coco: add imperative job to configure x509pop

Add automated configuration for SPIRE Server x509pop NodeAttestor plugin
required for CoCo peer-pods attestation.

CoCo peer-pods run on untrusted cloud infrastructure. Using k8s_psat
would require trusting the cloud provider's cluster. Instead, pods
perform hardware TEE attestation to KBS to obtain x509 certificates as
cryptographic proof of running in genuine confidential hardware, then
use x509pop to register with SPIRE.

The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop
configuration, requiring a ConfigMap patch via this imperative job.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

Author: beraldoleal

ansible/configure-spire-server-x509pop.yaml

@@ -0,0 +1,137 @@
+---
+# Configure SPIRE Server to support x509pop node attestation for CoCo pods
+# The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop plugin configuration
+# This job patches the operator-generated ConfigMap and StatefulSet to add x509pop support
+#
+# IMPORTANT: The operator must have CREATE_ONLY_MODE=true env var set (via subscription
+# config) to prevent it from reverting our manual patches. Without this, the operator
+# continuously reconciles and overwrites x509pop changes.
+# Note: In v0.2.0 (tech-preview) this was done via a CR annotation
+# (ztwim.openshift.io/create-only). In v1.0.0 (GA) it changed to the env var.
+
+- name: Configure SPIRE Server for x509pop attestation
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    spire_namespace: "zero-trust-workload-identity-manager"
+    configmap_name: "spire-server"
+    statefulset_name: "spire-server"
+    ca_configmap_name: "spire-x509pop-ca"
+    ca_mount_path: "/run/spire/x509pop-ca"
+  tasks:
+    - name: Get ZeroTrustWorkloadIdentityManager CR to determine expected cluster name
+      kubernetes.core.k8s_info:
+        api_version: operator.openshift.io/v1alpha1
+        kind: ZeroTrustWorkloadIdentityManager
+        name: cluster
+      register: ztwim_cr
+      retries: 30
+      delay: 10
+      until: ztwim_cr.resources | length > 0
+
+    - name: Extract expected cluster name from ZTWIM CR
+      ansible.builtin.set_fact:
+        expected_cluster_name: "{{ ztwim_cr.resources[0].spec.clusterName }}"
+
+    - name: Display expected cluster name
+      ansible.builtin.debug:
+        msg: "Expected cluster name from ZTWIM CR: {{ expected_cluster_name }}"
+
+    - name: Wait for SPIRE Server ConfigMap with correct cluster name
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_configmap
+      retries: 60
+      delay: 5
+      until: >
+        spire_configmap.resources | length > 0 and
+        (spire_configmap.resources[0].data['server.conf'] | from_json).plugins.NodeAttestor[0].k8s_psat.plugin_data.clusters[0][expected_cluster_name] is defined
+
+    - name: ConfigMap has correct cluster name
+      ansible.builtin.debug:
+        msg: "ConfigMap verified with correct cluster name: {{ expected_cluster_name }}"
+
+    - name: Get current SPIRE Server configuration
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_config
+
+    - name: Parse server configuration
+      ansible.builtin.set_fact:
+        server_conf: "{{ spire_config.resources[0].data['server.conf'] | from_json }}"
+
+    - name: Check if x509pop already configured
+      ansible.builtin.set_fact:
+        x509pop_exists: "{{ server_conf.plugins.NodeAttestor | selectattr('x509pop', 'defined') | list | length > 0 }}"
+
+    - name: Add x509pop NodeAttestor plugin
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "{{ configmap_name }}"
+            namespace: "{{ spire_namespace }}"
+          data:
+            server.conf: "{{ server_conf | combine({'plugins': {'NodeAttestor': server_conf.plugins.NodeAttestor + [{'x509pop': {'plugin_data': {'ca_bundle_path': '/run/spire/x509pop-ca/ca-bundle.pem'}}}]}}, recursive=True) | to_json }}"
+      when: not x509pop_exists
+
+    - name: Wait for SPIRE Server StatefulSet to exist
+      kubernetes.core.k8s_info:
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+      register: spire_statefulset
+      retries: 30
+      delay: 10
+      until: spire_statefulset.resources | length > 0
+
+    - name: Check if CA volume already mounted
+      ansible.builtin.set_fact:
+        ca_volume_exists: "{{ spire_statefulset.resources[0].spec.template.spec.volumes | selectattr('name', 'equalto', 'x509pop-ca') | list | length > 0 }}"
+
+    - name: Add CA volume to SPIRE Server StatefulSet
+      kubernetes.core.k8s:
+        state: patched
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+        definition:
+          spec:
+            template:
+              spec:
+                volumes:
+                  - name: x509pop-ca
+                    configMap:
+                      name: "{{ ca_configmap_name }}"
+                containers:
+                  - name: spire-server
+                    volumeMounts:
+                      - name: x509pop-ca
+                        mountPath: "{{ ca_mount_path }}"
+                        readOnly: true
+      when: not ca_volume_exists
+
+    - name: Restart SPIRE Server to apply configuration
+      kubernetes.core.k8s:
+        state: absent
+        kind: Pod
+        namespace: "{{ spire_namespace }}"
+        label_selectors:
+          - app.kubernetes.io/name=server
+      when: (not x509pop_exists) or (not ca_volume_exists)
+
+    - name: Configuration status
+      ansible.builtin.debug:
+        msg: "{{ 'x509pop already configured' if (x509pop_exists and ca_volume_exists) else 'x509pop NodeAttestor plugin and CA volume mount configured successfully' }}"
+
+    - name: Final status
+      ansible.builtin.debug:
+        msg: "x509pop configuration complete. CREATE_ONLY_MODE env var on the operator prevents reverts."

