feat: segregated gpu bm from bm for ease of testing

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

ansible/reconcile-kataconfig-gpu.yaml

@@ -3,7 +3,7 @@
   hosts: localhost
   connection: local
   become: false
-  gather_facts: false
+  gather_facts: true
   tasks:
     - name: Check for nodes with NVIDIA GPU labels
       kubernetes.core.k8s_info:

charts/hub/storage/templates/hostpathprovisioner.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.global.storageProvider "hpp" }}
+{{- if eq .Values.global.baremetalStorageProvider "hpp" }}
 apiVersion: hostpathprovisioner.kubevirt.io/v1beta1
 kind: HostPathProvisioner
 metadata:

charts/hub/storage/templates/hpp-storageclass.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.global.storageProvider "hpp" }}
+{{- if eq .Values.global.baremetalStorageProvider "hpp" }}
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:

charts/hub/storage/templates/lvmcluster.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.global.storageProvider "lvm" }}
+{{- if eq .Values.global.baremetalStorageProvider "lvm" }}
 apiVersion: lvm.topolvm.io/v1alpha1
 kind: LVMCluster
 metadata:

charts/hub/storage/values.yaml

@@ -1,5 +1,5 @@
 global:
-  storageProvider: hpp
+  baremetalStorageProvider: hpp
 
 lvmCluster:
   name: "lvmcluster"

scripts/gen-secrets.sh

@@ -46,13 +46,13 @@ if [ ! -f "${PCCS_USER_TOKEN_FILE}" ]; then
 	echo "Creating PCCS user token"
 	echo "usertoken" > "${PCCS_USER_TOKEN_FILE}"
 fi
-echo -n "usertoken" | sha512sum | tr -d '[:space:]-' > "${COCO_SECRETS_DIR}/pccs_user_token_hash"
+tr -d '\n' < "${PCCS_USER_TOKEN_FILE}" | sha512sum | tr -d '[:space:]-' > "${COCO_SECRETS_DIR}/pccs_user_token_hash"
 
 if [ ! -f "${PCCS_ADMIN_TOKEN_FILE}" ]; then
 	echo "Creating PCCS admin token"
 	echo "admintoken" > "${PCCS_ADMIN_TOKEN_FILE}"
 fi
-echo -n "admintoken" | sha512sum | tr -d '[:space:]-' > "${COCO_SECRETS_DIR}/pccs_admin_token_hash"
+tr -d '\n' < "${PCCS_ADMIN_TOKEN_FILE}" | sha512sum | tr -d '[:space:]-' > "${COCO_SECRETS_DIR}/pccs_admin_token_hash"
 
