
docs(changelog): version 1.0.0 [citest_skip] #17

Merged
richm merged 1 commit into linux-system-roles:main from richm:changelog-2026-05-07 on May 7, 2026

Conversation

@richm richm (Contributor) commented May 7, 2026
Update changelog and .README.html for version 1.0.0

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add generated HTML README and document the 1.0.0 release.

Documentation:

  • Add .README.html documenting the trustee_server Ansible role, its features, variables, and usage.
  • Introduce CHANGELOG.md capturing the initial 1.0.0 release notes and related changes.

@richm richm requested a review from spetrosi as a code owner May 7, 2026 20:24
sourcery-ai Bot commented May 7, 2026

Reviewer's Guide

Adds generated HTML README documentation and a new changelog for version 1.0.0 of the trustee_server role, documenting features, configuration variables, and recent changes.

Sequence diagram for secret registration server key provisioning flow

sequenceDiagram
    actor Client
    participant SecretRegistrationServer
    participant AttestationService
    participant TrusteeKBS
    participant PolicyStore

    Client->>SecretRegistrationServer: POST /register-encryption-key
    activate SecretRegistrationServer
    SecretRegistrationServer->>SecretRegistrationServer: Parse attestation_token and client_id
    SecretRegistrationServer->>AttestationService: Verify attestation_token
    activate AttestationService
    AttestationService-->>SecretRegistrationServer: Attestation verification result
    deactivate AttestationService

    alt attestation valid
        SecretRegistrationServer->>SecretRegistrationServer: Generate disk encryption key
        SecretRegistrationServer->>TrusteeKBS: Store encryption key with client_id
        activate TrusteeKBS
        TrusteeKBS-->>SecretRegistrationServer: Storage confirmation
        deactivate TrusteeKBS
        SecretRegistrationServer->>PolicyStore: Append resource policy to policy.rego
        SecretRegistrationServer-->>Client: 201 Created (registration successful)
    else attestation invalid
        SecretRegistrationServer-->>Client: 4xx Error (attestation failed)
    end
    deactivate SecretRegistrationServer
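The registration flow in the sequence diagram, worked through in Python as an added example (not code from the trustee_server role or its secret registration server). The page does not show the attestation token format, the KBS API or the policy.rego rule syntax, so all three are assumptions here: the token is an HMAC-signed base64url JSON payload carrying the client id and an expiry, the KBS and the policy file are in-memory stand-ins, and the rego rule text is illustrative only. The 403 binding check (token subject must equal the requested client_id) is an added check the diagram does not spell out.

```python
"""Secret registration server flow: parse, verify attestation, generate a
disk encryption key, store it in the KBS, append a resource policy.
Added example; token format, KBS and policy store are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key standing in for the attestation service's own
# key material; the real token format is not shown on this page.
AS_SIGNING_KEY = b"constructed-attestation-service-key"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(client_id: str, ttl_seconds: int = 300, now=None) -> str:
    """Stand-in for the attestation service: HMAC-sign a payload bound to client_id."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": client_id, "exp": now + ttl_seconds}, sort_keys=True).encode()
    mac = hmac.new(AS_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(mac)


class AttestationService:
    """Verifies a token and returns the attested client id, or None."""

    def verify(self, token: str, now=None):
        now = time.time() if now is None else now
        try:
            payload_b64, mac_b64 = token.split(".")
            payload = _b64u_decode(payload_b64)
            mac = _b64u_decode(mac_b64)
            claims = json.loads(payload)
        except (ValueError, TypeError):
            return None  # malformed token: not a verification failure we explain
        expected = hmac.new(AS_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time compare
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")


class TrusteeKBS:
    """In-memory stand-in for the Trustee KBS secret store (assumption)."""

    def __init__(self):
        self.secrets = {}

    def store(self, client_id: str, key: bytes) -> bool:
        self.secrets[client_id] = key
        return True


class PolicyStore:
    """In-memory stand-in for policy.rego; the rule shape is illustrative only."""

    def __init__(self):
        self.rules = []

    def append_resource_policy(self, client_id: str) -> str:
        rule = (
            f"# constructed rule for {client_id}\n"
            "allow if {\n"
            f'    input.resource == "default/disk-keys/{client_id}"\n'
            "}\n"
        )
        self.rules.append(rule)
        return rule


class SecretRegistrationServer:
    def __init__(self, attestation, kbs, policy):
        self.attestation = attestation
        self.kbs = kbs
        self.policy = policy

    def register_encryption_key(self, request: dict, now=None):
        """Handle POST /register-encryption-key; returns (status, body)."""
        token = request.get("attestation_token")
        client_id = request.get("client_id")
        if not isinstance(token, str) or not isinstance(client_id, str) or not client_id:
            return 400, {"error": "attestation_token and client_id are required"}
        subject = self.attestation.verify(token, now=now)
        if subject is None:
            return 401, {"error": "attestation failed"}
        if subject != client_id:
            # Added binding check: a valid token for one client must not
            # register a key under another client's id.
            return 403, {"error": "attestation token is not bound to client_id"}
        key = secrets.token_bytes(32)  # 256-bit disk encryption key
        self.kbs.store(client_id, key)
        self.policy.append_resource_policy(client_id)
        # The key is never echoed back; the client retrieves it from the
        # KBS through its own attested release path.
        return 201, {"resource": f"default/disk-keys/{client_id}"}
```

The key never appears in the 201 response: the diagram only has the server storing it in the KBS, and returning it here would hand a 256-bit disk key to anyone able to replay the registration call.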

Flow diagram for trustee_server role deployment logic

graph TD
    A[Start trustee_server role] --> B{trustee_server_trustee is true}
    B -->|false| Z[Skip Trustee server and secret registration server deployment]
    B -->|true| C[Download Podman Quadlets for KBS, AS, RVPS]
    C --> D[Generate certificates for Trustee server components]
    D --> E[Configure and enable Trustee services]
    E --> F[Open KBS port 8080 in firewalld if running]
    F --> G{trustee_server_secret_registration_enabled is true}

    G -->|false| H[Do not deploy secret registration server]
    G -->|true| I[Deploy secret registration HTTPS service]

    I --> J[Configure listen port from trustee_server_secret_registration_listen_port]
    J --> K[Open secret registration port in firewalld if running]

    subgraph Secure_logging_behavior
        L{trustee_server_secure_logging is true}
        L -->|true| M[Set no_log true on tasks handling secrets]
        L -->|false| N[Allow full task output for debugging]
    end

    F --> L
    H --> O[Role complete]
    K --> O
    Z --> O

File-Level Changes

Change: Add generated HTML README describing the trustee_server Ansible role and its features.
Details:
  • Introduce .README.html generated via Pandoc using the GitHub HTML5 template and associated CSS.
  • Document role overview, features, requirements, variables, example playbook, and component behavior.
  • Describe secret registration server workflow, port usage, and security-related options such as secure logging.
Files: .README.html

Change: Introduce initial changelog documenting version 1.0.0 changes.
Details:
  • Create CHANGELOG.md with a 1.0.0 entry dated 2026-05-07.
  • Summarize new features such as Trustee quadlet deployment, secret registration server, syslog fingerprints, and secure logging variable.
  • List CI, testing, refactor, and documentation-related changes that led up to 1.0.0.
Files: CHANGELOG.md

sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • Consider whether .README.html should be a tracked artifact or generated from the canonical README source as part of the release/build process, to avoid maintaining large embedded CSS/HTML in the repo by hand.
  • It might help future maintainers if you add a brief note near the top of .README.html or in the changelog indicating how and with which command this file is generated (e.g., specific pandoc invocation), so it can be reliably regenerated for future versions.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider whether `.README.html` should be a tracked artifact or generated from the canonical README source as part of the release/build process, to avoid maintaining large embedded CSS/HTML in the repo by hand.
- It might help future maintainers if you add a brief note near the top of `.README.html` or in the changelog indicating how and with which command this file is generated (e.g., specific pandoc invocation), so it can be reliably regenerated for future versions.

## Individual Comments

### Comment 1
<location path=".README.html" line_range="116-129" />
<code_context>
+code span.vs { color: #4070a0; } /* VerbatimString */
+code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
+  </style>
+  <!--[if lt IE 9]>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
+  <![endif]-->
+</head>
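Review bot: the html5shiv include inside the `<!--[if lt IE 9]>` block carries no `integrity` or `crossorigin` attribute, so on any client that honours the conditional comment the CDN's bytes execute unverified over a protocol-relative URL. Because `.README.html` is Pandoc output (see the file-level change note), removing the block by hand here will only last until the next regeneration; apply the fix to the template or the pandoc invocation used to produce the file, either dropping the html5shiv block or vendoring the script with an SRI hash, and record that invocation so the file can be regenerated consistently.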
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Re-evaluate including the html5shiv script from an external CDN

This conditional include loads html5shiv from a third-party CDN via a protocol-relative URL, which can conflict with strict CSPs, offline/air‑gapped environments, or policies against external JS. Since IE < 9 is deprecated and likely not a target, consider removing this block; if legacy IE support is still required, vendor the script locally or otherwise make this external dependency explicit and intentional.

```suggestion
code span.op { color: #666666; } /* Operator */
code span.ot { color: #007020; } /* Other */
code span.pp { color: #bc7a00; } /* Preprocessor */
code span.sc { color: #4070a0; } /* SpecialChar */
code span.ss { color: #bb6688; } /* SpecialString */
code span.st { color: #4070a0; } /* String */
code span.va { color: #19177c; } /* Variable */
code span.vs { color: #4070a0; } /* VerbatimString */
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
  </style>
</head>
```
</issue_to_address>

### Comment 2
<location path="CHANGELOG.md" line_range="15" />
<code_context>
+
+### Other Changes
+
+- ci: tox-lsr 3.17.0 - container test improvements, use ansible 2.20 for fedora 43 [citest_skip] (#1)
+- ci: tox-lsr 3.17.1 - previous update broke container tests, this fixes them [citest_skip] (#3)
+- test: ensure role gathers the facts it uses by having test clear_facts before include_role (#11)
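Review bot: the `[citest_skip]` markers in the `ci:` entries are CI control tokens carried over from commit subjects, not release information, and they do not belong in user-facing 1.0.0 notes; strip them from the CHANGELOG.md lines while keeping the PR references such as `(#1)` and `(#3)`, so the "Other Changes" list reads as a changelog rather than a commit log.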
</code_context>
<issue_to_address>
**nitpick (typo):** Consider capitalizing proper nouns "Ansible" and "Fedora".

Here they reference the Ansible project and Fedora distribution, so please capitalize them as "Ansible" and "Fedora" for correctness.

```suggestion
- ci: tox-lsr 3.17.0 - container test improvements, use Ansible 2.20 for Fedora 43 [citest_skip] (#1)
```
</issue_to_address>

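A small auditor for the class of issue the security suggestion above raises, as an added example that is not part of the PR or of Sourcery's output. It walks an HTML head modelled on the quoted Pandoc template (a constructed sample; the `sha384-PLACEHOLDER` hash and the `cdn.example.test` host are placeholders) and lists externally hosted script includes with their SRI status. The point it demonstrates is the edge case a naive scan misses: Python's `html.parser` treats the IE conditional comment as comment text, so the html5shiv `<script>` never reaches `handle_starttag` unless the comment body is parsed again.

```python
"""Find externally hosted <script src> includes in generated HTML, including
ones hidden inside IE conditional comments. Added example; the sample head
below is constructed, not the repository's .README.html."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HEAD = """<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <style>
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
  </style>
  <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
  <![endif]-->
  <script src="assets/local.js"></script>
  <script src="https://cdn.example.test/lib.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head>
<body></body>
</html>
"""


class ExternalScriptAuditor(HTMLParser):
    """Collects <script src> tags whose src points at another host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        parts = urlsplit(src)
        if not parts.netloc:  # relative path: same origin, not a finding
            return
        self.findings.append({
            "src": src,
            "host": parts.netloc,
            "protocol_relative": parts.scheme == "",  # "//host/..." form
            "has_integrity": "integrity" in attrs,
            "has_crossorigin": "crossorigin" in attrs,
        })

    def handle_comment(self, data):
        # IE conditional comments are ordinary comments to this parser, so
        # the <script> inside them is only seen if the body is parsed again.
        if data.lstrip().startswith("[if"):
            inner = ExternalScriptAuditor()
            inner.feed(data)
            self.findings.extend(inner.findings)


def audit_html(text: str) -> list:
    parser = ExternalScriptAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings


def unverified_externals(findings: list) -> list:
    """Externally hosted scripts that nothing verifies: no SRI, or SRI that
    cannot be enforced because crossorigin is missing."""
    return [f["src"] for f in findings
            if not (f["has_integrity"] and f["has_crossorigin"])]


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HEAD):
        flags = []
        if f["protocol_relative"]:
            flags.append("protocol-relative")
        if not f["has_integrity"]:
            flags.append("no integrity")
        print(f["host"], f["src"], ", ".join(flags) or "SRI present")
```

Run it against the real `.README.html` to confirm the block is gone after the template or pandoc invocation is fixed; the same check works as a CI step on any generated HTML artifact.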


@richm richm merged commit 31b4547 into linux-system-roles:main May 7, 2026
12 checks passed