Draft
61 commits
798156e
Migrate from golang-external-secrets to openshift-external-secrets
butler54 Jun 30, 2026
85e4b43
Add clusterVersion variable for version-aware operator pins
butler54 Jun 30, 2026
332d9f9
Remove hardcoded LVMS channel from baremetal topologies
butler54 Jun 30, 2026
b0f1408
Templatize NFD operand image tag with clusterVersion
butler54 Jun 30, 2026
38952fb
Enable singleArgoCD mode for consolidated ArgoCD management
butler54 Jun 30, 2026
f228913
chore: switch chart refs to git-based for dev testing
butler54 Jun 30, 2026
7140192
chore: set clusterGroupName to baremetal for node-02 testing
butler54 Jun 30, 2026
d359540
fix: complete ESO migration — add operator subscription and fix chart…
butler54 Jun 30, 2026
4d8a1b5
fix: use external-secrets.io/v1 API in intel-dcap ESO templates
butler54 Jun 30, 2026
033cd87
chore: switch sandbox chart to git-based ref for ESO v1 fix testing
butler54 Jun 30, 2026
f9eebcf
fix: pass global.coco.secured to trustee chart for RVPS policy rendering
butler54 Jul 1, 2026
78a3722
fix: remove duplicate kbs.baremetal.enabled override in baremetal-gpu
butler54 Jul 1, 2026
cffc633
fix: add sync-wave ordering to CoCo workload deployments for Kyverno …
butler54 Jul 1, 2026
ad83778
fix: replace xxd with Python for PCR8 hash — eliminates custom contai…
butler54 Jul 1, 2026
3b04161
refactor: rename install-deps to get-azure-deps and restrict to Azure…
butler54 Jul 1, 2026
b01c25d
feat: add ansible playbook to push pull secret to KBS for authenticat…
butler54 Jul 1, 2026
0cdf1ac
feat: add authenticated registry credentials URI to initdata templates
butler54 Jul 1, 2026
4934ec0
feat: add push-pull-secret job to spoke and trusted-hub topologies
butler54 Jul 1, 2026
049211f
fix: pass pull secret as raw base64 — avoid Python repr encoding
butler54 Jul 1, 2026
95f2c56
fix: add ignoreDifferences for Kyverno v3.7 CRDs and SgxDevicePlugin
butler54 Jul 1, 2026
869bf5c
refactor: remove imperative pull-secret job — replaced by ACM policy …
butler54 Jul 1, 2026
f4ed4bf
rename: values-simple.yaml to values-azure.yaml
butler54 Jul 1, 2026
b2c8975
rename: values-spoke.yaml to values-azure-spoke.yaml
butler54 Jul 1, 2026
c9e33cd
refactor: update references to renamed topologies
butler54 Jul 1, 2026
a185de9
feat: add global.hardware.profile variable
butler54 Jul 1, 2026
d142217
feat: merge baremetal-gpu into baremetal with hardware profile gating
butler54 Jul 1, 2026
a1c6e38
feat: add hardware profile override files
butler54 Jul 1, 2026
a99a78a
remove: values-baremetal-gpu.yaml after merge
butler54 Jul 1, 2026
2798864
docs: update for hardware profile system
butler54 Jul 1, 2026
af91ba3
feat: add Makefile detect-hardware target
butler54 Jul 1, 2026
eca7843
docs: document secretStore propagation and update trusted-hub header
butler54 Jul 1, 2026
66319d5
fix: increase kata container creation timeout to 900s for authenticat…
butler54 Jul 1, 2026
fe14f41
chore: use debug-initdata for kbs-access to enable troubleshooting
butler54 Jul 1, 2026
83fadb1
feat(phase5-6): replace workloads with httpd and add signing policy
butler54 Jul 2, 2026
6b39ac4
fix(phase5): revert to insecure policy temporarily
butler54 Jul 2, 2026
805903b
fix(phase5): correct hello-openshift service port to 8080
butler54 Jul 2, 2026
61cd7d0
feat(phase6): implement redhat-secure policy baseline
butler54 Jul 2, 2026
c00a2be
fix(phase6): use KBS URI for GPG public key in redhat-secure policy
butler54 Jul 3, 2026
60caef8
fix(phase6): complete redhat-secure policy with both registries
butler54 Jul 3, 2026
d79fac0
feat(phase-06): fix KBS path mismatch and add GPG key caching
butler54 Jul 3, 2026
31559db
feat(phase-06): add Red Hat sigstore signature verification
butler54 Jul 3, 2026
d1349b9
feat(phase-06): enable sigstore signature verification
butler54 Jul 3, 2026
56d3f9f
fix(phase-06): use embedded keyData for sigstore verification
butler54 Jul 3, 2026
6b3fe46
revert(phase-06): back to insecure policy pending image-rs base64 fix
butler54 Jul 3, 2026
5623028
docs: document container signing blocker
butler54 Jul 4, 2026
2cb8826
feat(phase-08): add ArgoCD PreSync hooks to CoCo workload charts
butler54 Jul 4, 2026
e3ff5fd
fix(phase-08): change PreSync to Sync hooks, fix RBAC deployment, fix…
butler54 Jul 4, 2026
5a84234
fix(phase-08): use openshift/cli image with pre-installed oc
butler54 Jul 4, 2026
cbdbca7
fix(phase-08): use public registry for ose-cli image
butler54 Jul 4, 2026
a80ec1d
fix(phase-08): correct Kyverno ClusterPolicy ready check JSON path
butler54 Jul 4, 2026
d3daa6a
fix(phase-08): replace sync hooks with ConfigMap mounts for vault unl…
butler54 Jul 5, 2026
e99c949
fix(phase-08): add Application sync waves for vault unlock before MCO…
butler54 Jul 5, 2026
1304890
fix(imperative): disable duplicate serviceAccountCreate to fix ArgoCD…
butler54 Jul 5, 2026
cc66a28
fix(phase-08): add vault-unsealed sync hook before MCO-triggering apps
butler54 Jul 5, 2026
803a389
fix(phase-08): use vault HTTP API instead of oc exec in sync hook
butler54 Jul 5, 2026
141c4c2
fix(imperative): remove SA overrides, use chart defaults like all oth…
butler54 Jul 5, 2026
b048999
revert(imperative): restore SA overrides - config was correct, not a …
butler54 Jul 5, 2026
632f3c3
fix(phase-08): simplify vault sync hook to curl + grep
butler54 Jul 5, 2026
a5d02fa
fix(imperative): use chart defaults for SA - stop overriding serviceA…
butler54 Jul 5, 2026
44bced3
fix(imperative): keep both SAs but use admin SA for CronJobs
butler54 Jul 5, 2026
beaa8b9
fix(imperative): grant admin perms to imperative-sa via clusterRoleYaml
butler54 Jul 5, 2026
6 changes: 3 additions & 3 deletions .github/workflows/validate-defaults.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,9 @@ jobs:
with:
yq-version: v4.30.7

- name: Validate clusterGroupName is simple
- name: Validate clusterGroupName is azure
run: |
if [ "$(yq '.main.clusterGroupName' values-global.yaml)" != "simple" ]; then
echo "main.clusterGroupName must be 'simple'"
if [ "$(yq '.main.clusterGroupName' values-global.yaml)" != "azure" ]; then
echo "main.clusterGroupName must be 'azure'"
exit 1
fi
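Review bot: the new `azure` check will fail on this branch as it stands, because commit 7140192 (`chore: set clusterGroupName to baremetal for node-02 testing`) changes `main.clusterGroupName` in `values-global.yaml` to `baremetal`; revert that, and the git-based chart refs from f228913 and 033cd87 back to released `chartVersion` pins, before this leaves draft, otherwise this validate-defaults job is the only thing standing between the node-02 test configuration and `main`.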
15 changes: 7 additions & 8 deletions AGENTS.md
Expand Up @@ -45,10 +45,10 @@ Use the **first** approach that fits your requirement:
├── rhdp/ # Red Hat Demo Platform tooling
├── scripts/ # Utility scripts
├── values-global.yaml # Global configuration
├── values-simple.yaml # Cluster group: simple
├── values-azure.yaml # Cluster group: azure
├── values-baremetal.yaml # Cluster group: baremetal
├── values-trusted-hub.yaml # Cluster group: trusted-hub
├── values-spoke.yaml # Cluster group: spoke
├── values-azure-spoke.yaml # Cluster group: azure-spoke
└── values-secret.yaml.template # Secrets template (never commit filled-in copy)
```

Expand All @@ -59,8 +59,8 @@ These charts are published independently and consumed from the `charts.validated
| Chart Name | Repository | Purpose |
|---|---|---|
| `trustee` | `validatedpatterns/trustee-chart` | Trustee / KBS configuration |
| `sandboxed-policies` | `validatedpatterns/sandboxed-policies-chart` | ACM policies hub → spoke |
| `sandboxed-containers` | `validatedpatterns/sandboxed-containers-chart` | Sandboxed runtime on spoke |
| `sandboxed-policies` | `validatedpatterns/sandboxed-policies-chart` | ACM policies hub → azure-spoke |
| `sandboxed-containers` | `validatedpatterns/sandboxed-containers-chart` | Sandboxed runtime on azure-spoke |

Changes to companion charts require a release (Git tag) before the pattern can consume them. Update the `chartVersion:` field in the values files to pick up new releases.
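Review bot: `ACM policies hub → azure-spoke` and `Sandboxed runtime on azure-spoke` narrow the Purpose column to one cluster group, but these companion charts are consumed by any spoke; `hub → spoke` read better as a description of the chart's role, with the concrete cluster-group name belonging in the Cluster Group table below.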

Expand All @@ -70,11 +70,10 @@ Set via `main.clusterGroupName` in `values-global.yaml`.

| Cluster Group | Values File | Role | Description |
|---|---|---|---|
| `simple` | `values-simple.yaml` | Hub (single cluster) | All components on one Azure cluster |
| `baremetal` | `values-baremetal.yaml` | Hub (single cluster) | TDX/SNP + LVM storage on bare metal |
| `baremetal-gpu` | `values-baremetal-gpu.yaml` | Hub (single cluster) | Bare metal + NVIDIA H100 GPU support |
| `azure` | `values-azure.yaml` | Hub (single cluster) | All components on one Azure cluster |
| `baremetal` | `values-baremetal.yaml` | Hub (single cluster) | Bare metal (hardware profile gated: intel-tdx, amd-snp, intel-tdx-gpu, amd-snp-gpu) |
| `trusted-hub` | `values-trusted-hub.yaml` | Multi-cluster hub | Trustee + ACM policies |
| `spoke` | `values-spoke.yaml` | Multi-cluster spoke | Sandbox runtime + workloads |
| `azure-spoke` | `values-azure-spoke.yaml` | Multi-cluster spoke | Sandbox runtime + workloads (Azure) |
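Review bot: the `baremetal` row lists the four profile values but not the default; the README's bare metal steps state `default: intel-tdx`, so add that here so the two documents agree, and say that the profile is selected via `global.hardware.profile` in `values-global.yaml`, since the text above the table only mentions `main.clusterGroupName`.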

## Values File Hierarchy

53 changes: 53 additions & 0 deletions Makefile
Expand Up @@ -4,6 +4,25 @@

include Makefile-common

##@ GPG Key Management
.PHONY: cache-gpg-keys
cache-gpg-keys: ## Download and cache Red Hat GPG public keys to ~/.coco-pattern/

.PHONY: cache-sigstore-keys
cache-sigstore-keys: ## Download and cache Red Hat sigstore public keys to ~/.coco-pattern/
@echo "Fetching Red Hat sigstore public keys..."
@mkdir -p ~/.coco-pattern
@cp keys/SIGSTORE-redhat-release3 ~/.coco-pattern/SIGSTORE-redhat-release3
@echo "Sigstore key cached at ~/.coco-pattern/SIGSTORE-redhat-release3"
@echo "Key fingerprint: E60D446E63405576"
@echo "Fetching Red Hat GPG public keys..."
@mkdir -p ~/.coco-pattern
@curl -fsSL https://access.redhat.com/security/data/fd431d51.txt -o ~/.coco-pattern/RPM-GPG-KEY-redhat-release
@echo "GPG key cached at ~/.coco-pattern/RPM-GPG-KEY-redhat-release"
@echo "Key fingerprint (verify this matches Red Hat official):"
@gpg --import-options show-only --import < ~/.coco-pattern/RPM-GPG-KEY-redhat-release 2>/dev/null | grep -A1 "^pub" || echo "Install gpg to verify fingerprint"


##@ Reference Value Collection
.PHONY: collect-firmware-refvals
collect-firmware-refvals: ## Collect firmware reference values (bare metal, default)
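Review bot: `cache-gpg-keys` at the top of the hunk has no recipe, and the steps that fetch the GPG key (`curl ... fd431d51.txt` and the `gpg --import-options show-only` fingerprint print) sit under `cache-sigstore-keys`, so `make cache-gpg-keys` does nothing and the sigstore target does both jobs; move everything from `Fetching Red Hat GPG public keys...` downwards under `cache-gpg-keys`. Two further points on the same recipe: the downloaded key is only displayed for manual comparison, so pin the expected fingerprint in the Makefile and `exit 1` on mismatch, because this file becomes the trust root of the signing policy; and `Key fingerprint: E60D446E63405576` is an echoed literal rather than a value computed from `keys/SIGSTORE-redhat-release3`, so either compute it or drop the line so it cannot drift from the file.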
Expand All @@ -12,3 +31,37 @@ collect-firmware-refvals: ## Collect firmware reference values (bare metal, defa
.PHONY: collect-azure-refvals
collect-azure-refvals: ## Collect PCR reference values (Azure)
@scripts/collect-firmware-refvals.sh --platform azure

##@ Hardware Detection
.PHONY: detect-hardware
detect-hardware: ## Detect hardware profile from cluster nodes (requires KUBECONFIG or oc login)
@echo "Detecting hardware profile from cluster nodes..."
@echo "---"
@CPU_VENDOR=$$(oc get nodes -o jsonpath='{.items[0].metadata.labels.feature\.node\.kubernetes\.io/cpu-model\.vendor_id}' 2>/dev/null) && \
TDX_ENABLED=$$(oc get nodes -o jsonpath='{.items[0].metadata.labels.feature\.node\.kubernetes\.io/cpu-security\.tdx\.enabled}' 2>/dev/null) && \
SNP_ENABLED=$$(oc get nodes -o jsonpath='{.items[0].metadata.labels.feature\.node\.kubernetes\.io/cpu-security\.sev\.snp}' 2>/dev/null) && \
GPU_PRESENT=$$(oc get nodes -o jsonpath='{.items[0].metadata.labels.nvidia\.com/gpu\.present}' 2>/dev/null) && \
echo "CPU Vendor: $${CPU_VENDOR:-unknown}" && \
echo "TDX Enabled: $${TDX_ENABLED:-false}" && \
echo "SNP Enabled: $${SNP_ENABLED:-false}" && \
echo "GPU Present: $${GPU_PRESENT:-false}" && \
echo "---" && \
if [ "$${CPU_VENDOR}" = "Intel" ] && [ "$${TDX_ENABLED}" = "true" ]; then \
if [ "$${GPU_PRESENT}" = "true" ]; then \
echo "Recommended profile: intel-tdx-gpu"; \
else \
echo "Recommended profile: intel-tdx"; \
fi; \
elif [ "$${CPU_VENDOR}" = "AuthenticAMD" ] || [ "$${SNP_ENABLED}" = "true" ]; then \
if [ "$${GPU_PRESENT}" = "true" ]; then \
echo "Recommended profile: amd-snp-gpu"; \
else \
echo "Recommended profile: amd-snp"; \
fi; \
else \
echo "Could not determine hardware profile."; \
echo "Ensure NFD operator is running and node labels are populated."; \
echo "Set global.hardware.profile manually in values-global.yaml"; \
fi && \
echo "" && \
echo "To apply: edit values-global.yaml and set global.hardware.profile to the recommended value."
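Review bot: `.items[0]` in each jsonpath query only inspects the first node returned, which on a multi-node cluster is typically a control-plane node without TDX/SNP or GPU labels, so detection reports `unknown`; restrict to workers (`-l node-role.kubernetes.io/worker`) or iterate over all nodes. The two vendor branches are also inconsistent: the Intel branch requires `CPU_VENDOR = Intel` and `TDX_ENABLED = true`, whereas the AMD branch is `CPU_VENDOR = AuthenticAMD` or `SNP_ENABLED = true`, so an AMD node with no SNP label is still recommended `amd-snp`, and the vendor string is compared in a different form from the Intel one; use `&&` and the same label-value form for both.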
47 changes: 24 additions & 23 deletions README.md
Expand Up @@ -8,17 +8,21 @@ Confidential containers use hardware-backed Trusted Execution Environments (TEEs

The pattern provides four deployment topologies:

1. **Single cluster** (`simple` clusterGroup) — deploys all components (Trustee, Vault, ACM, sandboxed containers, workloads) in one cluster on Azure. This breaks the RACI separation expected in a remote attestation architecture but simplifies testing and demonstrations.
1. **Single cluster** (`azure` clusterGroup) — deploys all components (Trustee, Vault, ACM, sandboxed containers, workloads) in one cluster on Azure. This breaks the RACI separation expected in a remote attestation architecture but simplifies testing and demonstrations.

2. **Multi-cluster** (`trusted-hub` + `spoke` clusterGroups) — separates the trusted zone from the untrusted workload zone:
2. **Multi-cluster** (`trusted-hub` + `azure-spoke` clusterGroups) — separates the trusted zone from the untrusted workload zone:
- **Hub** (`trusted-hub`): Runs Trustee (KBS + attestation service), HashiCorp Vault, ACM, and cert-manager. This cluster is the trust anchor.
- **Spoke** (`spoke`): Runs the sandboxed containers operator and confidential workloads. The spoke is imported into ACM and managed from the hub.
- **Spoke** (`azure-spoke`): Runs the sandboxed containers operator and confidential workloads. The spoke is imported into ACM and managed from the hub.

3. **Bare metal** (`baremetal` clusterGroup) — deploys all components on bare metal hardware with Intel TDX or AMD SEV-SNP support. NFD (Node Feature Discovery) auto-detects the CPU architecture and configures the appropriate runtime. Supports SNO (Single Node OpenShift) and multi-node clusters.

4. **Bare metal with GPU** (`baremetal-gpu` clusterGroup) — extends the bare metal topology with NVIDIA H100 confidential GPU support. Adds the NVIDIA GPU Operator, IOMMU kernel configuration, and a sample CUDA workload for CC GPU verification. Requires NVIDIA H100 GPUs with confidential computing firmware.
Hardware-specific operators (GPU, Intel device plugins, DCAP) are controlled by `global.hardware.profile`:
- `intel-tdx` — Intel TDX without GPU
- `amd-snp` — AMD SEV-SNP without GPU
- `intel-tdx-gpu` — Intel TDX with NVIDIA H100 GPU
- `amd-snp-gpu` — AMD SEV-SNP with NVIDIA H100 GPU

The topology is controlled by the `main.clusterGroupName` field in `values-global.yaml`.
The topology is controlled by the `main.clusterGroupName` field in `values-global.yaml`. For bare metal deployments, also set `global.hardware.profile` to match your hardware configuration.

Azure deployments use peer-pods, which provision confidential VMs (`Standard_DCas_v5` family) directly on the Azure hypervisor. Bare metal deployments use layered images and hardware TEE features directly.
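Review bot: the unchanged lead-in still says `The pattern provides four deployment topologies:` while item 4 is removed and folded into `global.hardware.profile`; change it to three and, in the profile list, state the default profile (`intel-tdx`, as the bare metal steps say) so a reader who never sets the variable knows which operators they get.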

Expand Down Expand Up @@ -81,7 +85,7 @@ These scripts generate the cryptographic material and attestation reference valu

### Single cluster deployment (Azure)

1. Set `main.clusterGroupName: simple` in `values-global.yaml`
1. Set `main.clusterGroupName: azure` in `values-global.yaml`
2. Ensure your Azure configuration is populated in `values-global.yaml` (see `global.azure.*` fields)
3. `./pattern.sh make install`
4. Wait for the cluster to reboot all nodes (the sandboxed containers operator triggers a MachineConfig update). Monitor progress in the ArgoCD UI.
Expand All @@ -92,17 +96,20 @@ These scripts generate the cryptographic material and attestation reference valu
2. Deploy the hub cluster: `./pattern.sh make install`
3. Wait for ACM (`MultiClusterHub`) to reach `Running` state on the hub
4. Provision a second OpenShift 4.19.28+ cluster on Azure for the spoke
5. Import the spoke into ACM with label `clusterGroup=spoke`
5. Import the spoke into ACM with label `clusterGroup=azure-spoke`
(see [importing a cluster](https://validatedpatterns.io/learn/importing-a-cluster/))
6. ACM will automatically deploy the `spoke` clusterGroup applications (sandboxed containers, workloads) to the imported cluster
6. ACM will automatically deploy the `azure-spoke` clusterGroup applications (sandboxed containers, workloads) to the imported cluster

### Bare metal deployment

1. Set `main.clusterGroupName: baremetal` in `values-global.yaml`
2. Run `bash scripts/gen-secrets.sh` to generate KBS keys and PCCS secrets
3. For Intel TDX: uncomment the PCCS secrets in `~/values-secret-coco-pattern.yaml` and provide your Intel PCS API key
4. `./pattern.sh make install`
5. Wait for the cluster to reboot nodes (MachineConfig updates for TDX kernel parameters and vsock)
2. Set `global.hardware.profile` to match your hardware (default: `intel-tdx`)
- Run `make detect-hardware` after NFD is deployed to detect your hardware profile automatically
- Options: `intel-tdx`, `amd-snp`, `intel-tdx-gpu`, `amd-snp-gpu`
3. Run `bash scripts/gen-secrets.sh` to generate KBS keys and PCCS secrets
4. For Intel TDX: uncomment the PCCS secrets in `~/values-secret-coco-pattern.yaml` and provide your Intel PCS API key
5. `./pattern.sh make install`
6. Wait for the cluster to reboot nodes (MachineConfig updates for TDX/SEV-SNP kernel parameters and vsock)

> **Note:** Bare metal support is currently tested on SNO (Single Node OpenShift) configurations. Multi-node bare metal clusters are expected to work but have not been validated yet.
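Review bot: step 2 runs `make detect-hardware` before `make install` (step 5), but the target reads NFD node labels and its own failure message says to ensure the NFD operator is running; NFD is deployed by the pattern's baremetal chart, so on a fresh cluster the command cannot succeed at step 2. Either state that detection is only available after the first install, with a note that changing the profile afterwards triggers further MachineConfig reboots, or describe how to obtain NFD labels before installing.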

Expand All @@ -117,20 +124,14 @@ The system auto-detects your hardware:

Optional: pin PCCS to a specific node with `bash scripts/get-pccs-node.sh` and set `baremetal.pccs.nodeSelector` in the baremetal chart values.

### Bare metal GPU deployment

1. Set `main.clusterGroupName: baremetal-gpu` in `values-global.yaml`
2. Run `bash scripts/gen-secrets.sh` to generate KBS keys and PCCS secrets
3. For Intel TDX: uncomment the PCCS secrets in `~/values-secret-coco-pattern.yaml` and provide your Intel PCS API key
4. `./pattern.sh make install`
5. Wait for the cluster to reboot nodes (MachineConfig updates for TDX/SEV-SNP kernel parameters, vsock, and IOMMU)
6. Approve the GPU Operator install plan when it appears (uses `installPlanApproval: Manual`)

> **Note:** The `baremetal-gpu` topology deploys IOMMU MachineConfig on all nodes and will trigger reboots. For clusters without GPUs, use the `baremetal` topology instead. The GPU workload deployment will remain Pending on non-GPU systems but is otherwise harmless.
For GPU-enabled deployments (`intel-tdx-gpu` or `amd-snp-gpu` profiles):
- IOMMU MachineConfig is deployed on all nodes and will trigger reboots
- Approve the GPU Operator install plan when it appears (uses `installPlanApproval: Manual`)
- A sample CUDA workload (`gpu-workload`) is deployed for CC GPU verification

## Sample applications

Two sample applications are deployed on the cluster running confidential workloads (the single cluster in `simple` mode, or the spoke in multi-cluster mode):
Two sample applications are deployed on the cluster running confidential workloads (the single cluster in `azure` mode, or the spoke in multi-cluster mode):

- **hello-openshift**: Three pods demonstrating CoCo security boundaries:
- `standard` — a regular Kubernetes pod (no confidential computing)
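Review bot: the removed note explained that on GPU-less clusters the GPU workload stays Pending; with gating now on `global.hardware.profile`, say explicitly that the IOMMU MachineConfig, the GPU Operator and `gpu-workload` are rendered only for the `intel-tdx-gpu` and `amd-snp-gpu` profiles, so readers on `intel-tdx`/`amd-snp` know to expect neither the extra IOMMU reboot nor a Pending pod.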
2 changes: 1 addition & 1 deletion ansible/install-deps.yaml → ansible/get-azure-deps.yaml
@@ -1,4 +1,4 @@
- name: Retrieve Credentials for AAP on OpenShift
- name: Install Azure collection dependencies
become: false
connection: local
hosts: localhost
4 changes: 2 additions & 2 deletions ansible/init-data-gzipper.yaml
Expand Up @@ -132,15 +132,15 @@
ansible.builtin.shell: |
set -o pipefail
initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
PCR8_HASH=$(echo -n "${initial_pcr}{{ raw_hash.stdout }}" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
PCR8_HASH=$(echo -n "${initial_pcr}{{ raw_hash.stdout }}" | python3 -c "import sys,hashlib; print(hashlib.sha256(bytes.fromhex(sys.stdin.read())).hexdigest())") && echo $PCR8_HASH

Check failure on line 135 in ansible/init-data-gzipper.yaml (GitHub Actions / build): yaml[line-length]: Line too long (187 > 160 characters)
register: pcr8_hash
changed_when: false

- name: Register debug init data pcr into a var
ansible.builtin.shell: |
set -o pipefail
initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
PCR8_HASH=$(echo -n "${initial_pcr}{{ debug_raw_hash.stdout }}" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
PCR8_HASH=$(echo -n "${initial_pcr}{{ debug_raw_hash.stdout }}" | python3 -c "import sys,hashlib; print(hashlib.sha256(bytes.fromhex(sys.stdin.read())).hexdigest())") && echo $PCR8_HASH

Check failure on line 143 in ansible/init-data-gzipper.yaml (GitHub Actions / build): yaml[line-length]: Line too long (193 > 160 characters)
register: debug_pcr8_hash
changed_when: false
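Review bot: the `python3 -c` one-liners at diff lines 135 and 143 are 187 and 193 characters, which the `yaml[line-length]` check (limit 160) flags in the annotations above, so the build is red; move the hashing into a short script under `scripts/` or an inline `python3 - <<'EOF'` heredoc within the block. Worth a task comment that this is also a behaviour change for the better: `bytes.fromhex` raises on non-hex input where `xxd -r -p` silently skipped it, so with `set -o pipefail` a malformed `raw_hash.stdout` now fails the play instead of producing a wrong PCR8 reference value.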

1 change: 1 addition & 0 deletions ansible/initdata-debug.toml.tpl
Expand Up @@ -24,6 +24,7 @@ kbs_cert = """{{ trustee_cert }}"""

[image]
image_security_policy_uri = 'kbs:///default/security-policy/{{ security_policy_flavour }}'
authenticated_registry_credentials_uri = 'kbs:///default/credential/regcred'
'''

"policy.rego" = '''
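Review bot: `authenticated_registry_credentials_uri = 'kbs:///default/credential/regcred'` hardcodes the KBS resource path while the neighbouring `image_security_policy_uri` is templated through `security_policy_flavour`; since 869bf5c replaced the imperative pull-secret job with an ACM policy, document which policy writes `default/credential/regcred` and consider exposing the path as a variable with this value as default. If the resource is absent the image pull fails inside the guest rather than at the pod, which is hard to diagnose from outside.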
1 change: 1 addition & 0 deletions ansible/initdata-default.toml.tpl
Expand Up @@ -24,6 +24,7 @@ kbs_cert = """{{ trustee_cert }}"""

[image]
image_security_policy_uri = 'kbs:///default/security-policy/{{ security_policy_flavour }}'
authenticated_registry_credentials_uri = 'kbs:///default/credential/regcred'
'''

"policy.rego" = '''
2 changes: 1 addition & 1 deletion charts/all/baremetal/templates/nfd-instance.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
namespace: openshift-nfd
spec:
operand:
image: registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9:v4.20
image: registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9:v{{ .Values.global.clusterVersion }}
imagePullPolicy: Always
servicePort: 12000
workerConfig:
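Review bot: `v{{ .Values.global.clusterVersion }}` renders the tag as a bare `v` when the value is unset, and if `clusterVersion` is ever supplied as a full patch version the tag becomes `v4.20.x`-style instead of the previous `v4.20`; wrap it as `{{ required "global.clusterVersion is required" .Values.global.clusterVersion }}` and document in the values file that the major.minor form is expected.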
2 changes: 1 addition & 1 deletion charts/all/intel-dcap/templates/pccs-secrets-eso.yaml
@@ -1,5 +1,5 @@
---
apiVersion: "external-secrets.io/v1beta1"
apiVersion: "external-secrets.io/v1"
kind: ExternalSecret
metadata:
name: pccs-secrets-eso
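Review bot: moving to `external-secrets.io/v1` is only valid if the operator installed by the new `openshift-external-secrets` subscription (d359540) serves that version; the `secretStoreRef` target of this ExternalSecret (outside the shown context) must be on the same group version, and `pccs-tls-eso.yaml` gets the identical change, so a grep for remaining `v1beta1` across `charts/` before merge would confirm nothing was missed.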
2 changes: 1 addition & 1 deletion charts/all/intel-dcap/templates/pccs-tls-eso.yaml
@@ -1,5 +1,5 @@
---
apiVersion: "external-secrets.io/v1beta1"
apiVersion: "external-secrets.io/v1"
kind: ExternalSecret
metadata:
name: pccs-tls-eso
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,15 @@ spec:
- |
/opt/cuda-samples/Samples/0_Introduction/vectorAdd/build/vectorAdd
sleep 36000
volumeMounts:
- name: initdata
mountPath: /opt/confidential-containers/initdata
readOnly: true
resources:
limits:
nvidia.com/pgpu: 1
volumes:
- name: initdata
configMap:
name: debug-initdata
optional: false
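Review bot: the GPU workload mounts `debug-initdata` (`name: debug-initdata`, `optional: false`), i.e. the troubleshooting initdata introduced in fe14f41, so this demo pod will attest against the debug policy rather than the default one; make the ConfigMap name a chart value that defaults to `initdata`, keeping `readOnly: true` on the mount as done here. The `nvidia.com/pgpu: 1` limit is what schedules the pod onto a GPU node, so the profile gating from d142217 must stop this chart rendering under the non-GPU profiles or the pod sits Pending.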
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ spec:
image: quay.io/openshift/origin-hello-openshift
ports:
- containerPort: 8888
volumeMounts:
- name: initdata
mountPath: /opt/confidential-containers/initdata
readOnly: true
securityContext:
privileged: false
allowPrivilegeEscalation: false
Expand All @@ -31,3 +35,8 @@ spec:
- ALL
seccompProfile:
type: RuntimeDefault
volumes:
- name: initdata
configMap:
name: debug-initdata
optional: false
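Review bot: this Deployment mounts the `debug-initdata` ConfigMap at `/opt/confidential-containers/initdata`, but the `coco.io/initdata-configmap` annotation that tells the runtime which initdata to boot the guest with is outside the shown context; the two must name the same ConfigMap, otherwise the file the container reads differs from the policy the guest actually attested with. A comment above the volume stating that pairing would stop a later edit breaking it silently.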
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: secure-web-content
labels:
app: secure
annotations:
argocd.argoproj.io/sync-wave: "5"
data:
index.html: |
<!DOCTYPE html>
<html>
<head>
<title>Hello OpenShift</title>
</head>
<body>
<h1>Hello, OpenShift!</h1>
<p>This confidential container is running on Red Hat httpd.</p>
</body>
</html>
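Review bot: the ConfigMap carries `argocd.argoproj.io/sync-wave: "5"`, so the Deployment that mounts it as `web-content` needs a wave of 5 or later; if it lands in an earlier wave the pod sits in ContainerCreating until the ConfigMap exists, which looks like an attestation failure when debugging. State the intended wave ordering in a comment next to the annotation.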
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,20 @@ spec:
annotations:
peerpods: "true"
coco.io/initdata-configmap: initdata
io.katacontainers.config.runtime.create_container_timeout: "900"
spec:
runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
containers:
- name: hello-openshift
image: quay.io/openshift/origin-hello-openshift
image: registry.redhat.io/ubi9/httpd-24@sha256:68a91ff691092f455fea682330c499588747231c16516cd4f35aff821e6847f2
ports:
- containerPort: 8888
- containerPort: 8080
volumeMounts:
- name: web-content
mountPath: /var/www/html
- name: initdata
mountPath: /opt/confidential-containers/initdata
readOnly: true
securityContext:
privileged: false
allowPrivilegeEscalation: false
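Review bot: the image is pinned by `@sha256:` digest, which is the right choice; since sigstore verification was reverted to the insecure policy in 6b3fe46, this digest is currently the only integrity control on the workload image, so add a comment saying not to replace it with a tag. The `io.katacontainers.config.runtime.create_container_timeout: "900"` annotation (66319d5) should likewise carry a comment explaining that it covers authenticated registry pulls plus attestation inside the guest, otherwise the next person will trim it back and see intermittent creation failures.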
Expand All @@ -32,3 +39,11 @@ spec:
- ALL
seccompProfile:
type: RuntimeDefault
volumes:
- name: web-content
configMap:
name: secure-web-content
- name: initdata
configMap:
name: initdata
optional: false
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,10 @@ metadata:
name: secure
spec:
ports:
- name: 8888-tcp
port: 8888
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8888
targetPort: 8080
selector:
app: secure
sessionAffinity: None
7 changes: 7 additions & 0 deletions charts/coco-supported/kbs-access-curl/Chart.yaml
@@ -0,0 +1,7 @@
apiVersion: v2
description: Demonstrates accessing keys within the KBS using httpd to serve the secret.
keywords:
- pattern
- confidential-containers
name: kbs-access-curl
version: 0.1.0
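Review bot: the description says the chart uses `httpd to serve the secret`, which means the value fetched from the KBS is exposed to anything that can reach the Service; that is fine for a demonstration of KBS access, but the description should say so explicitly so the chart is not lifted as a template for a real workload.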