feat!: add Kyverno-based cc_init_data injection for OSC 1.12 / Trustee 1.1

Replace broken io.katacontainers.config.agent.policy annotation with
Kyverno MutatingPolicy that injects cc_init_data from ConfigMaps into
pods with kata runtime classes.

- Add coco-kyverno-policies chart with MutatingPolicy, ValidatingPolicy,
  and ClusterPolicy for ConfigMap namespace propagation
- Update imperative job to generate both default and debug initdata
  ConfigMaps with Kyverno validation fields
- Update workload pod templates to use coco.io/initdata-configmap
  annotation instead of inline policy
- Update values-simple.yaml: OSC 1.12, Trustee 1.1, Kyverno Helm app
- Add conditional memory annotation for non-Azure platforms
- Delete insecure-policy.rego (policy now embedded in cc_init_data)

BREAKING CHANGE: Requires Kyverno and OSC 1.12 / Trustee 1.1.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: butler54

ansible/init-data-gzipper.yaml

@@ -9,6 +9,7 @@
     hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
     security_policy_flavour: "{{ global.coco.securityPolicyFlavour | default('insecure') }}"
     template_src: "initdata-default.toml.tpl"
+    debug_template_src: "initdata-debug.toml.tpl"
   tasks:
     - name: Create temporary working directory
       ansible.builtin.tempfile:
@@ -37,32 +38,82 @@
     - name: Define temp file paths
       ansible.builtin.set_fact:
         rendered_path: "{{ tmpdir.path }}/rendered.toml"
+        debug_rendered_path: "{{ tmpdir.path }}/debug-rendered.toml"
 
-    - name: Render template to temp file
+    - name: Render default template to temp file
       ansible.builtin.template:
         src: "{{ template_src }}"
         dest: "{{ rendered_path }}"
         mode: "0600"
 
+    - name: Render debug template to temp file
+      ansible.builtin.template:
+        src: "{{ debug_template_src }}"
+        dest: "{{ debug_rendered_path }}"
+        mode: "0600"
+
+    - name: Read raw aa.toml from rendered template
+      ansible.builtin.shell: |
+        set -o pipefail
+        python3 -c "
+        import tomllib
+        with open('{{ rendered_path }}', 'rb') as f:
+            data = tomllib.load(f)
+        print(data['data']['aa.toml'], end='')
+        "
+      register: raw_aa_toml
+      changed_when: false
+
+    - name: Read raw cdh.toml from rendered template
+      ansible.builtin.shell: |
+        set -o pipefail
+        python3 -c "
+        import tomllib
+        with open('{{ rendered_path }}', 'rb') as f:
+            data = tomllib.load(f)
+        print(data['data']['cdh.toml'], end='')
+        "
+      register: raw_cdh_toml
+      changed_when: false
 
-    - name: Gzip and base64 encode the rendered content
+    - name: Read raw policy.rego from default template
+      ansible.builtin.shell: |
+        set -o pipefail
+        python3 -c "
+        import tomllib
+        with open('{{ rendered_path }}', 'rb') as f:
+            data = tomllib.load(f)
+        print(data['data']['policy.rego'], end='')
+        "
+      register: raw_policy_rego
+      changed_when: false
+
+    - name: Read raw policy.rego from debug template
+      ansible.builtin.shell: |
+        set -o pipefail
+        python3 -c "
+        import tomllib
+        with open('{{ debug_rendered_path }}', 'rb') as f:
+            data = tomllib.load(f)
+        print(data['data']['policy.rego'], end='')
+        "
+      register: debug_raw_policy_rego
+      changed_when: false
+
+    - name: Gzip and base64 encode the default rendered content
       ansible.builtin.shell: |
         set -o pipefail
         cat "{{ rendered_path }}" | gzip | base64 -w0
       register: initdata_encoded
       changed_when: false
 
-    # This block runs a shell script that calculates a hash value (PCR8_HASH) derived from the contents of 'initdata.toml'.
-    # The script performs the following steps:
-    # 1. hash=$(sha256sum initdata.toml | cut -d' ' -f1): Computes the sha256 hash of 'initdata.toml' and assigns it to $hash.
-    # 2. initial_pcr=0000000000000000000000000000000000000000000000000000000000000000: Initializes a string of zeros as the initial PCR value.
-    # 3. PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1):
-    #    Concatenates initial_pcr and $hash, converts from hex to binary,
-    #    computes its sha256 hash, and stores the result as PCR8_HASH.
-    # 4. echo $PCR8_HASH: Outputs the PCR hash value.
-    # The important part: The 'register: pcr8_hash' registers the **stdout of the command**,
-    #    which is the value output by 'echo $PCR8_HASH', as 'pcr8_hash.stdout' in Ansible.
-    # It does NOT register an environment variable, but rather the value actually printed by 'echo'.
+    - name: Gzip and base64 encode the debug rendered content
+      ansible.builtin.shell: |
+        set -o pipefail
+        cat "{{ debug_rendered_path }}" | gzip | base64 -w0
+      register: debug_initdata_encoded
+      changed_when: false
+
     - name: Register init data pcr into a var
       ansible.builtin.shell: |
         set -o pipefail
@@ -72,8 +123,16 @@
       register: pcr8_hash
       changed_when: false
 
+    - name: Register debug init data pcr into a var
+      ansible.builtin.shell: |
+        set -o pipefail
+        hash=$(sha256sum "{{ debug_rendered_path }}" | cut -d' ' -f1)
+        initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
+        PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
+      register: debug_pcr8_hash
+      changed_when: false
 
-    - name: Create/update ConfigMap with gzipped+base64 content
+    - name: Create/update default initdata ConfigMap
       kubernetes.core.k8s:
         kubeconfig: "{{ kubeconfig | default(omit) }}"
         state: present
@@ -83,6 +142,34 @@
           metadata:
             name: "initdata"
             namespace: "imperative"
+            labels:
+              coco.io/type: initdata
           data:
             INITDATA: "{{ initdata_encoded.stdout }}"
             PCR8_HASH: "{{ pcr8_hash.stdout }}"
+            version: "0.1.0"
+            algorithm: "sha256"
+            aa.toml: "{{ raw_aa_toml.stdout }}"
+            cdh.toml: "{{ raw_cdh_toml.stdout }}"
+            policy.rego: "{{ raw_policy_rego.stdout }}"
+
+    - name: Create/update debug initdata ConfigMap
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig | default(omit) }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "debug-initdata"
+            namespace: "imperative"
+            labels:
+              coco.io/type: initdata
+          data:
+            INITDATA: "{{ debug_initdata_encoded.stdout }}"
+            PCR8_HASH: "{{ debug_pcr8_hash.stdout }}"
+            version: "0.1.0"
+            algorithm: "sha256"
+            aa.toml: "{{ raw_aa_toml.stdout }}"
+            cdh.toml: "{{ raw_cdh_toml.stdout }}"
+            policy.rego: "{{ debug_raw_policy_rego.stdout }}"

…ted/hello-openshift/insecure-policy.rego ansible/initdata-debug.toml.tplcharts/coco-supported/hello-openshift/insecure-policy.rego renamed to ansible/initdata-debug.toml.tpl charts/coco-supported/hello-openshift/insecure-policy.rego renamed to ansible/initdata-debug.toml.tpl

@@ -1,3 +1,32 @@
+algorithm = "sha256"
+version = "0.1.0"
+
+[data]
+"aa.toml" = '''
+[token_configs]
+[token_configs.coco_as]
+url = "https://kbs.{{ hub_domain }}"
+
+[token_configs.kbs]
+url = "https://kbs.{{ hub_domain }}"
+cert = """{{ trustee_cert }}"""
+'''
+
+"cdh.toml"  = '''
+socket = 'unix:///run/confidential-containers/cdh.sock'
+credentials = []
+
+[kbc]
+name = "cc_kbc"
+url = "https://kbs.{{ hub_domain }}"
+kbs_cert = """{{ trustee_cert }}"""
+
+
+[image]
+image_security_policy_uri = 'kbs:///default/security-policy/{{ security_policy_flavour }}'
+'''
+
+"policy.rego" = '''
 package agent_policy
 
 default AddARPNeighborsRequest := true
@@ -35,4 +64,5 @@ default UpdateEphemeralMountsRequest := true
 default UpdateInterfaceRequest := true
 default UpdateRoutesRequest := true
 default WaitProcessRequest := true
-default WriteStreamRequest := true
+default WriteStreamRequest := true
+'''

charts/all/coco-kyverno-policies/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: coco-kyverno-policies
+description: Kyverno policies for CoCo cc_init_data injection and validation
+type: application
+version: 0.1.0
+appVersion: "1.0.0"

charts/all/coco-kyverno-policies/templates/initdata-namespace-propagation.yaml

@@ -0,0 +1,31 @@
+{{- range .Values.workloadNamespaces }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: propagate-initdata-to-{{ . }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  rules:
+    - name: copy-initdata
+      match:
+        any:
+          - resources:
+              kinds:
+                - ConfigMap
+              namespaces:
+                - {{ $.Values.initdataSourceNamespace }}
+              selector:
+                matchLabels:
+                  coco.io/type: initdata
+      generate:
+        synchronize: true
+        apiVersion: v1
+        kind: ConfigMap
+        name: "{{ "{{" }}request.object.metadata.name{{ "}}" }}"
+        namespace: {{ . }}
+        clone:
+          namespace: {{ $.Values.initdataSourceNamespace }}
+          name: "{{ "{{" }}request.object.metadata.name{{ "}}" }}"
+{{- end }}

charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml

@@ -0,0 +1,52 @@
+apiVersion: policies.kyverno.io/v1
+kind: MutatingPolicy
+metadata:
+  name: inject-coco-initdata
+  annotations:
+    policies.kyverno.io/title: Inject CoCo InitData
+    policies.kyverno.io/category: Confidential Computing
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Injects cc_init_data annotation into pods with a kata runtime class
+      by reading from a ConfigMap specified via the coco.io/initdata-configmap
+      annotation. Adapted from upstream kyverno inject-coco-initdata policy.
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE"]
+        resources: ["pods"]
+  matchConditions:
+    - name: has-kata-runtime
+      expression: >-
+        has(object.spec.runtimeClassName) &&
+        object.spec.runtimeClassName.startsWith("kata")
+    - name: has-initdata-configmap-annotation
+      expression: >-
+        has(object.metadata.annotations) &&
+        'coco.io/initdata-configmap' in object.metadata.annotations &&
+        object.metadata.annotations['coco.io/initdata-configmap'] != ''
+    - name: no-existing-cc-init-data
+      expression: >-
+        !has(object.metadata.annotations) ||
+        !('io.katacontainers.config.hypervisor.cc_init_data' in object.metadata.annotations)
+  variables:
+    - name: configMapName
+      expression: "object.metadata.annotations['coco.io/initdata-configmap']"
+    - name: configMap
+      expression: >-
+        namespaceObject.get('configmaps', variables.configMapName)
+  mutations:
+    - patchType: JSONPatch
+      jsonPatch:
+        expression: >-
+          [
+            JSONPatch{
+              op: "add",
+              path: "/metadata/annotations/io.katacontainers.config.hypervisor.cc_init_data",
+              value: variables.configMap.data['INITDATA']
+            }
+          ]

charts/all/coco-kyverno-policies/templates/validate-initdata-configmap.yaml

@@ -0,0 +1,46 @@
+apiVersion: policies.kyverno.io/v1
+kind: ValidatingPolicy
+metadata:
+  name: validate-initdata-configmap
+  annotations:
+    policies.kyverno.io/title: Validate InitData ConfigMap Required Fields
+    policies.kyverno.io/category: Confidential Computing
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ConfigMap
+    policies.kyverno.io/description: >-
+      Validates that ConfigMaps with label coco.io/type=initdata contain
+      all required fields with proper values.
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  evaluation:
+    background:
+      enabled: true
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["configmaps"]
+  matchConditions:
+    - name: has-initdata-label
+      expression: >-
+        has(object.metadata.labels) &&
+        'coco.io/type' in object.metadata.labels &&
+        object.metadata.labels['coco.io/type'] == 'initdata'
+  variables:
+    - name: configData
+      expression: "object.data.orValue({})"
+    - name: allowedAlgorithms
+      expression: "['sha256', 'sha384', 'sha512']"
+  validationActions: ["Audit"]
+  validations:
+    - expression: "'version' in variables.configData && variables.configData['version'] != ''"
+      messageExpression: "'ConfigMap must contain a non-empty version field'"
+    - expression: "'algorithm' in variables.configData && variables.configData['algorithm'] in variables.allowedAlgorithms"
+      messageExpression: "'ConfigMap must contain an algorithm field with value sha256, sha384, or sha512, found: ' + ('algorithm' in variables.configData ? variables.configData['algorithm'] : 'missing')"
+    - expression: "'policy.rego' in variables.configData && variables.configData['policy.rego'] != ''"
+      messageExpression: "'ConfigMap must contain a non-empty policy.rego field'"
+    - expression: "'aa.toml' in variables.configData && variables.configData['aa.toml'] != ''"
+      messageExpression: "'ConfigMap must contain a non-empty aa.toml field'"
+    - expression: "'cdh.toml' in variables.configData && variables.configData['cdh.toml'] != ''"
+      messageExpression: "'ConfigMap must contain a non-empty cdh.toml field'"

charts/all/coco-kyverno-policies/values.yaml

@@ -0,0 +1,5 @@
+workloadNamespaces:
+  - hello-openshift
+  - kbs-access
+
+initdataSourceNamespace: imperative

charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app: insecure-policy
   annotations:
-    io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
+    coco.io/initdata-configmap: initdata
 spec:
   runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:

charts/coco-supported/hello-openshift/templates/secure-pod.yaml

@@ -6,6 +6,7 @@ metadata:
     app: secure
   annotations:
     peerpods: "true"
+    coco.io/initdata-configmap: initdata
 spec:
   runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:

charts/coco-supported/kbs-access/templates/secure-pod.yaml

@@ -6,6 +6,10 @@ metadata:
     app: secure
   annotations:
     peerpods: "true"
+    coco.io/initdata-configmap: initdata
+    {{- if .Values.defaultMemory }}
+    io.katacontainers.config.hypervisor.default_memory: {{ .Values.defaultMemory | quote }}
+    {{- end }}
 spec:
   runtimeClassName: kata-remote
   containers: