From 13e26a98e5f8a1cbbf401b918d7288090a5a6c05 Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Thu, 16 Oct 2025 13:33:11 +0200
Subject: [PATCH 1/2] Separately spec Trustee KBS port and public address

Trustee port was taken from the public address to avoid redundany, but that made 2.5 assumptions that aren't necessarily true:
- Trustee public address is always known ahead of time.
- Public address will (a) contain a port that is (b) identical to the cluster-internal one.
Instead, add the `trusteeKbsPort` field to the cocl CRD. The existing field `trusteeAddr` is renamed to `publicTrusteeAddr` for clarity.

Signed-off-by: Jakob Naucke
---
 Makefile | 2 +-
 crds/src/lib.rs | 4 +++-
 operator/src/main.rs | 7 ++-----
 register-server/src/main.rs | 4 ++--
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index 90e3fd11..6e0b1c3a 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ ifndef TRUSTEE_ADDR
 $(error TRUSTEE_ADDR is undefined)
 endif
 scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
- yq '.spec.trusteeAddr = "$(TRUSTEE_ADDR):8080" | .spec.registerServerPort = 8000' \
+ yq '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):8080" | .spec.trusteeKbsPort = 8080 | .spec.registerServerPort = 8000' \
 -i manifests/confidential_cluster_cr.yaml
 $(KUBECTL) apply -f manifests/operator.yaml
 $(KUBECTL) apply -f manifests/confidential_cluster_crd.yaml
diff --git a/crds/src/lib.rs b/crds/src/lib.rs
index 25a022c8..9faa9b63 100644
--- a/crds/src/lib.rs
+++ b/crds/src/lib.rs
@@ -21,7 +21,9 @@ pub struct ConfidentialClusterSpec {
 pub pcrs_compute_image: String,
 pub register_server_image: String,
 #[serde(skip_serializing_if = "Option::is_none")]
- pub trustee_addr: Option,
+ pub public_trustee_addr: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub trustee_kbs_port: Option,
 #[serde(skip_serializing_if = "Option::is_none")]
 pub register_server_port: Option,
 }
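Review bot: The port literal 8080 is now spelled twice on the new `yq` line, once inside `publicTrusteeAddr` and once as `trusteeKbsPort`, and for the kind setup those two must stay equal, so a single Make variable is the safer way to keep them in sync. A `TRUSTEE_KBS_PORT ?= 8080` next to the existing `ifndef TRUSTEE_ADDR` check, and then `yq '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):$(TRUSTEE_KBS_PORT)" | .spec.trusteeKbsPort = $(TRUSTEE_KBS_PORT) | .spec.registerServerPort = 8000' \`, removes the duplication the commit message sets out to avoid. The rest of the target's recipe is outside the hunk.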
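Review bot: The new `trustee_kbs_port` field and the renamed `public_trustee_addr` carry no doc comment, although schemars copies `///` comments into the generated CRD schema as field descriptions, and the distinction between the two fields is exactly what this commit introduces. Suggested wording, grounded in the commit message: `/// Cluster-internal port the Trustee KBS Service is created on.` above `trustee_kbs_port`, and `/// Address nodes use to reach Trustee from outside the cluster; its port need not equal trusteeKbsPort.` above `public_trustee_addr`. The generic argument of `Option` is not visible in this rendering; if the port is an integer type, a `#[schemars(range(min = 1, max = 65535))]` attribute on `trustee_kbs_port` lets the API server reject an out-of-range port at admission instead of leaving it to the operator's Service creation to fail later.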
diff --git a/operator/src/main.rs b/operator/src/main.rs
index f8c00ce6..642c666e 100644
--- a/operator/src/main.rs
+++ b/operator/src/main.rs
@@ -104,11 +104,8 @@ async fn install_trustee_configuration(client: Client, cocl: &ConfidentialCluste
 }
 let name = operator::name_or_default(&cocl.metadata);
- let err = format!("ConfidentialCluster {name} did not specify a Trustee address");
- let trustee_addr = cocl.spec.trustee_addr.clone().context(err)?;
- let mut split = trustee_addr.split(":");
- // TODO upgrade to 443 once supported
- let kbs_port: i32 = split.nth(1).and_then(|s| s.parse().ok()).unwrap_or(80);
+ let err = format!("ConfidentialCluster {name} did not specify a Trustee KBS port");
+ let kbs_port = cocl.spec.trustee_kbs_port.context(err)?;
 match trustee::generate_kbs_service(client.clone(), owner_reference.clone(), kbs_port).await {
 Ok(_) => info!("Generate the KBS service"),
 Err(e) => error!("Failed to create the KBS service: {e}"),
diff --git a/register-server/src/main.rs b/register-server/src/main.rs
index c5174a99..dad29370 100644
--- a/register-server/src/main.rs
+++ b/register-server/src/main.rs
@@ -90,8 +90,8 @@ async fn get_public_trustee_addr(client: Client) -> anyhow::Result {
 }
 let cocl = list.items.pop().unwrap();
 let name = cocl.metadata.name.as_deref().unwrap_or("");
- cocl.spec.trustee_addr.context(format!(
- "ConfidentialCluster {name} did not specify a Trustee address. \
+ cocl.spec.public_trustee_addr.context(format!(
+ "ConfidentialCluster {name} did not specify a public Trustee address. \
 Add an address and re-register the node."
 ))
 }

From 69c2b6e2eb384b57ea6d7ab91795f37ea314d630 Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Thu, 16 Oct 2025 13:38:36 +0200
Subject: [PATCH 2/2] API group confidential-clusters.io was confidential-containers.io, which isn't this project

Signed-off-by: Jakob Naucke
---
 crds/src/lib.rs | 4 ++--
 manifest-gen/src/main.rs | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
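Review bot: `kbs_port` is now taken from the spec and handed straight to `trustee::generate_kbs_service` with no range check, so a value such as 0 or 70000 is only discovered when the Service creation fails, and the context lines show that the `Err(e) => error!(...)` arm logs that failure and carries on rather than returning it. Assuming the field is still an `i32` as the removed `let kbs_port: i32` was, a guard before the `match` fails fast with a message naming the resource: `anyhow::ensure!((1..=65535).contains(&kbs_port), "ConfidentialCluster {name} has an invalid Trustee KBS port {kbs_port}");`. The removed `// TODO upgrade to 443 once supported` was the only in-code record that the KBS Service is not yet on a TLS port; if that limitation still holds, it belongs as a comment on the new `let kbs_port` line or in the field's CRD documentation rather than being dropped silently. `install_trustee_configuration` starts and ends outside this hunk.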
diff --git a/crds/src/lib.rs b/crds/src/lib.rs
index 9faa9b63..181bed11 100644
--- a/crds/src/lib.rs
+++ b/crds/src/lib.rs
@@ -9,7 +9,7 @@ use serde::{Deserialize, Serialize};
 #[derive(CustomResource, Default, Debug, Clone, Deserialize, Serialize, JsonSchema)]
 #[kube(
- group = "confidential-containers.io",
+ group = "confidential-clusters.io",
 version = "v1alpha1",
 kind = "ConfidentialCluster",
 namespaced,
@@ -30,7 +30,7 @@ pub struct ConfidentialClusterSpec {
 #[derive(CustomResource, Debug, Clone, Deserialize, Serialize, JsonSchema)]
 #[kube(
- group = "confidential-containers.io",
+ group = "confidential-clusters.io",
 version = "v1alpha1",
 kind = "Machine",
 namespaced,
diff --git a/manifest-gen/src/main.rs b/manifest-gen/src/main.rs
index 52c1e6b0..929fa303 100644
--- a/manifest-gen/src/main.rs
+++ b/manifest-gen/src/main.rs
@@ -201,7 +201,7 @@ fn generate_operator(args: &Args) -> Result<()> {
 ..Default::default()
 },
 PolicyRule {
- api_groups: Some(vec!["confidential-containers.io".to_string()]),
+ api_groups: Some(vec![Machine::group(&()).to_string()]),
 resources: Some(vec!["machines".to_string()]),
 verbs: vec![
 "create".to_string(),
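Review bot: Changing `group` from `confidential-containers.io` to `confidential-clusters.io` on both `ConfidentialCluster` and `Machine` (the two hunks in this file) is a breaking API change that the commit does not document: a CRD is keyed by its group, so a cluster that already holds objects under the old group keeps them as orphans the operator no longer watches, and applying the new CRD does not remove the old one. The commit message should state that existing installs must delete the old `confidential-containers.io` CRDs and re-create their resources, and a short `///` note on each struct that the group was renamed in `v1alpha1` would save the next reader from treating old manifests as valid. The diffstat for this patch lists only two Rust files, so if `manifests/confidential_cluster_crd.yaml` and `manifests/operator.yaml`, which the Makefile applies, are checked in rather than regenerated by `manifest-gen`, they presumably still carry the old group.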
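Review bot: Only the `machines` PolicyRule is switched to `Machine::group(&()).to_string()`; the preceding rule whose `..Default::default()` closes at the top of the hunk has its `api_groups` outside the visible lines, so any other rule in `generate_operator` that still spells the group as a string literal would leave the operator without permissions on the renamed group while keeping a stale grant on the old one. The same derivation, `ConfidentialCluster::group(&())` for the `confidentialclusters` rule if one exists, keeps every RBAC rule tied to the `#[kube(group = …)]` attributes so they cannot drift apart again. `generate_operator` starts and ends outside this hunk.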