A central operation of the setup is to download the NBDE server's advertisement. On a basal technical level this fails as at least during our tests there is no running NBDE server (it just invokes the server role within the client role context). But this is also wrong conceptually: The intention is that container builds happen in standard infra pipelines, far away from actual production networks and NBDE servers, and container images also should not have secrets baked in.

For container support the whole library/nbde_client_clevis.py and half of the playbook logic would have to be split out into standalone code, and be postponed to a first-boot unit similar to the certificate role (see RHEL-93207). This is quite a large endeavour which also could really benefit from some SME help.