fix: align ClusterPolicy with Red Hat OCP 4.21 CC GPU reference

Rewrite ClusterPolicy to match the official Red Hat OCP 4.21.9+
documentation for NVIDIA confidential GPU support. Key changes:

- Remove hardcoded cc-manager v0.1.0 (was from old v25.3.x line,
  caused IntelRootPort crash) — let GPU Operator manage its versions
- Remove hardcoded CC_CAPABLE_DEVICE_IDS and sandbox device plugin
  image/version — operator fills in correct defaults
- Disable host-side components not needed for CC passthrough (driver,
  dcgm, toolkit, migManager) — driver runs inside kata VM via initrd
- Add kataSandboxDevicePlugin env vars (P_GPU_ALIAS, NVSWITCH_ALIAS)
- Add vfioManager BIND_NVSWITCHES env var
- Add both amd_iommu=on and intel_iommu=on to IOMMU MachineConfig

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: butler54

charts/all/nvidia-gpu/templates/cluster-policy.yaml

@@ -6,138 +6,108 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "110"
 spec:
-  operator:
-    defaultRuntime: crio
-    runtimeClass: nvidia
-    use_ocp_driver_toolkit: true
-
+  ccManager:
+    defaultMode: {{ .Values.ccManager.defaultMode | quote }}
+    enabled: {{ .Values.ccManager.enabled }}
+  cdi:
+    default: false
+    enabled: true
+    nriPluginEnabled: false
   daemonsets:
     rollingUpdate:
-      maxUnavailable: "1"
+      maxUnavailable: '1'
     updateStrategy: RollingUpdate
-
+  dcgm:
+    enabled: false
+  dcgmExporter:
+    config:
+      name: ''
+    enabled: false
+    serviceMonitor:
+      enabled: true
+  devicePlugin:
+    config:
+      default: ''
+      name: ''
+    enabled: false
+    mps:
+      root: /run/nvidia/mps
   driver:
-    enabled: true
-    useNvidiaDriverCRD: false
+    certConfig:
+      name: ''
+    enabled: false
+    kernelModuleConfig:
+      name: ''
     kernelModuleType: auto
     licensingConfig:
+      configMapName: ''
       nlsEnabled: true
-      secretName: ""
-    certConfig:
-      name: ""
-    kernelModuleConfig:
-      name: ""
     repoConfig:
-      configMapName: ""
-    virtualTopology:
-      config: ""
+      configMapName: ''
     upgradePolicy:
       autoUpgrade: true
-      maxParallelUpgrades: 1
-      maxUnavailable: 25%
       drain:
         deleteEmptyDir: false
         enable: false
         force: false
         timeoutSeconds: 300
+      maxParallelUpgrades: 1
+      maxUnavailable: 25%
       podDeletion:
         deleteEmptyDir: false
         force: false
         timeoutSeconds: 300
       waitForCompletion:
         timeoutSeconds: 0
-
-  devicePlugin:
+    useNvidiaDriverCRD: false
+    useOpenKernelModules: false
+    virtualTopology:
+      config: ''
+  gdrcopy:
+    enabled: false
+  gds:
     enabled: false
-    config:
-      name: ""
-      default: ""
-    mps:
-      root: /run/nvidia/mps
-
-  dcgm:
-    enabled: true
-
-  dcgmExporter:
-    enabled: true
-    config:
-      name: ""
-    serviceMonitor:
-      enabled: true
-
   gfd:
     enabled: true
-
+  kataManager:
+    enabled: false
+  mig:
+    strategy: single
+  migManager:
+    enabled: false
   nodeStatusExporter:
     enabled: true
-
-  toolkit:
-    enabled: true
-    installDir: /usr/local/nvidia
-
-  validator:
-    plugin:
-      env: []
-
+  operator:
+    defaultRuntime: crio
+    initContainer: {}
+    runtimeClass: nvidia
+    use_ocp_driver_toolkit: true
+  kataSandboxDevicePlugin:
+    enabled: {{ .Values.kataSandboxDevicePlugin.enabled }}
+    env:
+      - name: P_GPU_ALIAS
+        value: pgpu
+      - name: NVSWITCH_ALIAS
+        value: nvswitch
   sandboxWorkloads:
+    defaultWorkload: vm-passthrough
     enabled: true
     mode: kata
-    defaultWorkload: vm-passthrough
-
-  kataManager:
+  toolkit:
     enabled: false
-    config:
-      artifactsDir: /opt/nvidia-gpu-operator/artifacts/runtimeclasses
-
-  ccManager:
-    enabled: {{ .Values.ccManager.enabled }}
-    defaultMode: {{ .Values.ccManager.defaultMode | quote }}
-    repository: nvcr.io/nvidia/cloud-native
-    image: k8s-cc-manager
-    version: v0.1.0
-    env:
-      - name: CC_CAPABLE_DEVICE_IDS
-        value: {{ .Values.ccManager.deviceIDs | quote }}
-
-  kataSandboxDevicePlugin:
-    enabled: {{ .Values.kataSandboxDevicePlugin.enabled }}
-    repository: {{ .Values.kataSandboxDevicePlugin.repository }}
-    image: {{ .Values.kataSandboxDevicePlugin.image }}
-    version: {{ .Values.kataSandboxDevicePlugin.version | quote }}
-
-  sandboxDevicePlugin:
-    enabled: true
-
+    installDir: /usr/local/nvidia
+  validator:
+    plugin:
+      env:
+        - name: WITH_WORKLOAD
+          value: 'false'
   vfioManager:
     enabled: true
-
-  vgpuManager:
-    enabled: false
-
+    env:
+      - name: BIND_NVSWITCHES
+        value: 'true'
   vgpuDeviceManager:
-    enabled: true
-    config:
-      default: default
-
-  gdrcopy:
     enabled: false
-
-  gds:
+  vgpuManager:
     enabled: false
-
-  mig:
-    strategy: single
-
-  migManager:
-    enabled: true
-    config:
-      default: all-disabled
-
-  cdi:
-    default: false
-    enabled: true
-    nriPluginEnabled: false
-
-  nfd:
-    nodefeaturerules: true
 {{- end }}

charts/all/nvidia-gpu/templates/iommu-mco.yaml

@@ -9,7 +9,7 @@ metadata:
   name: 100-iommu-{{ . }}
 spec:
   kernelArguments:
+  - amd_iommu=on
   - intel_iommu=on
-  - iommu=pt
 {{- end }}
 {{- end }}

charts/all/nvidia-gpu/values.yaml

@@ -3,13 +3,9 @@ enabled: true
 ccManager:
   enabled: true
   defaultMode: "on"
-  deviceIDs: "0x2331,0x2322"
 
 kataSandboxDevicePlugin:
   enabled: true
-  repository: nvcr.io/nvidia/cloud-native
-  image: nvidia-sandbox-device-plugin
-  version: "v0.0.2"
 
 iommu:
   enabled: true