Conversation

@alicefr alicefr commented Jan 15, 2026

No description provided.

openshift-ci bot commented Jan 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alicefr

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Jakob-Naucke Jakob-Naucke left a comment


Thank you for the write-up. A couple of comments.


#### Secret Provisioning Process

- Creates Kubernetes owner reference linking the secret to the Machine object

Could mention the endpoint here too like you do for AK reg further below. I think it makes it clearer what happens technically.

@yalzhang
Contributor

/test operator-lifecycle-verify

openshift-ci bot commented Jan 18, 2026

@alicefr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/infra-provision-verify | 2cb48a4 | link | true | /test infra-provision-verify |
| ci/prow/operator-lifecycle-verify | 2cb48a4 | link | true | /test operator-lifecycle-verify |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


yalzhang commented Jan 18, 2026

> @alicefr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Please ignore the test-related messages. I had planned to test concurrent runs, but I forgot that the fix hasn’t been merged yet. The latest fix now skips tests for documentation changes.

@alicefr alicefr force-pushed the design-architecture branch from 2cb48a4 to a9d9c67 Compare January 28, 2026 14:42
Comment on lines 13 to 19
1. **Registration Server**: HTTP service that handles initial machine registration and Ignition configuration delivery. Deployes in the *registration server*.
2. **AttestationKey Controller**: Manages attestation key registration and approval. Deployed in the *register-ak* pod.
3. **Trustee Integration**: Updates Trustee deployment with secrets and attestation keys for node verification. Part of the *operator* pod.
4. **Machine Controller**: Reconciles Machine custom resources representing individual nodes. Part of the *operator* pod
5. **Secret Management**: Generates and manages LUKS. encryption keys and attestation key secrets. Part of the *operator* pod.
6. **Attestation Server**: [Trustee](https://github.com/confidential-containers/trustee) deployment handle the attestation request
7. **Reference Values calculation**: calculate the reference values provided by the approved images.

nits

Suggested change

```diff
-1. **Registration Server**: HTTP service that handles initial machine registration and Ignition configuration delivery. Deployes in the *registration server*.
-2. **AttestationKey Controller**: Manages attestation key registration and approval. Deployed in the *register-ak* pod.
-3. **Trustee Integration**: Updates Trustee deployment with secrets and attestation keys for node verification. Part of the *operator* pod.
-4. **Machine Controller**: Reconciles Machine custom resources representing individual nodes. Part of the *operator* pod
-5. **Secret Management**: Generates and manages LUKS. encryption keys and attestation key secrets. Part of the *operator* pod.
-6. **Attestation Server**: [Trustee](https://github.com/confidential-containers/trustee) deployment handle the attestation request
-7. **Reference Values calculation**: calculate the reference values provided by the approved images.
+1. **Registration Server**: HTTP service that handles initial machine registration and Ignition configuration delivery. Deploys in the *registration server* pod.
+2. **AttestationKey Controller**: Manages attestation key registration and approval. Deployed in the *attestation key registration server* pod.
+3. **Trustee Integration**: Updates Trustee deployment with secrets and attestation keys for node verification. Part of the *operator* pod.
+4. **Machine Controller**: Reconciles Machine custom resources representing individual nodes. Part of the *operator* pod.
+5. **Secret Management**: Generates and manages LUKS encryption keys and attestation key secrets. Part of the *operator* pod.
+6. **Attestation Server**: [Trustee](https://github.com/confidential-containers/trustee) deployment handle the attestation request
+7. **Reference Values calculation**: Calculates the reference values provided by the approved images.
```

Contributor Author

The deployment is called register-ak, though :). Maybe not the best name, I agree.

Contributor

hmm, I think then they should all be named by pod, and speaking even more technically, it's attestation-key-register

Signed-off-by: Alice Frosi <afrosi@redhat.com>
@alicefr alicefr force-pushed the design-architecture branch from a9d9c67 to 0f5b181 Compare January 30, 2026 07:16
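The owner-reference step from the Secret Provisioning Process quoted above, in concrete form. This is an added illustration written for this page; it is not the operator's code and not part of the PR. The Machine object, its uid and the `<machine>-luks-key` secret name are constructed for the example; the only real identifiers are the OpenShift Machine API group `machine.openshift.io/v1beta1` and the core `v1` Secret shape.

```python
import base64
import secrets
from typing import Any

# Constructed sample Machine (not from the PR): the apiVersion is the real
# OpenShift Machine API group; name, namespace and uid are made up.
SAMPLE_MACHINE: dict[str, Any] = {
    "apiVersion": "machine.openshift.io/v1beta1",
    "kind": "Machine",
    "metadata": {
        "name": "worker-0",
        "namespace": "openshift-machine-api",
        "uid": "7c5f1a2e-0000-4000-8000-000000000001",
    },
}


def owner_reference(owner: dict[str, Any]) -> dict[str, Any]:
    """Build the ownerReference entry that ties a dependent object to `owner`.

    controller=True marks the owner as the managing controller of the secret;
    blockOwnerDeletion=True makes a foreground delete of the Machine wait until
    the garbage collector has removed the secret. Kubernetes only honours
    namespaced owners in the same namespace as the dependent.
    """
    return {
        "apiVersion": owner["apiVersion"],
        "kind": owner["kind"],
        "name": owner["metadata"]["name"],
        "uid": owner["metadata"]["uid"],
        "controller": True,
        "blockOwnerDeletion": True,
    }


def luks_key_secret(machine: dict[str, Any], key_bytes: int = 64) -> dict[str, Any]:
    """Generate a fresh random LUKS passphrase and wrap it in a Secret owned by `machine`.

    The secret name suffix "-luks-key" is a hypothetical naming convention for
    this example. The key comes from the OS CSPRNG; never derive it from the
    machine name or any other predictable value.
    """
    if key_bytes < 32:
        raise ValueError("LUKS key must be at least 32 bytes")
    key = secrets.token_bytes(key_bytes)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": f"{machine['metadata']['name']}-luks-key",
            "namespace": machine["metadata"]["namespace"],
            "ownerReferences": [owner_reference(machine)],
        },
        # Secret.data values are base64-encoded bytes, as the API server expects.
        "data": {"key": base64.b64encode(key).decode("ascii")},
    }


def is_owned_by(secret: dict[str, Any], machine: dict[str, Any]) -> bool:
    """Check that `secret` will be garbage-collected with `machine`.

    Both the namespace and the owner uid must match: a reference to a Machine
    of the same name but a different uid (a recreated Machine) is not an
    owner, and the GC would treat the secret as orphaned.
    """
    if secret["metadata"].get("namespace") != machine["metadata"]["namespace"]:
        return False
    return any(
        ref.get("kind") == "Machine" and ref.get("uid") == machine["metadata"]["uid"]
        for ref in secret["metadata"].get("ownerReferences", [])
    )


def key_length(secret: dict[str, Any]) -> int:
    """Return the decoded length in bytes of the LUKS key stored in `secret`."""
    return len(base64.b64decode(secret["data"]["key"]))
```

The check in `is_owned_by` is the one worth scripting against a live cluster: a secret whose ownerReference carries a stale uid survives Machine deletion and leaves a disk-encryption key lying around in the namespace.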
3 participants