fix: rewrite firmware collection to use veritas container approach (#94)
* feat: add label-based exclusion for firmware collection pods
Add exclude block to inject-coco-initdata Kyverno policy to skip
pods with label coco.io/skip-initdata: "true".
Update firmware collection script to add this label to the pod,
preventing Kyverno from trying to inject init_data (which would
fail since the pod doesn't have coco.io/initdata-configmap annotation).
The firmware collection pod doesn't need init_data injection because
it only collects measurements from the TEE device - it doesn't attest
to KBS or request secrets.
Fixes error: mutation policy inject-coco-initdata error: failed to
evaluate preconditions: failed to substitute variables in condition key
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: rewrite firmware collection to use veritas container approach
Complete rewrite based on Red Hat documentation and veritas usage:
- Runs veritas via podman container (quay.io/openshift_sandboxed_containers/coco-tools:1.12)
- No cluster pods needed - computes firmware values locally from OCP release artifacts
- Auto-detects OCP version from cluster or accepts --ocp-version flag
- Extracts reference-values.json from veritas ConfigMap output
- Saves to ~/.coco-pattern/firmware-reference-values.json
- Uses --hw-xfam-allow x87,sse,avx to prevent attestation failures
Previous approach was fundamentally wrong:
- Tried to run veritas inside a kata pod on the cluster
- Tried to "collect" from /dev/tdx_guest (doesn't work that way)
- Veritas doesn't collect from running hardware - it computes expected
values from OCP release artifacts (kata RPMs, edk2 firmware, etc.)
Now follows the documented approach:
https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.12
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: transform veritas array output to object format for RVPS policy
Veritas outputs firmware reference values as a JSON array:
[{"name": "mr_td", "value": [...]}, ...]
But the trustee-chart RVPS ConfigurationPolicy template expects
an object format:
{"mr_td": [...], "rtmr_1": [...], ...}
Transform the veritas output using jq:
[.[] | {(.name): .value}] | add
This fixes the RVPS policy error:
can't evaluate field mr_td in type []interface {}
Also added jq to prerequisites check.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: add -r flag to yq for cross-version compatibility
yq v3 (kislyuk/yq) outputs JSON strings with quotes by default,
so the embedded JSON in the YAML ConfigMap stays quoted and jq
receives a string instead of an array. Adding -r outputs the raw
string, which both yq v3 and v4 handle correctly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: unify reference value collection for azure and baremetal
Generalize collect-firmware-refvals.sh to support both platforms via
--platform flag (baremetal default, azure optional). This replaces
get-pcr.sh for Azure deployments — veritas pulls the same dm-verity
image, verifies its signature via cosign, and extracts PCR values.
Azure: outputs to ~/.coco-pattern/measurements.json (pcrStash secret)
Baremetal: outputs to ~/.coco-pattern/firmware-reference-values.json
Also adds yq -r fix for v3/v4 cross-compatibility and a new
'make collect-azure-refvals' Makefile target.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update RHDP wrappers to use unified reference value collection
Replace get-pcr.sh call with collect-firmware-refvals.sh --platform azure
in wrapper.sh. Add missing reference value collection step to
wrapper-multicluster.sh (was never collecting PCR values for Vault).
Update RHDP README with prerequisites, env vars, and all deployment modes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
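The two data-shape problems the commit message describes, veritas emitting an array of `{"name", "value"}` entries where the RVPS policy template wants an object, and yq v3 handing jq a quoted JSON string instead of an array when `-r` is missing, can be reproduced and checked offline. The following is an added example written for this page, not code from the commit or the repository; the sample measurement values are constructed placeholders and the `rtmr_1` key is taken from the message. It mirrors the jq expression `[.[] | {(.name): .value}] | add`, tolerates the double-encoded input, and, unlike jq's `add`, refuses duplicate or malformed entries rather than letting the last one silently win.

```python
"""Normalise veritas-style firmware reference values into the object format
the RVPS ConfigurationPolicy template expects.

Added example, not part of the commit or project. Mirrors the jq pipeline
    [.[] | {(.name): .value}] | add
and additionally handles the yq v3 symptom where the array arrives as a
JSON string (the case fixed upstream by adding -r to yq).
"""
import json

# Constructed sample in the array shape the commit message describes.
SAMPLE_VERITAS_OUTPUT = json.dumps([
    {"name": "mr_td", "value": ["aa" * 24]},
    {"name": "rtmr_1", "value": ["bb" * 24]},
])

# Same sample as yq v3 would emit without -r: the array serialised as a string.
SAMPLE_DOUBLE_ENCODED = json.dumps(SAMPLE_VERITAS_OUTPUT)


def unwrap_json(text: str):
    """Parse JSON; if the result is itself a JSON string, parse it once more."""
    data = json.loads(text)
    if isinstance(data, str):
        data = json.loads(data)
    return data


def to_rvps_object(text: str) -> dict:
    """Equivalent of jq '[.[] | {(.name): .value}] | add', with stricter checks.

    Raises on non-array input (the "can't evaluate field mr_td in type
    []interface {}" class of error would otherwise surface much later, inside
    the policy engine), on entries missing name/value, and on duplicate names.
    An empty array yields {} rather than jq's null.
    """
    data = unwrap_json(text)
    if not isinstance(data, list):
        raise TypeError(
            f"expected a JSON array of reference values, got {type(data).__name__}"
        )
    result = {}
    for entry in data:
        if not isinstance(entry, dict) or "name" not in entry or "value" not in entry:
            raise ValueError(f"malformed reference value entry: {entry!r}")
        name = entry["name"]
        if name in result:
            raise ValueError(f"duplicate reference value name: {name}")
        result[name] = entry["value"]
    return result


if __name__ == "__main__":
    # Both inputs normalise to the same object the RVPS template can index.
    print(json.dumps(to_rvps_object(SAMPLE_VERITAS_OUTPUT), indent=2))
    print(json.dumps(to_rvps_object(SAMPLE_DOUBLE_ENCODED), indent=2))
```

Feeding the ConfigMap-extracted JSON through a check like this before it is written into the RVPS ConfigurationPolicy turns a confusing template-evaluation error into an immediate, specific failure at collection time.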