
WIP: Create CRD for component deployment #77

Draft: wants to merge 1 commit into base: main

Conversation

sarroutbi
Collaborator

This is a Work In Progress pull request. It allows deploying attestation-operator through CRD configuration, without Helm.

There are still open issues:

  • Registrar Deployment
  • Verifier Deployment
  • Agents Deployment
  • Possibility to install the operator controller in a namespace different from Keylime
  • Check that up to date controller (Agent/Registrar) continues working

@sarroutbi force-pushed the 202402201246-deployment-from-controller branch from 6f98a90 to 00962cc on March 22, 2024 23:49
@mayaCostantini
Collaborator

@sarroutbi thanks for the PR, could you please provide the command used to deploy the operator with those changes? I am currently getting the following error:

Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
 WARN  keylime_agent         > Measured boot measurement list not available: /sys/kernel/security/tpm0/binary_boot_measurements
 WARN  keylime_agent         > Cannot drop privileges since 'run_as' is empty in 'agent' section of 'keylime-agent.conf'.
 INFO  keylime_agent         > Starting server with API version v2.1...
Error: Other("IAK/IDevID enabled but cert could not be used")

@sarroutbi
Collaborator Author

sarroutbi commented Apr 2, 2024

Hello Maya. This is not related to the change itself, but to the agent ... You need to set the KEYLIME_AGENT_ENABLE_IAK_IDEVID environment variable to "false":

diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
index a9067a6..8c3d1f2 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
+++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
@@ -89,6 +89,8 @@ spec:
             # tied to the host mount
             - name: KEYLIME_AGENT_AGENT_DATA_PATH
               value: "/var/lib/keylime-persistent/agent_data.json"
+            - name: KEYLIME_AGENT_ENABLE_IAK_IDEVID
+              value: "false"
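Review bot: hard-coding `value: "false"` for KEYLIME_AGENT_ENABLE_IAK_IDEVID in the chart's daemonset.yaml template disables IAK/IDevID for every deployment rendered from the chart, not only for the agent images affected by the unreleased fix (keylime/rust-keylime#729, cited later in this thread). Consider exposing it as a chart value with "false" as the default so it can be flipped back once the fixed agent image ships, and add a short comment next to the new env entry recording why it is there, in the same style as the existing `# tied to the host mount` comment a few lines above.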

@maugustosilva mentioned this pull request Apr 22, 2024
@ansasaki
Contributor

This is due to a bug fixed on agent master, but not yet released: keylime/rust-keylime#729
The fix will be included in the next release, and will be reflected in the upstream agent image.
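The two comments above describe a symptom (the agent exits with the IAK/IDevID cert error) and a temporary remediation (the KEYLIME_AGENT_ENABLE_IAK_IDEVID="false" override in the agent container). The script below is an added example for this thread, not code from attestation-operator or rust-keylime: it recognises the failure in an agent startup log and then verifies, on a rendered DaemonSet manifest, that the override is present on the keylime-agent container and absent from the init container. The manifest and image names are constructed; the env var name and the log lines are the ones quoted in the thread; the YAML walk is a small line-oriented parser that assumes a conventionally indented manifest such as `helm template` produces, so no third-party library is required.

```python
"""Detect the IAK/IDevID startup failure and check a rendered keylime-agent
DaemonSet for the KEYLIME_AGENT_ENABLE_IAK_IDEVID="false" workaround.

Added example; not project code. Manifest and image names are constructed.
"""
from __future__ import annotations

import re

ENV_NAME = "KEYLIME_AGENT_ENABLE_IAK_IDEVID"
IAK_ERROR = "IAK/IDevID enabled but cert could not be used"

# Constructed sample: init container without the override, agent container
# with it (the shape the daemonset.yaml change in the thread produces).
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: keylime-agent
spec:
  template:
    spec:
      initContainers:
        - name: keylime-agent-init
          image: example.invalid/keylime-agent-init:placeholder
          env:
            - name: KEYLIME_AGENT_AGENT_DATA_PATH
              value: "/var/lib/keylime-persistent/agent_data.json"
      containers:
        - name: keylime-agent
          image: example.invalid/keylime-agent:placeholder
          env:
            - name: KEYLIME_AGENT_AGENT_DATA_PATH
              value: "/var/lib/keylime-persistent/agent_data.json"
            - name: KEYLIME_AGENT_ENABLE_IAK_IDEVID
              value: "false"
"""

# Agent startup log as pasted in the thread; the last line is the failure.
SAMPLE_LOG = """\
 INFO  keylime_agent::config > Using hashed EK as UUID
 WARN  keylime_agent         > Measured boot measurement list not available: /sys/kernel/security/tpm0/binary_boot_measurements
 INFO  keylime_agent         > Starting server with API version v2.1...
Error: Other("IAK/IDevID enabled but cert could not be used")
"""

_SECTION_RE = re.compile(r"^\s*(containers|initContainers):\s*$")
_ENV_RE = re.compile(r"^\s*env:\s*$")
_LIST_NAME_RE = re.compile(r'^\s*-\s+name:\s*"?([^"\s]+)"?\s*$')
_VALUE_RE = re.compile(r'^\s*value:\s*"?([^"]*?)"?\s*$')


def parse_container_env(manifest: str) -> dict[str, dict[str, str]]:
    """Map container name -> {env name: literal value} for each entry of the
    containers:/initContainers: lists. Only literal `value:` entries are
    recorded; valueFrom references are ignored."""
    envs: dict[str, dict[str, str]] = {}
    section_indent = None  # indent of the containers:/initContainers: key
    item_indent = None     # indent of the `- name:` lines that start a container
    container = None
    env_indent = None      # indent of `env:` while inside an env list
    pending = None         # env var name waiting for its `value:` line
    for line in manifest.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if env_indent is not None and indent <= env_indent:
            env_indent, pending = None, None            # left the env list
        if (section_indent is not None and indent <= section_indent
                and not line.lstrip().startswith("-")):
            section_indent, item_indent, container = None, None, None
        if _SECTION_RE.match(line):
            section_indent, item_indent, container = indent, None, None
            continue
        if _ENV_RE.match(line):
            if container is not None:
                env_indent = indent
            continue
        m = _LIST_NAME_RE.match(line)
        if m:
            if env_indent is not None:
                pending = m.group(1)                    # env entry
            elif section_indent is not None and (item_indent is None or indent == item_indent):
                item_indent, container = indent, m.group(1)   # container entry
                envs.setdefault(container, {})
            continue
        m = _VALUE_RE.match(line)
        if m and pending is not None and container is not None:
            envs[container][pending] = m.group(1)
            pending = None
    return envs


def override_status(manifest: str, container: str = "keylime-agent") -> str:
    """'disabled' if the container sets the env var to false, 'enabled' for
    any other value, 'missing' if the container does not set it at all."""
    value = parse_container_env(manifest).get(container, {}).get(ENV_NAME)
    if value is None:
        return "missing"
    return "disabled" if value.strip().lower() == "false" else "enabled"


def log_shows_iak_idevid_failure(agent_log: str) -> bool:
    """True when the agent log contains the IAK/IDevID cert error from the thread."""
    return any(IAK_ERROR in line for line in agent_log.splitlines())


if __name__ == "__main__":
    if log_shows_iak_idevid_failure(SAMPLE_LOG):
        print("agent log shows the IAK/IDevID failure; checking the manifest")
    for name in ("keylime-agent", "keylime-agent-init"):
        print(f"{name}: {ENV_NAME} override is {override_status(SAMPLE_MANIFEST, name)}")
```

Run it against `helm template ... > rendered.yaml` output (or `kubectl get daemonset keylime-agent -o yaml`) by reading that file instead of SAMPLE_MANIFEST; a result of "missing" or "enabled" on the keylime-agent container, combined with the error line in the log, points at the agent-side issue rather than at the operator change under review.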

@maugustosilva mentioned this pull request May 21, 2024
3 participants