
+    trustee_client_kbs_url: "https://kbs.example.com"
+    trustee_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    trustee_client_secret_registration_enabled: true
+    trustee_client_encrypt_disk: true
   roles:
-    - linux-system-roles.trustee_attestation_client
+    - linux-system-roles.trustee_client
 ```
 
 ## Trustee Client
@@ -66,11 +60,14 @@ When enabled, this task:
 
 ## Encrypt Disk
 
-When enabled, this task:
+An unpartitioned empty disk must be attached to the target. When enabled, this task:
 
 1. Finds the first unpartitioned and unmounted disk
-2. Requests disk encryption key from Secret Registration Client
-3. Encrypts the disk using above encryption key and mounts it at the designated path
+2. Encrypts the disk using a key from either:
+  a. secret key fetched using Secret Registration Client (when enabled), or
+  b. `systemd-cryptenroll` which binds to PCR 7
+3. Mounts it at the designated path
+4. Sets up automatic unlock and mount either with Secret Registration Client service or /etc/crypttab with `systemd-cryptenroll`
 
 ## License
 

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the trustee_attestation_client Linux System Role
+# Contributing to the trustee_client Linux System Role
 
 ## Where to start
 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/trustee_attestation_client/issues).
+[Github Issues](https://github.com/linux-system-roles/trustee_client/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_client/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/trustee_client/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_client), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_client), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
 
 ## Running CI Tests Locally

defaults/main.yml

@@ -3,20 +3,17 @@
 # Here is the right place to put the role's input variables.
 # This file also serves as a documentation for such a variables.
 
-# Trustee Guest Components Quadlet repository configuration
-trustee_attestation_client_trustee_gc: true
-trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-trustee_attestation_client_quadlet_repo_path: "quadlet"
-trustee_attestation_client_quadlet_repo_branch: "main"
-trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
+# Trustee Guest Components Quadlet (see vars/main.yml for quadlet repo defaults)
+trustee_client_trustee_gc: true
 
 # Trustee KBS configuration
-trustee_attestation_client_kbs_url: ""
-trustee_attestation_client_kbs_cert_content: ""
+trustee_client_kbs_url: ""
+trustee_client_kbs_cert_content: ""
+trustee_client_kbs_cert_src: ""  # Path to cert file (alternative to trustee_client_kbs_cert_content)
 
 # Secret registration client configuration
-trustee_attestation_client_secret_registration_enabled: false
+trustee_client_secret_registration_enabled: false
 
 # Encrypt disk configuration
-trustee_attestation_client_encrypt_disk: false
-trustee_attestation_client_encrypt_disk_mount_point: "/mnt/encrypted-disk"
+trustee_client_encrypt_disk: false
+trustee_client_encrypt_disk_mount_point: "/mnt/encrypted-disk"

examples/simple.yml

@@ -3,13 +3,11 @@
 - name: Deploy Trustee Guest Components using Podman Quadlets from GitHub repository
   hosts: all
   vars:
-    trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-    trustee_attestation_client_quadlet_repo_path: "quadlet"
-    trustee_attestation_client_quadlet_repo_branch: "main"
-    trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
-    trustee_attestation_client_encrypt_disk: false
-    trustee_attestation_client_kbs_url: "https://kbs.example.com"
-    trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
-    trustee_attestation_client_secret_registration_enabled: false
+    trustee_client_encrypt_disk: false
+    trustee_client_kbs_url: "https://kbs.example.com"
+    # Use either cert content or path to cert file:
+    trustee_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    # trustee_client_kbs_cert_src: "/path/to/server.crt"
+    trustee_client_secret_registration_enabled: false
   roles:
-    - linux-system-roles.trustee_attestation_client
+    - linux-system-roles.trustee_client

handlers/main.yml

@@ -10,5 +10,5 @@
     name: "{{ item }}"
     enabled: true
     state: restarted
-  loop: "{{ __trustee_attestation_client_services | default([]) }}"
+  loop: "{{ __trustee_client_services | default([]) }}"
   listen: "restart trustee services"

plans/README-plans.md

@@ -1,6 +1,6 @@
 # Introduction CI Testing Plans
 
-Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) GitHub workflow.
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_client/blob/main/.github/workflows/tft.yml) GitHub workflow.
 
 The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
 `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`.
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps:
 2. Does the required preparation on systems.
 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
 
-The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+The [tft.yml](https://github.com/linux-system-roles/trustee_client/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
 This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
 
 ## Running Tests
@@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm.
     $ TESTING_FARM_API_TOKEN=<your_api_token> \
         testing-farm request --pipeline-type="tmt-multihost" \
         --plan-filter="tag:playbooks_parallel" \
-        --git-url "https://github.com/<my_user>/trustee_attestation_client" \
+        --git-url "https://github.com/<my_user>/trustee_client" \
         --git-ref "<my_branch>" \
         --compose CentOS-Stream-9 \
         -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \

plans/test_playbooks_parallel.fmf

@@ -12,7 +12,7 @@ provision:
 environment:
   # ensure versions are strings!
   SR_ANSIBLE_VER: "2.17"
-  SR_REPO_NAME: trustee_attestation_client
+  SR_REPO_NAME: trustee_client
   SR_PYTHON_VERSION: "3.12"
   SR_ONLY_TESTS: ""  # tests_default.yml
   SR_TEST_LOCAL_CHANGES: true