@@ -26,6 +26,108 @@ trustee_client_secret_registration_enabled: true
2626trustee_client_encrypt_disk : true
2727` ` `
2828
29+ ## Variables
30+
31+ ### trustee_client_trustee_gc
32+
33+ Whether to deploy Trustee Guest Components using Podman Quadlets (packages,
34+ quadlet files, ` /etc/trustee-gc/` configuration, and the `trustee-gc` pod
35+ service). When `false`, this part of the role is skipped.
36+
37+ The secret registration client is only deployed when this variable and
38+ ` trustee_client_secret_registration_enabled` are both `true`.
39+
40+ Default : ` true`
41+
42+ Type : ` bool`
43+
44+ # ## trustee_client_kbs_url
45+
46+ URL of the Key Broker Service (KBS) used by Trustee Guest Components. When
47+ non-empty, the role replaces the `KBS_URL` placeholder in the Attestation Agent
48+ and Confidential Data Hub `config.toml` files under `/etc/trustee-gc/` with
49+ this value.
50+
51+ If unset (empty string), the bundled placeholder values in those files are left
52+ unchanged.
53+
54+ Default : ` ""`
55+
56+ Type : ` string`
57+
58+ # ## trustee_client_kbs_cert_content
59+
60+ PEM-encoded TLS certificate for the KBS server, as a string (for example from
61+ Ansible Vault). When non-empty, the role replaces the `KBS_CERT` placeholder in
62+ the AA and CDH `config.toml` files and writes the certificate to
63+ ` /etc/trustee-gc/server.crt` .
64+
65+ Use either this variable or `trustee_client_kbs_cert_src`, not both as the
66+ primary source; if both are set, explicit content takes precedence when it is
67+ non-empty.
68+
69+ Default : ` ""`
70+
71+ Type : ` string`
72+
73+ # ## trustee_client_kbs_cert_src
74+
75+ Path on the control node to a PEM certificate file for the KBS server. Used
76+ when `trustee_client_kbs_cert_content` is empty. The file is read with
77+ ` lookup('file', ...)` and applied like `trustee_client_kbs_cert_content`.
78+
79+ Default : ` ""`
80+
81+ Type : ` string`
82+
83+ # ## trustee_client_secret_registration_enabled
84+
85+ Whether to install and configure the secret registration client (requires
86+ Trustee Guest Components; see `trustee_client_trustee_gc`). When `true`, the
87+ client can register with the Secret Registration Server and supply disk
88+ encryption keys when encrypt-disk features use it.
89+
90+ Default : ` false`
91+
92+ Type : ` bool`
93+
94+ # ## trustee_client_encrypt_disk
95+
96+ Whether to locate an unpartitioned disk, create a LUKS2 encrypted volume, and
97+ mount it. The encryption key comes from the secret registration client when
98+ ` trustee_client_secret_registration_enabled` is `true`, otherwise from a
99+ generated key and TPM binding via `systemd-cryptenroll` (PCR 7).
100+
101+ Default : ` false`
102+
103+ Type : ` bool`
104+
105+ # ## trustee_client_encrypt_disk_mount_point
106+
107+ Filesystem path where the encrypted disk (mapper device
108+ ` trustee_client_encrypted_disk_0` ) is mounted when
109+ ` trustee_client_encrypt_disk` is `true`. The directory is created if missing.
110+
111+ Default : ` "/mnt/encrypted-disk"`
112+
113+ Type : ` string`
114+
115+ # ## trustee_client_secure_logging
116+
117+ If `true`, suppress potentially sensitive output from tasks that handle
118+ credentials, secrets, and other sensitive data by setting `no_log : true` on
119+ those tasks. This prevents passwords, API tokens, private keys, and similar
120+ sensitive information from appearing in Ansible logs and console output.
121+
122+ If you need to debug issues with credential handling or secret management, you
123+ can temporarily set `trustee_client_secure_logging : false` to see the full output from
124+ these tasks. However, be aware that this may expose sensitive information in
125+ logs, so it should only be used in development or troubleshooting scenarios.
126+
127+ Default : ` true`
128+
129+ Type : ` bool`
130+
29131# # Example Playbook
30132
31133Including an example of how to use your role (for instance, with variables
@@ -69,22 +171,6 @@ An unpartitioned empty disk must be attached to the target. When enabled, this t
691713. Mounts it at the designated path
701724. Sets up automatic unlock and mount either with Secret Registration Client service or /etc/crypttab with `systemd-cryptenroll`
71173
72- # # Variables
73-
74- # ## trustee_client_secure_logging
75-
76- If `true`, suppress potentially sensitive output from tasks that handle
77- credentials, secrets, and other sensitive data by setting `no_log : true` on
78- those tasks. This prevents passwords, API tokens, private keys, and similar
79- sensitive information from appearing in Ansible logs and console output.
80-
81- If you need to debug issues with credential handling or secret management, you
82- can temporarily set `trustee_client_secure_logging : false` to see the full output from
83- these tasks. However, be aware that this may expose sensitive information in
84- logs, so it should only be used in development or troubleshooting scenarios.
85-
86- Default : ` true`
87-
88174# # License
89175
90176Whenever possible, please prefer MIT.
0 commit comments