ansible/generate-certificate.yaml

@@ -0,0 +1,230 @@
+---
+# Generic certificate generation task
+# Can generate both CA certificates and agent certificates
+# Parameters:
+#   cert_name: Name for the certificate (e.g., "x509pop-ca", "qtodo-agent")
+#   cert_type: "ca" or "agent"
+#   namespace: Kubernetes namespace to store certificate
+#   output_configmap: Create ConfigMap with cert (true/false)
+#   output_secret: Create Secret with key (true/false)
+#   cert_dir: Temporary directory for cert generation
+#   For agent certs only:
+#     ca_cert_path: Path to CA certificate file
+#     ca_key_path: Path to CA private key file
+#   Certificate details:
+#     common_name: Certificate CN
+#     organization: Certificate O
+#     country: Certificate C
+#     validity_days: Certificate validity period
+#     key_usage: List of key usage extensions
+#     extended_key_usage: List of extended key usage (optional, for agent certs)
+
+- name: "Set certificate paths for {{ cert_name }}"
+  ansible.builtin.set_fact:
+    key_path: "{{ cert_dir }}/{{ cert_name }}-key.pem"
+    cert_path: "{{ cert_dir }}/{{ cert_name }}-cert.pem"
+    csr_path: "{{ cert_dir }}/{{ cert_name }}.csr"
+
+- name: "Check if {{ cert_name }} already exists"
+  kubernetes.core.k8s_info:
+    kind: "{{ 'ConfigMap' if output_configmap else 'Secret' }}"
+    namespace: "{{ namespace }}"
+    name: "{{ cert_name if output_configmap else (key_secret_name | default(cert_name + '-key')) }}"
+  register: existing_cert
+
+- name: "Skip {{ cert_name }} - already exists"
+  ansible.builtin.debug:
+    msg: "Certificate {{ cert_name }} already exists, skipping"
+  when: existing_cert.resources | length > 0
+
+- name: "Generate private key for {{ cert_name }}"
+  community.crypto.openssl_privatekey:
+    path: "{{ key_path }}"
+    size: "{{ 4096 if cert_type == 'ca' else 2048 }}"
+  when: existing_cert.resources | length == 0
+
+- name: "Generate CSR for CA certificate {{ cert_name }}"
+  community.crypto.openssl_csr:
+    path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    common_name: "{{ common_name }}"
+    organization_name: "{{ organization }}"
+    country_name: "{{ country }}"
+    basic_constraints:
+      - "CA:TRUE"
+    basic_constraints_critical: true
+    key_usage: "{{ key_usage }}"
+    key_usage_critical: true
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "ca"
+
+- name: "Generate self-signed CA certificate for {{ cert_name }}"
+  community.crypto.x509_certificate:
+    path: "{{ cert_path }}"
+    csr_path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    provider: selfsigned
+    selfsigned_not_after: "+{{ validity_days }}d"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "ca"
+
+- name: "Generate CSR for {{ cert_name }}"
+  community.crypto.openssl_csr:
+    path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    common_name: "{{ common_name }}"
+    organization_name: "{{ organization }}"
+    country_name: "{{ country }}"
+    key_usage: "{{ key_usage }}"
+    key_usage_critical: true
+    extended_key_usage: "{{ extended_key_usage | default(omit) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+
+- name: "Sign agent certificate for {{ cert_name }}"
+  community.crypto.x509_certificate:
+    path: "{{ cert_path }}"
+    csr_path: "{{ csr_path }}"
+    provider: ownca
+    ownca_path: "{{ ca_cert_path }}"
+    ownca_privatekey_path: "{{ ca_key_path }}"
