From dafab629b3eabcbb7d81ea195c5c0bdf42e16543 Mon Sep 17 00:00:00 2001 From: Chirag <73184157+SpaceFace02@users.noreply.github.com> Date: Thu, 14 May 2026 12:31:54 +0530 Subject: [PATCH 1/2] Update documentation with deploy script and other minor changes --- docs/usage/getting-started-guide.md | 68 ++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/docs/usage/getting-started-guide.md b/docs/usage/getting-started-guide.md index bdd5447b..de6df1ec 100644 --- a/docs/usage/getting-started-guide.md +++ b/docs/usage/getting-started-guide.md @@ -13,12 +13,23 @@ Kind can be used with `docker` or `podman`. Although, we set `podman` as default export RUNTIME=docker ``` +Also make sure the container CLI environment variable is configured +```console +export CONTAINER_CLI=docker +``` + In order to interact with the cluster, `kubectl` is required. ```console dnf install -y kubectl ``` -Our kind cluster configuration is available under the `kind` directory and it uses the script `scripts/create-cluster-kind.sh`. The cluster can be simply created by running: +Our kind cluster configuration is available under the `kind` directory and it uses the script `scripts/create-cluster-kind.sh`. +Make sure any previously installed cluster is deleted before attempting to install a new one: +```console +make cluster-down +``` + +The cluster can be simply created by running: ```console make cluster-up ``` 
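Review bot: the new lead-in "Also make sure the container CLI environment variable is configured" in hunk @@ -13 ends without punctuation and does not say what `CONTAINER_CLI` controls, while every other sentence that precedes a ```console block here ends with a colon. Suggest "`CONTAINER_CLI` selects the engine used to build and push images; set it to match `RUNTIME`:". The new `make cluster-down` step should also say what happens when no cluster exists yet, because a first-time reader reaches this section before any cluster has been created.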
@@ -77,11 +88,29 @@ export AK_REGISTRATION_ADDR=attestation-key-register.trusted-execution-clusters. ``` This example works with KubeVirt when the KBS is reachable using the pod networking. +Make sure Kube-virt is also installed before trying to install the operator and testing functionality. +```console +make install-kubevirt +``` + Finally, the operator can be installed with: ```console make install ``` +Wait for cluster to be ready: +```console +sleep 10m +``` + +Print cluster status +```console +kubectl -n trusted-execution-clusters get po,svc +``` + + +Refer to the one-shot deploy script at the end of this README for a quick install once you've understood the process. + Further customization of the project can be controlled with the following env variables: + NAMESPACE: sets the namespace where the operator will be deplyoed + PLATFORM: use during the installation to configure the platform where the operator will be deployed (`kind` or `openshift`) 
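Review bot: the fixed `sleep 10m` under "Wait for cluster to be ready:" in hunk @@ -77 is both too slow on a fast host and unreliable on a slow one; wait on an observable condition instead, e.g. `kubectl wait -n trusted-execution-clusters --for=condition=<condition the operator reports> --timeout=10m <resource>`. Minor points in the same hunk: "Kube-virt" should be "KubeVirt" as in the context line above it, "Print cluster status" needs its trailing colon, there is a double blank line before "Refer to the one-shot deploy script", and that sentence calls this file a README although it is `docs/usage/getting-started-guide.md`.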
@@ -132,3 +161,40 @@ kubectl logs -n trusted-execution-clusters ``` In the logs, trustee prints the content of the TPM PCR registers. They need to match with the reference values present in the configmap `trustee-data` under `reference-values.json`. + +## One shot deploy script + +```bash +#! /bin/bash +set -euo pipefail +set -v + +# kind exports +export CONTAINER_CLI=docker +export RUNTIME=docker + +# oparator exports +export AK_REGISTRATION_ADDR=attestation-key-register.trusted-execution-clusters.svc.cluster.local +export TRUSTEE_ADDR=kbs-service.trusted-execution-clusters.svc.cluster.local +export REGISTRY=localhost:5000/trusted-cluster-operator + +# clean and create new cluster +make cluster-down +make cluster-up +make install-kubevirt + +# install operator +make push +make manifests +make install + +# print cluster status +kubectl -n trusted-execution-clusters get po,svc + +# wait for cluster to be ready +sleep 10m + +# create Vm +examples/create-ignition-secret.sh examples/ignition-coreos.json coreos-ignition-secret +kubectl apply -f examples/vm-coreos-ign.yaml +``` \ No newline at end of file From 33f7e9cd4fc802e3f6c9489bb1a1508f077a00ce Mon Sep 17 00:00:00 2001 From: Chirag Rao <73184157+SpaceFace02@users.noreply.github.com> Date: Thu, 14 May 2026 12:59:46 +0530 Subject: [PATCH 2/2] Changes based on review comments and sourcery suggestions --- docs/usage/getting-started-guide.md | 56 +++-------------------------- tests/README.md | 2 ++ 2 files changed, 7 insertions(+), 51 deletions(-) diff --git a/docs/usage/getting-started-guide.md b/docs/usage/getting-started-guide.md index de6df1ec..d49d4710 100644 --- a/docs/usage/getting-started-guide.md +++ b/docs/usage/getting-started-guide.md 
@@ -13,7 +13,7 @@ Kind can be used with `docker` or `podman`. Although, we set `podman` as default export RUNTIME=docker ``` -Also make sure the container CLI environment variable is configured +The `CONTAINER_CLI` env var will used for building and pushing. If you require a non-Podman engine for building and pushing images, you can override it with the `$CONTAINER_CLI` variable. ```console export CONTAINER_CLI=docker ``` @@ -85,12 +85,6 @@ Example: export TRUSTEE_ADDR=kbs-service.trusted-execution-clusters.svc.cluster.local export AK_REGISTRATION_ADDR=attestation-key-register.trusted-execution-clusters.svc.cluster.local -``` -This example works with KubeVirt when the KBS is reachable using the pod networking. - -Make sure Kube-virt is also installed before trying to install the operator and testing functionality. -```console -make install-kubevirt ``` Finally, the operator can be installed with: @@ -98,9 +92,9 @@ Finally, the operator can be installed with: make install ``` -Wait for cluster to be ready: +Wait for cluster to be ready and in installed state: ```console -sleep 10m +kubectl wait -n trusted-execution-clusters --for=condition=Installed TrustedExecutionCluster trusted-execution-cluster ``` Print cluster status @@ -108,11 +102,8 @@ Print cluster status kubectl -n trusted-execution-clusters get po,svc ``` - -Refer to the one-shot deploy script at the end of this README for a quick install once you've understood the process. - Further customization of the project can be controlled with the following env variables: -+ NAMESPACE: sets the namespace where the operator will be deplyoed ++ NAMESPACE: sets the namespace where the operator will be deployed + PLATFORM: use during the installation to configure the platform where the operator will be deployed (`kind` or `openshift`) + INTEGRATION_TEST_THREADS: how many integration tests are run in parallel + REGISTRY: the registry used to publish the images 
@@ -160,41 +151,4 @@ The attestation failing can be debugged by verifying the deployment of trustee. kubectl logs -n trusted-execution-clusters ``` -In the logs, trustee prints the content of the TPM PCR registers. They need to match with the reference values present in the configmap `trustee-data` under `reference-values.json`. - -## One shot deploy script - -```bash -#! /bin/bash -set -euo pipefail -set -v - -# kind exports -export CONTAINER_CLI=docker -export RUNTIME=docker - -# oparator exports -export AK_REGISTRATION_ADDR=attestation-key-register.trusted-execution-clusters.svc.cluster.local -export TRUSTEE_ADDR=kbs-service.trusted-execution-clusters.svc.cluster.local -export REGISTRY=localhost:5000/trusted-cluster-operator - -# clean and create new cluster -make cluster-down -make cluster-up -make install-kubevirt - -# install operator -make push -make manifests -make install - -# print cluster status -kubectl -n trusted-execution-clusters get po,svc - -# wait for cluster to be ready -sleep 10m - -# create Vm -examples/create-ignition-secret.sh examples/ignition-coreos.json coreos-ignition-secret -kubectl apply -f examples/vm-coreos-ign.yaml -``` \ No newline at end of file +In the logs, trustee prints the content of the TPM PCR registers. They need to match with the reference values present in the configmap `trustee-data` under `reference-values.json`. \ No newline at end of file diff --git a/tests/README.md b/tests/README.md index 69ce205b..82afec58 100644 --- a/tests/README.md +++ b/tests/README.md 
@@ -9,6 +9,8 @@ Upon a successful test, the namespace is cleaned up, otherwise it is kept for in The tests use [`virtctl`](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/) in order to interact with VM, like getting the serial console and verifying that the guest has correctly booted by ssh-ing into it. +Other dependencies: *openssl-devel, gcc-c++* + N.B KubeVirt requires the cluster to be run as a privileged container on the host in order to handle the devices. Therefore, for now, we have moved to Docker with kind in order to generate the cluster. In the future, we might be able to move to rootful podman. Run the tests locally with kind:
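Review bot: in patch 1/2 hunk @@ -132 the one-shot script prints cluster status before `sleep 10m` and then applies the VM, so the status shown is the pre-ready state and nothing verifies that the operator actually came up before `kubectl apply`; move the status print after the wait and replace the sleep with a condition-based `kubectl wait`. The script also hardcodes `REGISTRY=localhost:5000/trusted-cluster-operator` and runs `make push` and `make manifests`, steps the step-by-step text in this diff never mentions, so the two will drift. Typos: "oparator", "Vm"; the file is left without a trailing newline. Since patch 2/2 removes the script again, squashing the two commits would keep it out of history entirely.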
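Review bot: in patch 2/2 hunk @@ -13 "will used" is missing "be", and the two sentences say the same thing twice with inconsistent spelling of the variable (`CONTAINER_CLI` vs `$CONTAINER_CLI`). Suggest a single sentence: "`CONTAINER_CLI` selects the engine used to build and push images (Podman unless overridden, as the text implies); set it to `docker` if you set `RUNTIME=docker`:".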
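Review bot: patch 2/2 hunk @@ -85 drops both "This example works with KubeVirt when the KBS is reachable using the pod networking." and the `make install-kubevirt` step. The first sentence was the only statement of the assumption behind the example `TRUSTEE_ADDR` and `AK_REGISTRATION_ADDR` values (in-cluster service DNS names), and after the removal nothing in this guide says where KubeVirt gets installed, even though the removed text said it must be present before installing the operator. If `make install-kubevirt` is now run by `make cluster-up` or `make install`, say so at the point where it was removed; otherwise keep the step and the pod-networking sentence.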
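Review bot: in patch 2/2 hunk @@ -98 the new `kubectl wait -n trusted-execution-clusters --for=condition=Installed TrustedExecutionCluster trusted-execution-cluster` has no `--timeout`, and `kubectl wait` defaults to 30 seconds; the step it replaces budgeted ten minutes, so most readers will hit a timeout error. Add `--timeout=10m` (or whatever the install realistically needs). The condition name `Installed` and the resource name `trusted-execution-cluster` should also be cross-checked against what the operator actually sets, because a condition name that is never set waits until the timeout instead of failing fast.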
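Review bot: patch 2/2 hunk @@ -160 still leaves `docs/usage/getting-started-guide.md` without a trailing newline (the `\ No newline at end of file` marker follows the `+` line); add the final newline so the next edit to the last line does not show up as a spurious change.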
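Review bot: the added line "Other dependencies: *openssl-devel, gcc-c++*" in the `tests/README.md` hunk @@ -9 gives distro-specific package names with no install command and no indication of what needs them; the getting-started guide uses `dnf install -y ...`, so match that, e.g. "Building the tests also needs `openssl-devel` and `gcc-c++` (`dnf install -y openssl-devel gcc-c++`)." and name the component that requires them.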