fix: add agents.md

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

AGENTS.md

@@ -0,0 +1,150 @@
+# CoCo Pattern — AI Coding Assistant Guidance
+
+This is a [Validated Pattern](https://validatedpatterns.io/) for deploying confidential containers (CoCo) on OpenShift.
+This file provides rules and context for any AI coding assistant working in this repository.
+
+## Critical Rules
+
+- **DO NOT** edit anything under `/common/`. It is a read-only git subtree from the upstream validated patterns framework.
+- **DO NOT** commit secrets, credentials, or private keys. `values-secret.yaml.template` is a template only.
+- **DO NOT** use Kustomize. This project uses Helm exclusively.
+- **DO NOT** create charts with `apiVersion: v1`. Use `apiVersion: v2` (Helm 3+).
+- **DO NOT** place cloud-provider-specific logic in chart templates. Use `/overrides/` via `sharedValueFiles` instead.
+- **DO NOT** hardcode secrets in templates. Use External Secrets Operator with vault paths (see `charts/hub/trustee/templates/dynamic-eso.yaml` for reference).
+
+## Feature Development Precedence Order
+
+Use the **first** approach that fits your requirement:
+
+1. **Helm charts** — Declarative Kubernetes resources in `/charts/`, deployed by ArgoCD. Preferred for installing operators, configuring CRDs, and creating Kubernetes resources.
+2. **ACM policies** — Red Hat Advanced Cluster Management policies for propagating configuration from hub to spoke clusters and enforcing multi-cluster governance. Reference: `charts/hub/sandbox-policies/templates/`.
+3. **Imperative framework (Ansible)** — Playbooks in `/ansible/`, executed as Kubernetes Jobs on a 10-minute schedule. **Must be idempotent.** Use for API calls, runtime data lookups, and multi-step orchestration that cannot be expressed declaratively. Register playbooks in `clusterGroup.imperative.jobs` as an ordered list.
+4. **Out-of-band scripts** — `/scripts/` or `/rhdp/`. Last resort for one-time setup or local development tooling. These are not managed by GitOps.
+
+## Project Structure
+
+```
+├── ansible/                        # Ansible playbooks (imperative jobs)
+├── charts/
+│   ├── all/
+│   │   └── letsencrypt/            # Shared across cluster groups
+│   ├── coco-supported/
+│   │   ├── baremetal/              # Bare-metal TDX configuration
+│   │   ├── hello-openshift/        # Sample workloads
+│   │   ├── kbs-access/             # KBS access verification workload
+│   │   └── sandbox/                # Sandboxed containers runtime
+│   └── hub/
+│       ├── lvm-storage/            # LVM storage for bare-metal
+│       ├── sandbox-policies/       # ACM policies (hub → spoke)
+│       └── trustee/                # Trustee / KBS
+├── common/                         # READ-ONLY — upstream framework subtree
+├── overrides/                      # Cloud-provider value overrides
+│   ├── values-AWS.yaml
+│   ├── values-Azure.yaml
+│   └── values-IBMCloud.yaml
+├── rhdp/                           # Red Hat Demo Platform tooling
+├── scripts/                        # Utility scripts
+├── values-global.yaml              # Global configuration
+├── values-simple.yaml              # Cluster group: simple
+├── values-baremetal.yaml           # Cluster group: baremetal
+├── values-trusted-hub.yaml         # Cluster group: trusted-hub
+├── values-untrusted-spoke.yaml     # Cluster group: untrusted-spoke
+└── values-secret.yaml.template     # Secrets template (never commit filled-in copy)
+```
+
+## Companion Chart Repositories
+
+Several charts in this repo have companion repositories for independent versioning and reuse. Develop and test in this repo first (charts deploy via `path:`), then sync changes to the companion repo.
+
+| Local Path | Companion Repo | Purpose |
+|---|---|---|
+| `charts/hub/trustee/` | `trustee-chart` | Trustee / KBS on hub |
+| `charts/hub/sandbox-policies/` | `sandboxed-policies-chart` | ACM policies hub → spoke |
+| `charts/coco-supported/sandbox/` | `sandboxed-containers-chart` | Sandboxed runtime on spoke |
