Merge pull request #171 from alicefr/use-secret-kv

Change how to pass ignition to KubeVirt VMs

Author: alicefr

Makefile

@@ -28,8 +28,8 @@ COMPUTE_PCRS_IMAGE=$(REGISTRY)/compute-pcrs:$(TAG)
 REG_SERVER_IMAGE=$(REGISTRY)/registration-server:$(TAG)
 ATTESTATION_KEY_REGISTER_IMAGE=$(REGISTRY)/attestation-key-register:$(TAG)
 TRUSTEE_IMAGE ?= quay.io/trusted-execution-clusters/key-broker-service:20260106
-# tagged as 2026-01-20-attestation
-APPROVED_IMAGE ?= quay.io/trusted-execution-clusters/fedora-coreos@sha256:79a0657399e6c67c7c95b8a09193d18e5675b5aa3cfb4d75ea5c8d4d53b2af74
+# tagged as 42.20251012.2.0
+APPROVED_IMAGE ?= quay.io/trusted-execution-clusters/fedora-coreos@sha256:6997f51fd27d1be1b5fc2e6cc3ebf16c17eb94d819b5d44ea8d6cf5f826ee773
 
 BUILD_TYPE ?= release
 IMAGE_BUILD_OPTION ?=

REUSE.toml

@@ -16,7 +16,7 @@ path = [
   "lib/src/vendor_kopium/*",
   "must-gather/README.md",
   "tests/README.md",
-  "examples/vm-coreos-ign.yaml",
+  "examples/*",
   "scripts/install-kubevirt.sh"
 ]
 SPDX-FileCopyrightText = [

examples/README.md

@@ -0,0 +1,19 @@
+# Examples
+
+The examples directories contains how you can run and attest a [KubeVirt](https://github.com/kubevirt/kubevirt) VM against the Trusted Execution Clusters operator.
+
+## How to use KubeVirt example
+
+Before provisioning the KubeVirt VM, a secret with the ignition configuration needs to be created. You can use the helper script:
+```console
+examples/create-ignition-secret.sh examples/ignition-coreos.json coreos-ignition-secret
+```
+
+The `ignition-coreos.json` contains some basic configuration for the attestation server and the merge request for the clevis pin.
+
+Then, the KubeVirt VM can be deployed:
+```console
+kubectl apply -f examples/vm-coreos-ign.yaml 
+```
+
+The example deploys an image build from the [investigations](https://github.com/trusted-execution-clusters/investigations) repository.

examples/create-ignition-secret.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Script to create a Kubernetes secret from an Ignition configuration file
+# Usage: ./create-ignition-secret.sh <ignition-file> <secret-name> [namespace]
+
+set -e
+
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <ignition-file> <secret-name> [namespace]"
+    echo "Example: $0 ignition-coreos.json coreos-ignition-secret trusted-execution-clusters"
+    exit 1
+fi
+
+IGNITION_FILE="$1"
+SECRET_NAME="$2"
+NAMESPACE="${3:-default}"
+
+if [ ! -f "$IGNITION_FILE" ]; then
+    echo "Error: Ignition file '$IGNITION_FILE' not found"
+    exit 1
+fi
+
+echo "Creating Kubernetes secret '$SECRET_NAME' in namespace '$NAMESPACE' from '$IGNITION_FILE'..."
+kubectl create secret generic "$SECRET_NAME" \
+    --from-file=userdata="$IGNITION_FILE" \
+    --namespace="$NAMESPACE" \
+    --dry-run=client -o yaml | kubectl apply -f -

examples/ignition-coreos.json

@@ -0,0 +1,58 @@
+{
+  "ignition": {
+    "config": {
+      "merge": [
+        {
+          "source": "http://register-server.trusted-execution-clusters.svc.cluster.local:8000/ignition-clevis-pin-trustee"
+        }
+      ]
+    },
+    "version": "3.6.0-experimental"
+  },
+  "passwd": {
+    "users": [
+      {
+        "name": "core",
+        "sshAuthorizedKeys": [
+          "<your-ssh-key>"
+        ]
+      }
+    ]
+  },
+  "storage": {
+    "files": [
+      {
+        "path": "/etc/profile.d/systemd-pager.sh",
+        "contents": {
+          "compression": "",
+          "source": "data:,%23%20Tell%20systemd%20to%20not%20use%20a%20pager%20when%20printing%20information%0Aexport%20SYSTEMD_PAGER%3Dcat%0A"
+        },
+        "mode": 420
+      }
+    ]
+  },
+  "systemd": {
+    "units": [
+      {
+        "enabled": false,
+        "name": "zincati.service"
+      },
+      {
+        "dropins": [
+          {
+            "contents": "[Service]\n# Override Execstart in main unit\nExecStart=\n# Add new Execstart with `-` prefix to ignore failure`\nExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM\n",
+            "name": "autologin-core.conf"
+          }
+        ],
+        "name": "[email protected]"
+      }
+    ]
+  },
+  "attestation": {
+    "attestation_key": {
+      "registration": {
+        "url": "http://attestation-key-register.trusted-execution-clusters.svc.cluster.local:8001/register-ak"
+      }
+    }
+  }
+}

examples/vm-coreos-ign.yaml

@@ -5,67 +5,6 @@ metadata:
 spec:
   runStrategy: Always
   template:
-    metadata:
-      annotations:
-        kubevirt.io/ignitiondata: |
-          {
-            "ignition": {
-              "config": {
-                "merge": [
-                  {
-                    "source": "http://register-server.trusted-execution-clusters.svc.cluster.local:8000/ignition-clevis-pin-trustee"
-                  }
-                ]
-              },
-              "version": "3.6.0-experimental"
-            },
-            "passwd": {
-              "users": [
-                {
-                  "name": "core",
-                  "sshAuthorizedKeys": [
-                    "<your-ssh-key>"
-                  ]
-                }
-              ]
-            },
-            "storage": {
-              "files": [
-                {
-                  "path": "/etc/profile.d/systemd-pager.sh",
-                  "contents": {
-                    "compression": "",
-                    "source": "data:,%23%20Tell%20systemd%20to%20not%20use%20a%20pager%20when%20printing%20information%0Aexport%20SYSTEMD_PAGER%3Dcat%0A"
-                  },
-                  "mode": 420
-                }
-              ]
-            },
-            "systemd": {
-              "units": [
-                {
-                  "enabled": false,
-                  "name": "zincati.service"
-                },
-                {
-                  "dropins": [
-                    {
-                      "contents": "[Service]\n# Override Execstart in main unit\nExecStart=\n# Add new Execstart with `-` prefix to ignore failure`\nExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM\n",
-                      "name": "autologin-core.conf"
-                    }
-                  ],
-                  "name": "[email protected]"
-                }
-              ]
-            },
-            "attestation": {
-              "attestation_key": {
-                "registration": {
-                  "url": "http://attestation-key-register.trusted-execution-clusters.svc.cluster.local:8001/register-ak"
-                }
-              }
-            }
-          }
     spec:
       domain:
         features:
@@ -82,12 +21,19 @@ spec:
           - name: containerdisk
             disk:
               bus: virtio
+          - name: cloudinitdisk
+            disk:
+              bus: virtio
           rng: {}
         resources:
           requests:
             memory: 4096M
       volumes:
       - name: containerdisk
         containerDisk:
-          image: "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:2026-14-01"
+          image: "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:20260129"
           imagePullPolicy: Always
+      - name: cloudinitdisk
+        cloudInitConfigDrive:
+          secretRef:
+            name: coreos-ignition-secret

scripts/pre-pull-images.sh

@@ -12,7 +12,6 @@ IMAGES=(
 	"quay.io/kubevirt/virt-controller:${KV_VERSION}"
 	"quay.io/kubevirt/virt-operator:${KV_VERSION}"
 	"$TRUSTEE_IMAGE"
-	"$APPROVED_IMAGE"
 	"quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:2026-14-01"
 )
 

test_utils/src/virt.rs

@@ -168,11 +168,27 @@ pub async fn create_kubevirt_vm(
     register_server_url: &str,
     image: &str,
 ) -> anyhow::Result<()> {
+    use k8s_openapi::api::core::v1::Secret;
     use kube::Api;
 
     let ignition_config = generate_ignition_config(ssh_public_key, register_server_url, namespace);
     let ignition_json = serde_json::to_string(&ignition_config)?;
 
+    // Create the secret with the ignition configuration
+    let secret_name = format!("{}-ignition-secret", vm_name);
+    let secret = Secret {
+        metadata: ObjectMeta {
+            name: Some(secret_name.clone()),
+            namespace: Some(namespace.to_string()),
+            ..Default::default()
+        },
+        string_data: Some(BTreeMap::from([("userdata".to_string(), ignition_json)])),
+        ..Default::default()
+    };
+
+    let secrets: Api<Secret> = Api::namespaced(client.clone(), namespace);
+    secrets.create(&Default::default(), &secret).await?;
+
     let vm = VirtualMachine {
         metadata: ObjectMeta {
             name: Some(vm_name.to_string()),
@@ -182,10 +198,7 @@ pub async fn create_kubevirt_vm(
         spec: VirtualMachineSpec {
             run_strategy: Some("Always".to_string()),
             template: VirtualMachineTemplate {
-                metadata: Some(BTreeMap::from([(
-                    "annotations".to_string(),
-                    serde_json::json!({"kubevirt.io/ignitiondata": ignition_json}),
-                )])),
+                metadata: None,
                 spec: Some(VirtualMachineTemplateSpec {
                     domain: VirtualMachineTemplateSpecDomain {
                         features: Some(VirtualMachineTemplateSpecDomainFeatures {
@@ -205,14 +218,24 @@ pub async fn create_kubevirt_vm(
                             ..Default::default()
                         }),
                         devices: VirtualMachineTemplateSpecDomainDevices {
-                            disks: Some(vec![VirtualMachineTemplateSpecDomainDevicesDisks {
-                                name: "containerdisk".to_string(),
-                                disk: Some(VirtualMachineTemplateSpecDomainDevicesDisksDisk {
-                                    bus: Some("virtio".to_string()),
+                            disks: Some(vec![
+                                VirtualMachineTemplateSpecDomainDevicesDisks {
+                                    name: "containerdisk".to_string(),
+                                    disk: Some(VirtualMachineTemplateSpecDomainDevicesDisksDisk {
+                                        bus: Some("virtio".to_string()),
+                                        ..Default::default()
+                                    }),
                                     ..Default::default()
-                                }),
-                                ..Default::default()
-                            }]),
+                                },
+                                VirtualMachineTemplateSpecDomainDevicesDisks {
+                                    name: "cloudinitdisk".to_string(),
+                                    disk: Some(VirtualMachineTemplateSpecDomainDevicesDisksDisk {
+                                        bus: Some("virtio".to_string()),
+                                        ..Default::default()
+                                    }),
+                                    ..Default::default()
+                                },
+                            ]),
                             tpm: Some(VirtualMachineTemplateSpecDomainDevicesTpm {
                                 persistent: Some(true),
                                 ..Default::default()
@@ -232,15 +255,27 @@ pub async fn create_kubevirt_vm(
                         }),
                         ..Default::default()
                     },
-                    volumes: Some(vec![VirtualMachineTemplateSpecVolumes {
-                        name: "containerdisk".to_string(),
-                        container_disk: Some(VirtualMachineTemplateSpecVolumesContainerDisk {
-                            image: image.to_string(),
-                            image_pull_policy: Some("Always".to_string()),
+                    volumes: Some(vec![
+                        VirtualMachineTemplateSpecVolumes {
+                            name: "containerdisk".to_string(),
+                            container_disk: Some(VirtualMachineTemplateSpecVolumesContainerDisk {
+                                image: image.to_string(),
+                                image_pull_policy: Some("Always".to_string()),
+                                ..Default::default()
+                            }),
                             ..Default::default()
-                        }),
-                        ..Default::default()
-                    }]),
+                        },
+                        VirtualMachineTemplateSpecVolumes {
+                            name: "cloudinitdisk".to_string(),
+                            cloud_init_config_drive: Some(VirtualMachineTemplateSpecVolumesCloudInitConfigDrive {
+                                secret_ref: Some(VirtualMachineTemplateSpecVolumesCloudInitConfigDriveSecretRef {
+                                    name: Some(secret_name),
+                                }),
+                                ..Default::default()
+                            }),
+                            ..Default::default()
+                        },
+                    ]),
                     ..Default::default()
                 }),
             },

tests/attestation.rs

@@ -54,7 +54,7 @@ impl SingleAttestationContext {
             "http://register-server.{}.svc.cluster.local:8000/ignition-clevis-pin-trustee",
             namespace
         );
-        let image = "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:2026-14-01";
+        let image = "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:20260129";
 
         test_ctx.info(format!("Creating VM: {}", vm_name));
         virt::create_kubevirt_vm(
@@ -127,7 +127,7 @@ async fn test_parallel_vm_attestation() -> anyhow::Result<()> {
         "http://register-server.{}.svc.cluster.local:8000/ignition-clevis-pin-trustee",
         namespace
     );
-    let image = "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:2026-14-01";
+    let image = "quay.io/trusted-execution-clusters/fedora-coreos-kubevirt:20260129";
 
     // Launch both VMs in parallel
     let vm1_name = "test-coreos-vm1";