rust: Update minimum toolchain to 1.88

bgartzi · Yair Podemsky · Yair Podemsky · commit 4131b91e62cc · 2026-02-10T10:19:29.000+02:00
Minimum rust version was set to 1.85. Fedora is way above that threshold
at the moment. Future EL releases will be above that as well.

While on it, fix some of the linter errors that arise from the minimum
version update.

Co-authored-by: Yair Podemsky &lt;ypodemsk@redhat.com&gt;
Signed-off-by: Beñat Gartzia Arruabarrena &lt;bgartzia@redhat.com&gt;
diff --git a/attestation-key-register/src/main.rs b/attestation-key-register/src/main.rs
@@ -42,7 +42,7 @@ async fn handle_registration(
     client: Client,
     addr: Option<SocketAddr>,
 ) -> Result<impl warp::Reply, Infallible> {
-    info!("Received registration request: {:?}", registration);
+    info!("Received registration request: {registration:?}");
 
     let api: Api<AttestationKey> = Api::default_namespaced(client);
 
@@ -52,8 +52,7 @@ async fn handle_registration(
                 if key.spec.public_key == registration.public_key {
                     let existing_name = key.metadata.name.unwrap_or_default();
                     error!(
-                        "Duplicate public key detected: already exists in AttestationKey '{}'",
-                        existing_name
+                        "Duplicate public key detected: already exists in AttestationKey '{existing_name}'"
                     );
                     return Ok(reply::with_status(
                         reply::json(&serde_json::json!({
@@ -66,11 +65,11 @@ async fn handle_registration(
             }
         }
         Err(e) => {
-            error!("Failed to list AttestationKeys: {}", e);
+            error!("Failed to list AttestationKeys: {e}");
             return Ok(reply::with_status(
                 reply::json(&serde_json::json!({
                     "status": "error",
-                    "message": format!("Failed to check for existing keys: {}", e),
+                    "message": format!("Failed to check for existing keys: {e}"),
                 })),
                 StatusCode::INTERNAL_SERVER_ERROR,
             ));
@@ -108,11 +107,11 @@ async fn handle_registration(
             ))
         }
         Err(e) => {
-            error!("Failed to create AttestationKey: {}", e);
+            error!("Failed to create AttestationKey: {e}");
             Ok(reply::with_status(
                 reply::json(&serde_json::json!({
                     "status": "error",
-                    "message": format!("Failed to create AttestationKey: {}", e),
+                    "message": format!("Failed to create AttestationKey: {e}"),
                 })),
                 StatusCode::INTERNAL_SERVER_ERROR,
             ))
@@ -147,7 +146,7 @@ async fn main() -> anyhow::Result<()> {
         .and_then(handle_registration);
 
     let addr = SocketAddr::from(([0, 0, 0, 0], args.port));
-    info!("Listening on {}", addr);
+    info!("Listening on {addr}");
 
     warp::serve(register).run(addr).await;
 
diff --git a/operator/src/attestation_key_register.rs b/operator/src/attestation_key_register.rs
@@ -133,13 +133,13 @@ async fn ak_reconcile(
     client: Arc<Client>,
 ) -> Result<Action, ControllerError> {
     let ak_name = ak.metadata.name.clone().unwrap_or_default();
-    info!("Attestation Key reconciliation for: {}", ak_name);
+    info!("Attestation Key reconciliation for: {ak_name}");
 
     let client = Arc::unwrap_or_clone(client);
     let machines: Api<Machine> = Api::default_namespaced(client.clone());
     let lp = ListParams::default();
     let machine_list: ObjectList<Machine> = machines.list(&lp).await.map_err(|e| {
-        eprintln!("Error fetching machine list: {}", e);
+        eprintln!("Error fetching machine list: {e}");
         ControllerError::Anyhow(e.into())
     })?;
     for machine in &machine_list.items {
@@ -180,15 +180,15 @@ async fn machine_reconcile(
     let aks: Api<AttestationKey> = Api::default_namespaced(client.clone());
     let lp = ListParams::default();
     let ak_list: ObjectList<AttestationKey> = aks.list(&lp).await.map_err(|e| {
-        eprintln!("Error fetching attestation key list: {}", e);
+        eprintln!("Error fetching attestation key list: {e}");
         ControllerError::Anyhow(e.into())
     })?;
     for ak in ak_list.items {
-        if let Some(ak_address) = &ak.spec.address {
-            if *ak_address == machine_address {
-                approve_ak(&ak, &machine, client.clone()).await?;
-                return Ok(Action::await_change());
-            }
+        if let Some(ak_address) = &ak.spec.address
+            && *ak_address == machine_address
+        {
+            approve_ak(&ak, &machine, client.clone()).await?;
+            return Ok(Action::await_change());
         }
     }
     Ok(Action::await_change())
@@ -313,10 +313,7 @@ async fn secret_reconcile(
         return Ok(Action::await_change());
     }
 
-    info!(
-        "Secret reconciliation for AttestationKey secret: {}",
-        secret_name
-    );
+    info!("Secret reconciliation for AttestationKey secret: {secret_name}");
 
     let secrets: Api<Secret> = Api::default_namespaced(Arc::unwrap_or_clone(client.clone()));
     finalizer(&secrets, ATTESTATION_KEY_SECRET_FINALIZER, secret, |ev| async move {
@@ -328,15 +325,14 @@ async fn secret_reconcile(
                     .await
                     .map(|_| Action::await_change())
                     .map_err(|e| {
-                        eprintln!("Error updating attestation key volumes on secret apply: {}", e);
+                        eprintln!("Error updating attestation key volumes on secret apply: {e}");
                         finalizer::Error::<ControllerError>::ApplyFailed(e.into())
                     })
             }
             Event::Cleanup(secret) => {
                 let secret_name = secret.metadata.name.clone().unwrap_or_default();
                 info!(
-                    "AttestationKey secret {} is being deleted, updating trustee deployment volumes",
-                    secret_name
+                    "AttestationKey secret {secret_name} is being deleted, updating trustee deployment volumes"
                 );
                 let client = Arc::unwrap_or_clone(client);
                 // Update trustee deployment - secrets with deletion_timestamp will be filtered out
@@ -345,8 +341,7 @@ async fn secret_reconcile(
                     .map(|_| Action::await_change())
                     .map_err(|e| {
                         eprintln!(
-                            "Error updating attestation key volumes during secret deletion: {}",
-                            e
+                            "Error updating attestation key volumes during secret deletion: {e}"
                         );
                         finalizer::Error::<ControllerError>::CleanupFailed(e.into())
                     })
diff --git a/operator/src/reference_values.rs b/operator/src/reference_values.rs
@@ -297,13 +297,13 @@ pub async fn handle_new_image(
     let config_maps: Api<ConfigMap> = Api::default_namespaced(ctx.client.clone());
     let mut image_pcrs_map = config_maps.get(PCR_CONFIG_MAP).await?;
     let mut image_pcrs = get_image_pcrs(image_pcrs_map.clone())?;
-    if let Some(pcr) = image_pcrs.0.get(resource_name) {
-        if pcr.reference == boot_image {
-            info!("Image {boot_image} was to be allowed, but already was allowed");
-            return trustee::update_reference_values(ctx)
-                .await
-                .map(|_| COMMITTED_REASON);
-        }
+    if let Some(pcr) = image_pcrs.0.get(resource_name)
+        && pcr.reference == boot_image
+    {
+        info!("Image {boot_image} was to be allowed, but already was allowed");
+        return trustee::update_reference_values(ctx)
+            .await
+            .map(|_| COMMITTED_REASON);
     }
     let image_ref: oci_client::Reference = boot_image.parse()?;
     if image_ref.digest().is_none() {
diff --git a/operator/src/trustee.rs b/operator/src/trustee.rs
@@ -256,7 +256,7 @@ pub async fn update_attestation_keys(client: Client) -> Result<()> {
                     name: secret_name.to_string(),
                     items: Some(vec![KeyToPath {
                         key: "public_key".to_string(),
-                        path: format!("{}.pub", secret_name),
+                        path: format!("{secret_name}.pub"),
                         ..Default::default()
                     }]),
                     ..Default::default()
diff --git a/test_utils/src/lib.rs b/test_utils/src/lib.rs
@@ -370,13 +370,12 @@ impl TestContext {
                 async move {
                     let deployment = api.get(&name).await?;
 
-                    if let Some(status) = &deployment.status {
-                        if let Some(available_replicas) = status.available_replicas {
-                            if available_replicas == 1 {
-                                test_info!(&tn, "{} deployment has 1 available replica", name);
-                                return Ok(());
-                            }
-                        }
+                    if let Some(status) = &deployment.status
+                        && let Some(available_replicas) = status.available_replicas
+                        && available_replicas == 1
+                    {
+                        test_info!(&tn, "{} deployment has 1 available replica", name);
+                        return Ok(());
                     }
 