+
+Large features may require coordinated changes across multiple companion repos. References are org-agnostic — contributors should fork all relevant repos as needed.
+
+## Cluster Groups
+
+Set via `main.clusterGroupName` in `values-global.yaml`.
+
+| Cluster Group | Values File | Role | Description |
+|---|---|---|---|
+| `simple` | `values-simple.yaml` | Hub (single cluster) | All components on one cluster |
+| `baremetal` | `values-baremetal.yaml` | Hub (single cluster) | TDX + LVM storage on bare metal |
+| `trusted-hub` | `values-trusted-hub.yaml` | Multi-cluster hub | Trustee + ACM policies |
+| `untrusted-spoke` | `values-untrusted-spoke.yaml` | Multi-cluster spoke | Sandbox runtime + workloads |
+
+## Values File Hierarchy
+
+Merge order (last wins):
+
+1. Chart defaults (`charts/<group>/<chart>/values.yaml`)
+2. `values-global.yaml`
+3. `values-<clustergroup>.yaml`
+4. `/overrides/values-{{ clusterPlatform }}.yaml` (via `sharedValueFiles`)
+5. `values-secret.yaml` (runtime only, never committed)
+
+Key conventions:
+
+- Global settings go under the `global:` key in `values-global.yaml`.
+- Subscriptions go under `clusterGroup.subscriptions:` in the cluster group values file.
+- Applications go under `clusterGroup.applications:` in the cluster group values file.
+- Local charts use `path:` (e.g., `path: charts/hub/trustee`). Shared framework charts use `chart:` + `chartVersion:`.
+- Imperative jobs go under `clusterGroup.imperative.jobs:` as an **ordered list** (not a hash — hashes lose ordering in Helm).
+
+## Helm Chart Conventions
+
+- Use `apiVersion: v2`. Place charts in `charts/<cluster-group>/<chart-name>/`.
+- Use ArgoCD sync-wave annotations to control deployment ordering.
+- Use `ExternalSecret` resources to pull secrets from vault. Reference: `charts/hub/trustee/templates/dynamic-eso.yaml`.
+- Use `.Values.global.clusterPlatform` for platform-conditional logic only when overrides files are insufficient.
+- Reference patterns:
+  - ESO integration: `charts/hub/trustee/templates/dynamic-eso.yaml`
+  - Template helpers: `charts/coco-supported/hello-openshift/templates/_helpers.tpl`
+
+## Ansible Playbook Conventions
+
+- Place playbooks in `/ansible/`. They **must be idempotent**.
+- Use `connection: local`, `hosts: localhost`, `become: false`.
+- Use `kubernetes.core.k8s` and `kubernetes.core.k8s_info` modules for cluster interaction.
+- Register playbooks in the cluster group values file under `clusterGroup.imperative.jobs` with `name`, `playbook`, `verbosity`, and `timeout` fields.
+
+## Git Workflow
+
+- **Fork-first**: ArgoCD reconciles against your fork. Clone and push to your own fork.
+- **Conventional commits**: Enforced by commitlint (`@commitlint/config-conventional`).
+- **Branch-based deployment**: The branch of your local checkout determines the ArgoCD deployment target.
+- **Changes require commit + push** to take effect — ArgoCD watches the remote.
+
+## Commands Reference
+
+All commands run via `./pattern.sh make <target>`:
+
+| Command | Purpose |
+|---|---|
+| `install` | Install the pattern and load secrets |
+| `show` | Render the starting template without installing |
+| `preview-all` | Preview all applications across cluster groups |
+| `validate-schema` | Validate values files against JSON schema |
+| `validate-cluster` | Validate cluster prerequisites |
+| `super-linter` | Run super-linter locally |
+| `load-secrets` | Load secrets into the configured backend |
+| `uninstall` | Uninstall the pattern |
+
+See the README for secrets backend configuration, RHDP environment variables, and additional maintenance commands.
+
+## Validation and CI
+
+CI runs the following checks on pull requests:
+
+- **JSON schema validation** — values files validated against `common/clustergroup` schema
+- **Super Linter** — multi-language linting
+- **Conventional PR title lint** — PR titles must follow conventional commit format
+
+Run locally before pushing:
+
+```bash
+./pattern.sh make preview-all
+./pattern.sh make validate-schema
+```