+    ownca_not_after: "+{{ validity_days }}d"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+
+- name: "Create ConfigMap with certificate for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: "{{ cert_name }}"
+        namespace: "{{ namespace }}"
+      data:
+        ca-bundle.pem: "{{ lookup('file', cert_path) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - output_configmap | default(false)
+
+- name: "Check if {{ cert_name }} key secret exists"
+  kubernetes.core.k8s_info:
+    kind: Secret
+    namespace: "{{ namespace }}"
+    name: "{{ key_secret_name | default(cert_name + '-key') }}"
+  register: existing_key_secret
+  when: output_secret | default(false)
+
+- name: "Create Secret with CA private key for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        ca-key.pem: "{{ lookup('file', key_path) }}"
+  when:
+    - output_secret | default(false)
+    - (existing_key_secret.resources | default([])) | length == 0
+    - cert_type == 'ca'
+
+- name: "Create Secret with agent private key for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        key: "{{ lookup('file', key_path) }}"
+  when:
+    - output_secret | default(false)
+    - (existing_key_secret.resources | default([])) | length == 0
+    - cert_type == 'agent'
+
+- name: "Create Secret with certificate for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ cert_secret_name | default(cert_name) }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        cert: "{{ lookup('file', cert_path) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+    - not (output_configmap | default(false))
+
+# Push agent certificates to Vault for KBS to serve
+- name: "Create PushSecret for certificate {{ cert_secret_name | default(cert_name) }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: PushSecret
+      metadata:
+        name: "push-{{ cert_secret_name | default(cert_name) }}"
+        namespace: "{{ namespace }}"
+      spec:
+        updatePolicy: Replace
+        deletionPolicy: Delete
+        refreshInterval: 10s
+        secretStoreRefs:
+          - name: vault-backend
+            kind: ClusterSecretStore
+        selector:
+          secret:
+            name: "{{ cert_secret_name | default(cert_name) }}"
+        data:
+          - match:
+              secretKey: cert
+              remoteRef:
+                remoteKey: "pushsecrets/{{ cert_secret_name | default(cert_name) }}"
+                property: cert
+  when:
+    - cert_type == "agent"
+    - not (output_configmap | default(false))
+
+- name: "Create PushSecret for private key {{ key_secret_name | default(cert_name + '-key') }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: PushSecret
+      metadata:
+        name: "push-{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      spec:
+        updatePolicy: Replace
+        deletionPolicy: Delete
+        refreshInterval: 10s
+        secretStoreRefs:
+          - name: vault-backend
+            kind: ClusterSecretStore
+        selector:
+          secret:
+            name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        data:
+          - match:
+              secretKey: key
+              remoteRef:
+                remoteKey: "pushsecrets/{{ key_secret_name | default(cert_name + '-key') }}"
+                property: key
+  when:
+    - cert_type == "agent"
+    - output_secret | default(false)