feat(secret_registration_client): add secret registration client service

[litian1992]

Enhancement:

Secret registration client serves as a companion to Trustee client that registers the CVM to Trustee server. This way Trustee server can serve each CVM as individuals. This secret registration client is also responsible for fetching key and mount the encrypted data disk at boot.

Additionally, drop SELinux disablement since the issue is fixed in quadlet.

Reason:

Result:

Issue Tracker Tickets (Jira or BZ if any):

Summary by Sourcery

Introduce a secret registration client service that integrates with Trustee guest components to manage disk encryption keys and automate encrypted disk mounting, while simplifying KBS certificate handling and removing obsolete SELinux handling.

New Features:

• Add a secret registration client script and systemd service that register the guest with the Trustee server and retrieve disk encryption keys via attestation.
• Enable optional integration of the secret registration client with the existing encrypted disk workflow so that keys are fetched from Trustee instead of being generated locally.

Enhancements:

• Update the disk encryption flow to use keys supplied by the secret registration client and clean up temporary key handling.
• Write the KBS certificate content directly to /etc/trustee-gc/server.crt for use by the registration client and related components.
• Refresh README and example playbooks to document the secret registration client and updated encryption behavior, including inline KBS certificate configuration.
• Strengthen role behavior tests to verify Trustee pod service activity, KBS certificate creation, and secret registration client deployment when enabled.
• Remove SELinux disablement logic and Podman storage-on-encrypted-disk configuration that are no longer required with the quadlet fixes.

Tests:

• Add tests ensuring the secret registration client packages, script, and systemd service are present and enabled when configured.

[sourcery-ai]

Reviewer's Guide

Introduces a secret registration client service that integrates with Trustee GC to obtain and use a remote disk-encryption key, rewires the encrypt-disk workflow to depend on it, writes the KBS certificate to disk, removes SELinux disabling and Podman storage-on-encrypted-disk logic, and extends tests/docs/defaults accordingly.

Sequence diagram for secret registration and key fetch during disk encryption

sequenceDiagram
    participant AnsibleRole
    participant EncryptDiskTask
    participant SecretRegistrationClientScript as secret_registration_client.sh
    participant CDH as ConfidentialDataHub_CDH
    participant RegServer as SecretRegistrationServer
    participant KBS as Trustee_KBS

    AnsibleRole->>EncryptDiskTask: include_tasks encrypt_disk.yml
    EncryptDiskTask->>EncryptDiskTask: Detect unpartitioned_disk
    EncryptDiskTask->>SecretRegistrationClientScript: --fetch-key-to /tmp/secret_key.bin

    SecretRegistrationClientScript->>CDH: GET /cdh/resource/disk-encryption/{client_id}/luks-key-0
    alt Key already registered
        CDH-->>SecretRegistrationClientScript: 200 OK, key
    else Key not found
        SecretRegistrationClientScript->>CDH: GET /aa/token?token_type=kbs
        CDH-->>SecretRegistrationClientScript: 200 OK, attestation_token
        SecretRegistrationClientScript->>RegServer: POST /register-encryption-key
        Note right of RegServer: Body includes attestation_token and client_id
        RegServer->>KBS: Store key bound to client_id
        KBS-->>RegServer: 200 OK
        RegServer-->>SecretRegistrationClientScript: 200 OK
        SecretRegistrationClientScript->>CDH: GET /cdh/resource/disk-encryption/{client_id}/luks-key-0
        CDH-->>SecretRegistrationClientScript: 200 OK, key
    end

    SecretRegistrationClientScript-->>EncryptDiskTask: Write key to /tmp/secret_key.bin

    EncryptDiskTask->>EncryptDiskTask: parted mklabel/mkpart
    EncryptDiskTask->>EncryptDiskTask: cryptsetup luksFormat --key-file /tmp/secret_key.bin
    EncryptDiskTask->>EncryptDiskTask: cryptsetup open encrypted-disk
    EncryptDiskTask->>EncryptDiskTask: mkfs.ext4 /dev/mapper/encrypted-disk
    EncryptDiskTask->>EncryptDiskTask: mount /dev/mapper/encrypted-disk to mount_point
    EncryptDiskTask->>EncryptDiskTask: Remove /tmp/secret_key.bin

Loading

Sequence diagram for secret registration client systemd service at boot

sequenceDiagram
    participant Systemd as systemd
    participant SecretRegService as secret_registration_client.service
    participant SecretRegistrationClientScript as secret_registration_client.sh
    participant CDH as ConfidentialDataHub_CDH
    participant RegServer as SecretRegistrationServer
    participant KBS as Trustee_KBS
    participant LUKSPartition as LUKS_partition

    Systemd->>SecretRegService: Start (After network-online and trustee-gc-pod)
    SecretRegService->>SecretRegistrationClientScript: ExecStart --mount-disk

