diff --git a/README.md b/README.md index 02cf461a..8afd14a7 100644 --- a/README.md +++ b/README.md 
@@ -2,28 +2,30 @@ This is a validated pattern for deploying confidential containers on OpenShift. -The target operating model has two clusters: +There are two topologies for deploying this pattern: -- One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed. -- A second where a subset of workloads are deployed in confidential containers. +1. *Default* using a single cluster. This breaks the RACI expected in a remote attestation architecture, however, makes it easier to test. This uses the `simple` `clusterGroup`. +2. A more secure operating model that has two clusters: + - One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed. This is also the Advanced Cluster Manager Hub cluster. It uses the `trusted-hub` `clusterGroup`. + - A second where a subset of workloads are deployed in confidential containers. It uses the `spoke` `clusterGroup` The current version of this application the confidential containers assumes deployment to Azure. -On the platform a sample workload is deployed: +On the cluster where confidential workloads are deployed two sample applications are deployed: 1. Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee). 2. A sample application `kbs-access` which presents secrets obtained from trustee to a web service. This is designed to allow users to test locked down environments. Future work includes: -1. Supporting a multiple cluster deployment -2. Supporting multiple infrastructure providers -3. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs. +1. ~~Supporting a multiple cluster deployment~~ Done +2. Supporting multiple infrastructure providers - Work in Progress. +3. Supporting air-gapped deployments - Work in Progress. +4. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs. 
## Current constraints and assumptions - Only currently is known to work with `azure` as the provider of confidential vms via peer-pods. -- Only known to work today with everything on one cluster. The work to expand this is in flight. - Below version 3.1, if not using ARO you must either provide your own CA signed certs, or use let's encrypt. - Must be on 4.16.14 or later. @@ -61,9 +63,6 @@ The pattern has been tested on Azure for two installation methods: 1. Installing onto an ARO cluster 2. Self managed OpenShift install using the `openshift-install` CLI. -> [!IMPORTANT] -> You need an external CA signed certificate for to be added (e.g. with let's encrypt) to a self-managed install - ### `1.0.0` 1.0.0 supports OpenShift Sandboxed containers version `1.8.1` along with Trustee version `0.2.0`. 
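Review bot: in the first README hunk (`@@ -2,28 +2,30 @@`) item 1 says the single-cluster default "breaks the RACI expected in a remote attestation architecture" but never says what that means for the person choosing it; one concrete sentence would do, for example "With everything on one cluster the same cluster admin controls both the confidential workload and the Trustee/KBS that verifies it, so attestation only proves the guest's state to an operator who already controls the guest; the two-cluster model keeps the verifier and the released secrets outside the workload cluster's administrative domain." The unchanged line "The current version of this application the confidential containers assumes deployment to Azure." is garbled and should become "The current version of this pattern assumes deployment to Azure." while the paragraph is being touched. In the constraints list, "Only currently is known to work with `azure`" reads better as "Currently only known to work with `azure`".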
@@ -73,18 +72,15 @@ The pattern has been tested on Azure for one installation method: 1. Self managed OpenShift install using the `openshift-install` CLI 2. Installing on top of an existing Azure Red Hat OpenShift (ARO) cluster -## Validated pattern flavours +## Changing deployment topoloiges -**Today the demo has one flavour**. -A number are planned based on various different hub cluster-groups. -You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file. +**Today the demo has two deployment topologies** +The most important change is what `clusterGroup` is deployed to your main or 'hub' cluster. -`values-simple.yaml`: or the `simple` cluster group is the default for the pattern. -It deploys a hello-openshift application 3 times: +You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file. -- A standard pod -- A kata container with peer-pods -- A confidential kata-container +- `values-simple.yaml`: or the `simple` cluster group is the default for the pattern. It deploys everything in one cluster. +-`values-trusted-hub`: or the `trusted-hub` cluster group can be configured as the main cluster group. A second cluster should be deployed with the `spoke` cluster group. Follow [instructions here](https://validatedpatterns.io/learn/importing-a-cluster/) to add the second cluster. ## Setup instructions 
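Review bot: the new heading "## Changing deployment topoloiges" has a typo ("topologies"), and the second bullet "-`values-trusted-hub`: or the `trusted-hub` cluster group" is missing the space after the dash, so it will not render as a list item; it should also name the file the same way as the first bullet, i.e. `values-trusted-hub.yaml`. The bold line "**Today the demo has two deployment topologies**" needs a full stop before the next sentence. Since the old list of the three `hello-openshift` variants (standard pod, kata peer-pod, confidential kata) is dropped here, make sure that information survives somewhere, as it is the only place a reader learns what the sample workload actually compares.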
@@ -110,12 +106,12 @@ This only has to be done once. > [!NOTE] > Once generated this script will not override secrets. Be careful when doing multiple tests. -#### Configuring let's encrypt +#### Configuring let's encrypt (deprecated) > [!IMPORTANT] > Ensure you have password login available to the cluster. Let's encrypt will replace the API certificate in addition to the certificates to user with routes. -Trustee requires a trusted CA issued certificate. Let's Encrypt is included for environments without a trusted cert on OpenShift's routes. +Trustee (guest agents) requires that Trustee uses a Mozilla trusted CA issued certificate, or a specific certificate which is known in advance. Today the pattern uses specific self signed certs. Let's encrypt was an option for getting a trusted certificate onto OpenShift's routes, and therefore Trustee. Ths functionality will be removed at a later date. If you need a Let's Encrypt certificate to be issued the `letsencrypt` application configuration needs to be changed as below. diff --git a/ansible/gen-certificate.yaml b/ansible/gen-certificate.yaml deleted file mode 100644 index b676388c..00000000 --- a/ansible/gen-certificate.yaml +++ /dev/null 
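Review bot: the replacement sentence "Trustee (guest agents) requires that Trustee uses a Mozilla trusted CA issued certificate, or a specific certificate which is known in advance" is circular; say who trusts what, e.g. "The guest-side agents only accept a KBS certificate that chains to a Mozilla-trusted root or that is pinned in advance (the `cert`/`kbs_cert` fields of the initdata); today the pattern pins a self-signed certificate." Because this same patch deletes `ansible/gen-certificate.yaml` and the PushSecret/ExternalSecret plumbing that produced and distributed that self-signed certificate, the README should also state what now generates it and how it reaches the initdata, otherwise a reader of this section cannot tell where the pinned certificate comes from. Typos: "Ths functionality" and, in the unchanged IMPORTANT note, "certificates to user with routes" ("to use with").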
@@ -1,139 +0,0 @@ ---- -- name: Generate self-signed TLS cert for KBS and push to Kubernetes Secret - hosts: localhost - connection: local - become: false - gather_facts: false - vars: - kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" - hub_domain: "{{ global.hubClusterDomain | default('none') | lower}}" - secret_name: kbs-tls-self-signed - common_name: "kbs-trustee-operator-system.{{ hub_domain }}" - days_valid: 365 - renewal_threshold_days: 10 - need_new_cert: false - pre_tasks: - - - name: Check if TLS secret exists - kubernetes.core.k8s_info: - kubeconfig: "{{ kubeconfig }}" - api_version: v1 - kind: Secret - name: "{{ secret_name }}" - namespace: "imperative" - register: existing_secret - ignore_errors: true - - - name: Set fact that certificate doesn't exist - ansible.builtin.set_fact: - need_new_cert: true - when: existing_secret.resources | length == 0 - - - name: Extract existing certificate if secret exists - ansible.builtin.set_fact: - existing_cert_data: "{{ existing_secret.resources[0].data['tls.crt'] | b64decode }}" - when: existing_secret.resources | length > 0 - - - name: Create temporary file for existing certificate analysis - ansible.builtin.tempfile: - state: file - suffix: .crt - register: temp_cert_file - when: existing_secret.resources | length > 0 - - - name: Write existing certificate to temp file - ansible.builtin.copy: - content: "{{ existing_cert_data }}" - dest: "{{ temp_cert_file.path }}" - mode: "0600" - when: existing_secret.resources | length > 0 - - - name: Get certificate expiry date - community.crypto.x509_certificate_info: - path: "{{ temp_cert_file.path }}" - register: cert_info - when: existing_secret.resources | length > 0 - - - name: Calculate days until expiry - ansible.builtin.set_fact: - days_until_expiry: "{{ ((cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}" - when: existing_secret.resources | length > 0 - - - name: Set fact to generate new certificate if expiring soon - ansible.builtin.set_fact: - 
need_new_cert: true - when: - - existing_secret.resources | length > 0 - - days_until_expiry | int <= renewal_threshold_days - - - name: Clean up temporary certificate file - ansible.builtin.file: - path: "{{ temp_cert_file.path }}" - state: absent - when: existing_secret.resources | length > 0 - - - name: Display certificate status - ansible.builtin.debug: - msg: > - Certificate status: - {% if existing_secret.resources | length == 0 %} - No existing certificate found. Will generate new certificate. - {% elif need_new_cert %} - Certificate expires in {{ days_until_expiry }} days (threshold: {{ renewal_threshold_days }} days). Will generate new certificate. - {% else %} - Certificate is valid for {{ days_until_expiry }} more days. Skipping certificate generation. - {% endif %} - - - name: Create temporary directory for cert generation - ansible.builtin.tempfile: - state: directory - prefix: kbs-cert- - register: tmpdir - when: need_new_cert - - tasks: - - name: Generate private key - community.crypto.openssl_privatekey: - path: "{{ tmpdir.path }}/tls.key" - size: 4096 - when: need_new_cert - - - name: Generate CSR - community.crypto.openssl_csr: - path: "{{ tmpdir.path }}/tls.csr" - privatekey_path: "{{ tmpdir.path }}/tls.key" - common_name: "kbs-trustee-operator-system" - subject_alt_name: - - "DNS:{{ common_name }}" - when: need_new_cert - - - name: Generate self-signed certificate - community.crypto.x509_certificate: - path: "{{ tmpdir.path }}/tls.crt" - privatekey_path: "{{ tmpdir.path }}/tls.key" - csr_path: "{{ tmpdir.path }}/tls.csr" - provider: selfsigned - selfsigned_not_after: "+{{ days_valid }}d" - when: need_new_cert - - - name: Create or update TLS secret for KBS - kubernetes.core.k8s: - kubeconfig: "{{ kubeconfig }}" - state: present - definition: - apiVersion: v1 - kind: Secret - metadata: - name: "{{ secret_name }}" - namespace: "imperative" - type: kubernetes.io/tls - stringData: - tls.crt: "{{ lookup('file', tmpdir.path + '/tls.crt') }}" - 
tls.key: "{{ lookup('file', tmpdir.path + '/tls.key') }}" - when: need_new_cert - - - name: Cleanup temporary directory - ansible.builtin.file: - path: "{{ tmpdir.path }}" - state: absent - when: need_new_cert and tmpdir is defined diff --git a/ansible/initdata-default.toml.tpl b/ansible/initdata-default.toml.tpl index fccb7dee..9cadbc1c 100644 --- a/ansible/initdata-default.toml.tpl +++ b/ansible/initdata-default.toml.tpl @@ -5,10 +5,10 @@ version = "0.1.0" "aa.toml" = ''' [token_configs] [token_configs.coco_as] -url = "https://kbs-trustee-operator-system.{{ hub_domain }}" +url = "https://kbs.{{ hub_domain }}" [token_configs.kbs] -url = "https://kbs-trustee-operator-system.{{ hub_domain }}" +url = "https://kbs.{{ hub_domain }}" cert = """ {{ trustee_cert }} """ @@ -20,7 +20,7 @@ credentials = [] [kbc] name = "cc_kbc" -url = "https://kbs-trustee-operator-system.{{ hub_domain }}" +url = "https://kbs.{{ hub_domain }}" kbs_cert = """ {{ trustee_cert }} """ diff --git a/charts/coco-supported/sandbox/Chart.yaml b/charts/coco-supported/sandbox/Chart.yaml deleted file mode 100644 index bdd27271..00000000 --- a/charts/coco-supported/sandbox/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -description: A Helm chart to deploy sandbox containers and uses upstream where required. -keywords: -- pattern -- upstream -- sandbox -name: sandbox -version: 0.0.1 diff --git a/charts/coco-supported/sandbox/templates/feature-gate.yaml b/charts/coco-supported/sandbox/templates/feature-gate.yaml deleted file mode 100644 index 0ab80f99..00000000 --- a/charts/coco-supported/sandbox/templates/feature-gate.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: osc-feature-gates - namespace: openshift-sandboxed-containers-operator -data: - confidential: "true" 
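Review bot: the initdata template now points both token configs and the `cc_kbc` at `https://kbs.{{ hub_domain }}` instead of `https://kbs-trustee-operator-system.{{ hub_domain }}`, while the certificate pinned alongside it (`cert = """{{ trustee_cert }}"""`) is unchanged; the playbook deleted in this same patch issued that certificate with `subject_alt_name: DNS:kbs-trustee-operator-system.{{ hub_domain }}`, so whatever now produces `trustee_cert` must carry `kbs.{{ hub_domain }}` as a SAN, or the guest will reject the KBS at TLS handshake and no secrets will be released. The deleted `kbs-route.yaml` also only defined `name: kbs` in `trustee-operator-system` with no explicit `host`, which yields the old `kbs-trustee-operator-system.<domain>` name; the route with the new host is not in this diff, so please note in the README where it is defined.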
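Review bot: deleting `feature-gate.yaml` removes the `osc-feature-gates` ConfigMap with `confidential: "true"`, which is the switch that makes the sandboxed-containers runtime confidential rather than plain kata; together with the `KataConfig` (`enablePeerPods` keyed on `clusterPlatform`) and the `ssh-key-secret` ExternalSecret deleted in the following hunks, everything that used to make the runtime confidential now lives in an external `sandboxed-containers` chart that this diff only references by name. Please confirm in the PR description that the chart sets the same feature gate, and add the chart's source to the README so the setting stays reviewable.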
diff --git a/charts/coco-supported/sandbox/templates/kata-config.yaml b/charts/coco-supported/sandbox/templates/kata-config.yaml deleted file mode 100644 index 2e398911..00000000 --- a/charts/coco-supported/sandbox/templates/kata-config.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kataconfiguration.openshift.io/v1 -kind: KataConfig -metadata: - annotations: - argocd.argoproj.io/sync-wave: "100" - name: default-kata-config -spec: - enablePeerPods: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}true{{ else }}false{{ end }} \ No newline at end of file diff --git a/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml b/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml deleted file mode 100644 index 7d13ab45..00000000 --- a/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and (ne .Values.global.secretStore.backend "none") (eq .Values.global.clusterPlatform "Azure") }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: ssh-key-secret-eso - namespace: openshift-sandboxed-containers-operator -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: ssh-key-secret - template: - type: Opaque - dataFrom: - - extract: - key: {{ .Values.sandbox.sshKey }} -{{- end }} \ No newline at end of file diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml deleted file mode 100644 index 51130b76..00000000 --- a/charts/coco-supported/sandbox/values.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Chart-specific values -# Common values are inherited from values-global.yaml - -# Global values used by this chart (overridden by values-global.yaml) -global: - clusterPlatform: "" # Cluster platform: "Azure" or "AWS" - -# Secret store configuration (overridden by values-global.yaml) -secretStore: - name: "" - kind: "" - -# Sandbox-specific configuration -sandbox: - sshKey: secret/data/global/sshKey - # These variables today limit to one cluster - # revise using imperative framework to infer from cluster vars - # Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml diff --git a/charts/hub/sandbox-policies/Chart.yaml b/charts/hub/sandbox-policies/Chart.yaml deleted file mode 100644 index 9baf60a2..00000000 --- a/charts/hub/sandbox-policies/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: Deploy and configure policies for sandboxed containers and propagate data from the hub cluster to the managed clusters. -keywords: -- pattern -name: sandbox-policies -version: 0.0.1 diff --git a/charts/hub/sandbox-policies/README.md b/charts/hub/sandbox-policies/README.md deleted file mode 100644 index b99b39f8..00000000 --- a/charts/hub/sandbox-policies/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Sandboxed policies - -Configure and propagate the policies, in particular the initdata, from the 'hub' cluster to the spoke cluster. diff --git a/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml b/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml deleted file mode 100644 index 784429dc..00000000 --- a/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-to-spoke-initdata-policy - namespace: imperative - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-to-spoke-initdata-cp - namespace: imperative - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - imperative - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: v1 - kind: ConfigMap - metadata: - name: initdata - namespace: imperative - data: - INITDATA: '{{ `{{hub fromConfigMap "imperative" "initdata" "INITDATA" hub}}` }}' - ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-to-spoke-initdata-placement-binding - namespace: imperative - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-to-spoke-initdata-placement-rule - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-to-spoke-initdata-policy - kind: Policy - apiGroup: policy.open-cluster-management.io - ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-to-spoke-initdata-placement-rule - namespace: imperative -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - # Only apply to spoke clusters (exclude local-cluster which is typically the hub) - - key: name - operator: NotIn - values: ["local-cluster"] \ No newline at end of file diff --git a/charts/hub/sandbox-policies/templates/peer-pods-cm.yaml b/charts/hub/sandbox-policies/templates/peer-pods-cm.yaml deleted file mode 100644 index e4608fe6..00000000 
--- a/charts/hub/sandbox-policies/templates/peer-pods-cm.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: peerpods-cm-policy -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: peerpods-cm-cp - spec: - remediationAction: enforce - severity: medium - object-templates: - - - complianceType: mustonlyhave - objectDefinition: - apiVersion: v1 - kind: ConfigMap - metadata: - name: peer-pods-cm - namespace: openshift-sandboxed-containers-operator - data: - CLOUD_PROVIDER: "azure" - VXLAN_PORT: "9000" - AZURE_IMAGE_ID: '{{ `{{if (lookup "v1" "ConfigMap" "openshift-sandboxed-containers-operator" "peer-pods-cm").metadata.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "peer-pods-cm" "AZURE_IMAGE_ID" }}{{ else }}{{ end }}` }}' - AZURE_INSTANCE_SIZE: "{{ .Values.global.coco.azure.defaultVMFlavour }}" - AZURE_INSTANCE_SIZES: "{{ .Values.global.coco.azure.VMFlavours }}" - AZURE_RESOURCE_GROUP: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}' - AZURE_REGION: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).location }}` }}' - AZURE_SUBNET_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}/providers/Microsoft.Network/virtualNetworks/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetName }}` }}/subnets/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subnetName }}` }}' - AZURE_NSG_ID: '/subscriptions/{{ `{{ 
(fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}' - DISABLECVM: "false" - PROXY_TIMEOUT: "5m" - INITDATA: '{{ `{{ fromConfigMap "imperative" "initdata" "INITDATA" }}` }}' - ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: peerpods-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: peerpods-placement-rule - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: peerpods-cm-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: peerpods-placement-rule -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - cloud: Azure ---- diff --git a/charts/hub/sandbox-policies/values.yaml b/charts/hub/sandbox-policies/values.yaml deleted file mode 100644 index f78457ec..00000000 --- a/charts/hub/sandbox-policies/values.yaml +++ /dev/null @@ -1,11 +0,0 @@ - -# Chart-specific values -# Common values are inherited from values-global.yaml - -# Global values used by this chart (overridden by values-global.yaml) -global: - clusterPlatform: "" # Cluster platform: "Azure" or "AWS" - coco: - azure: - defaultVMFlavour: "Standard_DC2as_v5" - VMFlavours: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5" \ No newline at end of file 
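Review bot: the deleted `peer-pods-cm-policy` is the only place in the repo that pinned `DISABLECVM: "false"` and propagated `INITDATA` from the hub `imperative/initdata` ConfigMap into `peer-pods-cm` on every managed cluster labelled `cloud: Azure`, and the deleted `hub-to-spoke-initdata-policy` excluded `local-cluster` so the hub did not receive its own initdata. Since the replacement `sandboxed-policies` chart is outside this diff, please state that it keeps `DISABLECVM: "false"`; if that value ever flips to `"true"` peer pods silently run on ordinary VMs and attestation against the KBS fails closed at best. The deleted `values.yaml` also carried the confidential VM sizes (`Standard_DC2as_v5` and friends) that the README should now document as chart values rather than repo files.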
diff --git a/charts/hub/trustee/Chart.yaml b/charts/hub/trustee/Chart.yaml deleted file mode 100644 index eb84efe2..00000000 --- a/charts/hub/trustee/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: Deploy and configure trustee on the hub cluster. If upstream operatorhub's catalog source is configured to pull trustee down. -keywords: -- pattern -name: trustee -version: 0.0.1 diff --git a/charts/hub/trustee/README.md b/charts/hub/trustee/README.md deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/hub/trustee/templates/dynamic-eso.yaml b/charts/hub/trustee/templates/dynamic-eso.yaml deleted file mode 100644 index be0c6639..00000000 --- a/charts/hub/trustee/templates/dynamic-eso.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} -{{- range .Values.kbs.secretResources }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: {{ .name }}-eso - namespace: trustee-operator-system -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ .name }} - template: - type: Opaque - dataFrom: - - extract: - key: {{ .key }} -{{- end }} -{{- end }} - diff --git a/charts/hub/trustee/templates/kbs-config-map.yaml b/charts/hub/trustee/templates/kbs-config-map.yaml deleted file mode 100644 index df4072a5..00000000 --- a/charts/hub/trustee/templates/kbs-config-map.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: kbs-config - namespace: trustee-operator-system -data: - kbs-config.toml: | - [http_server] - sockets = ["0.0.0.0:8080"] - insecure_http = false - private_key = "/etc/https-key/tls.key" - certificate = "/etc/https-cert/tls.crt" - [admin] - insecure_api = true - auth_public_key = "/etc/auth-secret/publicKey" - - [attestation_token] - insecure_key = true - attestation_token_type = "CoCo" - - [attestation_service] - type = "coco_as_builtin" - work_dir = "/opt/confidential-containers/attestation-service" - policy_engine = "opa" - - [attestation_service.attestation_token_broker] - type = "Ear" - policy_dir = "/opt/confidential-containers/attestation-service/policies" - - [attestation_service.attestation_token_config] - duration_min = 5 - - [attestation_service.rvps_config] - type = "BuiltIn" - - [attestation_service.rvps_config.storage] - type = "LocalJson" - file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json" - - [[plugins]] - name = "resource" - type = "LocalFs" - dir_path = "/opt/confidential-containers/kbs/repository" - - [policy_engine] - policy_path = "/opt/confidential-containers/opa/policy.rego" \ No newline at end of file diff --git a/charts/hub/trustee/templates/kbs-operator-keys.yaml b/charts/hub/trustee/templates/kbs-operator-keys.yaml deleted file mode 100644 index b7e60409..00000000 --- a/charts/hub/trustee/templates/kbs-operator-keys.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: kbs-auth-public-key-eso - namespace: trustee-operator-system -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - data: - target: - name: kbs-auth-public-key - template: - type: Opaque - dataFrom: - - extract: - key: {{ .Values.kbs.publicKey }} -{{- end }} \ No newline at end of file diff --git a/charts/hub/trustee/templates/kbs-route.yaml b/charts/hub/trustee/templates/kbs-route.yaml deleted file mode 100644 index fb70395b..00000000 --- a/charts/hub/trustee/templates/kbs-route.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# Single cluster deploy don't use the route yet. ---- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: kbs - namespace: trustee-operator-system -spec: - port: - targetPort: 8080 - to: - kind: Service - name: kbs-service - weight: 100 - tls: - termination: passthrough diff --git a/charts/hub/trustee/templates/kbs.yaml b/charts/hub/trustee/templates/kbs.yaml deleted file mode 100644 index 4623cc2c..00000000 --- a/charts/hub/trustee/templates/kbs.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: confidentialcontainers.org/v1alpha1 -kind: KbsConfig -metadata: - name: kbsconfig - namespace: trustee-operator-system -spec: - kbsConfigMapName: kbs-config - kbsAuthSecretName: kbs-auth-public-key - kbsDeploymentType: AllInOneDeployment - kbsRvpsRefValuesConfigMapName: rvps-reference-values - kbsSecretResources: - {{- range .Values.kbs.secretResources }} - - "{{ .name }}" - {{- end }} - - "security-policy" - kbsHttpsKeySecretName: kbs-https-key - kbsHttpsCertSecretName: kbs-https-certificate - kbsResourcePolicyConfigMapName: resource-policy - - # TDX specific configuration (optional) - # tdxConfigSpec: - # kbsTdxConfigMapName: tdx-config - - # IBM SE specific configuration (optional) - # ibmSEConfigSpec: - # certStorePvc: - - # Override attestation policy (optional) - # kbsAttestationPolicyConfigMapName: attestation-policy - - # Inject environment variables (optional) - # Enable DEBUG logging in trustee pods - KbsEnvVars: - RUST_LOG: debug - - # service type (optional, it defaults to ClusterIP) - kbsServiceType: ClusterIP diff --git a/charts/hub/trustee/templates/push-secret.yaml b/charts/hub/trustee/templates/push-secret.yaml deleted file mode 100644 index c970b27e..00000000 --- a/charts/hub/trustee/templates/push-secret.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -apiVersion: external-secrets.io/v1alpha1 -kind: PushSecret -metadata: - name: push-certs - namespace: imperative -spec: - updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync - deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted - refreshInterval: 10s # Refresh interval for which push secret will reconcile - secretStoreRefs: # A list of secret stores to push secrets to - - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - selector: - secret: - name: kbs-tls-self-signed # Source Kubernetes secret to be pushed - data: - - match: - secretKey: tls.key # Source Kubernetes secret key to be pushed - remoteRef: - remoteKey: "pushsecrets/kbs-tls-self-signed" # Remote reference (where the secret is going to be pushed) - property: key - - match: - secretKey: tls.crt # Source Kubernetes secret key to be pushed - remoteRef: - remoteKey: "pushsecrets/kbs-tls-self-signed" - property: certificate # Remote reference (where the secret is going to be pushed diff --git a/charts/hub/trustee/templates/reference-values.yaml b/charts/hub/trustee/templates/reference-values.yaml deleted file mode 100644 index 7d62d19f..00000000 --- a/charts/hub/trustee/templates/reference-values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: rvps-reference-values - namespace: trustee-operator-system -data: - reference-values.json: | - [ - ] - -# No reference values yet - # [ - # { - # "name": "sample.svn", - # "expired": "2025-01-01T00:00:00Z", - # "hash-value": [ - # { - # "alg": "sha256", - # "value": "1" - # } - # ] - # } - # ] diff --git a/charts/hub/trustee/templates/resource-policy.yaml b/charts/hub/trustee/templates/resource-policy.yaml deleted file mode 100644 index 963e1666..00000000 --- a/charts/hub/trustee/templates/resource-policy.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: resource-policy - namespace: trustee-operator-system -data: - policy.rego: | - package policy - default allow = true \ No newline at end of file diff --git a/charts/hub/trustee/templates/securityPolicy-eso.yaml b/charts/hub/trustee/templates/securityPolicy-eso.yaml deleted file mode 100644 index cb5ea7c0..00000000 --- a/charts/hub/trustee/templates/securityPolicy-eso.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: securitypolicy-eso - namespace: trustee-operator-system -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - data: - target: - name: security-policy - template: - type: generic - dataFrom: - - extract: - key: {{ .Values.kbs.securityPolicy }} -{{- end }} \ No newline at end of file diff --git a/charts/hub/trustee/templates/tls-cert-eso.yaml b/charts/hub/trustee/templates/tls-cert-eso.yaml deleted file mode 100644 index 0e62533d..00000000 --- a/charts/hub/trustee/templates/tls-cert-eso.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: tls-cert-eso - namespace: trustee-operator-system -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: kbs-https-certificate - template: - type: Opaque - data: - - secretKey: tls.crt - remoteRef: - key: 'secret/data/pushsecrets/kbs-tls-self-signed' - property: certificate -{{- end }} diff --git a/charts/hub/trustee/templates/tls-key-eso.yaml b/charts/hub/trustee/templates/tls-key-eso.yaml deleted file mode 100644 index 308f9b03..00000000 
--- a/charts/hub/trustee/templates/tls-key-eso.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: tls-key-eso - namespace: trustee-operator-system -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: kbs-https-key - template: - type: Opaque - data: - - secretKey: tls.key - remoteRef: - key: 'secret/data/pushsecrets/kbs-tls-self-signed' - property: key -{{- end }} - - diff --git a/charts/hub/trustee/values.yaml b/charts/hub/trustee/values.yaml deleted file mode 100644 index 2cebc838..00000000 --- a/charts/hub/trustee/values.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Chart-specific values -# Common values are inherited from values-global.yaml - - - -# Secret store configuration (overridden by values-global.yaml) -secretStore: - name: "" - kind: "" - -# KBS (Key Broker Service) configuration -kbs: - # Do you do internal HTTPS for the KBS - https: - enabled: false - certAuth: - enabled: false - - # Static secret (remains unchanged) - securityPolicy: secret/data/hub/securityPolicyConfig - - # Static TLS-related secrets (different structure, remain static) - publicKey: secret/data/hub/kbsPublicKey - privateKey: secret/data/global/kbsPrivateKey - - # Dynamic secret resources list - add new secrets here - # Each entry generates an ESO and gets added to kbsSecretResources - secretResources: - - name: "kbsres1" - key: "secret/data/hub/kbsres1" - - name: "passphrase" - key: "secret/data/hub/passphrase" diff --git a/overrides/values-trustee.yaml b/overrides/values-trustee.yaml new file mode 100644 index 00000000..ee42e416 --- /dev/null +++ b/overrides/values-trustee.yaml 
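Review bot: removing the in-repo `trustee` chart also removes from view the demo-grade settings it carried: `kbs-config.toml` had `[admin] insecure_api = true` and `[attestation_token] insecure_key = true`, `resource-policy.yaml` shipped `default allow = true` (every KBS resource released to any caller that obtains a token), and `kbs.yaml` set `RUST_LOG: debug` on the KBS pods. The README now describes the two-cluster topology as "a more secure operating model", so it should say which of these the external `trustee` chart (`chartVersion: 0.1.*`) still sets, and in particular whether the resource policy is still allow-all; otherwise a reader of this repo has no way to see that the KBS is still open. The `reference-values.yaml` being deleted was an empty list, so no reference values are lost, but that too is worth a sentence.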
@@ -0,0 +1,9 @@ +# Override the default values for the trustee chart +# This lists the secret resources that are uploaded to your chosen ESO backend (today by default, Vault). +# it does not contain the secrets themselves +kbs: + secretResources: + - name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH + key: "secret/data/hub/kbsres1" # this is the path to the secret in vault. + - name: "passphrase" + key: "secret/data/hub/passphrase" \ No newline at end of file diff --git a/values-simple.yaml b/values-simple.yaml index a1f42781..c8487700 100644 --- a/values-simple.yaml +++ b/values-simple.yaml @@ -78,17 +78,22 @@ clusterGroup: name: trustee namespace: trustee-operator-system #upstream config project: trustee - path: charts/hub/trustee + chart: trustee + chartVersion: 0.1.* + # Use the override file to specify the list of secrets accessible to trustee from the ESO backend (today by default, Vault). + extraValueFiles: + - '$patternref/overrides/values-trustee.yaml' sandbox: name: sandbox namespace: openshift-sandboxed-containers-operator #upstream config project: sandbox - path: charts/coco-supported/sandbox + chart: sandboxed-containers + chartVersion: 0.0.* sandbox-policies: name: sandbox-policies namespace: openshift-sandboxed-containers-operator #upstream config - project: sandbox - path: charts/hub/sandbox-policies + chart: sandboxed-policies + chartVersion: 0.0.* # Letsencrypt is not required anymore for trustee. # It's only here if you need it for your needs. @@ -113,6 +118,7 @@ clusterGroup: project: workloads path: charts/coco-supported/kbs-access + imperative: # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm # The default schedule is every 10 minutes: imperative.schedule 
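Review bot: in the `values-simple.yaml` hunk the three applications switch from `path:` to `chart:` with floating versions (`trustee` at `0.1.*`, `sandboxed-containers` and `sandboxed-policies` at `0.0.*`) and no chart repository appears anywhere in the diff; a wildcard version means whatever is published next under that name is deployed on the next sync, which for the component that decides what secrets are released is a supply-chain exposure, so either pin exact versions or document the registry and how it is trusted. Also in this hunk `sandbox-policies` loses its `project: sandbox` line while `trustee` keeps `project: trustee`; if that is intentional say so, otherwise the application falls back to the default Argo project. Minor: the comment in `overrides/values-trustee.yaml` starts a sentence with lowercase "it does not contain the secrets themselves", and the file has no trailing newline.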
@@ -135,10 +141,6 @@ clusterGroup: playbook: ansible/azure-nat-gateway.yaml verbosity: -vvv timeout: 3600 - - name: gen-certificate - playbook: ansible/gen-certificate.yaml - verbosity: -vvv - timeout: 3600 - name: init-data-gzipper playbook: ansible/init-data-gzipper.yaml verbosity: -vvv diff --git a/values-spoke.yaml b/values-spoke.yaml index 39501fe4..6e0877c4 100644 --- a/values-spoke.yaml +++ b/values-spoke.yaml @@ -48,8 +48,9 @@ clusterGroup: name: sandbox namespace: openshift-sandboxed-containers-operator #upstream config project: sandbox - path: charts/coco-supported/sandbox - + chart: sandboxed-containers + chartVersion: 0.0.* + hello-openshift: name: hello-openshift namespace: hello-openshift diff --git a/values-trusted-hub.yaml b/values-trusted-hub.yaml index df40bd07..d7314208 100644 --- a/values-trusted-hub.yaml +++ b/values-trusted-hub.yaml @@ -16,7 +16,6 @@ clusterGroup: acm: name: advanced-cluster-management namespace: open-cluster-management - channel: release-2.13 trustee: name: trustee-operator namespace: trustee-operator-system @@ -67,12 +66,17 @@ clusterGroup: name: trustee namespace: trustee-operator-system #upstream config project: trustee - path: charts/hub/trustee + chart: trustee + chartVersion: 0.1.* + # Use the override file to specify the list of secrets accessible to trustee from the ESO backend (today by default, Vault). + extraValueFiles: + - '$patternref/overrides/values-trustee.yaml' sandbox-policies: name: sandbox-policies namespace: openshift-sandboxed-containers-operator #upstream config - project: sandbox - path: charts/hub/sandbox-policies + chart: sandboxed-policies + chartVersion: 0.0.* + imperative: @@ -87,10 +91,6 @@ clusterGroup: playbook: ansible/install-deps.yaml verbosity: -vvv timeout: 3600 - - name: gen-certificate - playbook: ansible/gen-certificate.yaml - verbosity: -vvv - timeout: 3600 - name: init-data-gzipper playbook: ansible/init-data-gzipper.yaml verbosity: -vvv
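Review bot: in `values-trusted-hub.yaml` the ACM subscription drops `channel: release-2.13` without a replacement, so the hub will subscribe to whatever the operator's default channel is at install time; if the intent is to follow the default channel, note it in the README, otherwise keep an explicit channel for reproducible installs. The `sandbox-policies` application in this file loses its `project: sandbox` line in the same way as in `values-simple.yaml`, and `values-spoke.yaml` takes the same wildcard `chartVersion: 0.0.*` for `sandboxed-containers` with no repository shown. Removing the `gen-certificate` playbook from both imperative lists is consistent with deleting `ansible/gen-certificate.yaml`.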