Initial commit#1
Conversation
| resource_tag: &str, | ||
| ) -> Result<String> { | ||
| //let output = StdCommand::new("trustee-attester") | ||
| let output = StdCommand::new("/home/afrosi/src/trustee/target/debug/kbs-client") |
travier
left a comment
travier
left a comment
There was a problem hiding this comment.
Not tested but looking good. Comments can be addressed as a follow up PR as well. Let's not forget to add a LICENSE to this repo immediately as well.
| "resource_repository": "conf-cluster", | ||
| "resource_type": "root" |
There was a problem hiding this comment.
We can probably have only one "path" variable here and have the logic of figuring out what is in there be in another tool.
There was a problem hiding this comment.
I split it because of the tag/id, this needs to be part of the path as well, so would you prefer to have a partial path here?
| } | ||
|
|
||
| fn main() -> Result<()> { | ||
| let matches = Command::new("clevis-pin-trustee") |
There was a problem hiding this comment.
You can use the derive pattern with structures to make this easier to read. See https://github.com/confidential-clusters/compute-pcrs/blob/main/cli/src/main.rs#L10 for an example.
sarroutbi
left a comment
sarroutbi
left a comment
There was a problem hiding this comment.
In general, changes LGTM. The only comment is that the logic for fetching the key, decoding it, and creating a Jwk is nearly identical in both the encrypt and decrypt functions.
You might create a helper function to handle this logic
alicefr
force-pushed
the
initial-commit
branch
from
f14f8cc to
121a2c6
Compare
alicefr
force-pushed
the
initial-commit
branch
from
121a2c6 to
0dd1152
Compare
Containerize the build of the pin. Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
@travier @uril as far as I understand we need to pass to the trustee-agent the certificate for the trustee sever, am I right? If so, don't we need here an array of certificates like for the urls? If so, then I would merge the urls together with the certificate for the pin configuration. Like: {
"servers": [
{
"url": "http://trustee1:8080",
"cert": "",
},
{
"url": "http://trustee2:8080",
"cert": "",
},
],
"resource_path": "conf-cluster/<id>/root",
} |
|
The pin configuration depends on the discussion in coreos/ignition#2099 |
|
@alicefr Yes, we do want a list of (KBSURL, https-certificate). |
|
Nice ! I added some minor comments. |
alicefr
force-pushed
the
initial-commit
branch
2 times, most recently
from
53671e6 to
5f76990
Compare
Signed-off-by: Alice Frosi <afrosi@redhat.com>
alicefr
force-pushed
the
initial-commit
branch
from
5f76990 to
49591e2
Compare
travier
left a comment
travier
left a comment
There was a problem hiding this comment.
Looking good. Some nits but we can also fix them later
| @@ -0,0 +1,10 @@ | |||
| FROM docker.io/library/rust:trixie as build | |||
There was a problem hiding this comment.
Let's use a Fedora image here to do the build. We can do what we did in compure-pcrs.
| @@ -0,0 +1,3 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Hum, why do we need that? Let's place the binaries in the right place directly?
| const MAX_ATTEMPTS: u32 = 3; | ||
| const DELAY: Duration = Duration::from_secs(5); |
There was a problem hiding this comment.
This is fine for now but we'll need to make this either bigger or configurable.
travier
left a comment
travier
left a comment
There was a problem hiding this comment.
Let's start with that and we'll iterate
4 participants
Create first version of the pin.
The
test.shscript tries to encrypt and unlock a device and can be used for some manual testing.In order to perform the encryption, you need to have trustee running and set its url in the
data.json. Additionally, you also need to upload the secret, and you can use thetest-secret-trusteeas example.I have uploaded the secret using the
kbs-clientfrom trustee:Clevis expect to have the encrypt and decrypt scripts, so I have created those scripts in my local enviroment:
and
Clevis looks for the scripts automatically based on the name of the pin