feat(WIP): update posture for 1.0.0 in a generic way

ansible/init-data-gzipper.yaml

@@ -1,4 +1,4 @@
-- name: Gzip initdata
+- name: Gzip initdata and register init data
   become: false
   connection: local
   hosts: localhost
@@ -7,6 +7,7 @@
     kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
     cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
     hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    security_policy_flavour: "{{ global.coco.securityPolicyFlavour | default('insecure') }}"
     template_src: "initdata-default.toml.tpl"
   tasks:
     - name: Create temporary working directory
@@ -55,6 +56,22 @@
         path: "{{ gz_path }}"
       register: gz_slurped
 
+    # This block runs a shell script that calculates a hash value (PCR8_HASH) derived from the contents of 'initdata.toml'.
+    # The script performs the following steps:
+    # 1. hash=$(sha256sum initdata.toml | cut -d' ' -f1): Computes the sha256 hash of 'initdata.toml' and assigns it to $hash.
+    # 2. initial_pcr=000000000000000000000000000000000000000000000000000000000000000: Initializes a string of zeros as the initial PCR value.
+    # 3. PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1): Concatenates initial_pcr and $hash, converts from hex to binary, computes its sha256 hash, and stores the result as PCR8_HASH.
+    # 4. echo $PCR8_HASH: Outputs the PCR hash value.
+    # The important part: The 'register: pcr8_hash' registers the **stdout of the command**, which is the value output by 'echo $PCR8_HASH', as 'pcr8_hash.stdout' in Ansible.
+    # It does NOT register an environment variable, but rather the value actually printed by 'echo'.
+    - name: Register init data pcr into a var
+      ansible.builtin.shell: |
+        hash=$(sha256sum initdata.toml | cut -d' ' -f1)
+        initial_pcr=000000000000000000000000000000000000000000000000000000000000000
+        PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
+      register: pcr8_hash
+
+
     - name: Create/update ConfigMap with gzipped+base64 content
       kubernetes.core.k8s:
         kubeconfig: "{{ kubeconfig | default(omit) }}"
@@ -67,3 +84,4 @@
             namespace: "imperative"
           data:
             INITDATA: "{{ gz_slurped.content }}"
+            PCR8_HASH: "{{ pcr8_hash.stdout }}"

ansible/initdata-default.toml.tpl

@@ -24,6 +24,10 @@ url = "https://kbs.{{ hub_domain }}"
 kbs_cert = """ 
 {{ trustee_cert }}
 """
+
+
+[image]
+image_security_policy_uri = 'kbs:///default/security-policy/{{ security_policy_flavour }}'
 '''
 
 "policy.rego" = '''
@@ -36,7 +40,6 @@ default CopyFileRequest := true
 default CreateContainerRequest := true
 default CreateSandboxRequest := true
 default DestroySandboxRequest := true
-default ExecProcessRequest := false
 default GetMetricsRequest := true
 default GetOOMEventRequest := true
 default GuestDetailsRequest := true
@@ -52,7 +55,6 @@ default RemoveStaleVirtiofsShareMountsRequest := true
 default ReseedRandomDevRequest := true
 default ResumeContainerRequest := true
 default SetGuestDateTimeRequest := true
-default SetPolicyRequest := true
 default SignalProcessRequest := true
 default StartContainerRequest := true
 default StartTracingRequest := true
@@ -64,5 +66,20 @@ default UpdateEphemeralMountsRequest := true
 default UpdateInterfaceRequest := true
 default UpdateRoutesRequest := true
 default WaitProcessRequest := true
-default WriteStreamRequest := true
+default ExecProcessRequest := false
+default SetPolicyRequest := false
+default WriteStreamRequest := false
+
+ExecProcessRequest if {
+    input_command = concat(" ", input.process.Args)
+    some allowed_command in policy_data.allowed_commands
+    input_command == allowed_command
+}
+
+policy_data := {
+  "allowed_commands": [
+        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status",
+        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/random"
+  ]
+}
 '''

overrides/values-trustee.yaml

@@ -6,4 +6,9 @@ kbs:
     - name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH
       key: "secret/data/hub/kbsres1" # this is the path to the secret in vault. 
     - name: "passphrase"
-      key: "secret/data/hub/passphrase"
+      key: "secret/data/hub/passphrase"
+# Override the default values for the coco pattern this is because when testing against a branch strange stuff happens
+# FIXME: Don't commit this to main
+global:
+  coco:
+    secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.

rhdp/rhdp-cluster-define.py

@@ -13,8 +13,22 @@
 from typing_extensions import Annotated
 
 
-def get_default_cluster_configs() -> List[Dict]:
-    """Get default cluster configurations"""
+def get_default_cluster_configs(prefix: str = "") -> List[Dict]:
+    """Get default cluster configurations
+
+    Args:
+        prefix: Optional prefix to add to cluster name and directory
+    """
+    if prefix:
+        return [
+            {
+                "name": f"coco-{prefix}",
+                "directory": f"openshift-install-{prefix}",
+                "cluster_network_cidr": "10.128.0.0/14",
+                "machine_network_cidr": "10.0.0.0/16",
+                "service_network_cidr": "172.30.0.0/16",
+            }
+        ]
     return [
         {
             "name": "coco",
@@ -135,23 +149,35 @@ def run(
     multicluster: Annotated[
         bool, typer.Option("--multicluster", help="Deploy hub and spoke clusters")
     ] = False,
+    prefix: Annotated[
+        str, typer.Option("--prefix", help="Prefix for cluster name and directory")
+    ] = "",
 ):
     """
     Region flag requires an azure region key which can be (authoritatively)
     requested with: "az account list-locations -o table".
 
     Use --multicluster flag to deploy both hub (coco-hub) and spoke (coco-spoke)
     clusters.
+
+    Use --prefix to add a prefix to cluster name and install directory, enabling
+    multiple cluster deployments (e.g., --prefix cluster1 creates coco-cluster1
+    in openshift-install-cluster1).
     """
     validate_dir()
 
     # Choose cluster configurations based on multicluster flag
     if multicluster:
+        if prefix:
+            rprint("WARNING: --prefix is ignored when using --multicluster")
         cluster_configs = get_multicluster_configs()
         rprint("Setting up multicluster deployment (hub and spoke)")
     else:
-        cluster_configs = get_default_cluster_configs()
-        rprint("Setting up single cluster deployment")
+        cluster_configs = get_default_cluster_configs(prefix)
+        if prefix:
+            rprint(f"Setting up single cluster deployment with prefix: {prefix}")
+        else:
+            rprint("Setting up single cluster deployment")
 
     cleanup(pathlib.Path.cwd(), cluster_configs)
     setup_install(

rhdp/wrapper.sh

@@ -14,13 +14,56 @@ get_python_cmd() {
     fi
 } 
 
-if [ "$#" -ne 1 ]; then
-    echo "Error: Exactly one argument is required."
-    echo "Usage: $0 {azure-region-code}"
+# Parse arguments
+AZUREREGION=""
+PREFIX=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --prefix)
+            PREFIX="$2"
+            shift 2
+            ;;
+        --prefix=*)
+            PREFIX="${1#*=}"
+            shift
+            ;;
+        -*)
+            echo "Error: Unknown option $1"
+            echo "Usage: $0 [--prefix <prefix>] {azure-region-code}"
+            echo "Example: $0 eastasia"
+            echo "Example: $0 --prefix cluster1 eastasia"
+            exit 1
+            ;;
+        *)
+            if [ -z "$AZUREREGION" ]; then
+                AZUREREGION="$1"
+            else
+                echo "Error: Too many positional arguments."
+                echo "Usage: $0 [--prefix <prefix>] {azure-region-code}"
+                exit 1
+            fi
+            shift
+            ;;
+    esac
+done
+
+if [ -z "$AZUREREGION" ]; then
+    echo "Error: Azure region is required."
+    echo "Usage: $0 [--prefix <prefix>] {azure-region-code}"
     echo "Example: $0 eastasia"
+    echo "Example: $0 --prefix cluster1 eastasia"
     exit 1
 fi
-AZUREREGION=$1
+
+# Set install directory based on prefix
+if [ -n "$PREFIX" ]; then
+    INSTALL_DIR="openshift-install-${PREFIX}"
+    echo "Using prefix: $PREFIX"
+    echo "Install directory: $INSTALL_DIR"
+else
+    INSTALL_DIR="openshift-install"
+fi
 
 echo "---------------------"
 echo "Validating configuration"
@@ -113,15 +156,19 @@ echo "---------------------"
 echo "defining cluster"
 echo "---------------------"
 PYTHON_CMD=$(get_python_cmd)
-$PYTHON_CMD rhdp/rhdp-cluster-define.py ${AZUREREGION}
+if [ -n "$PREFIX" ]; then
+    $PYTHON_CMD rhdp/rhdp-cluster-define.py --prefix "${PREFIX}" ${AZUREREGION}
+else
+    $PYTHON_CMD rhdp/rhdp-cluster-define.py ${AZUREREGION}
+fi
 echo "---------------------"
 echo "cluster defined"
 echo "---------------------"
 sleep 10
 echo "---------------------"
 echo "openshift-install"
 echo "---------------------"
-openshift-install create cluster --dir=./openshift-install
+openshift-install create cluster --dir=./${INSTALL_DIR}
 echo "openshift-install done"
 echo "---------------------"
 echo "setting up secrets"
@@ -133,7 +180,7 @@ sleep 60
 echo "---------------------"
 echo "pattern install"
 echo "---------------------"
-export KUBECONFIG="$(pwd)/openshift-install/auth/kubeconfig"
+export KUBECONFIG="$(pwd)/${INSTALL_DIR}/auth/kubeconfig"
 
 
 ./pattern.sh make install

scripts/gen-secrets.sh

@@ -4,28 +4,13 @@ echo "Creating secrets as required"
 echo 
 
 COCO_SECRETS_DIR="${HOME}/.coco-pattern"
-SECURITY_POLICY_FILE="${COCO_SECRETS_DIR}/security-policy-config.json"
-SSH_KEY_FILE="${COCO_SECRETS_DIR}/id_rsa"
 KBS_PRIVATE_KEY="${COCO_SECRETS_DIR}/kbsPrivateKey"
 KBS_PUBLIC_KEY="${COCO_SECRETS_DIR}/kbsPublicKey"
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 VALUES_FILE="${HOME}/values-secret-coco-pattern.yaml"
 
 mkdir -p ${COCO_SECRETS_DIR}
 
-if [ ! -f "${SECURITY_POLICY_FILE}" ]; then
-echo "Creating security policy"
-cat > ${SECURITY_POLICY_FILE} <<EOF
-{
-  "default": [
-  {
-    "type": "insecureAcceptAnything"
-  }],
-  "transports": {}
-}
-EOF
-
-fi
 
 if [ ! -f "${KBS_PRIVATE_KEY}" ]; then
     echo "Creating kbs keys"
@@ -34,13 +19,6 @@ if [ ! -f "${KBS_PRIVATE_KEY}" ]; then
     openssl pkey -in "${KBS_PRIVATE_KEY}" -pubout -out "${KBS_PUBLIC_KEY}"
 fi
 
-if [ ! -f "${SSH_KEY_FILE}" ]; then
-    echo "Creating ssh keys"
-    rm -f "${SSH_KEY_FILE}.pub"
-    ssh-keygen -f "${SSH_KEY_FILE}" -N ""
-fi
-
-
 ## Copy a sample values file if this stuff doesn't exist
 
 if [ ! -f "${VALUES_FILE}" ]; then