Fix vet error

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Update unit-tests.yml with earthly
2025-09-03 07:44:15 +00:00 · 2025-04-22 12:21:48 +03:00 · 2025-04-22 10:54:44 +02:00 · 2025-04-22 10:53:50 +02:00 · 2025-04-22 10:42:58 +02:00 · 2025-04-22 10:41:38 +02:00
39 changed files with 2625 additions and 971 deletions
--- a/.earthlyignore
+++ b/.earthlyignore
@@ -0,0 +1 @@
+bin/
--- a/.github/ISSUE_TEMPLATE/file-issues-on-main-kairos-repo.md
+++ b/.github/ISSUE_TEMPLATE/file-issues-on-main-kairos-repo.md
@@ -0,0 +1,12 @@
+---
+name: File issues on main Kairos repo
+about: Tell users to file their issues on the main Kairos repo
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+:warning: All Kairos issues are tracked in our main repo, please file your issue there, thanks! :warning:
+
+https://github.com/kairos-io/kairos/issues
--- a/.github/workflows/dependabot_auto.yml
+++ b/.github/workflows/dependabot_auto.yml
@@ -0,0 +1,42 @@
+name: Dependabot auto-merge
+on:
+- pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2.3.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          skip-commit-verification: true
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Approve a PR if not already approved
+        run: |
+          gh pr checkout "$PR_URL"
+            if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
+          then
+            gh pr review --approve "$PR_URL"
+          else
+            echo "PR already approved.";
+          fi
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -0,0 +1,110 @@
+name: End to end tests
+on:
+  push:
+    paths-ignore:
+      - 'README.md'
+    branches:
+      - main
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+
+concurrency:
+  group: ci-e2e-${{ github.head_ref || github.ref }}-${{ github.repository }}
+  cancel-in-progress: true
+
+jobs:
+  build-iso:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@v5
+      - name: Install earthly
+        uses: earthly/actions-setup@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: build iso
+        run: |
+          # Configure earthly to use the docker mirror in CI
+          # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
+          mkdir -p ~/.earthly/
+          cat << EOF > ~/.earthly/config.yml
+          global:
+            buildkit_additional_config: |
+              [registry."docker.io"]
+                mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
+              [registry."registry.docker-mirror.svc.cluster.local:5000"]
+                insecure = true
+          EOF
+
+          earthly -P +iso
+      - uses: actions/upload-artifact@v4
+        with:
+          name: challenger.iso.zip
+          path: |
+            build/*.iso
+  e2e-tests:
+    needs:
+      - build-iso
+    runs-on: kvm
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: "local-encryption"
+          - label: "remote-auto"
+          - label: "remote-static"
+          - label: "remote-https-pinned"
+          - label: "remote-https-bad-cert"
+          - label: "discoverable-kms"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install earthly
+        uses: earthly/actions-setup@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install deps
+        run: |
+          curl -L https://github.com/mudler/luet/releases/download/0.33.0/luet-0.33.0-linux-amd64 -o luet
+          chmod +x luet
+          sudo mv luet /usr/bin/luet
+          sudo mkdir -p /etc/luet/repos.conf.d/
+          sudo luet repo add -y kairos --url quay.io/kairos/packages --type docker
+          LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: challenger.iso.zip
+      - name: Run tests
+        env:
+          LABEL: ${{ matrix.label }}
+          KVM: true
+        run: |
+          sudo apt update && \
+          sudo apt install -y git qemu-system-x86 qemu-utils swtpm jq make glibc-tools \
+          openssl curl gettext ca-certificates curl gnupg lsb-release
+
+          export ISO=$PWD/$(ls *.iso)
+          # update controllers
+          make test
+          # Generate controller image
+          make docker-build
+          # We run with sudo to be able to access /dev/kvm
+          sudo -E ./scripts/e2e-tests.sh
+      - uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: ${{ matrix.label }}-test.logs.zip
+          path: tests/**/logs/*
+          if-no-files-found: warn
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -1,4 +1,3 @@
---
 name: 'build container images'

 on:
@@ -8,12 +7,17 @@ on:
    tags:
      - '*'

+
+concurrency:
+  group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
+  cancel-in-progress: true
+
 jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      - name: Prepare
        id: prep
@@ -46,18 +50,18 @@ jobs:

      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      - name: Build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
-          tags: ${{ steps.prep.outputs.tags }}
+          tags: ${{ steps.prep.outputs.tags }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,33 @@
+name: Lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '**'
+
+
+concurrency:
+  group: ci-lint-${{ github.head_ref || github.ref }}-${{ github.repository }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: 1
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@v5
+      - name: Install earthly
+        uses: earthly/actions-setup@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run Lint checks
+        run: |
+          earthly +lint
--- a/.github/workflows/osv-scanner-pr.yaml
+++ b/.github/workflows/osv-scanner-pr.yaml
@@ -0,0 +1,21 @@
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  merge_group:
+    branches: [main]
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents adn actions
+  contents: read
+  actions: read
+
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.2"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,27 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          git fetch --prune --unshallow
+      - name: Install gcc for arm64
+        run: sudo apt-get update && sudo apt-get install -y build-essential crossbuild-essential-arm64
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/renovate_auto.yml
+++ b/.github/workflows/renovate_auto.yml
@@ -0,0 +1,35 @@
+name: Renovate auto-merge
+on:
+- pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'renovate[bot]' }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Approve a PR if not already approved
+        run: |
+          gh pr checkout "$PR_URL"
+            if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
+          then
+            gh pr review --approve "$PR_URL"
+          else
+            echo "PR already approved.";
+          fi
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Enable auto-merge for Renovate PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/secscan.yaml
+++ b/.github/workflows/secscan.yaml
@@ -0,0 +1,32 @@
+name: "Security Scan"
+
+# Run workflow each time code is pushed to your repository and on a schedule.
+# The scheduled workflow runs every at 00:00 on Sunday UTC time.
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '**'
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          # we let the report trigger content trigger a failure using the GitHub Security features.
+          args: '-no-fail -fmt sarif -out results.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,18 +1,35 @@
 name: Unit tests
 on:
- push:
-   branches:
-     - master
- pull_request:
-
+  push:
+    branches:
+      - master
+  pull_request:
+env:
+  FORCE_COLOR: 1
+concurrency:
+  group: ci-unit-${{ github.head_ref || github.ref }}-${{ github.repository }}
+  cancel-in-progress: true
 jobs:
  unit-tests:
+    strategy:
+      matrix:
+        go-version: ["1.24-bookworm"]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
+      - name: Install earthly
+        uses: earthly/actions-setup@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run tests
        run: |
-          ./earthly.sh +test
+          earthly +test --GO_VERSION=${{ matrix.go-version }}
+      - name: Codecov
+        uses: codecov/codecov-action@v5
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          file: ./coverage.out
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,5 @@ testbin/*
 *~

 /helm-chart
+build/
+dist/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,73 @@
+# Make sure to check the documentation at http://goreleaser.com
+version: 2
+project_name: kcrypt-discovery-challenger
+builds:
+  - env:
+      - CGO_ENABLED=0
+      - CGO_LDFLAGS="-ldl"
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    binary: '{{ .ProjectName }}'
+    id: default
+    main: ./cmd/discovery/main.go
+  - env:
+      - CGO_ENABLED=0
+      - GOEXPERIMENT=boringcrypto
+      - CGO_LDFLAGS="-ldl"
+    goos:
+      - linux
+    goarch:
+      - amd64
+    binary: '{{ .ProjectName }}'
+    id: fips-amd64
+    main: ./cmd/discovery/main.go
+    hooks:
+      post:
+        - bash -c 'set -e; go version {{.Path}} | grep boringcrypto || (echo "boringcrypto not found" && exit 1)'
+  - env:
+      - CGO_ENABLED=0
+      - GOEXPERIMENT=boringcrypto
+      - CC=aarch64-linux-gnu-gcc
+      - CGO_LDFLAGS="-ldl"
+    goos:
+      - linux
+    goarch:
+      - arm64
+    binary: '{{ .ProjectName }}'
+    id: fips-arm64
+    main: ./cmd/discovery/main.go
+    hooks:
+      post:
+      - bash -c 'set -e; go version {{.Path}} | grep boringcrypto || (echo "boringcrypto not found" && exit 1)'
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}-{{ .Tag }}-source'
+archives:
+  - id: default-archive
+    ids:
+      - default
+    name_template: '{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}-{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+  - id: fips-archive
+    ids:
+     - fips-arm64
+     - fips-amd64
+    name_template: '{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}-{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}-fips'
+checksum:
+  name_template: '{{ .ProjectName }}-{{ .Tag }}-checksums.txt'
+snapshot:
+  version_template: "{{ .Tag }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - '^Merge pull request'
+env:
+  - GOSUMDB=sum.golang.org
+before:
+  hooks:
+    - go mod tidy
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,21 @@
+extends: default
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 150
+    level: warning
+
+  # accept both     key:
+  #                   - item
+  #
+  # and             key:
+  #                 - item
+  indentation:
+    indent-sequences: whatever
+
+  truthy:
+    check-keys: false
+
+  document-start:
+    present: false
--- a/4
+++ b/4
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.18 as builder
+FROM golang:1.24 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -16,7 +16,7 @@ COPY pkg/ pkg/
 COPY controllers/ controllers/

 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
+RUN CGO_ENABLED=0 go build -a -o manager main.go

 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
--- a/111
+++ b/111
@@ -1,14 +1,20 @@
 VERSION 0.6
-ARG BASE_IMAGE=quay.io/kairos/core-opensuse:latest
+
+# renovate: datasource=github-releases depName=kairos-io/kairos
+ARG KAIROS_VERSION="v2.5.0"
+ARG BASE_IMAGE=quay.io/kairos/ubuntu:23.10-core-amd64-generic-$KAIROS_VERSION
+
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools
-ARG GO_VERSION=1.18
+# renovate: datasource=docker depName=golang
+ARG GO_VERSION=1.24-bookworm
+ARG LUET_VERSION=0.33.0

 build-challenger:
-    FROM golang:alpine
+    FROM +go-deps
    COPY . /work
    WORKDIR /work
    RUN CGO_ENABLED=0 go build -o kcrypt-discovery-challenger ./cmd/discovery
-    SAVE ARTIFACT /work/kcrypt-discovery-challenger AS LOCAL kcrypt-discovery-challenger
+    SAVE ARTIFACT /work/kcrypt-discovery-challenger kcrypt-discovery-challenger AS LOCAL kcrypt-discovery-challenger

 image:
    FROM $BASE_IMAGE
@@ -16,37 +22,94 @@ image:
    COPY +build-challenger/kcrypt-discovery-challenger /system/discovery/kcrypt-discovery-challenger
    SAVE IMAGE $IMAGE

+image-rootfs:
+    FROM +image
+    SAVE ARTIFACT --keep-own /. rootfs
+
 iso:
    ARG OSBUILDER_IMAGE
    ARG ISO_NAME=challenger
    FROM $OSBUILDER_IMAGE
-    RUN zypper in -y jq docker
    WORKDIR /build
-    WITH DOCKER --allow-privileged --load $IMAGE=(+image --IMAGE=test)
-        RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --date=false --local test --output /build/
-    END
-    # See: https://github.com/rancher/elemental-cli/issues/228
-    RUN sha256sum $ISO_NAME.iso > $ISO_NAME.iso.sha256
+    COPY --keep-own +image-rootfs/rootfs /build/rootfs
+    RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --squash-no-compression --date=false --output /build/ dir:/build/rootfs
    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
    SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256

-test:
+go-deps:
    ARG GO_VERSION
    FROM golang:$GO_VERSION
-    ENV CGO_ENABLED=0
+    WORKDIR /build
+    COPY go.mod go.sum ./
+    RUN go mod download
+    RUN go mod verify
+    SAVE ARTIFACT go.mod AS LOCAL go.mod
+    SAVE ARTIFACT go.sum AS LOCAL go.sum

+test:
+    FROM +go-deps
+    ENV CGO_ENABLED=0
    WORKDIR /work

-    # Cache layer for modules
-    COPY go.mod go.sum ./
-    RUN go mod download && go mod verify
-
-    RUN go get github.com/onsi/gomega/...
-    RUN go get github.com/onsi/ginkgo/v2/ginkgo/internal@v2.1.4
-    RUN go get github.com/onsi/ginkgo/v2/ginkgo/generators@v2.1.4
-    RUN go get github.com/onsi/ginkgo/v2/ginkgo/labels@v2.1.4
-    RUN go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-
-    COPY . /work
-    RUN PATH=$PATH:$GOPATH/bin ginkgo run --covermode=atomic --coverprofile=coverage.out -p -r pkg/challenger cmd/discovery/client
+    COPY . .
+    RUN go run github.com/onsi/ginkgo/v2/ginkgo run --covermode=atomic --coverprofile=coverage.out -p -r pkg/challenger cmd/discovery/client
    SAVE ARTIFACT coverage.out AS LOCAL coverage.out
+
+# Generic targets
+# usage e.g. ./earthly.sh +datasource-iso --CLOUD_CONFIG=tests/assets/qrcode.yaml
+datasource-iso:
+    ARG OSBUILDER_IMAGE
+    ARG CLOUD_CONFIG
+    FROM $OSBUILDER_IMAGE
+    RUN zypper in -y mkisofs
+    WORKDIR /build
+    RUN touch meta-data
+
+    COPY ${CLOUD_CONFIG} user-data
+    RUN cat user-data
+    RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data
+    SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso
+
+luet:
+    FROM quay.io/luet/base:$LUET_VERSION
+    SAVE ARTIFACT /usr/bin/luet /luet
+
+e2e-tests-image:
+    FROM opensuse/tumbleweed
+    RUN zypper in -y go1.23 git qemu-x86 qemu-arm qemu-tools swtpm docker jq docker-compose make glibc libopenssl-devel curl gettext-runtime awk envsubst
+    ENV GOPATH="/go"
+
+    COPY . /test
+    WORKDIR /test
+
+    IF [ -e /test/build/kairos.iso ]
+        ENV ISO=/test/build/kairos.iso
+    ELSE
+        COPY +iso/kairos.iso kairos.iso
+        ENV ISO=/test/kairos.iso
+    END
+
+    COPY +luet/luet /usr/bin/luet
+    RUN mkdir -p /etc/luet/repos.conf.d/
+    RUN luet repo add -y kairos --url quay.io/kairos/packages --type docker
+    RUN LUET_NOLOCK=true luet install -y container/kubectl utils/k3d
+
+controller-latest:
+    FROM DOCKERFILE .
+    SAVE IMAGE controller:latest
+
+e2e-tests:
+    FROM +e2e-tests-image
+    ARG LABEL
+    RUN make test # This also generates the latest controllers automatically, we do that before building the docker image with them
+    WITH DOCKER --allow-privileged --load controller:latest=+controller-latest
+        RUN ./scripts/e2e-tests.sh
+    END
+
+lint:
+    BUILD +yamllint
+
+yamllint:
+    FROM cytopia/yamllint
+    COPY . .
+    RUN yamllint .github/workflows/
--- a/6
+++ b/6
@@ -103,7 +103,7 @@ vet: ## Run go vet against code.

 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./pkg/... -coverprofile cover.out

 ##@ Build

@@ -160,7 +160,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest

 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.9.2
+CONTROLLER_TOOLS_VERSION ?= v0.14.0

 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
@@ -257,4 +257,4 @@ undeploy-dev: ## Undeploy controller from the K8s cluster specified in ~/.kube/c
 kubesplit: manifests kustomize
 	rm -rf helm-chart
 	mkdir helm-chart
-	$(KUSTOMIZE) build config/default | kubesplit -helm helm-chart
+	$(KUSTOMIZE) build config/default | kubesplit -helm helm-chart
--- a/README.md
+++ b/README.md
@@ -1,10 +1,72 @@
-# kcrypt-challenger
+<h1 align="center">
+  <br>
+     <img width="184" alt="kairos-white-column 5bc2fe34" src="https://user-images.githubusercontent.com/2420543/193010398-72d4ba6e-7efe-4c2e-b7ba-d3a826a55b7d.png"><br>
+    Kcrypt challenger
+<br>
+</h1>
+
+<h3 align="center">Kcrypt TPM challenger</h3>
+<p align="center">
+  <a href="https://opensource.org/licenses/">
+    <img src="https://img.shields.io/badge/licence-APL2-brightgreen"
+         alt="license">
+  </a>
+  <a href="https://github.com/kairos-io/kcrypt-challenger/issues"><img src="https://img.shields.io/github/issues/kairos-io/kcrypt-challenger"></a>
+  <a href="https://kairos.io/docs/" target=_blank> <img src="https://img.shields.io/badge/Documentation-blue"
+         alt="docs"></a>
+  <img src="https://img.shields.io/badge/made%20with-Go-blue">
+  <img src="https://goreportcard.com/badge/github.com/kairos-io/kcrypt-challenger" alt="go report card" />
+  <a href="https://github.com/kairos-io/kcrypt-challenger/actions/workflows/e2e-tests.yml?query=branch%3Amain"> <img src="https://github.com/kairos-io/kcrypt-challenger/actions/workflows/e2e-tests.yml/badge.svg?branch=main"></a>
+</p>
+
+
+With Kairos you can build immutable, bootable Kubernetes and OS images for your edge devices as easily as writing a Dockerfile. Optional P2P mesh with distributed ledger automates node bootstrapping and coordination. Updating nodes is as easy as CI/CD: push a new image to your container registry and let secure, risk-free A/B atomic upgrades do the rest.
+
+
+<table>
+<tr>
+<th align="center">
+<img width="640" height="1px">
+<p> 
+<small>
+Documentation
+</small>
+</p>
+</th>
+<th align="center">
+<img width="640" height="1">
+<p> 
+<small>
+Contribute
+</small>
+</p>
+</th>
+</tr>
+<tr>
+<td>
+
+ 📚 [Getting started with Kairos](https://kairos.io/docs/getting-started) <br> :bulb: [Examples](https://kairos.io/docs/examples) <br> :movie_camera: [Video](https://kairos.io/docs/media/) <br> :open_hands:[Engage with the Community](https://kairos.io/community/)
+  
+</td>
+<td>
+  
+🙌[ CONTRIBUTING.md ]( https://github.com/kairos-io/kairos/blob/master/CONTRIBUTING.md ) <br> :raising_hand: [ GOVERNANCE ]( https://github.com/kairos-io/kairos/blob/master/GOVERNANCE.md ) <br>:construction_worker:[Code of conduct](https://github.com/kairos-io/kairos/blob/master/CODE_OF_CONDUCT.md) 
+  
+</td>
+</tr>
+</table>

 | :exclamation: | This is experimental! |
 |-|:-|

 This is the Kairos kcrypt-challenger Kubernetes Native Extension. 

+## Usage
+
+See the documentation in our website: https://kairos.io/docs/advanced/partition_encryption/.
+
+## Installation
+
 To install, use helm:

 ```
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@@ -9,13 +9,18 @@ import (

 	"github.com/jaypipes/ghw/pkg/block"
 	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"
 	"github.com/kairos-io/kcrypt/pkg/bus"
 	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
 	"github.com/mudler/yip/pkg/utils"
 )

+// Because of how go-pluggable works, we can't just print to stdout
+const LOGFILE = "/tmp/kcrypt-challenger-client.log"
+
 var errPartNotFound error = fmt.Errorf("pass for partition not found")
+var errBadCertificate error = fmt.Errorf("unknown certificate")

 func NewClient() (*Client, error) {
 	conf, err := unmarshalConfig()
@@ -28,6 +33,10 @@ func NewClient() (*Client, error) {

 // ❯ echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
 func (c *Client) Start() error {
+	if err := os.RemoveAll(LOGFILE); err != nil { // Start fresh
+		return fmt.Errorf("removing the logfile: %w", err)
+	}
+
 	factory := pluggable.NewPluginFactory()

 	// Input: bus.EventInstallPayload
@@ -57,50 +66,77 @@ func (c *Client) Start() error {
 	return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
 }

+func (c *Client) generatePass(postEndpoint string, headers map[string]string, p *block.Partition) error {
+
+	rand := utils.RandomString(32)
+	pass, err := tpm.EncryptBlob([]byte(rand))
+	if err != nil {
+		return err
+	}
+	bpass := base64.RawURLEncoding.EncodeToString(pass)
+
+	opts := []tpm.Option{
+		tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
+		tpm.AppendCustomCAToSystemCA,
+		tpm.WithAdditionalHeader("label", p.FilesystemLabel),
+		tpm.WithAdditionalHeader("name", p.Name),
+		tpm.WithAdditionalHeader("uuid", p.UUID),
+	}
+	for k, v := range headers {
+		opts = append(opts, tpm.WithAdditionalHeader(k, v))
+	}
+
+	conn, err := tpm.Connection(postEndpoint, opts...)
+	if err != nil {
+		return err
+	}
+
+	return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
+}
+
 func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
-	// IF we don't have any server configured, just do local
-	if c.Config.Kcrypt.Challenger.Server == "" {
+	additionalHeaders := map[string]string{}
+	serverURL := c.Config.Kcrypt.Challenger.Server
+
+	// If we don't have any server configured, just do local
+	if serverURL == "" {
 		return localPass(c.Config)
 	}

-	challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
-	postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
-
-	// IF server doesn't have a pass for us, then we generate one and we set it
-	if _, _, err := getPass(challengeEndpoint, p); err == errPartNotFound {
-		rand := utils.RandomString(32)
-		pass, err := tpm.EncryptBlob([]byte(rand))
-		if err != nil {
-			return "", err
-		}
-		bpass := base64.RawURLEncoding.EncodeToString(pass)
-
-		opts := []tpm.Option{
-			tpm.WithAdditionalHeader("label", p.Label),
-			tpm.WithAdditionalHeader("name", p.Name),
-			tpm.WithAdditionalHeader("uuid", p.UUID),
-		}
-		conn, err := tpm.Connection(postEndpoint, opts...)
-		if err != nil {
-			return "", err
-		}
-		err = conn.WriteJSON(map[string]string{"passphrase": bpass, constants.GeneratedByKey: constants.TPMSecret})
-		if err != nil {
-			return rand, err
-		}
+	if c.Config.Kcrypt.Challenger.MDNS {
+		serverURL, additionalHeaders, err = queryMDNS(serverURL)
 	}

+	getEndpoint := fmt.Sprintf("%s/getPass", serverURL)
+	postEndpoint := fmt.Sprintf("%s/postPass", serverURL)
+
 	for tries := 0; tries < attempts; tries++ {
 		var generated bool
-		pass, generated, err = getPass(challengeEndpoint, p)
+		pass, generated, err = getPass(getEndpoint, additionalHeaders, c.Config.Kcrypt.Challenger.Certificate, p)
+		if err == errPartNotFound {
+			// IF server doesn't have a pass for us, then we generate one and we set it
+			err = c.generatePass(postEndpoint, additionalHeaders, p)
+			if err != nil {
+				return
+			}
+			// Attempt to fetch again - validate that the server has it now
+			tries = 0
+			continue
+		}
+
 		if generated { // passphrase is encrypted
 			return c.decryptPassphrase(pass)
 		}

-		if err == nil || err == errPartNotFound { // passphrase not encrypted or not available
+		if err == errBadCertificate { // No need to retry, won't succeed.
 			return
 		}

+		if err == nil { // passphrase available, no errors
+			return
+		}
+
+		logToFile("Failed with error: %s . Will retry.\n", err.Error())
 		time.Sleep(1 * time.Second) // network errors? retry
 	}

@@ -127,3 +163,14 @@ func (c *Client) decryptPassphrase(pass string) (string, error) {

 	return string(passBytes), err
 }
+
+func logToFile(format string, a ...any) {
+	s := fmt.Sprintf(format, a...)
+	file, err := os.OpenFile(LOGFILE, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		panic(err)
+	}
+	defer file.Close()
+
+	file.WriteString(s)
+}
--- a/cmd/discovery/client/config.go
+++ b/cmd/discovery/client/config.go
@@ -1,8 +1,9 @@
 package client

 import (
-	"github.com/kairos-io/kairos/pkg/config"
+	"github.com/kairos-io/kairos-sdk/collector"
 	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+	"gopkg.in/yaml.v3"
 )

 type Client struct {
@@ -12,12 +13,12 @@ type Client struct {
 type Config struct {
 	Kcrypt struct {
 		Challenger struct {
-			Server string `yaml:"challenger_server,omitempty"`
-			// Non-volatile index memory: where we store the encrypted passphrase (offline mode)
-			NVIndex string `yaml:"nv_index,omitempty"`
-			// Certificate index: this is where the rsa pair that decrypts the passphrase lives
-			CIndex    string `yaml:"c_index,omitempty"`
-			TPMDevice string `yaml:"tpm_device,omitempty"`
+			MDNS        bool   `yaml:"mdns,omitempty"`
+			Server      string `yaml:"challenger_server,omitempty"`
+			NVIndex     string `yaml:"nv_index,omitempty"` // Non-volatile index memory: where we store the encrypted passphrase (offline mode)
+			CIndex      string `yaml:"c_index,omitempty"`  // Certificate index: this is where the rsa pair that decrypts the passphrase lives
+			TPMDevice   string `yaml:"tpm_device,omitempty"`
+			Certificate string `yaml:"certificate,omitempty"`
 		}
 	}
 }
@@ -25,12 +26,21 @@ type Config struct {
 func unmarshalConfig() (Config, error) {
 	var result Config

-	c, err := config.Scan(config.Directories(kconfig.ConfigScanDirs...), config.NoLogs)
+	o := &collector.Options{NoLogs: true, MergeBootCMDLine: false}
+	if err := o.Apply(collector.Directories(append(kconfig.ConfigScanDirs, "/tmp/oem")...)); err != nil {
+		return result, err
+	}
+
+	c, err := collector.Scan(o, func(d []byte) ([]byte, error) {
+		return d, nil
+	})
 	if err != nil {
 		return result, err
 	}

-	if err = c.Unmarshal(&result); err != nil {
+	a, _ := c.String()
+	err = yaml.Unmarshal([]byte(a), &result)
+	if err != nil {
 		return result, err
 	}

--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
@@ -3,8 +3,10 @@ package client
 import (
 	"encoding/json"
 	"fmt"
+	"strings"

 	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"

 	"github.com/jaypipes/ghw/pkg/block"
 	"github.com/kairos-io/tpm-helpers"
@@ -14,24 +16,40 @@ import (

 const DefaultNVIndex = "0x1500000"

-func getPass(server string, partition *block.Partition) (string, bool, error) {
-	msg, err := tpm.Get(server,
-		tpm.WithAdditionalHeader("label", partition.Label),
+func getPass(server string, headers map[string]string, certificate string, partition *block.Partition) (string, bool, error) {
+	opts := []tpm.Option{
+		tpm.WithCAs([]byte(certificate)),
+		tpm.AppendCustomCAToSystemCA,
+		tpm.WithAdditionalHeader("label", partition.FilesystemLabel),
 		tpm.WithAdditionalHeader("name", partition.Name),
-		tpm.WithAdditionalHeader("uuid", partition.UUID))
+		tpm.WithAdditionalHeader("uuid", partition.UUID),
+	}
+	for k, v := range headers {
+		opts = append(opts, tpm.WithAdditionalHeader(k, v))
+	}
+
+	msg, err := tpm.Get(server, opts...)
 	if err != nil {
 		return "", false, err
 	}
-	result := map[string]interface{}{}
+	result := payload.Data{}
 	err = json.Unmarshal(msg, &result)
 	if err != nil {
 		return "", false, errors.Wrap(err, string(msg))
 	}
-	generatedBy, generated := result[constants.GeneratedByKey]
-	p, ok := result["passphrase"]
-	if ok {
-		return fmt.Sprint(p), generated && generatedBy == constants.TPMSecret, nil
+
+	if result.HasPassphrase() {
+		return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
+	} else if result.HasError() {
+		if strings.Contains(result.Error, "No secret found for") {
+			return "", false, errPartNotFound
+		}
+		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
+			return "", false, errBadCertificate
+		}
+		return "", false, errors.New(result.Error)
 	}
+
 	return "", false, errPartNotFound
 }

--- a/cmd/discovery/client/mdns.go
+++ b/cmd/discovery/client/mdns.go
@@ -0,0 +1,85 @@
+package client
+
+import (
+	"fmt"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/mdns"
+)
+
+const (
+	MDNSServiceType = "_kcrypt._tcp"
+	MDNSTimeout     = 15 * time.Second
+)
+
+// queryMDNS will make an mdns query on local network to find a kcrypt challenger server
+// instance. If none is found, the original URL is returned and no additional headers.
+// If a response is received, the IP address and port from the response will be returned// and an additional "Host" header pointing to the original host.
+func queryMDNS(originalURL string) (string, map[string]string, error) {
+	additionalHeaders := map[string]string{}
+	var err error
+
+	parsedURL, err := url.Parse(originalURL)
+	if err != nil {
+		return originalURL, additionalHeaders, fmt.Errorf("parsing the original host: %w", err)
+	}
+
+	host := parsedURL.Host
+	if !strings.HasSuffix(host, ".local") { // sanity check
+		return "", additionalHeaders, fmt.Errorf("domain should end in \".local\" when using mdns")
+	}
+
+	mdnsIP, mdnsPort := discoverMDNSServer(host)
+	if mdnsIP == "" { // no reply
+		logToFile("no reply from mdns\n")
+		return originalURL, additionalHeaders, nil
+	}
+
+	additionalHeaders["Host"] = parsedURL.Host
+	newURL := strings.ReplaceAll(originalURL, host, mdnsIP)
+	// Remove any port in the original url
+	if port := parsedURL.Port(); port != "" {
+		newURL = strings.ReplaceAll(newURL, port, "")
+	}
+
+	// Add any possible port from the mdns response
+	if mdnsPort != "" {
+		newURL = strings.ReplaceAll(newURL, mdnsIP, fmt.Sprintf("%s:%s", mdnsIP, mdnsPort))
+	}
+
+	return newURL, additionalHeaders, nil
+}
+
+// discoverMDNSServer performs an mDNS query to discover any running kcrypt challenger
+// servers on the same network that matches the given hostname.
+// If a response if received, the IP address and the Port from the response are returned.
+func discoverMDNSServer(hostname string) (string, string) {
+	// Make a channel for results and start listening
+	entriesCh := make(chan *mdns.ServiceEntry, 4)
+	defer close(entriesCh)
+
+	logToFile("Will now wait for some mdns server to respond\n")
+	// Start the lookup. It will block until we read from the chan.
+	mdns.Lookup(MDNSServiceType, entriesCh)
+
+	expectedHost := hostname + "." // FQDN
+	// Wait until a matching server is found or we reach a timeout
+	for {
+		select {
+		case entry := <-entriesCh:
+			logToFile("mdns response received\n")
+			if entry.Host == expectedHost {
+				logToFile("%s matches %s\n", entry.Host, expectedHost)
+				return entry.AddrV4.String(), strconv.Itoa(entry.Port) // TODO: v6?
+			} else {
+				logToFile("%s didn't match %s\n", entry.Host, expectedHost)
+			}
+		case <-time.After(MDNSTimeout):
+			logToFile("timed out waiting for mdns\n")
+			return "", ""
+		}
+	}
+}
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -82,4 +82,4 @@ spec:
        - name: wss
          port: 8082
          protocol: TCP
-          targetPort: wss
+          targetPort: wss
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -20,14 +20,13 @@ import (
 	"path/filepath"
 	"testing"

-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"

 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
-	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"

@@ -44,10 +43,7 @@ var testEnv *envtest.Environment

 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-
-	RunSpecsWithDefaultAndCustomReporters(t,
-		"Controller Suite",
-		[]Reporter{printer.NewlineReporter{}})
+	RunSpecs(t, "Control")
 }

 var _ = BeforeSuite(func() {
--- a/earthly.sh
+++ b/earthly.sh
@@ -1,3 +1,3 @@
 #!/bin/bash

-docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.6.21 --allow-privileged $@
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.15 --allow-privileged $@
--- a/go.mod
+++ b/go.mod
@@ -1,134 +1,182 @@
 module github.com/kairos-io/kairos-challenger

-go 1.18
+go 1.24.2

 require (
-	github.com/gorilla/websocket v1.5.0
-	github.com/jaypipes/ghw v0.9.0
-	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1
-	github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
-	github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b
-	github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
-	github.com/mudler/yip v0.11.4
-	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.7.0
-	github.com/onsi/gomega v1.25.0
+	github.com/go-logr/logr v1.4.2
+	github.com/google/uuid v1.6.0
+	github.com/gorilla/websocket v1.5.3
+	github.com/hashicorp/mdns v1.0.6
+	github.com/jaypipes/ghw v0.14.0
+	github.com/kairos-io/kairos-sdk v0.7.3
+	github.com/kairos-io/kcrypt v0.13.0
+	github.com/kairos-io/tpm-helpers v0.0.0-20240123063624-f7a3fcc66199
+	github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
+	github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
+	github.com/mudler/yip v1.15.0
+	github.com/onsi/ginkgo/v2 v2.23.0
+	github.com/onsi/gomega v1.36.2
 	github.com/pkg/errors v0.9.1
-	k8s.io/api v0.24.2
-	k8s.io/apimachinery v0.24.2
-	k8s.io/client-go v0.24.2
-	sigs.k8s.io/controller-runtime v0.12.2
+	github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.27.2
+	k8s.io/apimachinery v0.27.2
+	k8s.io/client-go v0.27.2
+	sigs.k8s.io/controller-runtime v0.15.0
 )

 require (
-	atomicgo.dev/cursor v0.1.1 // indirect
+	atomicgo.dev/cursor v0.2.0 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
-	cloud.google.com/go v0.93.3 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	atomicgo.dev/schedule v0.1.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
 	github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/bramvdbogaerde/go-scp v1.2.1 // indirect
+	github.com/cavaliergopher/grab/v3 v3.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 // indirect
-	github.com/containerd/console v1.0.3 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/codingsince1985/checksum v1.2.6 // indirect
+	github.com/containerd/cgroups/v3 v3.0.5 // indirect
+	github.com/containerd/console v1.0.4 // indirect
+	github.com/containerd/containerd v1.7.25 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
-	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v27.5.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
-	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-logr/zapr v1.2.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/google/go-tpm-tools v0.3.10 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20250208200701-d0013a598941 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gookit/color v1.5.2 // indirect
+	github.com/gookit/color v1.5.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/itchyny/gojq v0.12.11 // indirect
-	github.com/itchyny/timefmt-go v0.1.5 // indirect
-	github.com/joho/godotenv v1.4.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/ipfs/go-log v1.0.5 // indirect
+	github.com/ipfs/go-log/v2 v2.5.1 // indirect
+	github.com/itchyny/gojq v0.12.17 // indirect
+	github.com/itchyny/timefmt-go v0.1.6 // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/lithammer/fuzzysearch v1.1.5 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/miekg/dns v1.1.55 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
-	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/prometheus/client_golang v1.13.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/pterm/pterm v0.12.53 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+	github.com/prometheus/client_golang v1.20.2 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/pterm/pterm v0.12.80 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
-	github.com/rivo/uniseg v0.4.3 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/twpayne/go-vfs v1.7.2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.24.7 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/twpayne/go-vfs/v4 v4.3.0 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	go.uber.org/zap v1.23.0 // indirect
-	golang.org/x/crypto v0.5.0 // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/term v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250212204824-5a70512c5d8b // indirect
+	google.golang.org/grpc v1.70.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.24.2 // indirect
-	k8s.io/component-base v0.24.2 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	k8s.io/apiextensions-apiserver v0.27.2 // indirect
+	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ import (

 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
+
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"

@@ -120,7 +121,9 @@ func main() {
 		os.Exit(1)
 	}

-	go challenger.Start(context.Background(), clientset, reconciler, namespace, challengerAddr)
+	serverLog := ctrl.Log.WithName("server")
+
+	go challenger.Start(context.Background(), serverLog, clientset, reconciler, namespace, challengerAddr)

 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
--- a/mdns-notes.md
+++ b/mdns-notes.md
@@ -0,0 +1,103 @@
+# Prerequisites
+
+Nodes and KMS should be on the same local network (mdns requirement)
+
+# Steps
+
+- Create a cluster with a port bound to the host:
+
+```
+k3d cluster create kcrypt -p '30000:30000@server:0' 
+```
+
+(we are going to assign this port to the kcrypt challenger server and advertise it over mdns)
+
+- Follow [the instructions to setup the kcrypt challenger server](https://github.com/kairos-io/kcrypt-challenger#installation):
+
+```
+helm repo add kairos https://kairos-io.github.io/helm-charts
+helm install kairos-crd kairos/kairos-crds
+```
+
+Create the following 'kcrypt-challenger-values.yaml` file:
+
+
+```yaml
+service:
+  challenger:
+    type: "NodePort"
+    port: 8082
+    nodePort: 30000
+```
+
+and deploy the challenger server with it:
+
+```bash
+helm install -f kcrypt-challenger-values.yaml kairos-challenger kairos/kairos-challenger
+```
+
+- Add the sealedvolume and secret for the tpm chip:
+
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-host-tpm-secret
+  namespace: default
+type: Opaque
+stringData:
+  pass: "awesome-passphrase"
+---
+apiVersion: keyserver.kairos.io/v1alpha1
+kind: SealedVolume
+metadata:
+    name: example-host
+    namespace: default
+spec:
+  TPMHash: "5640e37f4016da16b841a93880dcc44886904392fa3c86681087b77db5afedbe"
+  partitions:
+    - label: COS_PERSISTENT
+      secret:
+        name: example-host-tpm-secret
+        path: pass
+  quarantined: false
+```
+
+- Start the [simple-mdns-server](https://github.com/kairos-io/simple-mdns-server)
+
+```
+go run . --port 30000 --interfaceName enp121s0 --serviceType _kcrypt._tcp --hostName mychallenger.local
+```
+
+
+- Start a node in manual install mode
+
+- Replace `/system/discovery/kcrypt-discovery-challenger` with a custom build (until we merge)
+
+- Create the following config:
+
+```
+#cloud-config
+
+users:
+  - name: kairos
+    passwd: kairos
+
+install:
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  encrypted_partitions:
+  - COS_PERSISTENT
+
+# Kcrypt configuration block
+kcrypt:
+  challenger:
+    mdns: true
+    challenger_server: "http://mychallenger.local"
+```
+
+- Install:
+
+```
+kairos-agent manual-install --device auto config.yaml
+```
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -6,10 +6,14 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"strings"
 	"time"

+	"github.com/go-logr/logr"
+
 	keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
 	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/kairos-io/kairos-challenger/controllers"
@@ -45,6 +49,24 @@ var upgrader = websocket.Upgrader{
 	WriteBufferSize: 1024,
 }

+func cleanKubeName(s string) (d string) {
+	d = strings.ReplaceAll(s, "_", "-")
+	d = strings.ToLower(d)
+	return
+}
+
+func (s SealedVolumeData) DefaultSecret() (string, string) {
+	secretName := fmt.Sprintf("%s-%s", s.VolumeName, s.PartitionLabel)
+	secretPath := "passphrase"
+	if s.SecretName != "" {
+		secretName = s.SecretName
+	}
+	if s.SecretPath != "" {
+		secretPath = s.SecretPath
+	}
+	return cleanKubeName(secretName), cleanKubeName(secretPath)
+}
+
 func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
 	writer, err := conn.NextWriter(websocket.BinaryMessage)
 	if err != nil {
@@ -76,8 +98,8 @@ func getPubHash(token string) (string, error) {
 	return tpm.DecodePubHash(ek)
 }

-func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
-	fmt.Println("Challenger started at", address)
+func Start(ctx context.Context, logger logr.Logger, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
+	logger.Info("Challenger started", "address", address)
 	s := http.Server{
 		Addr:         address,
 		ReadTimeout:  10 * time.Second,
@@ -87,188 +109,213 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 	m := http.NewServeMux()

 	m.HandleFunc("/postPass", func(w http.ResponseWriter, r *http.Request) {
-		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
-		for {
-			if err := tpm.AuthRequest(r, conn); err != nil {
-				fmt.Println("error", err.Error())
-				return
-			}
-			defer conn.Close()
-			token := r.Header.Get("Authorization")
-
-			hashEncoded, err := getPubHash(token)
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			logger.Error(err, "upgrading connection")
+			return
+		}
+		defer func() {
+			err := conn.Close()
 			if err != nil {
-				fmt.Println("error decoding pubhash", err.Error())
-				return
+				logger.Error(err, "closing the connection")
 			}
+		}()

-			label := r.Header.Get("label")
-			name := r.Header.Get("name")
-			uuid := r.Header.Get("uuid")
-			v := map[string]string{}
+		logger.Info("Receiving passphrase")
+		if err := tpm.AuthRequest(r, conn); err != nil {
+			errorMessage(conn, logger, err, "auth request")
+			return
+		}
+		logger.Info("[Receiving passphrase] auth succeeded")

-			volumeList := &keyserverv1alpha1.SealedVolumeList{}
+		token := r.Header.Get("Authorization")
+		hashEncoded, err := getPubHash(token)
+		if err != nil {
+			errorMessage(conn, logger, err, "decoding pubhash")
+			return
+		}
+		logger.Info("[Receiving passphrase] pubhash", "encodedhash", hashEncoded)
+
+		label := r.Header.Get("label")
+		name := r.Header.Get("name")
+		uuid := r.Header.Get("uuid")
+		v := &payload.Data{}
+		logger.Info("Reading request data", "label", label, "name", name, "uuid", uuid)
+
+		volumeList := &keyserverv1alpha1.SealedVolumeList{}
+		for {
 			if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
-				fmt.Println("Failed listing volumes")
-				fmt.Println(err)
+				logger.Error(err, "listing volumes")
 				continue
 			}
-
-			sealedVolumeData := findVolumeFor(PassphraseRequestData{
-				TPMHash:    hashEncoded,
-				Label:      label,
-				DeviceName: name,
-				UUID:       uuid,
-			}, volumeList)
-
-			if sealedVolumeData == nil {
-				fmt.Println("No TPM Hash found for", hashEncoded)
-				conn.Close()
-				return
-			}
-
-			if err := conn.ReadJSON(&v); err != nil {
-				fmt.Println("error", err.Error())
-				return
-			}
-
-			pass, ok := v["passphrase"]
-			if ok {
-				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
-				secretPath := "passphrase"
-				if sealedVolumeData.SecretName != "" {
-					secretName = sealedVolumeData.SecretName
-				}
-				if sealedVolumeData.SecretPath != "" {
-					secretPath = sealedVolumeData.SecretPath
-				}
-				_, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
-				if err != nil {
-					if !apierrors.IsNotFound(err) {
-						fmt.Printf("Failed getting secret: %s\n", err.Error())
-						continue
-					}
-
-					secret := corev1.Secret{
-						TypeMeta: v1.TypeMeta{
-							Kind:       "Secret",
-							APIVersion: "apps/v1",
-						},
-						ObjectMeta: v1.ObjectMeta{
-							Name:      secretName,
-							Namespace: namespace,
-						},
-						Data: map[string][]byte{
-							secretPath:               []byte(pass),
-							constants.GeneratedByKey: []byte(v[constants.GeneratedByKey]),
-						},
-						Type: "Opaque",
-					}
-					_, err := kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
-					if err != nil {
-						fmt.Println("failed during secret creation")
-					}
-				} else {
-					fmt.Println("Posted for already existing secret - ignoring")
-				}
-			} else {
-				fmt.Println("Invalid answer from client: doesn't contain any passphrase")
-			}
+			break
 		}
+
+		logger.Info("Looking up volume with request data")
+		sealedVolumeData := findVolumeFor(PassphraseRequestData{
+			TPMHash:    hashEncoded,
+			Label:      label,
+			DeviceName: name,
+			UUID:       uuid,
+		}, volumeList)
+
+		if sealedVolumeData == nil {
+			errorMessage(conn, logger, fmt.Errorf("no TPM Hash found for %s", hashEncoded), "")
+			return
+		}
+		logger.Info("[Looking up volume with request data] succeeded")
+
+		if err := conn.ReadJSON(v); err != nil {
+			logger.Error(err, "reading json from connection")
+			return
+		}
+
+		if !v.HasPassphrase() {
+			errorMessage(conn, logger, fmt.Errorf("invalid answer from client: doesn't contain any passphrase"), "")
+		}
+		if v.HasError() {
+			errorMessage(conn, logger, fmt.Errorf("error: %s", v.Error), v.Error)
+		}
+
+		secretName, secretPath := sealedVolumeData.DefaultSecret()
+		logger.Info("Looking up secret in with name", "name", secretName, "namespace", namespace)
+		_, err = kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
+		if err == nil {
+			logger.Info("Posted for already existing secret - ignoring")
+			return
+		}
+		if !apierrors.IsNotFound(err) {
+			errorMessage(conn, logger, err, "failed getting secret")
+			return
+		}
+
+		logger.Info("secret not found, creating one")
+		secret := corev1.Secret{
+			TypeMeta: v1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "apps/v1",
+			},
+			ObjectMeta: v1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{
+				secretPath:               v.Passphrase,
+				constants.GeneratedByKey: v.GeneratedBy,
+			},
+			Type: "Opaque",
+		}
+		_, err = kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
+		if err != nil {
+			errorMessage(conn, logger, err, "failed during secret creation")
+		}
+		logger.Info("created new secret")
 	})

 	m.HandleFunc("/getPass", func(w http.ResponseWriter, r *http.Request) {
-		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			logger.Error(err, "upgrading connection")
+			return
+		}
+		defer func() {
+			err := conn.Close()
+			if err != nil {
+				logger.Error(err, "closing the connection")
+			}
+		}()

+		logger.Info("Received connection")
+		volumeList := &keyserverv1alpha1.SealedVolumeList{}
 		for {
-			fmt.Println("Received connection")
-			volumeList := &keyserverv1alpha1.SealedVolumeList{}
 			if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
-				fmt.Println("Failed listing volumes")
-				fmt.Println(err)
+				logger.Error(err, "listing volumes")
 				continue
 			}
-
-			token := r.Header.Get("Authorization")
-			label := r.Header.Get("label")
-			name := r.Header.Get("name")
-			uuid := r.Header.Get("uuid")
-
-			if err := tpm.AuthRequest(r, conn); err != nil {
-				fmt.Println("error validating challenge", err.Error())
-				return
-			}
-
-			hashEncoded, err := getPubHash(token)
-			if err != nil {
-				fmt.Println("error decoding pubhash", err.Error())
-				return
-			}
-
-			sealedVolumeData := findVolumeFor(PassphraseRequestData{
-				TPMHash:    hashEncoded,
-				Label:      label,
-				DeviceName: name,
-				UUID:       uuid,
-			}, volumeList)
-
-			if sealedVolumeData == nil {
-				fmt.Println("No TPM Hash found for", hashEncoded)
-				conn.Close()
-				return
-			}
-			writer, _ := conn.NextWriter(websocket.BinaryMessage)
-			if !sealedVolumeData.Quarantined {
-				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
-				secretPath := "passphrase"
-				if sealedVolumeData.SecretName != "" {
-					secretName = sealedVolumeData.SecretName
-				}
-				if sealedVolumeData.SecretPath != "" {
-					secretPath = sealedVolumeData.SecretPath
-				}
-
-				// 1. The admin sets a specific cleartext password from Kube manager
-				//      SealedVolume -> with a secret .
-				// 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
-				// 3. There is no challenger server at all (offline mode)
-				//
-				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
-				if err == nil {
-					passphrase := secret.Data[secretPath]
-					generatedBy, generated := secret.Data[constants.GeneratedByKey]
-					result := map[string]string{"passphrase": string(passphrase)}
-					if generated {
-						result[constants.GeneratedByKey] = string(generatedBy)
-					}
-					err = json.NewEncoder(writer).Encode(result)
-					if err != nil {
-						fmt.Println("error encoding the passphrase to json", err.Error(), string(passphrase))
-					}
-					if err = writer.Close(); err != nil {
-						fmt.Println("error closing the writer", err.Error())
-						return
-					}
-					if err = conn.Close(); err != nil {
-						fmt.Println("error closing the connection", err.Error())
-						return
-					}
-
-					return
-				}
-			} else {
-				fmt.Println("error getting the secret", err.Error())
-				if err = conn.Close(); err != nil {
-					fmt.Println("error closing the connection", err.Error())
-					return
-				}
-				return
-			}
+			break
 		}
-	},
-	)

-	s.Handler = m
+		logger.Info("reading data from request")
+		token := r.Header.Get("Authorization")
+		label := r.Header.Get("label")
+		name := r.Header.Get("name")
+		uuid := r.Header.Get("uuid")
+
+		tokenStr := "empty"
+		if token != "" {
+			tokenStr = "not empty"
+		}
+		logger.Info("request data", "token", tokenStr, "label", label, "name", name, "uuid", uuid)
+
+		if err := tpm.AuthRequest(r, conn); err != nil {
+			logger.Error(err, "error validating challenge")
+			return
+		}
+
+		hashEncoded, err := getPubHash(token)
+		if err != nil {
+			logger.Error(err, "error decoding pubhash")
+			return
+		}
+
+		logger.Info("Looking up volume with request data")
+		sealedVolumeData := findVolumeFor(PassphraseRequestData{
+			TPMHash:    hashEncoded,
+			Label:      label,
+			DeviceName: name,
+			UUID:       uuid,
+		}, volumeList)
+
+		if sealedVolumeData == nil {
+			errorMessage(conn, logger, fmt.Errorf("no volume found with data from request and hash: %s", hashEncoded), "")
+			return
+		}
+		logger.Info("[Looking up volume with request data] succeeded")
+
+		if sealedVolumeData.Quarantined {
+			errorMessage(conn, logger, fmt.Errorf("quarantined: %s", sealedVolumeData.PartitionLabel), "")
+			return
+		}
+
+		secretName, secretPath := sealedVolumeData.DefaultSecret()
+
+		// 1. The admin sets a specific cleartext password from Kube manager
+		//      SealedVolume -> with a secret .
+		// 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
+		// 3. There is no challenger server at all (offline mode)
+		//
+		logger.Info(fmt.Sprintf("looking up secret %s in namespace %s", secretName, namespace))
+		secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				errorMessage(conn, logger, fmt.Errorf("No secret found for %s and %s", hashEncoded, sealedVolumeData.PartitionLabel), "")
+			} else {
+				errorMessage(conn, logger, err, "getting the secret from Kubernetes")
+			}
+
+			return
+		}
+		logger.Info(fmt.Sprintf("secret %s found in namespace %s", secretName, namespace))
+
+		passphrase := secret.Data[secretPath]
+		generatedBy := secret.Data[constants.GeneratedByKey]
+
+		writer, err := conn.NextWriter(websocket.BinaryMessage)
+		if err != nil {
+			logger.Error(err, "getting a writer from the connection")
+		}
+		p := payload.Data{Passphrase: string(passphrase), GeneratedBy: string(generatedBy)}
+		err = json.NewEncoder(writer).Encode(p)
+		if err != nil {
+			logger.Error(err, "writing passphrase to the websocket channel")
+		}
+		if err = writer.Close(); err != nil {
+			logger.Error(err, "closing the writer")
+			return
+		}
+	})
+
+	s.Handler = logRequestHandler(logger, m)

 	go func() {
 		err := s.ListenAndServe()
@@ -290,12 +337,19 @@ func findVolumeFor(requestData PassphraseRequestData, volumeList *keyserverv1alp
 				deviceNameMatches := requestData.DeviceName != "" && p.DeviceName == requestData.DeviceName
 				uuidMatches := requestData.UUID != "" && p.UUID == requestData.UUID
 				labelMatches := requestData.Label != "" && p.Label == requestData.Label
-
+				secretName := ""
+				if p.Secret != nil && p.Secret.Name != "" {
+					secretName = p.Secret.Name
+				}
+				secretPath := ""
+				if p.Secret != nil && p.Secret.Path != "" {
+					secretPath = p.Secret.Path
+				}
 				if labelMatches || uuidMatches || deviceNameMatches {
 					return &SealedVolumeData{
 						Quarantined:    v.Spec.Quarantined,
-						SecretName:     p.Secret.Name,
-						SecretPath:     p.Secret.Path,
+						SecretName:     secretName,
+						SecretPath:     secretPath,
 						VolumeName:     v.Name,
 						PartitionLabel: p.Label,
 					}
@@ -306,3 +360,36 @@ func findVolumeFor(requestData PassphraseRequestData, volumeList *keyserverv1alp

 	return nil
 }
+
+// errorMessage should be used when an error should be both, printed to the stdout
+// and sent over the wire to the websocket client.
+func errorMessage(conn *websocket.Conn, logger logr.Logger, theErr error, description string) {
+	if theErr == nil {
+		return
+	}
+	logger.Error(theErr, description)
+
+	writer, err := conn.NextWriter(websocket.BinaryMessage)
+	if err != nil {
+		logger.Error(err, "getting a writer from the connection")
+	}
+
+	errMsg := theErr.Error()
+	err = json.NewEncoder(writer).Encode(payload.Data{Error: errMsg})
+	if err != nil {
+		logger.Error(err, "error encoding the response to json")
+	}
+	err = writer.Close()
+	if err != nil {
+		logger.Error(err, "closing the writer")
+	}
+}
+
+func logRequestHandler(logger logr.Logger, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		logger.Info("Incoming request", "method", r.Method, "uri", r.URL.String(),
+			"referer", r.Header.Get("Referer"), "userAgent", r.Header.Get("User-Agent"))
+
+		h.ServeHTTP(w, r)
+	})
+}
--- a/pkg/payload/payload.go
+++ b/pkg/payload/payload.go
@@ -0,0 +1,19 @@
+package payload
+
+type Data struct {
+	Passphrase  string `json:"passphrase"`
+	Error       string `json:"error"`
+	GeneratedBy string `json:"generated_by"`
+}
+
+func (d Data) HasError() bool {
+	return d.Error != ""
+}
+
+func (d Data) HasPassphrase() bool {
+	return d.Passphrase != ""
+}
+
+func (d Data) HasBeenGenerated() bool {
+	return d.GeneratedBy != ""
+}
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,44 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "schedule": [
+    "after 11pm every weekday",
+    "before 7am every weekday",
+    "every weekend"
+  ],
+  "timezone": "Europe/Brussels",
+  "rebaseWhen": "behind-base-branch",
+  "reviewers": [ "team:maintainers" ],
+  "packageRules": [
+    {
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "automerge": true
+    }
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": [
+        "^Earthfile$"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sARG\\s+.+_VERSION=(?<currentValue>.*?)\\s"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{versioning}}{{else}}semver{{/if}}"
+    },
+    {
+      "fileMatch": [
+        "^earthly\\.(sh|ps1)$"
+      ],
+      "datasourceTemplate": "docker",
+      "depNameTemplate": "earthly/earthly",
+      "matchStrings": [
+        "earthly\\/earthly:(?<currentValue>.*?)\\s"
+      ],
+      "versioningTemplate": "semver-coerced"
+    }
+  ]
+}
--- a/scripts/e2e-tests.sh
+++ b/scripts/e2e-tests.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+
+# This scripts prepares a cluster where we install the kcrypt CRDs.
+# This is where sealed volumes are created.
+
+GINKGO_NODES="${GINKGO_NODES:-1}"
+K3S_IMAGE="rancher/k3s:v1.26.1-k3s1"
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+CLUSTER_NAME=$(echo $RANDOM | md5sum | head -c 10; echo;)
+export KUBECONFIG=$(mktemp)
+
+# https://unix.stackexchange.com/a/423052
+getFreePort() {
+  echo $(comm -23 <(seq "30000" "30200" | sort) <(ss -Htan | awk '{print $4}' | cut -d':' -f2 | sort -u) | shuf | head -n "1")
+}
+
+cleanup() {
+  echo "Cleaning up $CLUSTER_NAME"
+  k3d cluster delete "$CLUSTER_NAME" || true
+  rm -rf "$KUBECONFIG"
+}
+trap cleanup EXIT
+
+# Create a cluster and bind ports 80 and 443 on the host
+# This will allow us to access challenger server on 10.0.2.2 which is the IP
+# on which qemu "sees" the host.
+# We change the CIDR because k3s creates iptables rules that block DNS traffic to this CIDR
+# (something like that). If you run k3d inside a k3s cluster (inside a Pod), DNS won't work
+# inside the k3d server container unless you use a different CIDR.
+# Here we are avoiding CIDR "10.43.x.x"
+k3d cluster create "$CLUSTER_NAME" --k3s-arg "--cluster-cidr=10.49.0.1/16@server:0" --k3s-arg "--service-cidr=10.48.0.1/16@server:0" -p '80:80@server:0' -p '443:443@server:0' --image "$K3S_IMAGE"
+k3d kubeconfig get "$CLUSTER_NAME" > "$KUBECONFIG"
+
+# Import the controller image that we built at the start into to the cluster
+# this image has to exists and be available in the local docker
+k3d image import -c "$CLUSTER_NAME" controller:latest
+
+# Install cert manager
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
+kubectl wait --for=condition=Available deployment --timeout=2m -n cert-manager --all
+
+# Replace the CLUSTER_IP in the kustomize resource
+# Only needed for debugging so that we can access the server from the host
+# (the 10.0.2.2 IP address is only useful from within qemu)
+export CLUSTER_IP=$(docker inspect "k3d-${CLUSTER_NAME}-server-0"  | jq -r '.[0].NetworkSettings.Networks[].IPAddress')
+envsubst \
+    < "$SCRIPT_DIR/../tests/assets/challenger-server-ingress.template.yaml" \
+    > "$SCRIPT_DIR/../tests/assets/challenger-server-ingress.yaml"
+
+# Install the challenger server kustomization
+kubectl apply -k "$SCRIPT_DIR/../tests/assets/"
+
+# 10.0.2.2 is where the vm sees the host
+# https://stackoverflow.com/a/6752280
+export KMS_ADDRESS="10.0.2.2.challenger.sslip.io"
+
+go run github.com/onsi/ginkgo/v2/ginkgo -v --nodes $GINKGO_NODES --label-filter $LABEL --fail-fast -r ./tests/
--- a/tests/assets/challenger-patch.yaml
+++ b/tests/assets/challenger-patch.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          # Don't try to pull the image we built locally
+          imagePullPolicy: IfNotPresent
+          args:
+          - "--health-probe-bind-address"
+          - ":8081"
+          - "--metrics-bind-address"
+          - "127.0.0.1:8080"
+          - "--namespace"
+          - "default"
+          - "--leader-elect"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kcrypt-escrow-server
+  namespace: system
+spec:
+  type: ClusterIP
+  selector:
+    control-plane: controller-manager
+  ports:
+    - name: wss
+      port: 8082
+      protocol: TCP
+      targetPort: 8082
--- a/tests/assets/challenger-server-ingress.template.yaml
+++ b/tests/assets/challenger-server-ingress.template.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: challenger-server
+  annotations:
+    cert-manager.io/cluster-issuer: "selfsigned"
+    kubernetes.io/ingress.class: "traefik"
+spec:
+  tls:
+  - hosts:
+    - 10.0.2.2.challenger.sslip.io
+    - ${CLUSTER_IP}.challenger.sslip.io
+    - discoverable-kms.local
+    secretName: kms-tls
+  rules:
+    - host: 10.0.2.2.challenger.sslip.io
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: kcrypt-controller-kcrypt-escrow-server
+                port:
+                  number: 8082
+    - host: ${CLUSTER_IP}.challenger.sslip.io
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: kcrypt-controller-kcrypt-escrow-server
+                port:
+                  number: 8082
+    - host: discoverable-kms.local
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: kcrypt-controller-kcrypt-escrow-server
+                port:
+                  number: 8082
--- a/tests/assets/cluster-issuer.yaml
+++ b/tests/assets/cluster-issuer.yaml
@@ -0,0 +1,8 @@
+---
+# Self-signed issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
--- a/tests/assets/kustomization.yaml
+++ b/tests/assets/kustomization.yaml
@@ -0,0 +1,13 @@
+# Adds namespace to all resources.
+namespace: default
+
+bases:
+- ../../config/default
+
+resources:
+- challenger-server-ingress.yaml
+- cluster-issuer.yaml
+
+patchesStrategicMerge:
+# Fix labels and selectors to make challenger server accessible
+- challenger-patch.yaml
--- a/tests/encryption_test.go
+++ b/tests/encryption_test.go
@@ -0,0 +1,454 @@
+package e2e_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"strings"
+	"syscall"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	. "github.com/spectrocloud/peg/matcher"
+	"gopkg.in/yaml.v3"
+
+	client "github.com/kairos-io/kairos-challenger/cmd/discovery/client"
+)
+
+var installationOutput string
+var vm VM
+var mdnsVM VM
+
+var _ = Describe("kcrypt encryption", func() {
+	var config string
+	var vmOpts VMOptions
+	var expectedInstallationSuccess bool
+
+	BeforeEach(func() {
+		expectedInstallationSuccess = true
+
+		vmOpts = DefaultVMOptions()
+		RegisterFailHandler(printInstallationOutput)
+		_, vm = startVM(vmOpts)
+		fmt.Printf("\nvm.StateDir = %+v\n", vm.StateDir)
+
+		vm.EventuallyConnects(1200)
+	})
+
+	JustBeforeEach(func() {
+		configFile, err := os.CreateTemp("", "")
+		Expect(err).ToNot(HaveOccurred())
+		defer os.Remove(configFile.Name())
+
+		err = os.WriteFile(configFile.Name(), []byte(config), 0744)
+		Expect(err).ToNot(HaveOccurred())
+
+		err = vm.Scp(configFile.Name(), "config.yaml", "0744")
+		Expect(err).ToNot(HaveOccurred())
+
+		installationOutput, err = vm.Sudo("/bin/bash -c 'set -o pipefail && kairos-agent manual-install --device auto config.yaml 2>&1 | tee manual-install.txt'")
+		if expectedInstallationSuccess {
+			Expect(err).ToNot(HaveOccurred(), installationOutput)
+		}
+	})
+
+	AfterEach(func() {
+		vm.GatherLog("/run/immucore/immucore.log")
+		err := vm.Destroy(func(vm VM) {
+			// Stop TPM emulator
+			tpmPID, err := os.ReadFile(path.Join(vm.StateDir, "tpm", "pid"))
+			Expect(err).ToNot(HaveOccurred())
+
+			if len(tpmPID) != 0 {
+				pid, err := strconv.Atoi(string(tpmPID))
+				Expect(err).ToNot(HaveOccurred())
+
+				syscall.Kill(pid, syscall.SIGKILL)
+			}
+		})
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	When("discovering KMS with mdns", Label("discoverable-kms"), func() {
+		var tpmHash string
+		var mdnsHostname string
+
+		BeforeEach(func() {
+			By("creating the secret in kubernetes")
+			tpmHash = createTPMPassphraseSecret(vm)
+
+			mdnsHostname = "discoverable-kms.local"
+
+			By("deploying simple-mdns-server vm")
+			mdnsVM = deploySimpleMDNSServer(mdnsHostname)
+
+			config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+kcrypt:
+  challenger:
+	  mdns: true
+    challenger_server: "http://%[1]s"
+`, mdnsHostname)
+		})
+
+		AfterEach(func() {
+			cmd := exec.Command("kubectl", "delete", "sealedvolume", tpmHash)
+			out, err := cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), out)
+
+			err = mdnsVM.Destroy(func(vm VM) {})
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("discovers the KMS using mdns", func() {
+			Skip("TODO: make this test work")
+
+			By("rebooting")
+			vm.Reboot()
+			By("checking that we can connect after installation")
+			vm.EventuallyConnects(1200)
+			By("checking if we got an encrypted partition")
+			out, err := vm.Sudo("blkid")
+			Expect(err).ToNot(HaveOccurred(), out)
+			Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+		})
+	})
+
+	// https://kairos.io/docs/advanced/partition_encryption/#offline-mode
+	When("doing local encryption", Label("local-encryption"), func() {
+		BeforeEach(func() {
+			config = `#cloud-config
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  reboot: false # we will reboot manually
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+`
+		})
+
+		It("boots and has an encrypted partition", func() {
+			vm.Reboot()
+			vm.EventuallyConnects(1200)
+			out, err := vm.Sudo("blkid")
+			Expect(err).ToNot(HaveOccurred(), out)
+			Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+		})
+	})
+
+	//https://kairos.io/docs/advanced/partition_encryption/#online-mode
+	When("using a remote key management server (automated passphrase generation)", Label("remote-auto"), func() {
+		var tpmHash string
+
+		BeforeEach(func() {
+			tpmHash = createTPMPassphraseSecret(vm)
+			config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+kcrypt:
+  challenger:
+    challenger_server: "http://%s"
+    nv_index: ""
+    c_index: ""
+    tpm_device: ""
+`, os.Getenv("KMS_ADDRESS"))
+		})
+
+		AfterEach(func() {
+			cmd := exec.Command("kubectl", "delete", "sealedvolume", tpmHash)
+			out, err := cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), out)
+		})
+
+		It("creates a passphrase and a key/pair to decrypt it", func() {
+			// Expect a LUKS partition
+			vm.Reboot(750)
+			vm.EventuallyConnects(1200)
+			out, err := vm.Sudo("blkid")
+			Expect(err).ToNot(HaveOccurred(), out)
+			Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+
+			// Expect a secret to be created
+			cmd := exec.Command("kubectl", "get", "secrets",
+				fmt.Sprintf("%s-cos-persistent", tpmHash),
+				"-o=go-template='{{.data.generated_by|base64decode}}'",
+			)
+
+			secretOut, err := cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), string(secretOut))
+			Expect(string(secretOut)).To(MatchRegexp("tpm"))
+		})
+	})
+
+	// https://kairos.io/docs/advanced/partition_encryption/#scenario-static-keys
+	When("using a remote key management server (static keys)", Label("remote-static"), func() {
+		var tpmHash string
+		var err error
+
+		BeforeEach(func() {
+			tpmHash, err = vm.Sudo("/system/discovery/kcrypt-discovery-challenger")
+			Expect(err).ToNot(HaveOccurred(), tpmHash)
+
+			kubectlApplyYaml(fmt.Sprintf(`---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: %[1]s
+  namespace: default
+type: Opaque
+stringData:
+  pass: "awesome-plaintext-passphrase"
+`, tpmHash))
+
+			kubectlApplyYaml(fmt.Sprintf(`---
+apiVersion: keyserver.kairos.io/v1alpha1
+kind: SealedVolume
+metadata:
+    name: %[1]s
+    namespace: default
+spec:
+  TPMHash: "%[1]s"
+  partitions:
+    - label: COS_PERSISTENT
+      secret:
+       name: %[1]s
+       path: pass
+  quarantined: false
+`, tpmHash))
+
+			config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+kcrypt:
+  challenger:
+    challenger_server: "http://%s"
+`, os.Getenv("KMS_ADDRESS"))
+		})
+
+		AfterEach(func() {
+			cmd := exec.Command("kubectl", "delete", "sealedvolume", tpmHash)
+			out, err := cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), out)
+
+			cmd = exec.Command("kubectl", "delete", "secret", tpmHash)
+			out, err = cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), out)
+		})
+
+		It("creates uses the existing passphrase to decrypt it", func() {
+			// Expect a LUKS partition
+			vm.Reboot()
+			vm.EventuallyConnects(1200)
+			out, err := vm.Sudo("blkid")
+			Expect(err).ToNot(HaveOccurred(), out)
+			Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+			Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
+		})
+	})
+
+	When("the key management server is listening on https", func() {
+		var tpmHash string
+
+		BeforeEach(func() {
+			tpmHash = createTPMPassphraseSecret(vm)
+		})
+
+		AfterEach(func() {
+			cmd := exec.Command("kubectl", "delete", "sealedvolume", tpmHash)
+			out, err := cmd.CombinedOutput()
+			Expect(err).ToNot(HaveOccurred(), out)
+		})
+
+		When("the certificate is pinned on the configuration", Label("remote-https-pinned"), func() {
+			BeforeEach(func() {
+				cert := getChallengerServerCert()
+				kcryptConfig := createConfigWithCert(fmt.Sprintf("https://%s", os.Getenv("KMS_ADDRESS")), cert)
+				kcryptConfigBytes, err := yaml.Marshal(kcryptConfig)
+				Expect(err).ToNot(HaveOccurred())
+				config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+%s
+
+`, string(kcryptConfigBytes))
+			})
+
+			It("successfully talks to the server", func() {
+				vm.Reboot()
+				vm.EventuallyConnects(1200)
+				out, err := vm.Sudo("blkid")
+				Expect(err).ToNot(HaveOccurred(), out)
+				Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+				Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
+			})
+		})
+
+		When("the no certificate is set in the configuration", Label("remote-https-bad-cert"), func() {
+			BeforeEach(func() {
+				expectedInstallationSuccess = false
+
+				config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+kcrypt:
+  challenger:
+    challenger_server: "https://%s"
+`, os.Getenv("KMS_ADDRESS"))
+			})
+
+			It("fails to talk to the server", func() {
+				out, err := vm.Sudo("cat manual-install.txt")
+				Expect(err).ToNot(HaveOccurred(), out)
+				Expect(out).To(MatchRegexp("failed to verify certificate: x509: certificate signed by unknown authority"))
+			})
+		})
+	})
+})
+
+func printInstallationOutput(message string, callerSkip ...int) {
+	fmt.Printf("This is the installation output in case it's useful:\n%s\n", installationOutput)
+
+	// Ensures the correct line numbers are reported
+	Fail(message, callerSkip[0]+1)
+}
+
+func kubectlApplyYaml(yamlData string) {
+	yamlFile, err := os.CreateTemp("", "")
+	Expect(err).ToNot(HaveOccurred())
+	defer os.Remove(yamlFile.Name())
+
+	err = os.WriteFile(yamlFile.Name(), []byte(yamlData), 0744)
+	Expect(err).ToNot(HaveOccurred())
+
+	cmd := exec.Command("kubectl", "apply", "-f", yamlFile.Name())
+	out, err := cmd.CombinedOutput()
+	Expect(err).ToNot(HaveOccurred(), out)
+}
+
+func getChallengerServerCert() string {
+	cmd := exec.Command(
+		"kubectl", "get", "secret", "-n", "default", "kms-tls",
+		"-o", `go-template={{ index .data "ca.crt" | base64decode }}`)
+	out, err := cmd.CombinedOutput()
+	Expect(err).ToNot(HaveOccurred(), string(out))
+
+	return string(out)
+}
+
+func createConfigWithCert(server, cert string) client.Config {
+	c := client.Config{}
+	c.Kcrypt.Challenger.Server = server
+	c.Kcrypt.Challenger.Certificate = cert
+
+	return c
+}
+
+func createTPMPassphraseSecret(vm VM) string {
+	tpmHash, err := vm.Sudo("/system/discovery/kcrypt-discovery-challenger")
+	Expect(err).ToNot(HaveOccurred(), tpmHash)
+
+	kubectlApplyYaml(fmt.Sprintf(`---
+apiVersion: keyserver.kairos.io/v1alpha1
+kind: SealedVolume
+metadata:
+  name: "%[1]s"
+  namespace: default
+spec:
+  TPMHash: "%[1]s"
+  partitions:
+    - label: COS_PERSISTENT
+  quarantined: false
+`, strings.TrimSpace(tpmHash)))
+
+	return tpmHash
+}
+
+// We run the simple-mdns-server (https://github.com/kairos-io/simple-mdns-server/)
+// inside a VM next to the one we test. The server advertises the KMS as running on 10.0.2.2
+// (the host machine). This is a "hack" and is needed because of how the default
+// networking in qemu works. We need to be within the same network and that
+// network is only available withing another VM.
+// https://wiki.qemu.org/Documentation/Networking
+func deploySimpleMDNSServer(hostname string) VM {
+	opts := DefaultVMOptions()
+	opts.Memory = "2000"
+	opts.CPUS = "1"
+	opts.EmulateTPM = false
+	_, vm := startVM(opts)
+	vm.EventuallyConnects(1200)
+
+	out, err := vm.Sudo(`curl -s https://api.github.com/repos/kairos-io/simple-mdns-server/releases/latest | jq -r .assets[].browser_download_url | grep $(uname -m) | xargs curl -L -o sms.tar.gz`)
+	Expect(err).ToNot(HaveOccurred(), string(out))
+
+	out, err = vm.Sudo("tar xvf sms.tar.gz")
+	Expect(err).ToNot(HaveOccurred(), string(out))
+
+	// Start the simple-mdns-server in the background
+	out, err = vm.Sudo(fmt.Sprintf(
+		"/bin/bash -c './simple-mdns-server --port 80 --address 10.0.2.2 --serviceType _kcrypt._tcp --hostName %s &'", hostname))
+	Expect(err).ToNot(HaveOccurred(), string(out))
+
+	return vm
+}
--- a/tests/suite_test.go
+++ b/tests/suite_test.go
@@ -0,0 +1,234 @@
+package e2e_test
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"testing"
+
+	"github.com/google/uuid"
+	process "github.com/mudler/go-processmanager"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	. "github.com/spectrocloud/peg/matcher"
+	machine "github.com/spectrocloud/peg/pkg/machine"
+	"github.com/spectrocloud/peg/pkg/machine/types"
+)
+
+func TestE2e(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "kcrypt-challenger e2e test Suite")
+}
+
+type VMOptions struct {
+	ISO        string
+	User       string
+	Password   string
+	Memory     string
+	CPUS       string
+	RunSpicy   bool
+	UseKVM     bool
+	EmulateTPM bool
+}
+
+func DefaultVMOptions() VMOptions {
+	var err error
+
+	memory := os.Getenv("MEMORY")
+	if memory == "" {
+		memory = "2096"
+	}
+	cpus := os.Getenv("CPUS")
+	if cpus == "" {
+		cpus = "2"
+	}
+
+	runSpicy := false
+	if s := os.Getenv("MACHINE_SPICY"); s != "" {
+		runSpicy, err = strconv.ParseBool(os.Getenv("MACHINE_SPICY"))
+		Expect(err).ToNot(HaveOccurred())
+	}
+
+	useKVM := false
+	if envKVM := os.Getenv("KVM"); envKVM != "" {
+		useKVM, err = strconv.ParseBool(os.Getenv("KVM"))
+		Expect(err).ToNot(HaveOccurred())
+	}
+
+	return VMOptions{
+		ISO:        os.Getenv("ISO"),
+		User:       user(),
+		Password:   pass(),
+		Memory:     memory,
+		CPUS:       cpus,
+		RunSpicy:   runSpicy,
+		UseKVM:     useKVM,
+		EmulateTPM: true,
+	}
+}
+
+func user() string {
+	user := os.Getenv("SSH_USER")
+	if user == "" {
+		user = "kairos"
+	}
+	return user
+}
+
+func pass() string {
+	pass := os.Getenv("SSH_PASS")
+	if pass == "" {
+		pass = "kairos"
+	}
+
+	return pass
+}
+
+func startVM(vmOpts VMOptions) (context.Context, VM) {
+	if vmOpts.ISO == "" {
+		fmt.Println("ISO missing")
+		os.Exit(1)
+	}
+
+	vmName := uuid.New().String()
+
+	stateDir, err := os.MkdirTemp("", "")
+	Expect(err).ToNot(HaveOccurred())
+
+	if vmOpts.EmulateTPM {
+		emulateTPM(stateDir)
+	}
+
+	sshPort, err := getFreePort()
+	Expect(err).ToNot(HaveOccurred())
+
+	opts := []types.MachineOption{
+		types.QEMUEngine,
+		types.WithISO(vmOpts.ISO),
+		types.WithMemory(vmOpts.Memory),
+		types.WithCPU(vmOpts.CPUS),
+		types.WithSSHPort(strconv.Itoa(sshPort)),
+		types.WithID(vmName),
+		types.WithSSHUser(vmOpts.User),
+		types.WithSSHPass(vmOpts.Password),
+		types.OnFailure(func(p *process.Process) {
+			defer GinkgoRecover()
+
+			var stdout, stderr, serial, status string
+
+			if stdoutBytes, err := os.ReadFile(p.StdoutPath()); err != nil {
+				stdout = fmt.Sprintf("Error reading stdout file: %s\n", err)
+			} else {
+				stdout = string(stdoutBytes)
+			}
+
+			if stderrBytes, err := os.ReadFile(p.StderrPath()); err != nil {
+				stderr = fmt.Sprintf("Error reading stderr file: %s\n", err)
+			} else {
+				stderr = string(stderrBytes)
+			}
+
+			if status, err = p.ExitCode(); err != nil {
+				status = fmt.Sprintf("Error reading exit code file: %s\n", err)
+			}
+
+			if serialBytes, err := os.ReadFile(path.Join(p.StateDir(), "serial.log")); err != nil {
+				serial = fmt.Sprintf("Error reading serial log file: %s\n", err)
+			} else {
+				serial = string(serialBytes)
+			}
+
+			Fail(fmt.Sprintf("\nVM Aborted.\nstdout: %s\nstderr: %s\nserial: %s\nExit status: %s\n",
+				stdout, stderr, serial, status))
+		}),
+		types.WithStateDir(stateDir),
+		// Serial output to file: https://superuser.com/a/1412150
+		func(m *types.MachineConfig) error {
+			if vmOpts.EmulateTPM {
+				m.Args = append(m.Args,
+					"-chardev", fmt.Sprintf("socket,id=chrtpm,path=%s/swtpm-sock", path.Join(stateDir, "tpm")),
+					"-tpmdev", "emulator,id=tpm0,chardev=chrtpm", "-device", "tpm-tis,tpmdev=tpm0")
+			}
+			m.Args = append(m.Args,
+				"-chardev", fmt.Sprintf("stdio,mux=on,id=char0,logfile=%s,signal=off", path.Join(stateDir, "serial.log")),
+				"-serial", "chardev:char0",
+				"-mon", "chardev=char0",
+			)
+			return nil
+		},
+	}
+
+	// Set this to true to debug.
+	// You can connect to it with "spicy" or other tool.
+	var spicePort int
+	if vmOpts.RunSpicy {
+		spicePort, err = getFreePort()
+		Expect(err).ToNot(HaveOccurred())
+		fmt.Printf("Spice port = %d\n", spicePort)
+		opts = append(opts, types.WithDisplay(fmt.Sprintf("-spice port=%d,addr=127.0.0.1,disable-ticketing", spicePort)))
+	}
+
+	if vmOpts.UseKVM {
+		opts = append(opts, func(m *types.MachineConfig) error {
+			m.Args = append(m.Args,
+				"-enable-kvm",
+			)
+			return nil
+		})
+	}
+
+	m, err := machine.New(opts...)
+	Expect(err).ToNot(HaveOccurred())
+
+	vm := NewVM(m, stateDir)
+
+	ctx, err := vm.Start(context.Background())
+	Expect(err).ToNot(HaveOccurred())
+
+	if vmOpts.RunSpicy {
+		cmd := exec.Command("spicy",
+			"-h", "127.0.0.1",
+			"-p", strconv.Itoa(spicePort))
+		err = cmd.Start()
+		Expect(err).ToNot(HaveOccurred())
+	}
+
+	return ctx, vm
+}
+
+// return the PID of the swtpm (to be killed later) and the state directory
+func emulateTPM(stateDir string) {
+	t := path.Join(stateDir, "tpm")
+	err := os.MkdirAll(t, os.ModePerm)
+	Expect(err).ToNot(HaveOccurred())
+
+	cmd := exec.Command("swtpm",
+		"socket",
+		"--tpmstate", fmt.Sprintf("dir=%s", t),
+		"--ctrl", fmt.Sprintf("type=unixio,path=%s/swtpm-sock", t),
+		"--tpm2", "--log", "level=20")
+	err = cmd.Start()
+	Expect(err).ToNot(HaveOccurred())
+
+	err = os.WriteFile(path.Join(t, "pid"), []byte(strconv.Itoa(cmd.Process.Pid)), 0744)
+	Expect(err).ToNot(HaveOccurred())
+}
+
+// https://gist.github.com/sevkin/96bdae9274465b2d09191384f86ef39d
+// GetFreePort asks the kernel for a free open port that is ready to use.
+func getFreePort() (port int, err error) {
+	var a *net.TCPAddr
+	if a, err = net.ResolveTCPAddr("tcp", "localhost:0"); err == nil {
+		var l *net.TCPListener
+		if l, err = net.ListenTCP("tcp", a); err == nil {
+			defer l.Close()
+			return l.Addr().(*net.TCPAddr).Port, nil
+		}
+	}
+	return
+}