Investigate CI failures#313
Draft
Jakob-Naucke wants to merge 12 commits into
Draft
Conversation
Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
The race scenario: - Assume the operator is installed and TEC object exists - Apply an approved-image yaml file (create a new CR instance) - Delete the TEC object (immediately) - The new approved-image is not deleted with the TEC object This happens because kube-rs finalizer() does not call the Apply handler on the first reconcile — it only adds the finalizer and returns. This means adopt_approved_image inside image_add_reconcile never runs on the first reconcile. If the TEC is deleted before the second reconcile, the owner reference is never set and GC (garbage collector) cannot cascade-delete the ApprovedImage. Move adoption before the finalizer() call in image_reconcile so it runs on the very first reconcile. For more information see https://docs.rs/kube/latest/kube/runtime/finalizer/fn.finalizer.html in sections Guarantees, Assumptions (Third point) and Expected Flow(from 1 to 6). Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
All trustee resources, including the resource policy, attestation policy, RV, LUKS key, and AK, are now synchronized using the KBS API.
The main motivation for this is replacing the patch mechanism that causes a restart of the trustee deployment.
Also, this abstraction over the trustee backend simplifies the process of upgrading to future versions of trustee.
Config:
- Update kbs-config.toml to v0.20.0 format
- Store reference values in dedicated ConfigMap (trustee-rv-data)
instead of trustee-data
API-driven resource management:
- Add KBS API client functions: send_secret, delete_secret,
register_ak, sync_resource_policy, sync_attestation_policy,
sync_reference_values
- Replace volume-mount approach for secrets with KBS API calls
- Add trustee deployment reconciler that syncs policies, reference
values, and secrets when deployment becomes available
Dependencies:
- Add kbs-client and jsonwebtoken crates
- Bump trustee image tag to v0.20.0
Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
test_luks_key_sync - verify the initial LUKS key upload, re-sync after trustee restart, and LUKS key deletion on machine removal. test_attestation_key_sync - verify that attestation keys are registered with the KBS and re-registered after trustee restarts. Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
Tested functions: - sync_all_machine_luks_key - update_attestation_keys Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
required on OpenShift SCC Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Jakob-Naucke The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Reviewer's GuideRefactors the trustee operator to integrate directly with the KBS API (using JWT auth and kbs-client), replaces in‑pod volume-based secret and policy management with explicit sync controllers and config maps/secrets, updates Trustee/KBS configuration and versions, and extends tests and CI to validate LUKS key and attestation key resync behavior and aid debugging intermittent CI failures. Sequence diagram for trustee deployment sync controller interactions with KBSsequenceDiagram
participant Controller as TrusteeSyncController
participant Kube as KubernetesAPI
participant KBS
Controller->>Kube: watch Deployment label app=TRUSTEE_APP_LABEL
Kube-->>Controller: Deployment with status Available=True
Controller->>Controller: trustee_deployment_reconcile()
alt Deployment Available
Controller->>KBS: sync_resource_policy() / kbs_client::set_resource_policy
Controller->>KBS: sync_attestation_policy() / kbs_client::set_attestation_policy
Controller->>Kube: sync_reference_values_from_configmap()
Controller->>KBS: sync_reference_values() / kbs_client::set_sample_rv
Controller->>Kube: sync_all_machine_luks_key() / list Machine, get Secret
Controller->>KBS: send_secret() / kbs_client::set_resource
Controller->>Kube: update_attestation_keys() / list Secret
Controller->>KBS: register_ak() / kbs_client::set_sample_rv
else Deployment not Available
Controller-->Controller: Action::await_change()
end
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
1353d67 to
4de09c8
Compare
Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
for crates and testing Fixes: trusted-execution-clusters#227 Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
so that status is updated in a timely manner Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
Signed-off-by: Jakob Naucke <jnaucke@redhat.com> Assisted-by: AI
GHA has been seen to run out of space. Add a flag to delete local image after push. Signed-off-by: Jakob Naucke <jnaucke@redhat.com> Assisted-by: AI
4de09c8 to
00e5c14
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GHA & openshift/release#79393 saw many random failures, most related to finalizer. Most recent run on the latter showed a resource apparently taking 4 minutes to patch. (Also) testing here for a faster feedback loop.
Summary by Sourcery
Integrate the trustee operator more tightly with an external KBS, switching from in-pod secret mounting to API-based secret and policy synchronization, updating trustee configuration and image versions, and enhancing logging and tests to diagnose and stabilize CI behavior.
New Features:
Bug Fixes:
Build:
CI: