operator: KBS API for LUKS key registration

Makefile

@@ -28,8 +28,10 @@ OPERATOR_IMAGE ?= $(REGISTRY)/trusted-cluster-operator:$(TAG)
 COMPUTE_PCRS_IMAGE=$(REGISTRY)/compute-pcrs:$(TAG)
 REG_SERVER_IMAGE=$(REGISTRY)/registration-server:$(TAG)
 ATTESTATION_KEY_REGISTER_IMAGE=$(REGISTRY)/attestation-key-register:$(TAG)
-TRUSTEE_IMAGE ?= quay.io/trusted-execution-clusters/key-broker-service:v0.17.0
+
+TRUSTEE_IMAGE ?= quay.io/trusted-execution-clusters/key-broker-service:v0.20.0
 TEST_IMAGE ?= quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:42.20260622
+
 # tagged as 42.20251012.2.0
 APPROVED_IMAGE ?= quay.io/trusted-execution-clusters/fedora-coreos@sha256:6997f51fd27d1be1b5fc2e6cc3ebf16c17eb94d819b5d44ea8d6cf5f826ee773
 

operator/Cargo.toml

@@ -31,6 +31,10 @@ serde_json.workspace = true
 thiserror = "2.0.18"
 tokio.workspace = true
 toml = "1.1.2"
+kbs-client = {git = "https://github.com/confidential-containers/trustee.git", rev = "e65897a9ad4eb3ac69fa2ec75ed831200eb2acd7", default-features = false, features = ["native-tls"] }
+jsonwebtoken = { version = "10.4.0", default-features = false, features = ["use_pem"] }
+jsonwebtoken-openssl = "1.0.0"
+jiff = "0.2.29"
 
 [dev-dependencies]
 http.workspace = true

operator/src/attestation_key_register.rs

@@ -331,7 +331,7 @@ async fn secret_reconcile(
         match ev {
             Event::Apply(_secret) => {
                 // On creation/update, just update the trustee deployment volumes
-                trustee::update_attestation_keys(&ctx)
+                trustee::update_attestation_keys(ctx.client.clone())
                     .await
                     .map(|_| Action::await_change())
                     .map_err(|e| {
@@ -345,7 +345,7 @@ async fn secret_reconcile(
                     "AttestationKey secret {secret_name} is being deleted, updating trustee deployment volumes"
                 );
                 // Update trustee deployment - secrets with deletion_timestamp will be filtered out
-                trustee::update_attestation_keys(&ctx)
+                trustee::update_attestation_keys(ctx.client.clone())
                     .await
                     .map(|_| Action::await_change())
                     .map_err(|e| {

operator/src/kbs-config.toml

@@ -2,36 +2,35 @@
 sockets = ["0.0.0.0:8080"]
 
 [admin]
-type = "DenyAll"
+authorization_mode = "AuthenticatedAuthorization"
+
+  [admin.authentication.bearer_jwt]
+  identity_providers = [
+    { public_key_uri = "/opt/trustee/keys/public.pub" }
+  ]
+
+  [admin.authorization.regex_acl]
+  acls = [{ role = "admin", allowed_endpoints = "^/kbs/.+$" }]
 
 [attestation_token]
-insecure_key = true
-attestation_token_type = "CoCo"
+insecure_header_jwk = true
 
 [attestation_service]
 type = "coco_as_builtin"
-work_dir = "/opt/trustee"
-policy_engine = "opa"
+timeout = 5
 
   [attestation_service.attestation_token_broker]
-  type = "Ear"
-  policy_dir = "/opt/trustee/policies"
-
-  [attestation_service.attestation_token_config]
   duration_min = 5
 
   [attestation_service.rvps_config]
   type = "BuiltIn"
 
-    [attestation_service.rvps_config.storage]
-    type = "LocalJson"
-    file_path = "/opt/trustee/reference-values.json"
-
-
 [[plugins]]
 name = "resource"
-type = "LocalFs"
-dir_path = "/opt/trustee/kbs-repository"
+storage_backend_type = "kvstorage"
+
+[storage_backend]
+storage_type = "LocalJson"
 
-[policy_engine]
-policy_path = "/opt/trustee/policy.rego"
+  [storage_backend.backends.local_json]
+  file_dir_path = "/opt/trustee/storage"

operator/src/main.rs

@@ -15,7 +15,7 @@ use kube::runtime::controller::{Action, Controller};
 use kube::runtime::reflector::{self, Store};
 use kube::runtime::watcher;
 use kube::{Api, Client};
-use log::{info, warn};
+use log::{error, info, warn};
 
 use operator::{generate_owner_reference, upsert_condition};
 use trusted_cluster_operator_lib::{TrustedExecutionCluster, TrustedExecutionClusterStatus};
@@ -28,12 +28,11 @@ mod register_server;
 #[cfg(test)]
 mod test_utils;
 mod trustee;
-
 use crate::conditions::*;
 use operator::*;
 
 /// Default tag for Trustee image
-const TRUSTEE_VERSION: &str = "v0.17.0";
+const TRUSTEE_VERSION: &str = "v0.20.0";
 /// Default version tag for operator-managed component images
 const COMPONENT_VERSION: &str = "v0.2.0";
 /// Default registry
@@ -137,7 +136,6 @@ async fn reconcile(
         warn!("Installation of a component failed: {e:?}\nRequeueing...");
         return Ok(Action::requeue(Duration::from_secs(60)));
     }
-    reference_values::adopt_approved_images(kube_client, &cluster).await?;
 
     let installed_condition = installed_condition(INSTALLED_REASON, generation, existing_status);
     let changed = upsert_condition(&mut conditions, installed_condition);
@@ -167,10 +165,21 @@ async fn install_trustee_configuration(
         .context("Failed to create the KBS configuration configmap")?;
     info!("Generated configmap for the KBS configuration");
 
-    trustee::generate_attestation_policy(client.clone(), owner_reference.clone())
-        .await
-        .context("Failed to create the attestation policy configmap")?;
-    info!("Generated configmap for the attestation policy");
+    match reference_values::create_pcrs_config_map(client.clone()).await {
+        Ok(_) => info!("Created bare configmap for PCRs"),
+        Err(e) => error!("Failed to create the PCRs configmap: {e}"),
+    }
+
+    match trustee::generate_trustee_auth_keys_secret(client.clone(), owner_reference.clone()).await
+    {
+        Ok(_) => info!("Generate auth keys for the KBS API",),
+        Err(e) => error!("Failed to create the auth keys: {e}"),
+    }
+
+    match trustee::generate_rv_data(client.clone(), owner_reference.clone()).await {
+        Ok(_) => info!("Created configmap for reference values"),
+        Err(e) => error!("Failed to create the reference values configmap: {e}"),
+    }
 
     let kbs_port = cluster.spec.trustee_kbs_port;
     trustee::generate_kbs_service(client.clone(), owner_reference.clone(), kbs_port)
@@ -247,7 +256,7 @@ async fn install_attestation_key_register(
 #[tokio::main]
 async fn main() -> Result<()> {
     env_logger::Builder::from_env(Env::default().default_filter_or("info")).init();
-
+    let _ = jsonwebtoken_openssl::install_default();
     let kube_client = Client::try_default().await?;
     info!("trusted execution clusters operator",);
 
@@ -278,9 +287,9 @@ async fn main() -> Result<()> {
     attestation_key_register::launch_ak_controller(ak_ctx.clone()).await;
     attestation_key_register::launch_machine_ak_controller(ak_ctx.clone()).await;
     attestation_key_register::launch_secret_ak_controller(ak_ctx).await;
-    reference_values::create_pcrs_config_map(kube_client.clone()).await?;
     reference_values::launch_rv_image_controller(kube_client.clone()).await;
     reference_values::launch_rv_job_controller(kube_client.clone()).await;
+    trustee::launch_trustee_sync_controller(kube_client.clone()).await;
 
     Controller::new(cl, watcher::Config::default())
         .run(reconcile, controller_error_policy, ctx)
@@ -294,11 +303,9 @@ async fn main() -> Result<()> {
 mod tests {
     use http::{Method, Request, StatusCode};
     use k8s_openapi::api::apps::v1::Deployment;
-    use k8s_openapi::api::core::v1::{ConfigMap, Service};
+    use k8s_openapi::api::core::v1::{ConfigMap, Secret, Service};
     use k8s_openapi::{apimachinery::pkg::apis::meta::v1::Time, jiff::Timestamp};
-    use kube::api::ObjectList;
     use kube::client::Body;
-    use trusted_cluster_operator_lib::ApprovedImage;
 
     use super::*;
     use trusted_cluster_operator_test_utils::mock_client::*;
@@ -436,31 +443,26 @@ mod tests {
         };
 
         let clos = async |req: Request<Body>, ctr| {
-            if ctr < 8 && req.method() == Method::POST {
+            if ctr < 10 && req.method() == Method::POST {
                 use serde_json::to_string;
                 let resp = match ctr {
-                    // Trustee
-                    0 => to_string(&ConfigMap::default()),
-                    1 => to_string(&ConfigMap::default()),
-                    2 => to_string(&Service::default()),
-                    3 => to_string(&Deployment::default()),
-                    // Registration server
-                    4 => to_string(&Deployment::default()),
-                    5 => to_string(&Service::default()),
-                    // Attestation key register server
-                    6 => to_string(&Deployment::default()),
-                    7 => to_string(&Service::default()),
+                    // install_trustee_configuration
+                    0 => to_string(&ConfigMap::default()), // trustee-data
+                    1 => to_string(&ConfigMap::default()), // image-pcrs
+                    2 => to_string(&Secret::default()),    // trustee-auth
+                    3 => to_string(&ConfigMap::default()), // trustee-rv-data
+                    4 => to_string(&Service::default()),   // kbs-service
+                    5 => to_string(&Deployment::default()), // trustee-deployment
+                    // install_register_server
+                    6 => to_string(&Deployment::default()), // register-server
+                    7 => to_string(&Service::default()),    // register-server-svc
+                    // install_attestation_key_register
+                    8 => to_string(&Deployment::default()), // ak-register
+                    9 => to_string(&Service::default()),    // ak-register-svc
                     _ => unreachable!("unexpected counter {ctr}"),
                 };
                 Ok(resp.unwrap())
-            } else if ctr == 8 && req.method() == Method::GET {
-                let object_list = ObjectList::<ApprovedImage> {
-                    items: Vec::new(),
-                    types: Default::default(),
-                    metadata: Default::default(),
-                };
-                Ok(serde_json::to_string(&object_list).unwrap())
-            } else if ctr == 9 && req.method() == Method::PATCH {
+            } else if ctr == 10 && req.method() == Method::PATCH {
                 let body = req.into_body().collect_bytes().await.unwrap().to_vec();
                 let body = String::from_utf8_lossy(&body);
                 assert!(body.contains("ForeignCondition"),);
@@ -491,7 +493,7 @@ mod tests {
         cluster.status = Some(TrustedExecutionClusterStatus {
             conditions: Some(vec![pre_existing_installed, foreign_condition]),
         });
-        count_check!(10, clos, |client| {
+        count_check!(11, clos, |client| {
             let result = reconcile(Arc::new(cluster), Arc::new(dummy_cluster_ctx(client))).await;
             assert_eq!(result.unwrap(), Action::await_change());
         });

operator/src/reference_values.rs

@@ -220,22 +220,6 @@ async fn adopt_approved_image(
     Ok(())
 }
 
-pub async fn adopt_approved_images(
-    client: Client,
-    cluster: &TrustedExecutionCluster,
-) -> Result<()> {
-    let images: Api<ApprovedImage> = Api::default_namespaced(client.clone());
-    let images_list = images.list(&Default::default()).await?;
-    for image in images_list.items.iter() {
-        if image.metadata.deletion_timestamp.is_none()
-            && let Some(name) = image.metadata.name.as_ref()
-        {
-            adopt_approved_image(client.clone(), name, cluster).await?;
-        }
-    }
-    Ok(())
-}
-
 async fn image_reconcile(
     image: Arc<ApprovedImage>,
     client: Arc<Client>,
@@ -247,6 +231,12 @@ async fn image_reconcile(
         .await
         .map_err(|e| -> ControllerError { e.into() })?;
 
+    if let Some(ref cluster) = cluster {
+        adopt_approved_image(kube_client.clone(), &name, cluster)
+            .await
+            .map_err(|e| -> ControllerError { e.into() })?;
+    }
+
     let images: Api<ApprovedImage> = Api::default_namespaced(kube_client.clone());
     finalizer(&images, APPROVED_IMAGE_FINALIZER, image, |ev| async {
         match ev {
@@ -277,19 +267,6 @@ async fn image_add_reconcile(
         info!("TrustedExecutionCluster is being deleted, deferring image processing for {name}");
         return Ok(Action::requeue(Duration::from_secs(5)));
     }
-    let uid_owns = |uid: &String| {
-        let refs = image.metadata.owner_references.as_ref();
-        refs.map(|os| os.iter().any(|o| o.uid == *uid))
-    };
-    let cluster_owns = |cluster: &TrustedExecutionCluster| {
-        let uid = cluster.metadata.uid.as_ref();
-        uid.and_then(uid_owns).unwrap_or(false)
-    };
-    // Adopt the image by adding TEC as owner reference if not already owned
-    if !cluster_owns(&cluster) {
-        adopt_approved_image(client.clone(), name, &cluster).await?;
-    }
-
     let (action, reason) = match handle_new_image(client.clone(), image).await {
         Ok(reason) => (Action::await_change(), reason),
         Err(e) => {
@@ -428,7 +405,6 @@ mod tests {
     use http::{Method, Request, StatusCode};
     use k8s_openapi::api::batch::v1::JobStatus;
     use k8s_openapi::apimachinery::pkg::apis::meta::v1::Time;
-    use kube::api::ObjectList;
     use kube::client::Body;
     use trusted_cluster_operator_test_utils::mock_client::*;
     use trusted_cluster_operator_test_utils::test_error_method;
@@ -491,12 +467,13 @@ mod tests {
                 Ok(serde_json::to_string(&dummy_pcrs_map()).unwrap())
             }
             (2, &Method::GET) | (3, &Method::PUT) => {
-                assert!(req.uri().path().contains(trustee::TRUSTEE_DATA_MAP));
+                assert!(req.uri().path().contains(trustee::TRUSTEE_RV_MAP));
                 Ok(serde_json::to_string(&dummy_trustee_map()).unwrap())
             }
+            (4, &Method::GET) => Err(StatusCode::NOT_FOUND),
             _ => panic!("unexpected API interaction: {req:?}, counter {ctr}"),
         };
-        count_check!(4, clos, |client| {
+        count_check!(5, clos, |client| {
             let job = Arc::new(dummy_job());
             let result = job_reconcile(job, Arc::new(client)).await.unwrap();
             assert_eq!(result, Action::await_change());
@@ -563,37 +540,6 @@ mod tests {
         test_error_method!(clos, Method::PATCH);
     }
 
-    #[tokio::test]
-    async fn test_adopt_approved_images() {
-        let cluster = dummy_cluster();
-        let clos = async |req: Request<_>, ctr| {
-            if ctr == 0 && req.method() == Method::GET {
-                let mut deleted = dummy_image();
-                deleted.metadata.deletion_timestamp = Some(Time(Timestamp::now()));
-                let list = ObjectList {
-                    items: vec![dummy_image(), deleted, dummy_image()],
-                    types: Default::default(),
-                    metadata: Default::default(),
-                };
-                Ok(serde_json::to_string(&list).unwrap())
-            } else if ctr < 3 && req.method() == Method::PATCH {
-                Ok(serde_json::to_string(&dummy_image()).unwrap())
-            } else {
-                panic!("unexpected API interaction: {req:?}, counter {ctr}")
-            }
-        };
-        count_check!(3, clos, |client| {
-            assert!(adopt_approved_images(client, &cluster).await.is_ok());
-        });
-    }
-
-    #[tokio::test]
-    async fn test_adopt_approved_images_error() {
-        let cluster = dummy_cluster();
-        let clos = |client| adopt_approved_images(client, &cluster);
-        test_error_method!(clos, Method::GET);
-    }
-
     // handle_new_image and its caller image_add_reconcile are
     // inherently online functions and not tested here
 
@@ -608,12 +554,13 @@ mod tests {
                 Ok(serde_json::to_string(&dummy_pcrs_map()).unwrap())
             }
             (3, &Method::GET) | (4, &Method::PUT) => {
-                assert!(req.uri().path().contains(trustee::TRUSTEE_DATA_MAP));
+                assert!(req.uri().path().contains(trustee::TRUSTEE_RV_MAP));
                 Ok(serde_json::to_string(&dummy_trustee_map()).unwrap())
             }
+            (5, &Method::GET) => Err(StatusCode::NOT_FOUND),
             _ => panic!("unexpected API interaction: {req:?}, counter {ctr}"),
         };
-        count_check!(5, clos, |client| {
+        count_check!(6, clos, |client| {
             assert!(image_remove_reconcile(client, image, cluster).await.is_ok());
         });
     }