
feat: change name to trustee_client, add systemd-cryptenroll and allow kbs_cert by file path#18

Open
litian1992 wants to merge 3 commits into linux-system-roles:main from litian1992:main

Conversation

@litian1992
Collaborator

@litian1992 litian1992 commented Mar 19, 2026

Enhancement:

  1. Refactor role name to trustee_client, because trustee_attestation_client is too long and attestation is not a key factor in this role.
  2. Besides kbs_cert_content, also allow users to pass in the cert by path using kbs_cert.
  3. Add systemd-cryptenroll capability to encrypt_disk task when Secret Registration Client is not enabled.

Reason:

Result:

Issue Tracker Tickets (Jira or BZ if any):

Summary by Sourcery

Rename the role and its variables from trustee_attestation_client to trustee_client, expand disk encryption support to use systemd-cryptenroll when the Secret Registration Client is disabled, and allow KBS certificates to be provided either as inline content or via a file path, updating tests and documentation accordingly.

New Features:

  • Support providing the KBS certificate via a file path in addition to inline certificate content.
  • Add TPM2-backed disk encryption flow using systemd-cryptenroll and /etc/crypttab when the Secret Registration Client is disabled.

Enhancements:

  • Rename the Ansible role and all associated variables, tests, and documentation from trustee_attestation_client to trustee_client.
  • Clarify and extend README and example playbooks to document the new role name and KBS certificate options.

Tests:

  • Update existing tests to use the new trustee_client naming and encrypted_disk mapper name, and add coverage for the systemd-cryptenroll disk encryption path and KBS certificate-from-path behavior.

The present name 'trustee_attestation_client' is too long. The
keyword attestation is not obviously reflected in the role.

Signed-off-by: Li Tian <litian@redhat.com>
Besides passing in the kbs cert file content, also allow
passing in the file by its path.

Signed-off-by: Li Tian <litian@redhat.com>
@sourcery-ai

sourcery-ai bot commented Mar 19, 2026

Reviewer's Guide

Refactors the Ansible role from trustee_attestation_client to trustee_client across code, docs, CI, and tests, while adding TPM2-backed systemd-cryptenroll disk encryption support when the secret registration client is disabled and introducing support for providing the KBS certificate via either inline content or a file path, with corresponding tests and documentation updates.

Sequence diagram for updated disk encryption flow with Secret Registration Client and systemd_cryptenroll

sequenceDiagram
  actor Admin
  participant AnsibleController
  participant trustee_client_role
  participant SecretRegistrationClient
  participant systemd_cryptenroll
  participant TPM2
  participant Cryptsetup
  participant OS

  Admin->>AnsibleController: Run playbook with trustee_client_encrypt_disk=true
  AnsibleController->>trustee_client_role: Execute tasks/main.yml
  trustee_client_role->>trustee_client_role: include_tasks encrypt_disk.yml

  trustee_client_role->>trustee_client_role: Detect first unpartitioned disk

  alt trustee_client_secret_registration_enabled=true
    trustee_client_role->>SecretRegistrationClient: secret_registration_client.sh --fetch-key-to tempfile
    SecretRegistrationClient-->>trustee_client_role: LUKS key written to tempfile
  else trustee_client_secret_registration_enabled=false
    trustee_client_role->>OS: type systemd-cryptenroll
    OS-->>trustee_client_role: rc=0 if available
    alt systemd-cryptenroll available
      trustee_client_role->>OS: head -c 32 /dev/urandom | base64 > tempfile
      OS-->>trustee_client_role: Random key stored in tempfile
    end
  end

  trustee_client_role->>Cryptsetup: luksFormat --key-file tempfile disk_partition
  Cryptsetup-->>trustee_client_role: LUKS container created
  trustee_client_role->>Cryptsetup: open --key-file tempfile disk_partition encrypted_disk
  Cryptsetup-->>trustee_client_role: /dev/mapper/encrypted_disk
  trustee_client_role->>OS: mkfs.ext4 /dev/mapper/encrypted_disk
  trustee_client_role->>OS: mkdir -p trustee_client_encrypt_disk_mount_point
  trustee_client_role->>OS: mount /dev/mapper/encrypted_disk trustee_client_encrypt_disk_mount_point

  alt trustee_client_secret_registration_enabled=false and systemd_cryptenroll available
    trustee_client_role->>systemd_cryptenroll: Enroll TPM2 slot with unlock-key-file=tempfile
    systemd_cryptenroll->>TPM2: Bind key to PCR7
    TPM2-->>systemd_cryptenroll: TPM2 policy created
    trustee_client_role->>systemd_cryptenroll: Wipe password slot
    systemd_cryptenroll-->>trustee_client_role: LUKS updated

    trustee_client_role->>OS: lsblk -dno UUID disk_partition
    OS-->>trustee_client_role: UUID
    trustee_client_role->>OS: Update /etc/crypttab with encrypted_disk UUID and tpm2-device=auto
    trustee_client_role->>OS: Configure /etc/fstab and mount with x-systemd.requires=systemd-cryptsetup@encrypted_disk.service
  end

  trustee_client_role->>OS: Remove tempfile
  OS-->>trustee_client_role: Key file deleted
  trustee_client_role-->>AnsibleController: Disk encrypted and configured
  AnsibleController-->>Admin: Playbook run complete

Flow diagram for updated task inclusion and disk encryption conditions in main role

flowchart TD
  A_start["Start: tasks/main.yml"] --> B_quadlet["Include trustee_quadlet.yml\nwhen trustee_client_trustee_gc is true"]
  B_quadlet --> C_secretReg["Include secret_registration_client.yml\nwhen trustee_client_secret_registration_enabled is true\nAND trustee_client_trustee_gc is true"]
  C_secretReg --> D_encrypt["Include encrypt_disk.yml\nwhen trustee_client_encrypt_disk is true"]
  B_quadlet --> D_encrypt
  D_encrypt --> E_branch["Inside encrypt_disk.yml:\nIs there an unpartitioned disk?"]

  E_branch -->|No| Z_end["End: no encryption performed"]
  E_branch -->|Yes| F_checkSecretReg["Check trustee_client_secret_registration_enabled"]

  F_checkSecretReg -->|true| G_useSecretReg["Use Secret Registration Client\nfetch key to tempfile"]
  F_checkSecretReg -->|false| H_checkCryptenroll["Check for systemd-cryptenroll command"]

  H_checkCryptenroll -->|Available| I_useTPM2["Generate random key to tempfile\nEncrypt disk and bind key via systemd-cryptenroll\nConfigure crypttab and fstab for auto-unlock"]
  H_checkCryptenroll -->|Not available| J_encryptOnly["Encrypt and mount using key file\n(no TPM2 auto-unlock path)"]

  G_useSecretReg --> K_encryptMount["Encrypt LUKS partition with fetched key\nand mount encrypted_disk"]
  I_useTPM2 --> K_encryptMount
  J_encryptOnly --> K_encryptMount

  K_encryptMount --> L_cleanup["Remove key tempfile"]
  L_cleanup --> Z_end

File-Level Changes

Change: Rename the Ansible role and all variables from trustee_attestation_client to trustee_client and align documentation, examples, vars, handlers, and CI/test wiring.
Details:
  • Update role name usages in playbooks, tests, examples, and include_role/roles references to linux-system-roles.trustee_client.
  • Rename all public/default variables (e.g. trustee_attestation_client_* -> trustee_client_*) and internal vars (_trustee_attestation_client_* -> _trustee_client_*).
  • Adjust handlers and platform-specific vars to use the new __trustee_client_services and related internal variables.
  • Update README, contributing guide, plans README, and workflow/test-plan links and badges to point to the trustee_client repo and name.
  • Revise comments and template metadata strings to reference system_role:trustee_client.
Files: tasks/main.yml, defaults/main.yml, vars/main.yml, vars/Fedora.yml, vars/RedHat_7.yml, vars/RedHat_8.yml, vars/RedHat_9.yml, vars/RedHat_10.yml, tests/vars/rh_distros_vars.yml, tests/tests_default.yml, tests/tests_trustee_gc_disabled.yml, tests/tests_secret_registration_client.yml, tests/tests_include_vars_from_parent.yml, tests/setup-snapshot.yml, examples/simple.yml, handlers/main.yml, templates/secret_registration_client.sh.j2, templates/secret_registration_client.service.j2, README.md, contributing.md, plans/README-plans.md, .github/workflows/tft.yml

Change: Extend disk encryption to support systemd-cryptenroll with TPM2 auto-unlock when the Secret Registration Client is disabled, and adjust naming of the encrypted LUKS device.
Details:
  • Refactor encrypt_disk.yml to use trustee_client_* variables and _trustee_client_* internals for disk selection and package installation.
  • Gate key acquisition via secret_registration_client.sh on trustee_client_secret_registration_enabled, and add an alternate path that checks for systemd-cryptenroll and generates a random key when the client is disabled.
  • Change the LUKS mapper device name from encrypted-disk to encrypted_disk consistently in role logic and scripts.
  • Add a block that runs systemd-cryptenroll to bind TPM2 to the LUKS volume, wipes the password slot, writes an /etc/crypttab entry with tpm2-device=auto, and configures /etc/fstab plus a systemd-aware mount.
  • Ensure the temporary key file is always cleaned up using the new __trustee_client_secret_key_tempfile variable.
Files: tasks/encrypt_disk.yml, templates/secret_registration_client.sh.j2, tasks/secret_registration_client.yml, tests/tests_encrypt_disk.yml

Change: Introduce support for providing the KBS certificate via either inline content or file path and propagate it into trustee-gc configuration and server.crt.
Details:
  • Add new default variable trustee_client_kbs_cert for a certificate file path alongside trustee_client_kbs_cert_content.
  • In trustee_quadlet.yml, compute __trustee_client_kbs_cert_content from either trustee_client_kbs_cert_content or the contents of trustee_client_kbs_cert (using lookup('file'), which reads the file on the control node) when either is set and configs are present.
  • Update replace tasks to substitute KBS_URL and KBS_CERT placeholders with trustee_client_kbs_url and __trustee_client_kbs_cert_content for both cdh and aa config.toml files.
  • Write /etc/trustee-gc/server.crt from __trustee_client_kbs_cert_content when present instead of directly from the older variable.
  • Document the new usage pattern in README and examples, showing both inline and path-based cert options.
Files: tasks/trustee_quadlet.yml, defaults/main.yml, README.md, examples/simple.yml

Change: Add and extend tests to cover the new systemd-cryptenroll disk encryption path and KBS cert-by-path behavior.
Details:
  • Update existing tests to use trustee_client_* variable names and the new encrypted_disk device name and mount point variables.
  • Add a new encrypt-disk test play that runs the role with trustee_client_secret_registration_enabled=false, verifies the encrypted disk is mounted, and asserts /etc/crypttab and /etc/fstab contain the expected encrypted_disk and tpm2-device=auto entries.
  • Add a new KBS configuration test play that creates a cert file on the control node, passes it via trustee_client_kbs_cert, and asserts that both trustee-gc config TOML and /etc/trustee-gc/server.crt contain the expected content.
  • Ensure snapshot/setup utilities and CI test plans reference the renamed role and new variable names for package installation and test filtering.
Files: tests/tests_encrypt_disk.yml, tests/tests_kbs_config.yml, tests/tests_default.yml, tests/tests_trustee_gc_disabled.yml, tests/tests_secret_registration_client.yml, tests/setup-snapshot.yml, plans/test_playbooks_parallel.fmf, .github/workflows/tft.yml
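
The TPM2 auto-unlock path in the reviewer's guide (random key, luksFormat, cryptenroll bound to PCR 7, wipe the password slot, crypttab and fstab entries, key file removed) as an added stand-alone script. This is an example written for this review, not the role's own tasks. Assumptions not taken from the page: mapper names are allocated as trustee_client_encrypted_disk_<n> (the name floated later in the thread), the key file lives on tmpfs under /run, and systemd-cryptenroll is v252 or newer so that --unlock-key-file is available. The helper functions are pure and can be exercised without root; encrypt_and_enroll is the part that needs a TPM2 and a real block device.

```bash
#!/bin/bash
# Added example, not the role's code: the TPM2 auto-unlock procedure from the
# sequence diagram as a stand-alone script, with the checks a reviewer would
# want. Assumptions not taken from the page: mapper names are allocated as
# trustee_client_encrypted_disk_<n>, the key file lives on tmpfs under /run,
# and systemd-cryptenroll is v252 or newer (for --unlock-key-file).
set -euo pipefail

# Presence check for a real shell. 'command -v' is a builtin, so it only works
# when the check itself runs under sh/bash.
have_cryptenroll() { command -v systemd-cryptenroll >/dev/null 2>&1; }

# First unused <prefix>_<n> name in a crypttab file, so a second disk does not
# collide with an existing entry.
next_mapper_name() {
  local crypttab=$1 prefix=$2 n=0
  while grep -Eq "^${prefix}_${n}[[:space:]]" "$crypttab" 2>/dev/null; do
    n=$((n + 1))
  done
  printf '%s_%d\n' "$prefix" "$n"
}

# crypttab entry that lets systemd-cryptsetup unlock the volume via the TPM.
crypttab_line() { printf '%s UUID=%s none tpm2-device=auto\n' "$1" "$2"; }

# fstab entry ordered after the cryptsetup unit for the same mapper name.
fstab_line() {
  printf '/dev/mapper/%s %s ext4 defaults,x-systemd.requires=systemd-cryptsetup@%s.service 0 0\n' \
    "$1" "$2" "$1"
}

# Post-condition the role's test asserts: every crypttab entry has an fstab
# line mounting its mapper device and requiring its cryptsetup unit.
check_consistency() {
  local crypttab=$1 fstab=$2 name rest
  while read -r name rest; do
    case $name in ''|'#'*) continue ;; esac
    grep -Eq "^/dev/mapper/${name}[[:space:]].*x-systemd\.requires=systemd-cryptsetup@${name}\.service" \
      "$fstab" || return 1
  done < "$crypttab"
}

# The real thing: needs root, a TPM2, cryptsetup and systemd-cryptenroll.
encrypt_and_enroll() {
  local part=$1 mnt=$2 name uuid key
  # Fail early instead of creating a volume nothing will be able to unlock.
  have_cryptenroll || { echo "systemd-cryptenroll not found, refusing" >&2; return 2; }
  name=$(next_mapper_name /etc/crypttab trustee_client_encrypted_disk)
  key=$(mktemp -p /run)                      # mktemp creates it 0600
  trap "rm -f '$key'" EXIT                   # always remove the key file
  head -c 32 /dev/urandom | base64 > "$key"
  cryptsetup luksFormat --batch-mode --key-file "$key" "$part"
  cryptsetup open --key-file "$key" "$part" "$name"
  mkfs.ext4 -q "/dev/mapper/$name"
  # Seal the key to PCR 7 (Secure Boot policy) and drop the file-based slot.
  # Caveat: once the password slot is wiped, a PCR 7 change after a firmware
  # or Secure Boot policy update leaves no other way in; keep a recovery key
  # (systemd-cryptenroll --recovery-key) if the data matters.
  systemd-cryptenroll --unlock-key-file="$key" --tpm2-device=auto --tpm2-pcrs=7 "$part"
  systemd-cryptenroll --wipe-slot=password "$part"
  uuid=$(lsblk -dno UUID "$part")
  crypttab_line "$name" "$uuid" >> /etc/crypttab
  mkdir -p "$mnt"
  fstab_line "$name" "$mnt" >> /etc/fstab
  systemctl daemon-reload
  mount "$mnt"
}

# usage: sudo ./encrypt_disk.sh run /dev/sdb1 /mnt/encrypted-disk
if [ "${1:-}" = run ]; then
  encrypt_and_enroll "$2" "$3"
fi
```

The script refuses to format the disk when systemd-cryptenroll is absent, which is the "fail early" option the bot review suggests; the role as described instead encrypts and mounts with a key file that it then deletes, leaving a volume that cannot be reopened after reboot.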


@sourcery-ai sourcery-ai bot left a comment


Hey - I've found 2 issues, and left some high level feedback:

  • In encrypt_disk.yml, when trustee_client_secret_registration_enabled is false and systemd-cryptenroll is not available, the role still partitions, encrypts, and mounts the disk without configuring any auto-unlock mechanism; consider skipping disk encryption entirely in this case (or failing early with a clear message) to avoid leaving an unusable encrypted volume.
  • The systemd-cryptenroll presence check uses command: type systemd-cryptenroll, which relies on shell built-ins and may be less portable; using stat on a known path or command: systemd-cryptenroll --version (and checking rc) would be more robust and explicit.
## Individual Comments

### Comment 1
<location path="tasks/encrypt_disk.yml" line_range="47-52" />
<code_context>
+      when: trustee_client_secret_registration_enabled | bool
+      no_log: true
+
+    - name: Check systemd-cryptenroll command exists
+      ansible.builtin.command: type systemd-cryptenroll
+      register: __trustee_client_cryptenroll_check
+      changed_when: false
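Review bot: `ansible.builtin.command` does not go through a shell, so `type` (a shell builtin, not an executable) cannot be found and this task errors out on every host instead of returning a non-zero rc; `command -v` has the same problem. Nothing in this hunk sets `failed_when: false`, so on a host without systemd-cryptenroll the play fails here and the fallback branch is never reached. Use `ansible.builtin.stat` on the expected binary path, or `ansible.builtin.command: systemd-cryptenroll --version` with `failed_when: false`, and branch on `__trustee_client_cryptenroll_check.rc == 0`.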
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Using `type systemd-cryptenroll` may be shell-dependent; consider a more portable existence check.

`ansible.builtin.command` runs via `/bin/sh`, and `type` isn’t portable across all shells or may not be available as a builtin, which can cause false negatives or different rc/output handling. Prefer a more portable check such as `command -v systemd-cryptenroll` or a direct path check with `stat` on `/usr/bin/systemd-cryptenroll` (or the expected location).

```suggestion
      no_log: true

    - name: Check systemd-cryptenroll command exists
      ansible.builtin.command: command -v systemd-cryptenroll
      register: __trustee_client_cryptenroll_check
      changed_when: false
```
</issue_to_address>

### Comment 2
<location path="README.md" line_range="72" />
<code_context>
 1. Finds the first unpartitioned and unmounted disk
-2. Requests disk encryption key from Secret Registration Client
-3. Encrypts the disk using above encryption key and mounts it at the designated path
+3. Encrypts the disk using key either from:
+  a. secret key fetched using Secret Registration Client (when enabled), or
+  b. `systemd-cryptenroll` which binds to PCR 7
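Review bot: the list now jumps from item 1 to item 3 because the old item 2 was dropped; renumber `3.` to `2.`. The two-space indent under a numbered item is also too shallow for Markdown to nest `a.` and `b.`, so use three spaces or a `-` sub-list. Finally, 3b reads as if systemd-cryptenroll supplies the key; state that the role generates a random key and systemd-cryptenroll seals it to PCR 7, so the volume only unlocks while the Secure Boot state measured into PCR 7 is unchanged.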
</code_context>
<issue_to_address>
**nitpick (typo):** Minor grammar issue in "Encrypts the disk using key either from".

Consider rephrasing to: "Encrypts the disk using a key from either:" or "Encrypts the disk using the key from either:".

```suggestion
3. Encrypts the disk using a key from either:
```
</issue_to_address>


@litian1992 litian1992 force-pushed the main branch 2 times, most recently from e337166 to 6f8787a on March 19, 2026 04:33
```yaml
    ansible.builtin.lineinfile:
      path: /etc/crypttab
      line: "encrypted_disk UUID={{ __luks_uuid.stdout }} none tpm2-device=auto"
      regexp: '^encrypted_disk\s+'
```
Contributor


what if there is more than 1 encrypted_disk? or is that not possible?

Collaborator Author

@litian1992 litian1992 Mar 20, 2026


how does trustee_client_encrypted_disk_0 sound?

```yaml
      mode: "0600"

- name: Configure /etc/fstab and mount volume
  ansible.builtin.mount:
```
Contributor


there is no builtin mount module - https://docs.ansible.com/projects/ansible/latest/collections/ansible/builtin/index.html#modules

Suggested change
ansible.builtin.mount:
ansible.posix.mount:

Collaborator Author


Hmm, I'm a little surprised this didn't raise an error. But it did seem to succeed:

```
# grep encrypt /etc/fstab
/dev/mapper/encrypted_disk /mnt/encrypted-disk ext4 defaults,x-systemd.requires=systemd-cryptsetup@encrypted_disk.service 0 0
```

Contributor


A long time ago, the mount module was "built-in" (it was included with the Ansible 2.9 bundle before the ansible-core days), and Ansible still has some logic internally to redirect. However, it is fragile to rely on this implicit behavior - better to be explicit and use the real ansible.posix.mount module.

@richm
Contributor

richm commented Mar 19, 2026

@spetrosi are we going to rename the repo also?

When Secret Registration Client is not enabled, allow disk encryption
with systemd-cryptenroll. This binds disk encryption with TPM PCR7.
Use crypttab and fstab for auto mount.

Signed-off-by: Li Tian <litian@redhat.com>