feat: refactor to infer the correct kbs certificate

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

charts/coco-supported/sandbox/initdata.toml.tpl

@@ -1,3 +1,4 @@
+```toml
 algorithm = "sha384"
 version = "0.1.0"
 
@@ -7,15 +8,63 @@ version = "0.1.0"
 [token_configs.coco_as]
 url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
 
+
 [token_configs.kbs]
 url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+cert = """
+acmmagickey_trustee_cert
+"""
 '''
 
 "cdh.toml"  = '''
 socket = 'unix:///run/confidential-containers/cdh.sock'
 credentials = []
 
 [kbc]
-name = "cc_kbc"
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+name = 'cc_kbc'
+url = '<url>:<port>'
+kbs_cert = """ 
+acmmagickey_trustee_cert
+"""
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
 '''
+```

charts/coco-supported/sandbox/templates/initdata-placeholder.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata: 
+  name: initdata-placeholder
+data:
+  initdata: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}' # keep as b64
+
+

charts/coco-supported/sandbox/templates/peer-pods-cm.yaml

@@ -37,7 +37,8 @@ spec:
               AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}'
               DISABLECVM: "false"
               PROXY_TIMEOUT: "5m"
-              INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}'
+              INITDATA: '{{ `{{if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name "tls.crt" | base64dec) | base64enc }}{{ else }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" "router-certs-default" "tls.crt" | base64dec) | base64enc }}{{ end }}` }}'
+
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding