fix: update for 1.11 release

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

charts/coco-supported/baremetal/templates/pccs-deployment.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14,51 +15,43 @@ spec:
         app: pccs
         trustedservices.intel.com/cache: pccs
     spec:
-      serviceAccountName: pccs-service-account
       tolerations:
-      - effect: NoSchedule
-        key: node-role.kubernetes.io/master
-        operator: Exists
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node-role.kubernetes.io/master
-                operator: Exists
-        # Prefer to schedule on the same node as existing PCCS pods
-        podAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            podAffinityTerm:
-              labelSelector:
-                matchLabels:
-                  app: pccs
-              topologyKey: kubernetes.io/hostname
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      nodeSelector:
+        kubernetes.io/hostname: master-03 # THIS IS REALLLY REALLY BAD
       initContainers:
-       - name: init-seclabel
-         image: registry.access.redhat.com/ubi9/ubi:latest
-         command: ["sh", "-c", "chcon -Rt container_file_t /var/cache/pccs"]
-         volumeMounts:
-         - name: host-database
-           mountPath: /var/cache/pccs
-         securityContext:
-           runAsUser: 0
-           runAsGroup: 0
-           privileged: true  # Required for chcon to work on host files
+        - name: init-seclabel
+          image: registry.access.redhat.com/ubi9/ubi:9.7-1764578509
+          command: [ "sh", "-c", "chcon -Rt container_file_t /var/cache/pccs" ]
+          volumeMounts:
+            - name: host-database
+              mountPath: /var/cache/pccs
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            privileged: true  # Required for chcon to work on host files
       containers:
         - name: pccs
-          image: quay.io/openshift_sandboxed_containers/dcap/pccs:0.2.0
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-pccs@sha256:352fac8fb229177e52a3bc132b1e2a1a2af9f924a35f5efb1ab4aaef25fca720
+          envFrom:
+            - secretRef:
+                name: pccs-secrets
+          env:
+            - name: "PCCS_LOG_LEVEL"
+              value: "info"
+            - name: "CLUSTER_HTTPS_PROXY"
+              value: ""
+            - name: "PCCS_FILL_MODE"
+              value: "LAZY"
           ports:
             - containerPort: 8042
               name: pccs-port
           volumeMounts:
             - name: pccs-tls
               mountPath: /opt/intel/pccs/ssl_key
               readOnly: true
-            - name: pccs-config
-              mountPath: /opt/intel/pccs/config
-              readOnly: true
             - name: host-database
               mountPath: /var/cache/pccs/
           securityContext:
@@ -67,9 +60,6 @@ spec:
         - name: pccs-tls
           secret:
             secretName: pccs-tls
-        - name: pccs-config
-          secret:
-            secretName: pccs-config
         - name: host-database
           hostPath:
             path: /var/cache/pccs/

charts/coco-supported/baremetal/templates/qgs-config-cm.yaml

@@ -1,9 +1,9 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: qgs-config
-  namespace: intel-dcap
-data:
-  qgs.conf: |
-    port = 4050
-    number_threads = 4
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: qgs-config
+#   namespace: intel-dcap
+# data:
+#   qgs.conf: |
+#     port = 4050
+#     number_threads = 4

charts/coco-supported/baremetal/templates/qgs-ds.yaml

@@ -1,11 +1,7 @@
----
-apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: tdx-qgs
   namespace: intel-dcap
-  annotations:
-    argocd.argoproj.io/sync-wave: "2"
 spec:
   selector:
     matchLabels:
@@ -16,35 +12,75 @@ spec:
         app: tdx-qgs
       annotations:
         sgx.intel.com/quote-provider: tdx-qgs
+        qcnl-conf: '{"pccs_url": "https://pccs-service:8042/sgx/certification/v4/", "use_secure_cert": false, "pck_cache_expire_hours": 168}'
     spec:
-      serviceAccountName: tdx-qgs-service-account
       nodeSelector:
         intel.feature.node.kubernetes.io/tdx: 'true'
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+        - name: platform-registration
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-tdx-qgs@sha256:2f8a49c51af8d801d0bc5a9ef4808afe5b6cc79157a1c618a0f8b3025b56d290
+          restartPolicy: Always
+          command: [ '/usr/bin/dcap-registration-flow' ]
+          env:
+            - name: PCCS_URL
+              value: "https://pccs-service:8042"
+            - name: SECURE_CERT
+              value: 'false'
+          envFrom:
+            - secretRef:
+                name: pccs-secrets
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: true
+            privileged: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - LINUX_IMMUTABLE
+          volumeMounts:
+            - name: efivars
+              mountPath: /sys/firmware/efi/efivars
       containers:
         - name: tdx-qgs
-          image: quay.io/openshift_sandboxed_containers/dcap/tdx-qgs:0.2.0
-          workingDir: /opt/intel/tdx-qgs
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-tdx-qgs@sha256:2f8a49c51af8d801d0bc5a9ef4808afe5b6cc79157a1c618a0f8b3025b56d290
+          args:
+            - -p=4050
+            - -n=4
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           resources:
             limits:
               sgx.intel.com/epc: "512Ki"
               sgx.intel.com/enclave: 1
               sgx.intel.com/provision: 1
+          env:
+            - name: QCNL_CONF_PATH
+              value: "/run/dcap/qcnl_conf"
+            - name: XDG_CACHE_HOME
+              value: "/run/dcap/cache"
           volumeMounts:
-            - name: qgs-config
-              mountPath: /etc/qgs.conf
-              subPath: qgs.conf
-            - name: sgx-default-qcnl-conf
-              mountPath: /etc/sgx_default_qcnl.conf
-              subPath: sgx_default_qcnl.conf
+            - name: dcap-qcnl-cache
+              mountPath: /run/dcap/cache
+            - name: qcnl-config
+              mountPath: /run/dcap/
+              readOnly: true
       volumes:
-        - name: qgs-config
-          configMap:
-            name: qgs-config
-        - name: sgx-default-qcnl-conf
-          configMap:
-            name: sgx-default-qcnl-conf
+        - name: dcap-qcnl-cache
+          emptyDir:
+            sizeLimit: 50Mi
+        - name: qcnl-config
+          downwardAPI:
+            items:
+              - path: "qcnl_conf"
+                fieldRef:
+                  fieldPath: metadata.annotations['qcnl-conf']
+        - name: efivars
+          hostPath:
+            path: /sys/firmware/efi/efivars/

