Commit ab314bc
docs: document role parameters [citest_skip]

document role parameters in README.md

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
1 parent 4b656a2 commit ab314bc

1 file changed

Lines changed: 53 additions & 16 deletions

README.md
@@ -22,6 +22,59 @@ An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/a
2222
ansible-galaxy collection install -r meta/collection-requirements.yml
2323
```
2424

25+
## Variables
26+
27+
### trustee_server_trustee
28+
29+
Whether to deploy the Trustee server components (KBS, AS, RVPS) using Podman
30+
Quadlets.
31+
32+
The secret registration server is only deployed when this is `true` and
33+
[`trustee_server_secret_registration_enabled`](#trustee_server_secret_registration_enabled)
34+
is `true`.
35+
36+
Default: `true`
37+
38+
Type: `bool`
39+
40+
### trustee_server_secret_registration_enabled
41+
42+
Whether to deploy the secret registration HTTPS service that receives
43+
attestation-backed registration requests, verifies attestation, creates disk
44+
encryption keys, and stores them in Trustee KBS.
45+
46+
This has no effect unless [`trustee_server_trustee`](#trustee_server_trustee)
47+
is `true`, because the registration server depends on Trustee.
48+
49+
Default: `false`
50+
51+
Type: `bool`
52+
53+
### trustee_server_secret_registration_listen_port
54+
55+
TCP port on which the secret registration server listens. The role opens this
56+
port in firewalld when `firewalld` is running.
57+
58+
Default: `8081`
59+
60+
Type: `int`
61+
62+
### trustee_server_secure_logging
63+
64+
If `true`, suppress potentially sensitive output from tasks that handle
65+
credentials, secrets, and other sensitive data by setting `no_log: true` on
66+
those tasks. This prevents passwords, API tokens, private keys, and similar
67+
sensitive information from appearing in Ansible logs and console output.
68+
69+
If you need to debug issues with credential handling or secret management, you
70+
can temporarily set `trustee_server_secure_logging: false` to see the full output from
71+
these tasks. However, be aware that this may expose sensitive information in
72+
logs, so it should only be used in development or troubleshooting scenarios.
73+
74+
Default: `true`
75+
76+
Type: `bool`
77+
2578
## Example Playbook
2679

2780
```yaml
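Review bot: the `trustee_server_secret_registration_listen_port` entry says the role opens the port in firewalld whenever `firewalld` is running, but it does not say whether that happens only when `trustee_server_secret_registration_enabled` (and `trustee_server_trustee`) is `true`. Please state the condition explicitly, e.g. "The role opens this port in firewalld when the registration server is deployed and `firewalld` is running", since a port opened for a service that is not deployed is needless exposure; if the tasks do open it unconditionally, that is worth fixing in the role rather than only documenting.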
@@ -59,22 +112,6 @@ When enabled, the secret registration server:
59112

60113
Clients can then fetch the key from Trustee CDH using attestation.
61114

62-
## Variables
63-
64-
### trustee_server_secure_logging
65-
66-
If `true`, suppress potentially sensitive output from tasks that handle
67-
credentials, secrets, and other sensitive data by setting `no_log: true` on
68-
those tasks. This prevents passwords, API tokens, private keys, and similar
69-
sensitive information from appearing in Ansible logs and console output.
70-
71-
If you need to debug issues with credential handling or secret management, you
72-
can temporarily set `trustee_server_secure_logging: false` to see the full output from
73-
these tasks. However, be aware that this may expose sensitive information in
74-
logs, so it should only be used in development or troubleshooting scenarios.
75-
76-
Default: `true`
77-
78115
## License
79116

80117
MIT
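Review bot: the context line "When enabled, the secret registration server:" should now name the switch that enables it, `trustee_server_secret_registration_enabled`, since this commit documents that variable in the new Variables section above; otherwise the relocation is clean, as the removed `trustee_server_secure_logging` text matches the copy added earlier in the file apart from the added `Type: \`bool\`` line.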