                     Err(anyhow!(
@@ -485,36 +484,36 @@ impl TestContext {
         let ns = self.test_namespace.clone();
         let sa_src = workspace_root.join("config/rbac/service_account.yaml");
         let sa_content = std::fs::read_to_string(&sa_src)?
-            .replace("namespace: system", &format!("namespace: {}", ns));
+            .replace("namespace: system", &format!("namespace: {ns}"));
         let sa_dst = rbac_temp_dir.join("service_account.yaml");
         std::fs::write(&sa_dst, sa_content)?;
 
         let role_path = rbac_temp_dir.join("role.yaml");
         let role_content = std::fs::read_to_string(&role_path)?.replace(
             "name: trusted-cluster-operator-role",
-            &format!("name: {}-trusted-cluster-operator-role", ns),
+            &format!("name: {ns}-trusted-cluster-operator-role"),
         );
         std::fs::write(&role_path, role_content)?;
 
         let rb_src = workspace_root.join("config/rbac/role_binding.yaml");
         let rb = "name: manager-rolebinding";
         let role = "name: trusted-cluster-operator-role";
         let rb_content = std::fs::read_to_string(&rb_src)?
-            .replace(rb, &format!("name: {}-manager-rolebinding", ns))
-            .replace(role, &format!("name: {}-trusted-cluster-operator-role", ns))
-            .replace("namespace: system", &format!("namespace: {}", ns));
+            .replace(rb, &format!("name: {ns}-manager-rolebinding"))
+            .replace(role, &format!("name: {ns}-trusted-cluster-operator-role"))
+            .replace("namespace: system", &format!("namespace: {ns}"));
         let rb_dst = rbac_temp_dir.join("role_binding.yaml");
         std::fs::write(&rb_dst, rb_content)?;
 
         let le_role_src = workspace_root.join("config/rbac/leader_election_role.yaml");
         let le_role_content = std::fs::read_to_string(&le_role_src)?
-            .replace("namespace: system", &format!("namespace: {}", ns));
+            .replace("namespace: system", &format!("namespace: {ns}"));
         let le_role_dst = rbac_temp_dir.join("leader_election_role.yaml");
         std::fs::write(&le_role_dst, le_role_content)?;
 
         let le_rb_src = workspace_root.join("config/rbac/leader_election_role_binding.yaml");
         let le_rb_content = std::fs::read_to_string(&le_rb_src)?
-            .replace("namespace: system", &format!("namespace: {}", ns));
+            .replace("namespace: system", &format!("namespace: {ns}"));
         let le_rb_dst = rbac_temp_dir.join("leader_election_role_binding.yaml");
         std::fs::write(&le_rb_dst, le_rb_content)?;
 
@@ -570,13 +569,13 @@ impl TestContext {
         let cr_content = std::fs::read_to_string(&cr_manifest_path)?;
         let mut cr_value: serde_yaml::Value = serde_yaml::from_str(&cr_content)?;
 
-        if let Some(spec) = cr_value.get_mut("spec") {
-            if let Some(spec_map) = spec.as_mapping_mut() {
-                spec_map.insert(
-                    serde_yaml::Value::String("publicTrusteeAddr".to_string()),
-                    serde_yaml::Value::String(trustee_addr.clone()),
-                );
-            }
+        if let Some(spec) = cr_value.get_mut("spec")
+            && let Some(spec_map) = spec.as_mapping_mut()
+        {
+            spec_map.insert(
+                serde_yaml::Value::String("publicTrusteeAddr".to_string()),
+                serde_yaml::Value::String(trustee_addr.clone()),
+            );
         }
 
         let updated_content = serde_yaml::to_string(&cr_value)?;
diff --git a/tests/attestation.rs b/tests/attestation.rs
@@ -38,16 +38,17 @@ impl SingleAttestationContext {
     async fn new(vm_name: &str, test_ctx: &TestContext) -> Result<Self> {
         let client = test_ctx.client();
         let namespace = test_ctx.namespace();
+
         let backend = virt::create_backend(client.clone(), namespace, vm_name)?;
 
-        test_ctx.info(format!("Creating VM: {}", vm_name));
+        test_ctx.info(format!("Creating VM: {vm_name}"));
         backend.create_vm().await?;
 
-        test_ctx.info(format!("Waiting for VM {} to reach Running state", vm_name));
+        test_ctx.info(format!("Waiting for VM {vm_name} to reach Running state"));
         backend.wait_for_running(600).await?;
-        test_ctx.info(format!("VM {} is Running", vm_name));
+        ttest_ctx.info(format!("VM {vm_name} is Running"));
 
-        test_ctx.info(format!("Waiting for SSH access to VM {}", vm_name));
+        test_ctx.info(format!("Waiting for SSH access to VM {vm_name}"));
         backend.wait_for_vm_ssh_ready(600).await?;
         test_ctx.info("SSH access is ready");
 
@@ -162,29 +163,29 @@ async fn test_vm_reboot_attestation() -> anyhow::Result<()> {
     // Perform multiple reboots
     let num_reboots = 3;
     for i in 1..=num_reboots {
-        test_ctx.info(format!("Performing reboot {} of {}", i, num_reboots));
+        test_ctx.info(format!("Performing reboot {i} of {num_reboots}"));
 
         // Reboot the VM via SSH
         let _reboot_result = att_ctx.backend.ssh_exec("sudo systemctl reboot").await;
 
-        test_ctx.info(format!("Waiting for lack of SSH access after reboot {}", i));
+        test_ctx.info(format!("Waiting for lack of SSH access after reboot {i}"));
         att_ctx.backend.wait_for_vm_ssh_unavail(30).await?;
 
-        test_ctx.info(format!("Waiting for SSH access after reboot {}", i));
+        test_ctx.info(format!("Waiting for SSH access after reboot {i}"));
         att_ctx.backend.wait_for_vm_ssh_ready(300).await?;
 
         // Verify encrypted root is still present after reboot
-        test_ctx.info(format!("Verifying encrypted root after reboot {}", i));
+        test_ctx.info(format!("Verifying encrypted root after reboot {i}"));
         let has_encrypted_root = att_ctx.verify_encrypted_root().await?;
         assert!(
             has_encrypted_root,
             "VM should have encrypted root device after reboot {i}"
         );
-        test_ctx.info(format!("Reboot {}: attestation successful", i));
+        test_ctx.info(format!("Reboot {i}: attestation successful"));
     }
 
     test_ctx.info(format!(
-        "VM successfully rebooted {num_reboots} times with encrypted root device maintained",
+        "VM successfully rebooted {num_reboots} times with encrypted root device maintained"
     ));
     att_ctx.cleanup().await?;
     test_ctx.cleanup().await?;
diff --git a/tests/trusted_execution_cluster.rs b/tests/trusted_execution_cluster.rs
@@ -60,14 +60,12 @@ async fn test_image_pcrs_configmap_updates() -> anyhow::Result<()> {
             async move {
                 let cm = api.get("image-pcrs").await?;
 
-                if let Some(data) = &cm.data {
-                    if let Some(image_pcrs_json) = data.get("image-pcrs.json") {
-                        if let Ok(image_pcrs) = serde_json::from_str::<ImagePcrs>(image_pcrs_json) {
-                            if !image_pcrs.0.is_empty() {
-                                return Ok(());
-                            }
-                        }
-                    }
+                if let Some(data) = &cm.data
+                    && let Some(image_pcrs_json) = data.get("image-pcrs.json")
+                    && let Ok(image_pcrs) = serde_json::from_str::<ImagePcrs>(image_pcrs_json)
+                    && !image_pcrs.0.is_empty()
+                {
+                    return Ok(());
                 }
 
                 Err(anyhow::anyhow!("image-pcrs ConfigMap not yet populated with image-pcrs.json data"))
@@ -167,12 +165,11 @@ async fn test_image_disallow() -> anyhow::Result<()> {
         let api = configmap_api.clone();
         async move {
             let cm = api.get("trustee-data").await?;
-            if let Some(data) = &cm.data {
-                if let Some(reference_values_json) = data.get("reference-values.json") {
-                    if !reference_values_json.contains(EXPECTED_PCR4) {
-                        return Ok(());
-                    }
-                }
+            if let Some(data) = &cm.data
+                && let Some(reference_values_json) = data.get("reference-values.json")
+                && !reference_values_json.contains(EXPECTED_PCR4)
+            {
+                return Ok(());
             }
             Err(anyhow::anyhow!("Reference value not yet removed"))
         }