charts/coco-supported/baremetal/templates/qgs-rbac.yaml

@@ -1,51 +1,51 @@
----
-# ServiceAccount for TDX QGS DaemonSet
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tdx-qgs-service-account
-  namespace: intel-dcap
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
----
-# Security Context Constraint for TDX QGS
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
-  name: tdx-qgs-scc
-  annotations:
-    kubernetes.io/description: "SCC for Intel TDX Quote Generation Service requiring host network access and SGX devices"
-    argocd.argoproj.io/sync-wave: "1"
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: true
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
-  type: MustRunAs
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- KILL
-- MKNOD
-- SETPCAP
-- SYS_CHROOT
-runAsUser:
-  type: MustRunAs
-  uid: 1001
-seLinuxContext:
-  type: MustRunAs
-supplementalGroups:
-  type: RunAsAny
-users:
-- system:serviceaccount:intel-dcap:tdx-qgs-service-account
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret
+# ---
+# # ServiceAccount for TDX QGS DaemonSet
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+#   name: tdx-qgs-service-account
+#   namespace: intel-dcap
+#   annotations:
+#     argocd.argoproj.io/sync-wave: "1"
+# ---
+# # Security Context Constraint for TDX QGS
+# apiVersion: security.openshift.io/v1
+# kind: SecurityContextConstraints
+# metadata:
+#   name: tdx-qgs-scc
+#   annotations:
+#     kubernetes.io/description: "SCC for Intel TDX Quote Generation Service requiring host network access and SGX devices"
+#     argocd.argoproj.io/sync-wave: "1"
+# allowHostDirVolumePlugin: false
+# allowHostIPC: false
+# allowHostNetwork: true
+# allowHostPID: false
+# allowHostPorts: false
+# allowPrivilegedContainer: false
+# allowedCapabilities: null
+# defaultAddCapabilities: null
+# fsGroup:
+#   type: MustRunAs
+# priority: null
+# readOnlyRootFilesystem: false
+# requiredDropCapabilities:
+# - KILL
+# - MKNOD
+# - SETPCAP
+# - SYS_CHROOT
+# runAsUser:
+#   type: MustRunAs
+#   uid: 1001
+# seLinuxContext:
+#   type: MustRunAs
+# supplementalGroups:
+#   type: RunAsAny
+# users:
+# - system:serviceaccount:intel-dcap:tdx-qgs-service-account
+# volumes:
+# - configMap
+# - downwardAPI
+# - emptyDir
+# - persistentVolumeClaim
+# - projected
+# - secret

charts/coco-supported/baremetal/templates/qgs-sgx-cm.yaml

@@ -1,16 +1,16 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sgx-default-qcnl-conf
-  namespace: intel-dcap
-data:
-  sgx_default_qcnl.conf: |
-    {
-      "pccs_url": "https://pccs-service:8042/sgx/certification/v4/",
-      "use_secure_cert": false,
-      "retry_times": 6,
-      "retry_delay": 10,
-      "pck_cache_expire_hours": 168,
-      "verify_collateral_cache_expire_hours": 168,
-      "local_cache_only": false
-    }
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: sgx-default-qcnl-conf
+#   namespace: intel-dcap
+# data:
+#   sgx_default_qcnl.conf: |
+#     {
+#       "pccs_url": "https://pccs-service:8042/sgx/certification/v4/",
+#       "use_secure_cert": false,
+#       "retry_times": 6,
+#       "retry_delay": 10,
+#       "pck_cache_expire_hours": 168,
+#       "verify_collateral_cache_expire_hours": 168,
+#       "local_cache_only": false
+#     }