feat: remove lets encrypt and manually specify keys

charts/all/routingtests/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+description: Example
+name: routing-tests
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

charts/all/routingtests/templates/ingress-based-route.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test
+spec:
+  ingressClassName: openshift-default
+  rules:
+  - host: test.test.coco.t9t8p.azure.redhatworkshops.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: standard
+            port:
+              number: 8888
+        path: /
+        pathType: Prefix

charts/all/routingtests/templates/standard-pod.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: standard
+  labels:
+    app: standard
+spec:
+  runtimeClassName: {{ .Values.global.runtimeClass }}
+  containers:
+    - name: hello-openshift
+      image: quay.io/openshift/origin-hello-openshift
+      ports:
+        - containerPort: 8888
+      securityContext:
+        privileged: false
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault

charts/all/routingtests/templates/standard-route.yaml

@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: defacto-standards
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: standard
+    weight: 100
+  wildcardPolicy: None

charts/all/routingtests/templates/standard-svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: standard
+spec:
+  ports:
+  - name: 8888-tcp
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  selector:
+    app: standard
+  sessionAffinity: None
+  type: ClusterIP

charts/all/routingtests/values.yaml

@@ -0,0 +1,17 @@
+
+secretStore:
+  name: vault-backend
+  kind: ClusterSecretStore
+
+# Secret provisioned for the AWS Controller for Kubernetes - S3 
+# Begin global parameters
+
+
+dsp:
+  name: science-project
+  description: "My science project"
+  notebookStorage: '20Gi'
+  pushSecret: true
+
+# https://github.com/openshift-ai-examples/openshift-ai-examples/blob/main/openshift-ai-deploy-llm/manifests/3-notebook-template.yaml
+

charts/coco-supported/custom-init/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+description: A Helm chart which uses ACM to deploy a pod with custom init data including inferring the certificate.
+keywords:
+- pattern
+- upstream
+- sandbox
+name: custom-init
+version: 0.0.1

charts/coco-supported/custom-init/initdata.toml.tpl

@@ -0,0 +1,69 @@
+algorithm = "sha384"
+version = "0.1.0"
+
+[data]
+"aa.toml" = '''
+[token_configs]
+[token_configs.coco_as]
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+
+
+[token_configs.kbs]
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+cert = """
+acmmagickey_trustee_cert
+"""
+'''
+
+"cdh.toml"  = '''
+socket = 'unix:///run/confidential-containers/cdh.sock'
+credentials = []
+
+[kbc]
+name = 'cc_kbc'
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+kbs_cert = """ 
+acmmagickey_trustee_cert
+"""
+'''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+'''

charts/coco-supported/custom-init/templates/custom-initdata-injection.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: custominit-pod-policy
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: custominit-pod-cp
+      spec:
+        remediationAction: enforce
+        severity: medium
+        object-templates:
+
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            kind: Pod
+            metadata:
+              name: custom
+              namespace: custom-init
+              labels:
+                app: custom
+              annotations:
+                io.katacontainers.config.runtime.cc_init_data: '{{ `{{if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name "tls.crt" | base64dec) | base64enc }}{{ else }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" "router-certs-default" "tls.crt" | base64dec) | base64enc }}{{ end }}` }}'
+                peerpods: "true"
+            spec:
+              runtimeClassName: kata-remote
+              containers:
+                - name: hello-openshift
+                  image: quay.io/openshift/origin-hello-openshift
+                  ports:
+                    - containerPort: 8888
+                  securityContext:
+                    privileged: false
+                    allowPrivilegeEscalation: false
+                    runAsNonRoot: true
+                    runAsUser: 1001
+                    capabilities:
+                      drop:
+                        - ALL
+                    seccompProfile:
+                      type: RuntimeDefault
+
+
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: custominit-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: custominit-placement-rule
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: custominit-pod-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: custominit-placement-rule
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchLabels:
+      cloud: Azure
+---
+{{- end }}

charts/coco-supported/custom-init/templates/custom-route.yaml

@@ -0,0 +1,13 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: custom
+  namespace: custom-init
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: custom
+    weight: 100
+  wildcardPolicy: None

charts/coco-supported/custom-init/templates/custom-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: custom
+  namespace: custom-init
+spec:
+  ports:
+  - name: 8888-tcp
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  selector:
+    app: custom
+  sessionAffinity: None
+  type: ClusterIP

charts/coco-supported/hello-openshift/templates/secure-route.yaml

@@ -9,4 +9,4 @@ spec:
     kind: Service
     name: secure
     weight: 100
-  wildcardPolicy: None
+  wildcardPolicy: None

charts/coco-supported/sandbox/initdata.toml.tpl

@@ -5,17 +5,65 @@ version = "0.1.0"
 "aa.toml" = '''
 [token_configs]
 [token_configs.coco_as]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+
 
 [token_configs.kbs]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+cert = """
+acmmagickey_trustee_cert
+"""
 '''
 
 "cdh.toml"  = '''
 socket = 'unix:///run/confidential-containers/cdh.sock'
 credentials = []
 
 [kbc]
-name = "cc_kbc"
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+name = 'cc_kbc'
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+kbs_cert = """ 
+acmmagickey_trustee_cert
+"""
+'''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
 '''

charts/coco-supported/sandbox/templates/initdata-placeholder.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata: 
+  name: initdata-placeholder
+data:
+  initdata: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}' # keep as b64
+
+

charts/coco-supported/sandbox/templates/kata-config.yaml

@@ -7,4 +7,5 @@ metadata:
   name: default-kata-config
 spec:
   enablePeerPods: true
+  logLevel: debug
 {{ end }}