feat: enable multi-cluster support as an option in the pattern

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

.gitignore

@@ -16,7 +16,8 @@ install-config.yaml
 azure-env.sh
 .openshift*
 .DS_Store
-openshift-install
+openshift-install*
 node_modules
 .envrc
-.ansible/
+.ansible/
+__pycache__/

README.md

@@ -24,7 +24,7 @@ Future work includes:
 
 - Only currently is known to work with `azure` as the provider of confidential vms via peer-pods.
 - Only known to work today with everything on one cluster. The work to expand this is in flight.
-- If not using ARO you must either provide your own CA signed certs, or use let's encrypt.
+- Below version 3.1, if not using ARO you must either provide your own CA signed certs, or use let's encrypt.
 - Must be on 4.16.14 or later.
 
 ## Major versions

ansible/gen-certificate.yaml

@@ -0,0 +1,139 @@
+---
+- name: Generate self-signed TLS cert for KBS and push to Kubernetes Secret
+  hosts: localhost
+  connection: local
+  become: false
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    secret_name: kbs-tls-self-signed
+    common_name: "kbs-trustee-operator-system.{{ hub_domain }}"
+    days_valid: 365
+    renewal_threshold_days: 10
+    need_new_cert: false
+  pre_tasks:
+
+    - name: Check if TLS secret exists
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ kubeconfig }}"
+        api_version: v1
+        kind: Secret
+        name: "{{ secret_name }}"
+        namespace: "imperative"
+      register: existing_secret
+      ignore_errors: true
+
+    - name: Set fact that certificate doesn't exist
+      ansible.builtin.set_fact:
+        need_new_cert: true
+      when: existing_secret.resources | length == 0
+
+    - name: Extract existing certificate if secret exists
+      ansible.builtin.set_fact:
+        existing_cert_data: "{{ existing_secret.resources[0].data['tls.crt'] | b64decode }}"
+      when: existing_secret.resources | length > 0
+
+    - name: Create temporary file for existing certificate analysis
+      ansible.builtin.tempfile:
+        state: file
+        suffix: .crt
+      register: temp_cert_file
+      when: existing_secret.resources | length > 0
+
+    - name: Write existing certificate to temp file
+      ansible.builtin.copy:
+        content: "{{ existing_cert_data }}"
+        dest: "{{ temp_cert_file.path }}"
+        mode: "0600"
+      when: existing_secret.resources | length > 0
+
+    - name: Get certificate expiry date
+      community.crypto.x509_certificate_info:
+        path: "{{ temp_cert_file.path }}"
+      register: cert_info
+      when: existing_secret.resources | length > 0
+
+    - name: Calculate days until expiry
+      ansible.builtin.set_fact:
+        days_until_expiry: "{{ ((cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"
+      when: existing_secret.resources | length > 0
+
+    - name: Set fact to generate new certificate if expiring soon
+      ansible.builtin.set_fact:
+        need_new_cert: true
+      when:
+        - existing_secret.resources | length > 0
+        - days_until_expiry | int <= renewal_threshold_days
+
+    - name: Clean up temporary certificate file
+      ansible.builtin.file:
+        path: "{{ temp_cert_file.path }}"
+        state: absent
+      when: existing_secret.resources | length > 0
+
+    - name: Display certificate status
+      ansible.builtin.debug:
+        msg: >
+          Certificate status:
+          {% if existing_secret.resources | length == 0 %}
+          No existing certificate found. Will generate new certificate.
+          {% elif need_new_cert %}
+          Certificate expires in {{ days_until_expiry }} days (threshold: {{ renewal_threshold_days }} days). Will generate new certificate.
+          {% else %}
+          Certificate is valid for {{ days_until_expiry }} more days. Skipping certificate generation.
+          {% endif %}
+
+    - name: Create temporary directory for cert generation
+      ansible.builtin.tempfile:
+        state: directory
+        prefix: kbs-cert-
+      register: tmpdir
+      when: need_new_cert
+
+  tasks:
+    - name: Generate private key
+      community.crypto.openssl_privatekey:
+        path: "{{ tmpdir.path }}/tls.key"
+        size: 4096
+      when: need_new_cert
+
+    - name: Generate CSR
+      community.crypto.openssl_csr:
+        path: "{{ tmpdir.path }}/tls.csr"
+        privatekey_path: "{{ tmpdir.path }}/tls.key"
+        common_name: "kbs-trustee-operator-system"
+        subject_alt_name:
+          - "DNS:{{ common_name }}"
+      when: need_new_cert
+
+    - name: Generate self-signed certificate
+      community.crypto.x509_certificate:
+        path: "{{ tmpdir.path }}/tls.crt"
+        privatekey_path: "{{ tmpdir.path }}/tls.key"
+        csr_path: "{{ tmpdir.path }}/tls.csr"
+        provider: selfsigned
+        selfsigned_not_after: "+{{ days_valid }}d"
+      when: need_new_cert
+
+    - name: Create or update TLS secret for KBS
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ secret_name }}"
+            namespace: "imperative"
+          type: kubernetes.io/tls
+          stringData:
+            tls.crt: "{{ lookup('file', tmpdir.path + '/tls.crt') }}"
+            tls.key: "{{ lookup('file', tmpdir.path + '/tls.key') }}"
+      when: need_new_cert
+
+    - name: Cleanup temporary directory
+      ansible.builtin.file:
+        path: "{{ tmpdir.path }}"
+        state: absent
+      when: need_new_cert and tmpdir is defined

ansible/init-data-gzipper.yaml

@@ -1,4 +1,4 @@
-- name: Collect AWS facts and set secrurity group policies
+- name: Gzip initdata
   become: false
   connection: local
   hosts: localhost
@@ -14,6 +14,24 @@
         state: directory
         suffix: initdata
       register: tmpdir
+    - name: Read KBS TLS secret from Kubernetes
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+        api_version: v1
+        kind: Secret
+        name: kbs-tls-self-signed
+        namespace: imperative
+      register: kbs_secret_result
+
+    - name: Extract and decode certificate from secret
+      ansible.builtin.set_fact:
+        trustee_cert: "{{ kbs_secret_result.resources[0].data['tls.crt'] | b64decode }}"
+      when: kbs_secret_result.resources | length > 0
+
+    - name: Fail if certificate not found
+      ansible.builtin.fail:
+        msg: "KBS TLS certificate not found in secret 'kbs-tls-self-signed' in namespace 'imperative'"
+      when: kbs_secret_result.resources | length == 0
 
     - name: Define temp file paths
       ansible.builtin.set_fact:

ansible/initdata-default.toml.tpl

@@ -9,6 +9,9 @@ url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 
 [token_configs.kbs]
 url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
+cert = """
+{{ trustee_cert }}
+"""
 '''
 
 "cdh.toml"  = '''
@@ -18,4 +21,48 @@ credentials = []
 [kbc]
 name = "cc_kbc"
 url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
+kbs_cert = """ 
+{{ trustee_cert }}
+"""
 '''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+'''

charts/all/letsencrypt/values.yaml

@@ -3,6 +3,8 @@
 global:
   ## -- String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework
   localClusterDomain: "apps.example.com"
+  ## -- String defining the cluster platform: "Azure" or "AWS" (overridden by values-global.yaml)
+  clusterPlatform: ""
 
 
 # -- This section contains all the parameters for the letsencrypt chart in
@@ -55,7 +57,7 @@ letsencrypt:
   azure:
     secretStoreKey: 'secret/data/global/azure'
 
-
+# Secret store configuration (overridden by values-global.yaml)
 secretStore:
-  name: vault-backend
-  kind: ClusterSecretStore
+  name: ""
+  kind: ""

charts/coco-supported/hello-openshift/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hello-openshift.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hello-openshift.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hello-openshift.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hello-openshift.labels" -}}
+helm.sh/chart: {{ include "hello-openshift.chart" . }}
+{{ include "hello-openshift.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hello-openshift.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hello-openshift.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Determine runtime class name based on cluster platform
+Returns "kata-remote" for Azure/AWS, "kata-cc" for other platforms
+*/}}
+{{- define "hello-openshift.runtimeClassName" -}}
+{{- if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") -}}
+kata-remote
+{{- else -}}
+kata-cc
+{{- end -}}
+{{- end }}

charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml

@@ -7,7 +7,7 @@ metadata:
   annotations:
     io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
 spec:
-  runtimeClassName: kata-remote
+  runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift

charts/coco-supported/hello-openshift/templates/secure-pod.yaml

@@ -7,7 +7,7 @@ metadata:
   annotations:
     peerpods: "true"
 spec:
-  runtimeClassName: kata-remote
+  runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift

charts/coco-supported/hello-openshift/templates/standard-pod.yaml

@@ -5,7 +5,6 @@ metadata:
   labels:
     app: standard
 spec:
-  runtimeClassName: {{ .Values.global.runtimeClass }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift