Work in progress documents about Confidential Clusters.
```shell
ssh-keygen -f coreos.key
```

```shell
scripts/install_vm.sh -b config.bu -k "$(cat coreos.key.pub)"
```

```shell
scripts/uninstall_vm.sh -n <vm_name>
```

Currently, Ignition does not support encrypting the disk using Trustee (see this RFC for more details). Therefore, we need to build a custom initramfs which contains the Trustee attester, with the KBS information hardcoded in the setup script.
Build the Fedora CoreOS or CentOS Stream CoreOS image with the custom initrd:

```shell
cd coreos
# CentOS Stream CoreOS image
just os=scos build oci-archive osbuild-qemu
# Fedora CoreOS image
just build oci-archive osbuild-qemu
```

Generate the key pair for Trustee:
```shell
scripts/gen_key.sh
```

Create the Trustee and helper containers for the setup:

```shell
sudo podman kube play trustee.yaml
```

The pod exposes 3 ports:

- 8080: the KBS and Trustee
- 8000: serves the Ignition file with the Clevis configuration
- 5001: serves the registration endpoint for the AK
The script scripts/populate-local-kbs.sh populates the local KBS:

```shell
scripts/populate-local-kbs.sh
```

You can now launch the VM by exposing the Trustee IP (for example, using the IP of virbr0):

```shell
export TRUSTEE_ADDR=192.168.122.1
scripts/install_vm.sh -k coreos.key.pub -b configs/ak.bu -i $(pwd)/coreos/fcos-qemu.x86_64.qcow2 -n <VM_NAME>
```