intel / trusted-certificate-issuer

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0

Issuer does not become ready #40

Closed snackewm closed 2 years ago

snackewm commented 2 years ago

Using the main branch of TCS and the Trusted Attestation Controller along with KMRA 2.0, on a Kubernetes cluster at v1.24.3, the following TCS Issuer does not become ready.

apiVersion: tcs.intel.com/v1alpha1
kind: TCSIssuer
metadata:
    name: my-ca
    namespace: sandbox
spec:
    secretName: my-ca-cert
    selfSign: false

It does not become Ready, even though it appears that all operations (quote verification, wrapped key transfer, wrapped key secret creation) have occurred.

~/git/trusted-attestation-controller/sandbox$ kubectl get quoteattestation,tcsissuer,secret -n sandbox
NAME                                   AGE
quoteattestation.tcs.intel.com/my-ca   24m

NAME                            AGE   READY   REASON      MESSAGE
tcsissuer.tcs.intel.com/my-ca   25m   False   Reconcile   Initiated key provisioning using QuoteAttestation

NAME           TYPE     DATA   AGE
secret/my-ca   Opaque   2      24m

Logs attached. tac-plugin.log tcs.log kmra.log tac.log
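The report above shows the three objects a practitioner checks when a TCSIssuer stays in READY=False: the QuoteAttestation, the issuer's own status columns, and the wrapped-key secret. The following triage helper is an added example, not code from the trusted-certificate-issuer project: it parses the tabular output of `kubectl get quoteattestation,tcsissuer,secret -n <ns>` as pasted in the report and classifies the issuer state. The column layouts are taken from the report; the assumption that the wrapped-key secret carries the same name as the issuer (as `secret/my-ca` does above), the verdict names, and the 10-minute "stuck" threshold are the example's own.

```python
"""Triage a TCSIssuer that never becomes Ready from `kubectl get` output.

Added example, not part of the trusted-certificate-issuer project. The tables
are parsed generically (header row, then rows split into as many columns as the
header has, so the last column may contain spaces), which also covers other
kubectl -o wide style output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, reproducing the shape of the report's kubectl output.
SAMPLE = """\
NAME                                   AGE
quoteattestation.tcs.intel.com/my-ca   24m

NAME                            AGE   READY   REASON      MESSAGE
tcsissuer.tcs.intel.com/my-ca   25m   False   Reconcile   Initiated key provisioning using QuoteAttestation

NAME           TYPE     DATA   AGE
secret/my-ca   Opaque   2      24m
"""

_AGE_RE = re.compile(r"(\d+)([smhd])")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
STUCK_AFTER_SECONDS = 10 * 60  # assumed threshold: reconcile idle this long is "stuck"


def parse_age(age: str) -> int:
    """Convert a kubectl AGE value such as '24m' or '2h5m' into seconds."""
    return sum(int(value) * _UNIT_SECONDS[unit] for value, unit in _AGE_RE.findall(age))


def parse_tables(text: str) -> dict[str, dict[str, dict[str, str]]]:
    """Parse blank-line separated kubectl tables into {kind: {name: {column: value}}}.

    `kind` is the resource prefix before the first dot ('tcsissuer', 'secret'),
    so fully qualified names like 'tcsissuer.tcs.intel.com/my-ca' are normalised.
    """
    tables: dict[str, dict[str, dict[str, str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        columns = lines[0].split()
        for row in lines[1:]:
            # Split into exactly len(columns) fields; the last keeps its spaces.
            fields = row.split(None, len(columns) - 1)
            record = dict(zip(columns, fields))
            kind, _, name = record["NAME"].partition("/")
            tables.setdefault(kind.split(".")[0], {})[name] = record
    return tables


@dataclass
class Triage:
    verdict: str
    detail: str


def triage_issuer(text: str, name: str, stuck_after: int = STUCK_AFTER_SECONDS) -> Triage:
    """Classify the provisioning state of TCSIssuer `name` from kubectl output.

    Assumes (as in the report) that the QuoteAttestation and the wrapped-key
    secret are both named after the issuer.
    """
    tables = parse_tables(text)
    issuer = tables.get("tcsissuer", {}).get(name)
    if issuer is None:
        return Triage("missing", f"no TCSIssuer named {name} in the output")
    if issuer.get("READY") == "True":
        return Triage("ready", issuer.get("MESSAGE", ""))

    attestation = tables.get("quoteattestation", {}).get(name)
    secret = tables.get("secret", {}).get(name)
    if attestation is None:
        return Triage("pending-attestation",
                      "no QuoteAttestation yet; check the TCS controller logs")
    if secret is None or secret.get("DATA") == "0":
        return Triage("pending-key",
                      "QuoteAttestation exists but the wrapped-key secret is not "
                      "populated; check the attestation controller / KMRA logs")
    if parse_age(attestation["AGE"]) >= stuck_after:
        return Triage("stuck-reconcile",
                      f"QuoteAttestation and secret present for {attestation['AGE']} "
                      f"but issuer still reports {issuer['REASON']}: {issuer['MESSAGE']}")
    return Triage("in-progress", "artifacts present, reconcile still within threshold")


if __name__ == "__main__":
    print(triage_issuer(SAMPLE, "my-ca"))
```

Run against the report's own output it lands in `stuck-reconcile`, the situation described here: every artifact the provisioning flow should produce exists, yet the issuer's status never advances past `Reconcile`, which points at the controller rather than at the attestation or key-transfer path.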

avalluri commented 2 years ago

@snackewm Thanks for reporting the issue. I guess I figured out the root cause of this issue. In recent changes, somehow TCS stopped reconciling after creating the quote attestation object. #42 is supposed to fix this. Can you give it a try and see if it works for you?