feat!: update to general availability versions of sandboxed containers and trustee

README.md

@@ -29,9 +29,27 @@ Future work includes:
 
 ## Major versions
 
+### `3.*`
+
+Version `3.*` of the pattern is currently constrained to support the general availability releases of coco.
+
+- (OpenShift Sandboxed Containers Operator) `1.10.*` and above
+- Trustee `0.4.*`
+
+This limits support to OpenShift 4.16 and higher.
+
+The pattern has been tested on Azure for two installation methods:
+
+1. Installing onto an ARO cluster
+2. Self managed OpenShift install using the `openshift-install` CLI.
+
+#### Known limitations
+
+[Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries.
+
 ### `2.*`
 
-This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support:
+Version `2.*` of the pattern is currently constrained to support:
 
 - (OpenShift Sandboxed Containers Operator) `1.9.*`
 - Trustee `0.3.*`

ansible/gzipper.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+
+import gzip
+import sys
+
+
+def main():
+    if len(sys.argv) != 3:
+        print("Usage: python3 gzipper.py <file_to_gzip> <gzipped_file_name>")
+        sys.exit(1)
+
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+
+    try:
+        # Read the input file
+        with open(input_file, "rb") as f_in:
+            data = f_in.read()
+
+        # Compress and write to output file
+        with gzip.open(output_file, "wb") as f_out:
+            f_out.write(data)
+
+        print(f"Successfully compressed '{input_file}' to '{output_file}'")
+
+    except FileNotFoundError:
+        print(f"Error: File '{input_file}' not found")
+        sys.exit(1)
+    except Exception as e:
+        print(f"Error: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

ansible/init-data-gzipper.yaml

@@ -0,0 +1,51 @@
+- name: Collect AWS facts and set secrurity group policies
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
+    hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    template_src: "initdata-default.toml.tpl"
+  tasks:
+    - name: Create temporary working directory
+      ansible.builtin.tempfile:
+        state: directory
+        suffix: initdata
+      register: tmpdir
+
+    - name: Define temp file paths
+      ansible.builtin.set_fact:
+        rendered_path: "{{ tmpdir.path }}/rendered.toml"
+        gz_path: "{{ tmpdir.path }}/rendered.toml.gz"
+
+    - name: Render template to temp file
+      ansible.builtin.template:
+        src: "{{ template_src }}"
+        dest: "{{ rendered_path }}"
+        mode: "0600"
+
+
+    - name: Gzip the rendered content
+      ansible.builtin.shell: |
+        python3 gzipper.py "{{ rendered_path }}" "{{ gz_path }}"
+      changed_when: true
+
+    - name: Read gzip as base64
+      ansible.builtin.slurp:
+        path: "{{ gz_path }}"
+      register: gz_slurped
+
+    - name: Create/update ConfigMap with gzipped+base64 content
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig | default(omit) }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "initdata"
+            namespace: "imperative"
+          data:
+            INITDATA: "{{ gz_slurped.content }}"

charts/coco-supported/sandbox/initdata.toml.tpl → ansible/initdata-default.toml.tpl

@@ -5,10 +5,10 @@ version = "0.1.0"
 "aa.toml" = '''
 [token_configs]
 [token_configs.coco_as]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 
 [token_configs.kbs]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''
 
 "cdh.toml"  = '''
@@ -17,5 +17,5 @@ credentials = []
 
 [kbc]
 name = "cc_kbc"
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''

charts/coco-supported/kbs-access/templates/secure-pod.yaml

@@ -21,17 +21,11 @@ spec:
           name: kbsref
   initContainers:
   - name: curl
-    image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
+    image: registry.access.redhat.com/ubi9/ubi:latest # Lightweight image with curl installed
     command: ['sh', '-c', 'curl -s http://127.0.0.1:8006/cdh/resource/default/kbsres1/key3 > /output/kbsres1.txt']
     volumeMounts:
     - name: output-volume
       mountPath: /output
-  # - name: hi
-  #   image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
-  #   command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt']
-  #   volumeMounts:
-  #   - name: output-volume
-  #     mountPath: /output
   volumes:
   - name: output-volume
     emptyDir: {}

charts/coco-supported/sandbox/templates/peer-pods-cm.yaml

@@ -37,7 +37,8 @@ spec:
               AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}'
               DISABLECVM: "false"
               PROXY_TIMEOUT: "5m"
-              INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}'
+              INITDATA: '{{ `{{if (lookup "v1" "ConfigMap" "imperative" "initdata").metadata.name }}{{ fromConfigMap "imperative" "initdata" "INITDATA" }}{{ else }}{{ end }}` }}'
+
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding

charts/coco-supported/sandbox/values.yaml

@@ -1,11 +1,6 @@
 global:
   cocoUpstream: true
   cocoConverged: true
-  azure:
-    clusterResGroup: ''
-    clusterSubnet: ''
-    clusterNSG: ''
-    clusterRegion: ''
 
 secretStore:
   name: vault-backend

rhdp/wrapper.sh

@@ -89,7 +89,7 @@ echo "---------------------"
 export KUBECONFIG=`pwd`/openshift-install/auth/kubeconfig
 
 
-./pattern.sh make install
+#./pattern.sh make install
 echo "---------------------"
 echo "pattern install done"
 echo "---------------------"

values-simple.yaml

@@ -20,20 +20,25 @@ clusterGroup:
     acm:
       name: advanced-cluster-management
       namespace: open-cluster-management
-      channel: release-2.12
-
+      channel: release-2.13
     sandbox:
       name: sandboxed-containers-operator
       namespace: openshift-sandboxed-containers-operator
+      source: redhat-operators
       channel: stable
-      version: "1.9.*" # 1.9.* matches with trustee 0.3.*
+      # correctly pin versions
+      installPlanApproval: Manual
+      csv: sandboxed-containers-operator.v1.10.1
     trustee:
       name: trustee-operator
       namespace: trustee-operator-system
       source: redhat-operators
       channel: stable
-      version: "0.3.*"
+       # correctly pin versions
+      installPlanApproval: Manual
+      csv: trustee-operator.v0.4.1
 
+
     cert-manager:
       name: openshift-cert-manager-operator
       namespace: cert-manager-operator
@@ -93,7 +98,7 @@ clusterGroup:
       # Default to 'safe' for ARO
       overrides:
       - name: letsencrypt.enabled
-        value: false
+        value: true
     hello-openshift:
       name: hello-openshift
       namespace: hello-openshift
@@ -128,6 +133,10 @@ clusterGroup:
       playbook: ansible/azure-nat-gateway.yaml
       verbosity: -vvv
       timeout: 3600
+    - name: init-data-gzipper
+      playbook: ansible/init-data-gzipper.yaml
+      verbosity: -vvv
+      timeout: 3600
   managedClusterGroups:
     exampleRegion:
       name: group-one