docs/dell-tdx-configuration.md

@@ -0,0 +1,149 @@
+# Enable Intel TDX on Dell PowerEdge via iDRAC
+
+This guide provides step-by-step instructions for enabling Intel Trust Domain Extensions (TDX) on Dell PowerEdge servers using the iDRAC console.
+
+## Prerequisites
+
+- Dell 16th Generation PowerEdge server:
+  - PowerEdge R660, R660xs
+  - PowerEdge R760, R760xs, R760xd2, R760XA
+  - PowerEdge R860, R960
+  - PowerEdge XE8640, XE9640, XE9680
+  - PowerEdge C6620, MX760c
+  - PowerEdge XR5610, XR7620, XR8610t, XR8620t
+  - PowerEdge T360, T560
+- 5th Gen Intel Xeon Scalable processor with TDX support
+- **8 or 16 DIMMs per socket** (required memory configuration)
+- Latest BIOS firmware installed
+
+## Step-by-Step Instructions (Order Matters)
+
+> **IMPORTANT:** Settings must be configured in this exact order. Some options (like "Multiple Keys") will be greyed out until prerequisite settings are applied. You may need to **save and reboot between steps** for dependent options to become available.
+
+### 1. Access BIOS Setup via iDRAC
+
+1. Log into the iDRAC web console
+2. Navigate to **Configuration → BIOS Settings**
+3. Alternatively, launch **Virtual Console** and press **F2** during POST to enter System Setup
+
+### 2. Configure Memory Settings (FIRST)
+
+Navigate to: **System BIOS → Memory Settings**
+
+| Setting                | Value       |
+| ---------------------- | ----------- |
+| **Node Interleaving**  | Disabled    |
+
+**Save and reboot** before proceeding.
+
+### 3. Configure Processor Prerequisites (SECOND)
+
+Navigate to: **System BIOS → Processor Settings**
+
+| Setting                          | Value    |
+| -------------------------------- | -------- |
+| **Logical Processor (x2APIC)**   | Enabled  |
+| **CPU Physical Address Limit**   | Disabled |
+
+**Save and reboot** before proceeding.
+
+### 4. Enable Memory Encryption - Multiple Keys (THIRD)
+
+Navigate to: **System BIOS → System Security**
+
+| Setting               | Value          |
+| --------------------- | -------------- |
+| **Memory Encryption** | Multiple Keys  |
+
+> If "Multiple Keys" is still greyed out, verify steps 2 and 3 were applied and the system was rebooted.
+
+**Save and reboot** before proceeding.
+
+### 5. Configure TDX Settings (FOURTH)
+
+Navigate to: **System BIOS → System Security** (or **Processor Settings** depending on BIOS version)
+
+| Setting                                           | Value   |
+| ------------------------------------------------- | ------- |
+| **Global Memory Integrity**                       | Disabled |
+| **Intel TDX (Trust Domain Extension)**            | Enabled |
+| **TME-MT/TDX Key Split**                          | 1       |
+| **TDX Secure Arbitration Mode Loader (SEAM)**     | Enabled |
+
+### 6. Configure SGX Settings (FIFTH)
+
+Navigate to: **System BIOS → Processor Settings → Software Guard Extensions (SGX)**
+
+| Setting              | Value                     |
+| -------------------- | ------------------------- |
+| **Intel SGX**        | Enabled                   |
+| **SGX Factory Reset** | Off                      |
+| **SGX PRMRR Size**   | As needed (e.g., 64GB)    |
+
+### 7. Final Save and Reboot
+
+1. Press **Escape** to exit menus
+2. Select **Save Changes and Exit**
+3. System will reboot with TDX enabled
+
+## Configuration Summary (Order of Operations)
+
+```
+1. Disable Node Interleaving          → Save & Reboot
+2. Enable x2APIC Mode                 → Save & Reboot
+3. Disable CPU Physical Address Limit → Save & Reboot
+4. Set Memory Encryption = Multiple Keys → Save & Reboot
+5. Disable Global Memory Integrity
+6. Enable Intel TDX
+7. Set TME-MT/TDX Key Split = 1
+8. Enable SEAM Loader
+9. Enable Intel SGX                   → Final Save & Reboot
+```
+
+## Verification
+
+After the OS boots, verify TDX is enabled:
+
+```bash
+# Check kernel messages for TDX
+dmesg | grep -i tdx
+# Should show: "virt/tdx: BIOS enabled: private KeyID range: [X, Y)"
+
+# Check for TDX module
+ls /sys/firmware/tdx_seam/
+```
+
+## Troubleshooting
+
+### "Multiple Keys" Option is Greyed Out
+
+This is typically caused by:
+
+1. **Node Interleaving is Enabled** - Must be disabled first
+2. **x2APIC Mode is Disabled** - Must be enabled first
+3. **CPU Physical Address Limit is Enabled** - Must be disabled first
+4. **System not rebooted** - Some changes require reboot before dependent options appear
+5. **Insufficient DIMMs** - Requires 8 or 16 DIMMs per socket
+
+### Settings Not Available
+
+If TDX-related settings are not visible:
+
+1. Ensure BIOS firmware is updated to the latest version
+2. Verify your processor supports TDX (5th Gen Xeon Scalable required)
+3. Contact Dell support for BIOS with TDX support
+
+### TDX Not Detected by OS
+
+If the OS doesn't detect TDX after configuration:
+
+1. Verify all settings are correctly applied in the order specified
+2. Ensure the OS/kernel supports TDX (Linux 6.2+ recommended)
+3. Check that Memory Encryption is set to "Multiple Keys" (not "Single Key")
+
+## References
+
+- [Dell: Enable Intel TDX on Dell 16G Intel Servers](https://www.dell.com/support/kbdoc/en-us/000226452/enableinteltdxondell16g)
+- [Intel TDX Enabling Guide - Hardware Setup](https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/04/hardware_setup/)
+- [Dell Info Hub: Enable Intel TDX in BIOS](https://infohub.delltechnologies.com/en-us/l/securing-ai-workloads-on-dell-poweredge-with-intel-xeon-processors-using-intel-trust-domain-extensions/appendix-b-enable-intel-r-tdx-in-bios/)
+- [Linux Kernel TDX Documentation](https://docs.kernel.org/arch/x86/tdx.html)

values-simple.yaml

@@ -110,8 +110,8 @@ clusterGroup:
       targetRevision: remove-ssh
       path: ./
       overrides:
-        - name: global.coco.enableSSHDebug
-          value: "true"
+        # - name: global.coco.enableSSHDebug
+        #   value: "true"
         - name: global.secretStore.backend
           value: vault
         - name: secretStore.name
@@ -126,8 +126,8 @@ clusterGroup:
       targetRevision: rootvolume
       path: ./
       overrides:
-        - name: global.coco.enableSSHDebug
-          value: "true"
+        # - name: global.coco.enableSSHDebug
+        #   value: "true"
         - name: global.coco.azure.defaultVMFlavour
           value: Standard_DC2as_v5
         - name: global.coco.azure.VMFlavours