Skip to content

Commit 9792173

Browse files
committed
docs: document role parameters in README.md [citest_skip]
document role parameters in README.md Signed-off-by: Rich Megginson <rmeggins@redhat.com>
1 parent d24e9d2 commit 9792173

1 file changed

Lines changed: 102 additions & 16 deletions

File tree

README.md

Lines changed: 102 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,108 @@ trustee_client_secret_registration_enabled: true
2626
trustee_client_encrypt_disk: true
2727
```
2828
29+
## Variables
30+
31+
### trustee_client_trustee_gc
32+
33+
Whether to deploy Trustee Guest Components using Podman Quadlets (packages,
34+
quadlet files, `/etc/trustee-gc/` configuration, and the `trustee-gc` pod
35+
service). When `false`, this part of the role is skipped.
36+
37+
The secret registration client is only deployed when this variable and
38+
`trustee_client_secret_registration_enabled` are both `true`.
39+
40+
Default: `true`
41+
42+
Type: `bool`
43+
44+
### trustee_client_kbs_url
45+
46+
URL of the Key Broker Service (KBS) used by Trustee Guest Components. When
47+
non-empty, the role replaces the `KBS_URL` placeholder in the Attestation Agent
48+
and Confidential Data Hub `config.toml` files under `/etc/trustee-gc/` with
49+
this value.
50+
51+
If unset (empty string), the bundled placeholder values in those files are left
52+
unchanged.
53+
54+
Default: `""`
55+
56+
Type: `string`
57+
58+
### trustee_client_kbs_cert_content
59+
60+
PEM-encoded TLS certificate for the KBS server, as a string (for example from
61+
Ansible Vault). When non-empty, the role replaces the `KBS_CERT` placeholder in
62+
the AA and CDH `config.toml` files and writes the certificate to
63+
`/etc/trustee-gc/server.crt`.
64+
65+
Use either this variable or `trustee_client_kbs_cert_src`, not both as the
66+
primary source; if both are set, explicit content takes precedence when it is
67+
non-empty.
68+
69+
Default: `""`
70+
71+
Type: `string`
72+
73+
### trustee_client_kbs_cert_src
74+
75+
Path on the control node to a PEM certificate file for the KBS server. Used
76+
when `trustee_client_kbs_cert_content` is empty. The file is read with
77+
`lookup('file', ...)` and applied like `trustee_client_kbs_cert_content`.
78+
79+
Default: `""`
80+
81+
Type: `string`
82+
83+
### trustee_client_secret_registration_enabled
84+
85+
Whether to install and configure the secret registration client (requires
86+
Trustee Guest Components; see `trustee_client_trustee_gc`). When `true`, the
87+
client can register with the Secret Registration Server and supply disk
88+
encryption keys when encrypt-disk features use it.
89+
90+
Default: `false`
91+
92+
Type: `bool`
93+
94+
### trustee_client_encrypt_disk
95+
96+
Whether to locate an unpartitioned disk, create a LUKS2 encrypted volume, and
97+
mount it. The encryption key comes from the secret registration client when
98+
`trustee_client_secret_registration_enabled` is `true`, otherwise from a
99+
generated key and TPM binding via `systemd-cryptenroll` (PCR 7).
100+
101+
Default: `false`
102+
103+
Type: `bool`
104+
105+
### trustee_client_encrypt_disk_mount_point
106+
107+
Filesystem path where the encrypted disk (mapper device
108+
`trustee_client_encrypted_disk_0`) is mounted when
109+
`trustee_client_encrypt_disk` is `true`. The directory is created if missing.
110+
111+
Default: `"/mnt/encrypted-disk"`
112+
113+
Type: `string`
114+
115+
### trustee_client_secure_logging
116+
117+
If `true`, suppress potentially sensitive output from tasks that handle
118+
credentials, secrets, and other sensitive data by setting `no_log: true` on
119+
those tasks. This prevents passwords, API tokens, private keys, and similar
120+
sensitive information from appearing in Ansible logs and console output.
121+
122+
If you need to debug issues with credential handling or secret management, you
123+
can temporarily set `trustee_client_secure_logging: false` to see the full output from
124+
these tasks. However, be aware that this may expose sensitive information in
125+
logs, so it should only be used in development or troubleshooting scenarios.
126+
127+
Default: `true`
128+
129+
Type: `bool`
130+
29131
## Example Playbook
30132

31133
Including an example of how to use your role (for instance, with variables
@@ -69,22 +171,6 @@ An unpartitioned empty disk must be attached to the target. When enabled, this t
69171
3. Mounts it at the designated path
70172
4. Sets up automatic unlock and mount either with Secret Registration Client service or /etc/crypttab with `systemd-cryptenroll`
71173

72-
## Variables
73-
74-
### trustee_client_secure_logging
75-
76-
If `true`, suppress potentially sensitive output from tasks that handle
77-
credentials, secrets, and other sensitive data by setting `no_log: true` on
78-
those tasks. This prevents passwords, API tokens, private keys, and similar
79-
sensitive information from appearing in Ansible logs and console output.
80-
81-
If you need to debug issues with credential handling or secret management, you
82-
can temporarily set `trustee_client_secure_logging: false` to see the full output from
83-
these tasks. However, be aware that this may expose sensitive information in
84-
logs, so it should only be used in development or troubleshooting scenarios.
85-
86-
Default: `true`
87-
88174
## License
89175

90176
Whenever possible, please prefer MIT.

0 commit comments

Comments
 (0)