    SecretRegistrationClientScript->>SecretRegistrationClientScript: Check mountpoint mounted
    alt Already mounted
        SecretRegistrationClientScript-->>SecretRegService: Exit success
        SecretRegService-->>Systemd: Active (exited)
    else Not mounted
        SecretRegistrationClientScript->>LUKSPartition: Scan blkid for TYPE=crypto_LUKS
        LUKSPartition-->>SecretRegistrationClientScript: First unmounted LUKS device

        SecretRegistrationClientScript->>SecretRegistrationClientScript: mktemp key_path
        SecretRegistrationClientScript->>CDH: GET /cdh/resource/disk-encryption/{client_id}/luks-key-0
        alt Key already present
            CDH-->>SecretRegistrationClientScript: 200 OK, key
        else Key not present
            SecretRegistrationClientScript->>CDH: GET /aa/token?token_type=kbs
            CDH-->>SecretRegistrationClientScript: 200 OK, attestation_token
            SecretRegistrationClientScript->>RegServer: POST /register-encryption-key
            Note right of RegServer: Body includes attestation_token and client_id
            RegServer->>KBS: Store or provision key
            KBS-->>RegServer: 200 OK
            RegServer-->>SecretRegistrationClientScript: 200 OK
            SecretRegistrationClientScript->>CDH: GET /cdh/resource/disk-encryption/{client_id}/luks-key-0
            CDH-->>SecretRegistrationClientScript: 200 OK, key
        end

        SecretRegistrationClientScript->>LUKSPartition: cryptsetup open --key-file key_path encrypted-disk
        SecretRegistrationClientScript->>LUKSPartition: mount /dev/mapper/encrypted-disk to MOUNT_POINT
        SecretRegistrationClientScript->>SecretRegistrationClientScript: Remove key_path
        SecretRegistrationClientScript-->>SecretRegService: Exit success
        SecretRegService-->>Systemd: Active (exited, RemainAfterExit=yes)
    end

Loading

Flow diagram for updated Ansible role task orchestration

flowchart TD
    A[Set_platform_and_version_specific_variables
    tasks_set_vars.yml] --> B{trustee_attestation_client_trustee_gc}

    B -- true --> C[Deploy_Trustee_Guest_Components
    trustee_quadlet.yml]
    B -- false --> D[Skip_Trustee_GC_deployment]

    C --> E{trustee_attestation_client_secret_registration_client_enabled}
    D --> E

    E -- true --> F[Deploy_Secret_Registration_Client_Service
    secret_registration_client.yml]
    E -- false --> G[Skip_Secret_Registration_Client]

    F --> H{trustee_attestation_client_encrypt_disk
    and
    trustee_attestation_client_secret_registration_client_enabled}
    G --> H

    H -- true --> I[Create_encrypted_disk_partition
    encrypt_disk.yml]
    H -- false --> J[Skip_disk_encryption]

Loading

File-Level Changes

Change	Details	Files
Add Secret Registration Client script, systemd service, tasks, and tests, wired into the role’s main flow and defaults.	Introduce secret_registration_client.sh Bash script template that registers with the Trustee server via attestation, retrieves the disk-encryption key from CDH/KBS, and supports fetch-key and mount-disk modes. Add secret_registration_client.service systemd unit template that runs the client at boot after the Trustee GC pod and mounts the encrypted disk. Create secret_registration_client.yml tasks to install jq dependency, deploy the script and unit, reload systemd, and enable the service. Expose trustee_attestation_client_secret_registration_client_enabled default variable and include the new tasks from main.yml when enabled. Add tests to verify required packages are installed, the client script is deployed, and the systemd service is enabled when the feature is turned on.	templates/secret_registration_client.sh.j2 templates/secret_registration_client.service.j2 tasks/secret_registration_client.yml defaults/main.yml vars/main.yml tasks/main.yml tests/tests_secret_registration_client.yml examples/simple.yml README.md
Refactor disk-encryption workflow to use the Secret Registration Client as the source of the LUKS key instead of generating and exporting a local key fact.	Change encrypt_disk.yml to call secret_registration_client.sh --fetch-key-to to obtain a key file, then create the partition table, encrypt with cryptsetup using that key, open, format, and mount the encrypted device. Remove generation of a random key, the encrypted_disk_key exported fact, and temporary key handling in favor of a fetched key file that is cleaned up at the end. Update the main task flow so disk encryption only runs when both encryption and the secret registration client are enabled, and add documentation describing the new dependency and flow.	tasks/encrypt_disk.yml tasks/main.yml README.md
Persist KBS certificate content to /etc/trustee-gc/server.crt and test its presence.	Write the value of trustee_attestation_client_trustee_kbs_cert directly into /etc/trustee-gc/server.crt during quadlet deployment when non-empty. Update documentation and examples to treat trustee_attestation_client_trustee_kbs_cert as inline certificate content instead of a file path. Add an integration test that asserts the server.crt file exists after role execution.	tasks/trustee_quadlet.yml README.md examples/simple.yml tests/tests_kbs_config.yml
Remove SELinux-disabling behavior and its tests, and adjust tests to assert Trustee pod is running instead.	Delete tasks that changed SELinux to permissive/disabled and modified /etc/selinux/config. Replace SELinux-related tests with checks that ensure a Trustee pod quadlet file is present and the corresponding systemd pod service is active. Keep overall trustee deployment validation but focus on pod availability rather than SELinux configuration.	tasks/trustee_quadlet.yml tests/tests_default.yml
Minor behavioral and docs cleanup around Quadlet deployment and encrypted-disk storage configuration.	Remove tasks that configured Podman storage to use the encrypted disk mount point. Clarify README feature descriptions for Trustee Client, Secret Registration Client, and Encrypt Disk, and add high-level flow descriptions for each. Adjust examples and defaults to align with the new configuration options and flows.	tasks/trustee_quadlet.yml README.md examples/simple.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 7 issues, and left some high level feedback:

