
Use the clevis pin with the AK registration#202

Merged
alicefr merged 11 commits into trusted-execution-clusters:main from alicefr:register-ak-uuid
Feb 19, 2026

Conversation

alicefr (Contributor) commented Feb 18, 2026

Instead of relying on ignition for the AK registration, now we can use the clevis pin. The major difference is that now we communicate the uuid for the AK registration; in this way the AK can be matched with the corresponding machine based on the uuid instead of the IP.
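To make the matching rule concrete, here is an added Rust sketch of the approval decision described above (uuid-based, no IP). It is illustrative code written for this page, not the trusted-execution-clusters project's own types or controller: `AkRegistration`, `Machine`, `Registry` and the key-conflict rule are assumptions, and the uuid, machine name and key strings are constructed sample values.

```rust
use std::collections::HashMap;

/// What the clevis pin sends to the registration endpoint (assumed shape:
/// the PR says the AK is registered with the uuid and the public key content).
#[derive(Debug, Clone, PartialEq)]
pub struct AkRegistration {
    pub uuid: String,
    pub public_key: String,
}

/// Stand-in for the machine spec: after this PR a machine is identified by
/// its uuid only, there is no registration IP to compare against.
#[derive(Debug, Clone)]
pub struct Machine {
    pub name: String,
    pub uuid: String,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    /// A machine with the same uuid exists: approve and record the key.
    Approved { machine: String },
    /// No machine carries this uuid: the AK stays pending, nothing is stored.
    NoMatchingMachine,
    /// A different key is already approved for this uuid (assumed policy,
    /// not something the PR states).
    KeyConflict,
    /// The uuid is not in 8-4-4-4-12 hex form.
    MalformedUuid,
}

/// Strict 8-4-4-4-12 hex check, so a garbled or padded id never matches.
pub fn is_uuid(s: &str) -> bool {
    let groups: Vec<&str> = s.split('-').collect();
    groups.len() == 5
        && groups
            .iter()
            .zip([8usize, 4, 4, 4, 12])
            .all(|(g, n)| g.len() == n && g.bytes().all(|b| b.is_ascii_hexdigit()))
}

pub struct Registry {
    /// lower-cased uuid -> machine
    machines: HashMap<String, Machine>,
    /// lower-cased uuid -> approved public key
    approved: HashMap<String, String>,
}

impl Registry {
    pub fn new(machines: Vec<Machine>) -> Self {
        let machines = machines
            .into_iter()
            .map(|m| (m.uuid.to_ascii_lowercase(), m))
            .collect();
        Registry { machines, approved: HashMap::new() }
    }

    /// Approve an AK registration by matching its uuid against known machines.
    pub fn register_ak(&mut self, req: &AkRegistration) -> Decision {
        if !is_uuid(&req.uuid) {
            return Decision::MalformedUuid;
        }
        // Compare case-insensitively: firmware/DMI uuids are often upper-case.
        let key = req.uuid.to_ascii_lowercase();
        let machine = match self.machines.get(&key) {
            Some(m) => m,
            None => return Decision::NoMatchingMachine,
        };
        match self.approved.get(&key) {
            Some(existing) if existing != &req.public_key => Decision::KeyConflict,
            _ => {
                // Re-registering the same key for the same uuid is idempotent.
                self.approved.insert(key, req.public_key.clone());
                Decision::Approved { machine: machine.name.clone() }
            }
        }
    }

    pub fn approved_key(&self, uuid: &str) -> Option<&str> {
        self.approved.get(&uuid.to_ascii_lowercase()).map(String::as_str)
    }
}

fn main() {
    // Constructed sample data, not values from the project.
    let mut reg = Registry::new(vec![Machine {
        name: "worker-0".to_string(),
        uuid: "123e4567-e89b-12d3-a456-426614174000".to_string(),
    }]);
    let req = AkRegistration {
        uuid: "123E4567-E89B-12D3-A456-426614174000".to_string(),
        public_key: "-----BEGIN PUBLIC KEY-----\nconstructed\n-----END PUBLIC KEY-----".to_string(),
    };
    println!("{:?}", reg.register_ak(&req));
}
```

The point of the design is that a registration request with a uuid no machine CR carries is left pending rather than approved, and a second registration that tries to bind a different key to an already-approved uuid is flagged instead of silently overwriting the first.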

@alicefr alicefr requested a review from Jakob-Naucke February 18, 2026 15:09
@alicefr alicefr marked this pull request as draft February 18, 2026 15:10
alicefr (Contributor, Author) commented Feb 18, 2026

Set to draft until I fully run the tests locally and fix the linting

alicefr (Contributor, Author) commented Feb 18, 2026

The tests passed locally

Comment on lines 180 to 173
let addr = SocketAddr::from(([0, 0, 0, 0], args.port));
info!("Listening on {addr}");
let addr: SocketAddr = ([0, 0, 0, 0], args.port).into();
info!("Listening on {}", addr);
Contributor:

nit: not sure why this block is necessary

long,
default_value = "http://attestation-key-register:8001/register-ak"
)]
attestation_key_registration_url: String,
Contributor:

Should this be mandatory? What about non-AK deployments?

Contributor Author:

no, good point!

@alicefr alicefr force-pushed the register-ak-uuid branch 3 times, most recently from b5a0b55 to 14393ed Compare February 19, 2026 07:56
@alicefr alicefr marked this pull request as ready for review February 19, 2026 08:08
@alicefr alicefr requested a review from Jakob-Naucke February 19, 2026 08:08
// let initdata = Initdata {
// uuid: id.to_string(),
// };
// ... initdata: serde_json::to_string(&initdata)?,
Contributor:

Is this scrapped?

Contributor Author:

No, I also need to put the num_entries. I had some compilation issues.

The AK registration endpoint is now part of the clevis pin configuration
and it needs to be made configurable via the TEC CR.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
We match the attestation keys with the machine using the uuid and not
the IP anymore. Therefore, there is a new field uuid in the AK spec and
we removed the registration ip from the machine spec.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The attestation key is now approved if there is an existing machine with
the same uuid.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
The AK is now registered with the uuid and the public key content.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
Now, the clevis pin configuration includes the registration of the
attestation key.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
We added a new field in the TEC CRD.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
…8e1bf40a0c3e

The AK is approved if there is a matching machine with the same uuid.
Update the behavior of the tests using the uuid instead of the ip.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
We cannot rely anymore on the IP since the machine is now only
identified with the uuid. Instead, we now ssh into the VM, fetch the
uuid from the clevis header and match the machine with the uuid.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
Assisted-by: Claude
The new kubevirt image includes the clevis pin with the attestation key
registration.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
openshift-ci bot commented Feb 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alicefr, Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

alicefr (Contributor, Author) commented Feb 19, 2026

@Jakob-Naucke let me give a last pass with the tests locally, if they pass I will merge it

alicefr (Contributor, Author) commented Feb 19, 2026

The tests passed, merging

@alicefr alicefr merged commit 5026319 into trusted-execution-clusters:main Feb 19, 2026
8 of 9 checks passed