chore: Rename cvm_deploy to trustee_attestation_client

Rename the role to correspond to the newly created
trustee_attestation_server role.

Author: spetrosi

.ansible-lint

@@ -21,6 +21,6 @@ exclude_paths:
   - .markdownlint.yaml
   - examples/roles/
 mock_roles:
-  - linux-system-roles.cvm_deploy
+  - linux-system-roles.trustee_attestation_client
 supported_ansible_also:
   - "2.14.0"

.github/workflows/tft.yml

@@ -181,7 +181,7 @@ jobs:
           tf_scope: private
           api_key: ${{ secrets.TF_API_KEY_RH }}
           update_pull_request_status: false
-          tmt_plan_filter: "tag:playbooks_parallel,cvm_deploy"
+          tmt_plan_filter: "tag:playbooks_parallel,trustee_attestation_client"
 
       - name: Set final commit status
         uses: myrotvorets/set-commit-status-action@master

README.md

@@ -1,8 +1,8 @@
-# cvm_deploy
+# trustee_attestation_client
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/cvm_deploy/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml)
 
-![cvm_deploy](https://github.com/linux-system-roles/cvm_deploy/workflows/tox/badge.svg)
+![trustee_attestation_client](https://github.com/linux-system-roles/trustee_attestation_client/workflows/tox/badge.svg)
 
 Ansible role for deploying Trustee Guest Components using Podman Quadlets for
 confidential virtual machine deployments. The role downloads quadlet files and
@@ -19,11 +19,11 @@ The role will:
    install directory (`/etc/containers/systemd` by default)
 4. Copy config files from the repository's `configs` directory to `/etc/trustee-gc/`
 5. Replace `KBS_URL` and `KBS_CERT` placeholders in `/etc/trustee-gc/cdh/config.toml`
-   with the values from `cvm_deploy_trustee_kbs_url` and `cvm_deploy_trustee_kbs_cert`
+   with the values from `trustee_attestation_client_trustee_kbs_url` and `trustee_attestation_client_trustee_kbs_cert`
    variables (if provided)
 6. Reload systemd daemon
 7. Enable and start the Trustee Guest Components services
-8. (Optional) If `cvm_deploy_encrypt_disk` is `true`:
+8. (Optional) If `trustee_attestation_client_encrypt_disk` is `true`:
    - Find an unpartitioned and unmounted disk
    - Create a GPT partition table and partition on the disk
    - Generate an encryption key and encrypt the partition using LUKS
@@ -34,19 +34,19 @@ The role will:
 Example of setting the variables:
 
 ```yaml
-cvm_deploy_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-cvm_deploy_quadlet_repo_path: "quadlet"
-cvm_deploy_quadlet_repo_branch: "main"
-cvm_deploy_trustee_kbs_url: "https://kbs.example.com"
-cvm_deploy_trustee_kbs_cert: "/path/to/cert.pem"
-cvm_deploy_encrypt_disk: true
+trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
+trustee_attestation_client_quadlet_repo_path: "quadlet"
+trustee_attestation_client_quadlet_repo_branch: "main"
+trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
+trustee_attestation_client_trustee_kbs_cert: "/path/to/cert.pem"
+trustee_attestation_client_encrypt_disk: true
 ```
 
 ## Variables Exported by the Role
 
 ### encrypted_disk_key
 
-If disk encryption is enabled (`cvm_deploy_encrypt_disk: true`), this fact
+If disk encryption is enabled (`trustee_attestation_client_encrypt_disk: true`), this fact
 contains the base64-encoded encryption key for the encrypted disk. This key is
 required to mount the encrypted disk after a reboot. The key is automatically
 generated during disk encryption and should be securely stored for future use.
@@ -60,14 +60,14 @@ passed in as parameters) is always nice for users too:
 - name: Deploy Trustee Guest Components using Podman Quadlets
   hosts: all
   vars:
-    cvm_deploy_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-    cvm_deploy_quadlet_repo_path: "quadlet"
-    cvm_deploy_quadlet_repo_branch: "main"
-    cvm_deploy_trustee_kbs_url: "https://kbs.example.com"
-    cvm_deploy_trustee_kbs_cert: "/path/to/kbs-cert.pem"
-    cvm_deploy_encrypt_disk: true
+    trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
+    trustee_attestation_client_quadlet_repo_path: "quadlet"
+    trustee_attestation_client_quadlet_repo_branch: "main"
+    trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
+    trustee_attestation_client_trustee_kbs_cert: "/path/to/kbs-cert.pem"
+    trustee_attestation_client_encrypt_disk: true
   roles:
-    - linux-system-roles.cvm_deploy
+    - linux-system-roles.trustee_attestation_client
 ```
 
 ## License

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the cvm_deploy Linux System Role
+# Contributing to the trustee_attestation_client Linux System Role
 
 ## Where to start
 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/cvm_deploy/issues).
+[Github Issues](https://github.com/linux-system-roles/trustee_attestation_client/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/cvm_deploy/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_client/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/cvm_deploy), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_client), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
 
 ## Running CI Tests Locally

defaults/main.yml

@@ -4,16 +4,16 @@
 # This file also serves as a documentation for such a variables.
 
 # Trustee Guest Components Quadlet repository configuration
-cvm_deploy_trustee_gc: true
-cvm_deploy_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-cvm_deploy_quadlet_repo_path: "quadlet"
-cvm_deploy_quadlet_repo_branch: "main"
-cvm_deploy_quadlet_install_dir: "/etc/containers/systemd"
+trustee_attestation_client_trustee_gc: true
+trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
+trustee_attestation_client_quadlet_repo_path: "quadlet"
+trustee_attestation_client_quadlet_repo_branch: "main"
+trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
 
 # Trustee KBS configuration
-cvm_deploy_trustee_kbs_url: ""
-cvm_deploy_trustee_kbs_cert: ""
+trustee_attestation_client_trustee_kbs_url: ""
+trustee_attestation_client_trustee_kbs_cert: ""
 
 # Encrypt disk configuration
-cvm_deploy_encrypt_disk: false
-cvm_deploy_encrypt_disk_mount_point: "/mnt/encrypted-disk"
+trustee_attestation_client_encrypt_disk: false
+trustee_attestation_client_encrypt_disk_mount_point: "/mnt/encrypted-disk"

examples/simple.yml

@@ -3,12 +3,12 @@
 - name: Deploy Trustee Guest Components using Podman Quadlets from GitHub repository
   hosts: all
   vars:
-    cvm_deploy_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
-    cvm_deploy_quadlet_repo_path: "quadlet"
-    cvm_deploy_quadlet_repo_branch: "main"
-    cvm_deploy_quadlet_install_dir: "/etc/containers/systemd"
-    cvm_deploy_encrypt_disk: false
-    cvm_deploy_trustee_kbs_url: "https://kbs.example.com"
-    cvm_deploy_trustee_kbs_cert: "/path/to/kbs-cert.pem"
+    trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
+    trustee_attestation_client_quadlet_repo_path: "quadlet"
+    trustee_attestation_client_quadlet_repo_branch: "main"
+    trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
+    trustee_attestation_client_encrypt_disk: false
+    trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
+    trustee_attestation_client_trustee_kbs_cert: "/path/to/kbs-cert.pem"
   roles:
-    - linux-system-roles.cvm_deploy
+    - linux-system-roles.trustee_attestation_client

handlers/main.yml

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Handler for cvm_deploy to restart services
+- name: Handler for trustee_attestation_client to restart services
   service:
     name: "{{ item }}"
     state: restarted
-  loop: "{{ __cvm_deploy_services }}"
+  loop: "{{ __trustee_attestation_client_services }}"

plans/README-plans.md

@@ -1,6 +1,6 @@
 # Introduction CI Testing Plans
 
-Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/cvm_deploy/blob/main/.github/workflows/tft.yml) GitHub workflow.
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) GitHub workflow.
 
 The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
 `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`.
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps:
 2. Does the required preparation on systems.
 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
 
-The [tft.yml](https://github.com/linux-system-roles/cvm_deploy/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
 This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
 
 ## Running Tests
@@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm.
     $ TESTING_FARM_API_TOKEN=<your_api_token> \
         testing-farm request --pipeline-type="tmt-multihost" \
         --plan-filter="tag:playbooks_parallel" \
-        --git-url "https://github.com/<my_user>/cvm_deploy" \
+        --git-url "https://github.com/<my_user>/trustee_attestation_client" \
         --git-ref "<my_branch>" \
         --compose CentOS-Stream-9 \
         -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \

plans/test_playbooks_parallel.fmf

@@ -12,7 +12,7 @@ provision:
 environment:
   # ensure versions are strings!
   SR_ANSIBLE_VER: "2.17"
-  SR_REPO_NAME: cvm_deploy
+  SR_REPO_NAME: trustee_attestation_client
   SR_PYTHON_VERSION: "3.12"
   SR_ONLY_TESTS: ""  # tests_default.yml
   SR_TEST_LOCAL_CHANGES: true

tasks/encrypt_disk.yml

@@ -24,9 +24,9 @@
   block:
     - name: Ensure packages for disk encryption are installed
       ansible.builtin.package:
-        name: "{{ __cvm_deploy_encrypt_disk_packages }}"
+        name: "{{ __trustee_attestation_client_encrypt_disk_packages }}"
         state: present
-        use: "{{ (__cvm_deploy_is_ostree | d(false)) |
+        use: "{{ (__trustee_attestation_client_is_ostree | d(false)) |
               ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
     - name: Set fact with disk device path and partition path
@@ -44,23 +44,23 @@
     - name: Generate a temp file for the key
       ansible.builtin.tempfile:
         state: file
-      register: __cvm_deploy_tmp_key
+      register: __trustee_attestation_client_tmp_key
 
     - name: Generate a key and encrypt the partition
       ansible.builtin.shell: |
         set -o pipefail
-        head -c 32 /dev/urandom | base64 > {{ __cvm_deploy_tmp_key.path }}
-        cryptsetup luksFormat --key-file {{ __cvm_deploy_tmp_key.path }} --batch-mode {{ disk_partition }}
-        cryptsetup open --key-file {{ __cvm_deploy_tmp_key.path }} {{ disk_partition }} encrypted-disk
+        head -c 32 /dev/urandom | base64 > {{ __trustee_attestation_client_tmp_key.path }}
+        cryptsetup luksFormat --key-file {{ __trustee_attestation_client_tmp_key.path }} --batch-mode {{ disk_partition }}
+        cryptsetup open --key-file {{ __trustee_attestation_client_tmp_key.path }} {{ disk_partition }} encrypted-disk
         mkfs.ext4 /dev/mapper/encrypted-disk
-        [ -d {{ cvm_deploy_encrypt_disk_mount_point }} ] || mkdir -p {{ cvm_deploy_encrypt_disk_mount_point }}
-        mount /dev/mapper/encrypted-disk {{ cvm_deploy_encrypt_disk_mount_point }}
+        [ -d {{ trustee_attestation_client_encrypt_disk_mount_point }} ] || mkdir -p {{ trustee_attestation_client_encrypt_disk_mount_point }}
+        mount /dev/mapper/encrypted-disk {{ trustee_attestation_client_encrypt_disk_mount_point }}
       changed_when: true
       no_log: true
 
     - name: Read key from remote host
       ansible.builtin.slurp:
-        src: "{{ __cvm_deploy_tmp_key.path }}"
+        src: "{{ __trustee_attestation_client_tmp_key.path }}"
       register: slurped_key
       no_log: true
 
@@ -71,6 +71,6 @@
 
     - name: Clean up temporary key file
       ansible.builtin.file:
-        path: "{{ __cvm_deploy_tmp_key.path }}"
+        path: "{{ __trustee_attestation_client_tmp_key.path }}"
         state: absent
 # TODO: Add a systemd service to mount the encrypted disk at boot