• In secret_registration_client.sh, the way REGISTRATION_SERVER_URL and REGISTRATION_SERVER_PORT are combined (${REGISTRATION_SERVER_URL%:*}:${REGISTRATION_SERVER_PORT}) assumes a simple host:port URL and will behave unexpectedly if the KBS URL includes a path, scheme-only URL, or no port; consider parsing or configuring the registration endpoint separately instead of string-mangling the URL.
• The encrypt-disk flow uses a fixed path (/tmp/secret_key.bin) for the fetched key, while the client script uses mktemp for the same purpose; for consistency and to reduce the risk of races or permission issues, consider switching encrypt_disk.yml to use a securely created temp file as well.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `secret_registration_client.sh`, the way `REGISTRATION_SERVER_URL` and `REGISTRATION_SERVER_PORT` are combined (`${REGISTRATION_SERVER_URL%:*}:${REGISTRATION_SERVER_PORT}`) assumes a simple host:port URL and will behave unexpectedly if the KBS URL includes a path, scheme-only URL, or no port; consider parsing or configuring the registration endpoint separately instead of string-mangling the URL.
- The encrypt-disk flow uses a fixed path (`/tmp/secret_key.bin`) for the fetched key, while the client script uses `mktemp` for the same purpose; for consistency and to reduce the risk of races or permission issues, consider switching `encrypt_disk.yml` to use a securely created temp file as well.

## Individual Comments

### Comment 1
<location path="tasks/trustee_quadlet.yml" line_range="123-127" />
<code_context>
   when: trustee_gc_pod_name.files | length > 0
   failed_when: false

+- name: Write KBS certificate to /etc/trustee-gc/server.crt
+  ansible.builtin.copy:
+    content: "{{ trustee_attestation_client_trustee_kbs_cert }}"
+    dest: /etc/trustee-gc/server.crt
+    mode: "0644"
+  when: trustee_attestation_client_trustee_kbs_cert | length > 0
+
</code_context>
<issue_to_address>
**issue (bug_risk):** KBS certificate variable is treated as inline content but example still uses it as a file path, likely breaking TLS to KBS.

This task now assumes `trustee_attestation_client_trustee_kbs_cert` contains PEM content (`content: ...`), but `examples/simple.yml` still sets it to a file path. That will write the literal path into `/etc/trustee-gc/server.crt`, causing `curl --cacert /etc/trustee-gc/server.crt` in `secret_registration_client.sh` to fail TLS verification. Please either (a) switch to `src:` and keep the variable as a path, or (b) update defaults/examples/docs to require PEM content and rename the variable to reflect that.
</issue_to_address>

### Comment 2
<location path="tasks/main.yml" line_range="10-12" />
<code_context>
   include_tasks: trustee_quadlet.yml
   when: trustee_attestation_client_trustee_gc | bool
+
+- name: Deploy Secret Registration Client Service
+  include_tasks: secret_registration_client.yml
+  when: trustee_attestation_client_secret_registration_client_enabled | bool
+
+- name: Create encrypted disk partition
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Secret registration client is deployed without enforcing the documented dependency on Trustee GC.

`secret_registration_client.yml` documents a dependency on Trustee GC (`trustee_attestation_client_trustee_gc`), but this task is only gated on `trustee_attestation_client_secret_registration_client_enabled`. This allows enabling the client without GC/CDH deployed, leading to runtime failure when calling `${CDH_URL}`. Please also require `trustee_attestation_client_trustee_gc | bool` (or add a fail-fast guard) so misconfiguration is caught early.
</issue_to_address>

### Comment 3
<location path="tasks/encrypt_disk.yml" line_range="34-35" />
<code_context>
     - name: Set fact with disk device path and partition path
       ansible.builtin.set_fact:
         disk_device: "/dev/{{ unpartitioned_disk.stdout }}"
+        secret_key_file: "/tmp/secret_key.bin"
         disk_partition: >-
           /dev/{{ unpartitioned_disk.stdout }}{{ 'p' if 'nvme' in unpartitioned_disk.stdout else '' }}1
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Using a fixed /tmp/secret_key.bin path for the disk key introduces an avoidable security and concurrency risk.

This hard-coded `secret_key_file` path leaves a predictable filename in `/tmp`, creates a race window before cleanup, and prevents safe concurrent runs. Prefer `ansible.builtin.tempfile` (or another per-run unique path) and pass that into `secret_registration_client.sh --fetch-key-to`, then remove it after use.

Suggested implementation:

```
    - name: Create temporary file for disk encryption key
      ansible.builtin.tempfile:
        state: file
        suffix: secret_key.bin
      register: secret_key_tmp

    - name: Set fact with disk device path and partition path
      ansible.builtin.set_fact:
        disk_device: "/dev/{{ unpartitioned_disk.stdout }}"
        secret_key_file: "{{ secret_key_tmp.path }}"
        disk_partition: >-
          /dev/{{ unpartitioned_disk.stdout }}{{ 'p' if 'nvme' in unpartitioned_disk.stdout else '' }}1

    - name: Acquire disk encryption key from Secret Registration Client service
      ansible.builtin.shell: |
        /usr/local/bin/secret_registration_client.sh --fetch-key-to {{ secret_key_file }}
      changed_when: true

    - name: Remove temporary disk encryption key file
      ansible.builtin.file:
        path: "{{ secret_key_file }}"
        state: absent

```

If the `secret_key_file` is used by additional tasks later in `tasks/encrypt_disk.yml` (for example, passed to a disk encryption command), move the "Remove temporary disk encryption key file" task to immediately after the final use of `secret_key_file` so the key remains available for all required operations but is still cleaned up promptly afterward.
</issue_to_address>

### Comment 4
<location path="README.md" line_range="56" />
<code_context>
+
+1. Downloads the Podman Quadlets from designated repo
+2. Configures the settings in /etc/trustee-gc/
+3. Enables and start trustee-gc.pod as a service
+
+## Secret Registration Client
</code_context>
<issue_to_address>
**issue (typo):** Fix verb agreement in 'Enables and start'.

Change to `Enables and starts trustee-gc.pod as a service` so the verbs agree grammatically.

```suggestion
3. Enables and starts trustee-gc.pod as a service
```
</issue_to_address>

### Comment 5
<location path="README.md" line_range="62" />
<code_context>
+
+When enabled, this task:
+
+1. Sends registation request to Secret Registration Server via HTTPS to acquire disk encryption keys
+2. Requests above disk encryption key upon boot when Encrypt Disk is enabled to decrypt and mount disk
+
</code_context>
<issue_to_address>
**issue (typo):** Correct the spelling of 'registation' to 'registration' and consider adding an article.

For example: `Sends a registration request to the Secret Registration Server via HTTPS to acquire disk encryption keys.`
</issue_to_address>

### Comment 6
<location path="README.md" line_range="63" />
<code_context>
+When enabled, this task:
+
+1. Sends registation request to Secret Registration Server via HTTPS to acquire disk encryption keys
+2. Requests above disk encryption key upon boot when Encrypt Disk is enabled to decrypt and mount disk
+
+## Encrypt Disk
</code_context>
<issue_to_address>
**suggestion (typo):** Improve wording by adding missing articles for clarity.

Consider rephrasing this line to: `Requests the above disk encryption key upon boot when Encrypt Disk is enabled, to decrypt and mount the disk.`

```suggestion
2. Requests the above disk encryption key upon boot when Encrypt Disk is enabled, to decrypt and mount the disk
```
</issue_to_address>

### Comment 7
<location path="README.md" line_range="71" />
<code_context>
+
+1. Finds the first unpartitioned and unmounted disk
+2. Requests disk encryption key from Secret Registration Client
+3. Encrypts the disk using above encryption key and mount to designated path
+
 ## License
</code_context>
<issue_to_address>
**issue (typo):** Fix grammar in the phrase about encrypting and mounting the disk.

Change to `Encrypts the disk using the above encryption key and mounts it at the designated path` to fix verb agreement and the missing article.

```suggestion
3. Encrypts the disk using the above encryption key and mounts it at the designated path
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

there are a couple of files that do not end with a newline

[richm]

lgtm - @spetrosi ?