Skip to content

Add attestation key registration service #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
alicefr wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add attestation key registration service #124

alicefr wants to merge 10 commits into from

Conversation

@alicefr
Copy link
Contributor

@alicefr alicefr commented Jan 5, 2026

The new service allows to add attestation key as trusted keys in trustee

@alicefr alicefr marked this pull request as draft January 5, 2026 15:24
@alicefr
Copy link
Contributor Author

alicefr commented Jan 5, 2026

@Jakob-Naucke I still need to add unit tests and run the test suite, but running the VM from the example, it works. If you have time and what to start to have a look at the code

Jakob-Naucke
Jakob-Naucke reviewed Jan 6, 2026
View reviewed changes
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

first set of random comments

@Jakob-Naucke Jakob-Naucke mentioned this pull request Jan 7, 2026
Open
@openshift-ci
Copy link

openshift-ci bot commented Jan 7, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alicefr

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Jakob-Naucke Jakob-Naucke mentioned this pull request Jan 7, 2026
Closed
@alicefr alicefr force-pushed the register-ak branch 2 times, most recently from ed9f0d0 to ab836c0 Compare January 9, 2026 09:54
alicefr added 9 commits January 9, 2026 11:31
@alicefr
Add AttestationKey crd
7e66696 
The attestationkey represents a request for a registration of a trusted
attestation key. The key is added to the trusted key, only if there is a
machine which corresponds to the IP declared in the AK.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Create attestation key registration service
e7ed606 
The attestation key registration offers an API to register an
attestation key. It creates a corresponding CR and the AttestationKey
will be approved and added to the trusted key, if there is a matching
machine.

Once an attestation key is approved, the corresponding secret is created
and added to trustee deployment. In the same way, if a machine owning an
attestation key is removed, also the AK and its secrets are removed from
the trustee deployment.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Example of KubeVirt VM with the attestation key registration
cf481b2 
Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Update trustee policy for attestation with the new expected values
1df236d 
Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Script to clean-up the cluster from a tec installation
44f3482 
Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Script to pre-pull the image in kind
1760873 
If you already have the image cached locally, you can simply load them
in the kind cluster, which is much faster then downloaded each cluster
creation.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Adjust integration tests
7e917f8 
It requires a kubevirt container disk with the latest changes, the
igniiton version needs to be set to the 3.0.0-experimental and include
the attestation key registration endpoint.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Update configuration for latest trustee
14748a7 
The latest configuration mandate to have the admin.type set.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Update the trustee and kubevirt image
a601f73 
They contains the latest trustee and attester which are compatible.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr
Update reference value in the tests
158de0c 
We have update the approved image and the reference values have changed.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr alicefr marked this pull request as ready for review January 9, 2026 13:16
@openshift-ci
Copy link

openshift-ci bot commented Jan 9, 2026

@alicefr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/infra-provision-verify 158de0c link true /test infra-provision-verify
ci/prow/operator-lifecycle-verify 158de0c link true /test operator-lifecycle-verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakob-Naucke Jakob-Naucke Jakob-Naucke left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alicefr @Jakob-Naucke @openshift-merge-robot