WIP: Create CRD for component deployment

[sarroutbi]

This is a Work In Progress pull request. It allows deploying attestation-operator through CRD configuration, without Helm.

There are still opened issues:

• Registrar Deployment
• Verifier Deployment
• Agents Deployment
• Possibility to install the operator controller in a namespace different from Keylime
• Check that up to date controller (Agent/Registrar) continues working

[mayaCostantini]

@sarroutbi thanks for the PR, could you please provide the command used to deploy the operator with those changes? I am currently getting the following error:

Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
 WARN  keylime_agent         > Measured boot measurement list not available: /sys/kernel/security/tpm0/binary_boot_measurements
 WARN  keylime_agent         > Cannot drop privileges since 'run_as' is empty in 'agent' section of 'keylime-agent.conf'.
 INFO  keylime_agent         > Starting server with API version v2.1...
Error: Other("IAK/IDevID enabled but cert could not be used")

[sarroutbi]

@sarroutbi thanks for the PR, could you please provide the command used to deploy the operator with those changes? I am currently getting the following error:

Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
 WARN  keylime_agent         > Measured boot measurement list not available: /sys/kernel/security/tpm0/binary_boot_measurements
 WARN  keylime_agent         > Cannot drop privileges since 'run_as' is empty in 'agent' section of 'keylime-agent.conf'.
 INFO  keylime_agent         > Starting server with API version v2.1...
Error: Other("IAK/IDevID enabled but cert could not be used")

Hello Maya. This is not related to the change itself, but with the agent ... You need to set KEYLIME_AGENT_ENABLE_IAK_IDEVID environment variable to "false":

diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
index a9067a6..8c3d1f2 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
+++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
@@ -89,6 +89,8 @@ spec:
             # tied to the host mount
             - name: KEYLIME_AGENT_AGENT_DATA_PATH
               value: "/var/lib/keylime-persistent/agent_data.json"
+            - name: KEYLIME_AGENT_ENABLE_IAK_IDEVID
+              value: "false"

[ansasaki]

@sarroutbi thanks for the PR, could you please provide the command used to deploy the operator with those changes? I am currently getting the following error:

Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
 WARN  keylime_agent         > Measured boot measurement list not available: /sys/kernel/security/tpm0/binary_boot_measurements
 WARN  keylime_agent         > Cannot drop privileges since 'run_as' is empty in 'agent' section of 'keylime-agent.conf'.
 INFO  keylime_agent         > Starting server with API version v2.1...
Error: Other("IAK/IDevID enabled but cert could not be used")

Hello Maya. This is not related to the change itself, but with the agent ... You need to set KEYLIME_AGENT_ENABLE_IAK_IDEVID environment variable to "false":

diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
index a9067a6..8c3d1f2 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
+++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
@@ -89,6 +89,8 @@ spec:
             # tied to the host mount
             - name: KEYLIME_AGENT_AGENT_DATA_PATH
               value: "/var/lib/keylime-persistent/agent_data.json"
+            - name: KEYLIME_AGENT_ENABLE_IAK_IDEVID
+              value: "false"

This is due to a bug fixed on agent master, but not yet released: keylime/rust-keylime#729
The fix will be included on the next release, and will be reflected on the upstream agent image.