 ## Copy a sample values file if this stuff doesn't exist
 

values-baremetal-gpu.yaml

@@ -0,0 +1,297 @@
+# Bare metal deployment for confidential containers WITH NVIDIA GPU support.
+# Supports Intel TDX and AMD SEV-SNP via auto-detection (NFD).
+# Includes NVIDIA H100 confidential GPU components (GPU Operator, IOMMU, CC Manager).
+# Set main.clusterGroupName: baremetal in values-global.yaml to use.
+
+clusterGroup:
+  name: baremetal
+  isHubCluster: true
+  namespaces:
+  - open-cluster-management
+  - vault
+  - golang-external-secrets
+  - openshift-sandboxed-containers-operator
+  - trustee-operator-system
+  - cert-manager-operator
+  - cert-manager
+  - hello-openshift
+  - kbs-access
+  - openshift-cnv
+  - openshift-storage
+  - openshift-nfd
+  - baremetal
+  - intel-dcap
+  - nvidia-gpu-operator
+  - gpu-workload
+  - kyverno
+
+  subscriptions:
+    acm:
+      name: advanced-cluster-management
+      namespace: open-cluster-management
+    sandbox:
+      name: sandboxed-containers-operator
+      namespace: openshift-sandboxed-containers-operator
+      source: redhat-operators
+      channel: stable
+      installPlanApproval: Manual
+      csv: sandboxed-containers-operator.v1.12.0
+    trustee:
+      name: trustee-operator
+      namespace: trustee-operator-system
+      source: redhat-operators
+      channel: stable
+      installPlanApproval: Manual
+      csv: trustee-operator.v1.1.0
+    cert-manager:
+      name: openshift-cert-manager-operator
+      namespace: cert-manager-operator
+      channel: stable-v1
+    lvm-operator:
+      name: lvms-operator
+      namespace: openshift-storage
+      source: redhat-operators
+      channel: stable-4.20
+      installPlanApproval: Automatic
+    cnv:
+      name: kubevirt-hyperconverged
+      namespace: openshift-cnv
+      source: redhat-operators
+      channel: stable
+      installPlanApproval: Automatic
+    nfd:
+      name: nfd
+      namespace: openshift-nfd
+      channel: stable
+    gpu-operator:
+      name: gpu-operator-certified
+      namespace: nvidia-gpu-operator
+      source: certified-operators
+      channel: v26.3
+      installPlanApproval: Manual
+      csv: gpu-operator-certified.v26.3.0
+    intel-device-plugins:
+      name: intel-device-plugins-operator
+      namespace: openshift-operators
+      source: certified-operators
+      channel: stable
+  projects:
+  - hub
+  - vault
+  - trustee
+  - golang-external-secrets
+  - sandbox
+  - workloads
+  - default
+
+  # Explicitly mention the cluster-state based overrides we plan to use for this pattern.
+  # We can use self-referential variables because the chart calls the tpl function with these variables defined
+  sharedValueFiles:
+  - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
+  - '/overrides/values-storage-{{ $.Values.global.baremetalStorageProvider }}.yaml'
+
+  applications:
+    acm:
+      name: acm
+      namespace: open-cluster-management
+      project: hub
+      chart: acm
+      chartVersion: 0.1.*
+
+    vault:
+      name: vault
+      namespace: vault
+      project: vault
+      chart: hashicorp-vault
+      chartVersion: 0.1.*
+
+    secrets-operator:
+      name: golang-external-secrets
+      namespace: golang-external-secrets
+      project: golang-external-secrets
+      chart: golang-external-secrets
+      chartVersion: 0.1.*
+
+    trustee:
+      name: trustee
+      namespace: trustee-operator-system
+      project: trustee
+      repoURL: https://github.com/butler54/trustee-chart.git
+      targetRevision: feature/baremetal-attestation
+      path: .
+      overrides:
+        - name: global.coco.secured
+          value: "true"
+        - name: kbs.admin.format
+          value: "v1.1"
+        - name: kbs.https.enabled
+          value: "false"
+        - name: kbs.secretResources[0].name
+          value: kbsres1
+        - name: kbs.secretResources[0].key
+          value: secret/data/hub/kbsres1
+        - name: kbs.tdx.enabled
+          value: "true"
+        - name: kbs.tdx.collateralService
+          value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
+        - name: kbs.secretResources[1].name
+          value: passphrase
+        - name: kbs.secretResources[1].key
+          value: secret/data/hub/passphrase
+        - name: kbs.gpu.enabled
+          value: "true"
+
+    storage:
+      name: storage
+      namespace: openshift-storage
+      project: hub
+      path: charts/hub/storage
+
+    baremetal:
+      name: baremetal
+      namespace: baremetal
+      project: hub
+      path: charts/all/baremetal
+
+    sandbox:
+      name: sandbox
+      namespace: openshift-sandboxed-containers-operator
+      project: sandbox
+      chart: sandboxed-containers
+      chartVersion: 0.2.*
+      overrides:
+        - name: global.secretStore.backend
+          value: vault
+        - name: secretStore.name
+          value: vault-backend
+        - name: secretStore.kind
+          value: ClusterSecretStore
+        - name: enablePeerPods
+          value: "false"
+
+
+    intel-dcap:
+      name: intel-dcap
+      namespace: intel-dcap
+      project: hub
+      path: charts/all/intel-dcap
+      overrides:
+        - name: secretStore.name
+          value: vault-backend
+        - name: secretStore.kind
+          value: ClusterSecretStore
+
+    nvidia-gpu:
+      name: nvidia-gpu
+      namespace: nvidia-gpu-operator
+      project: hub
+      path: charts/all/nvidia-gpu
+
+    gpu-workload:
+      name: gpu-workload
+      namespace: gpu-workload
+      project: workloads
+      path: charts/coco-supported/gpu-workload
+      syncPolicy:
+        automated:
+          prune: true
+
+    sandbox-policies:
+      name: sandbox-policies
+      namespace: openshift-sandboxed-containers-operator
+      chart: sandboxed-policies
+      chartVersion: 0.1.*
+
+    kbs-access:
+      name: kbs-access
+      namespace: kbs-access
+      project: workloads
+      path: charts/coco-supported/kbs-access
+      syncPolicy:
+        automated:
+          prune: true
+      overrides:
+        - name: defaultMemory
+          value: "8192"
+
+    hello-openshift:
+      name: hello-openshift
+      namespace: hello-openshift
+      project: workloads
+      path: charts/coco-supported/hello-openshift
+      syncPolicy:
+        automated:
+          prune: true
+
+    kyverno:
+      name: kyverno
+      namespace: kyverno
+      project: hub
+      repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno
+      chartVersion: 3.7.*
+      syncPolicy:
+        automated: {}
+        retry:
+          limit: 20
+        syncOptions:
+          - ServerSideApply=true
+      overrides:
+        - name: admissionController.container.securityContext
+          value: "null"
+        - name: admissionController.initContainer.securityContext
+          value: "null"
+        - name: backgroundController.securityContext
+          value: "null"
+        - name: cleanupController.securityContext
+          value: "null"
+        - name: reportsController.securityContext
+          value: "null"
+        - name: crds.migration.securityContext
+          value: "null"
+        - name: webhooksCleanup.securityContext
+          value: "null"
+        - name: test.securityContext
+          value: "null"
+        - name: crds.groups.wgpolicyk8s.policyreports
+          value: "false"
+        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
+          value: "false"
+        - name: reportsController.enabled
+          value: "false"
+
+    coco-kyverno-policies:
+      name: coco-kyverno-policies
+      namespace: openshift-sandboxed-containers-operator
+      project: sandbox
+      path: charts/all/coco-kyverno-policies
+
+  imperative:
+    # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
+    # The default schedule is every 10 minutes: imperative.schedule
+    # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
+    # imagePullPolicy is set to always: imperative.imagePullPolicy
+    # For additional overrides that apply to the jobs, please refer to
+    # https://validatedpatterns.io/imperative-actions/#additional-job-customizations
+    image: ghcr.io/butler54/imperative-container:latest
+    serviceAccountCreate: true
+    adminServiceAccountCreate: true
+    serviceAccountName: imperative-admin-sa
+    jobs:
+    - name: install-deps
+      playbook: ansible/install-deps.yaml
+      verbosity: -vvv
+      timeout: 3600
+    - name: init-data-gzipper
+      playbook: ansible/init-data-gzipper.yaml
+      verbosity: -vvv
+      timeout: 3600
+    - name: reconcile-kataconfig-gpu
+      playbook: ansible/reconcile-kataconfig-gpu.yaml
+      verbosity: -vvv
+      timeout: 600
+    # Required for tech preview only.
+    # - name: detect-runtime-class
+    #   playbook: ansible/detect-runtime-class.yaml
+    #   verbosity: -vvv
+    #   timeout: 600