coco: add imperative job to configure x509pop

Add automated configuration for SPIRE Server x509pop NodeAttestor plugin
required for CoCo peer-pods attestation.

CoCo peer-pods run on untrusted cloud infrastructure. Using k8s_psat
would require trusting the cloud provider's cluster. Instead, pods
perform hardware TEE attestation to KBS to obtain x509 certificates as
cryptographic proof of running in genuine confidential hardware, then
use x509pop to register with SPIRE.

The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop
configuration, requiring a ConfigMap patch via this imperative job.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

Author: beraldoleal

ansible/configure-spire-server-x509pop.yaml

@@ -0,0 +1,156 @@
+---
+# Configure SPIRE Server to support x509pop node attestation for CoCo pods
+# The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop plugin configuration
+# This job patches the operator-generated ConfigMap and StatefulSet to add x509pop support
+#
+# IMPORTANT: This playbook enables "create-only mode" on the SpireServer CR to prevent
+# the operator from reverting our manual patches. This is done via the annotation:
+#   ztwim.openshift.io/create-only: "true"
+#
+# NOTE: The create-only mode is enabled AFTER verifying the ConfigMap has the correct
+# cluster name. This prevents a race condition where the operator hasn't fully reconciled
+# the ConfigMap before we lock it.
+
+- name: Configure SPIRE Server for x509pop attestation
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    spire_namespace: "zero-trust-workload-identity-manager"
+    configmap_name: "spire-server"
+    statefulset_name: "spire-server"
+    ca_configmap_name: "spire-x509pop-ca"
+    ca_mount_path: "/run/spire/x509pop-ca"
+  tasks:
+    - name: Get SpireServer CR to determine expected cluster name
+      kubernetes.core.k8s_info:
+        api_version: operator.openshift.io/v1alpha1
+        kind: SpireServer
+        name: cluster
+        namespace: "{{ spire_namespace }}"
+      register: spire_server_cr
+      retries: 30
+      delay: 10
+      until: spire_server_cr.resources | length > 0
+
+    - name: Extract expected cluster name from SpireServer CR
+      ansible.builtin.set_fact:
+        expected_cluster_name: "{{ spire_server_cr.resources[0].spec.clusterName }}"
+
+    - name: Display expected cluster name
+      ansible.builtin.debug:
+        msg: "Expected cluster name from SpireServer CR: {{ expected_cluster_name }}"
+
+    - name: Wait for SPIRE Server ConfigMap with correct cluster name
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_configmap
+      retries: 60
+      delay: 5
+      until: >
+        spire_configmap.resources | length > 0 and
+        (spire_configmap.resources[0].data['server.conf'] | from_json).plugins.NodeAttestor[0].k8s_psat.plugin_data.clusters[0][expected_cluster_name] is defined
+
+    - name: ConfigMap has correct cluster name
+      ansible.builtin.debug:
+        msg: "ConfigMap verified with correct cluster name: {{ expected_cluster_name }}"
+
+    - name: Get current SPIRE Server configuration
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_config
+
+    - name: Parse server configuration
+      ansible.builtin.set_fact:
+        server_conf: "{{ spire_config.resources[0].data['server.conf'] | from_json }}"
+
+    - name: Check if x509pop already configured
+      ansible.builtin.set_fact:
+        x509pop_exists: "{{ server_conf.plugins.NodeAttestor | selectattr('x509pop', 'defined') | list | length > 0 }}"
+
+    - name: Add x509pop NodeAttestor plugin
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "{{ configmap_name }}"
+            namespace: "{{ spire_namespace }}"
+          data:
+            server.conf: "{{ server_conf | combine({'plugins': {'NodeAttestor': server_conf.plugins.NodeAttestor + [{'x509pop': {'plugin_data': {'ca_bundle_path': '/run/spire/x509pop-ca/ca-bundle.pem'}}}]}}, recursive=True) | to_json }}"
+      when: not x509pop_exists
+
+    - name: Wait for SPIRE Server StatefulSet to exist
+      kubernetes.core.k8s_info:
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+      register: spire_statefulset
+      retries: 30
+      delay: 10
+      until: spire_statefulset.resources | length > 0
+
+    - name: Check if CA volume already mounted
+      ansible.builtin.set_fact:
+        ca_volume_exists: "{{ spire_statefulset.resources[0].spec.template.spec.volumes | selectattr('name', 'equalto', 'x509pop-ca') | list | length > 0 }}"
+
+    - name: Add CA volume to SPIRE Server StatefulSet
+      kubernetes.core.k8s:
+        state: patched
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+        definition:
+          spec:
+            template:
+              spec:
+                volumes:
+                  - name: x509pop-ca
+                    configMap:
+                      name: "{{ ca_configmap_name }}"
+                containers:
+                  - name: spire-server
+                    volumeMounts:
+                      - name: x509pop-ca
+                        mountPath: "{{ ca_mount_path }}"
+                        readOnly: true
+      when: not ca_volume_exists
+
+    - name: Restart SPIRE Server to apply configuration
+      kubernetes.core.k8s:
+        state: absent
+        kind: Pod
+        namespace: "{{ spire_namespace }}"
+        label_selectors:
+          - app.kubernetes.io/name=server
+      when: (not x509pop_exists) or (not ca_volume_exists)
+
+    - name: Configuration status
+      ansible.builtin.debug:
+        msg: "{{ 'x509pop already configured' if (x509pop_exists and ca_volume_exists) else 'x509pop NodeAttestor plugin and CA volume mount configured successfully' }}"
+
+    - name: Enable create-only mode on SpireServer CR
+      ansible.builtin.debug:
+        msg: "Enabling create-only mode to prevent operator from reverting x509pop configuration"
+
+    - name: Set create-only annotation on SpireServer CR
+      kubernetes.core.k8s:
+        state: patched
+        api_version: operator.openshift.io/v1alpha1
+        kind: SpireServer
+        name: cluster
+        namespace: "{{ spire_namespace }}"
+        definition:
+          metadata:
+            annotations:
+              ztwim.openshift.io/create-only: "true"
+
+    - name: Final status
+      ansible.builtin.debug:
+        msg: "x509pop configuration complete. Create-only mode enabled to preserve manual patches."

ansible/generate-certificate.yaml

@@ -0,0 +1,230 @@
+---
+# Generic certificate generation task
+# Can generate both CA certificates and agent certificates
+# Parameters:
+#   cert_name: Name for the certificate (e.g., "x509pop-ca", "qtodo-agent")
+#   cert_type: "ca" or "agent"
+#   namespace: Kubernetes namespace to store certificate
+#   output_configmap: Create ConfigMap with cert (true/false)
+#   output_secret: Create Secret with key (true/false)
+#   cert_dir: Temporary directory for cert generation
+#   For agent certs only:
+#     ca_cert_path: Path to CA certificate file
+#     ca_key_path: Path to CA private key file
+#   Certificate details:
+#     common_name: Certificate CN
+#     organization: Certificate O
+#     country: Certificate C
+#     validity_days: Certificate validity period
+#     key_usage: List of key usage extensions
+#     extended_key_usage: List of extended key usage (optional, for agent certs)
+
+- name: "Set certificate paths for {{ cert_name }}"
+  ansible.builtin.set_fact:
+    key_path: "{{ cert_dir }}/{{ cert_name }}-key.pem"
+    cert_path: "{{ cert_dir }}/{{ cert_name }}-cert.pem"
+    csr_path: "{{ cert_dir }}/{{ cert_name }}.csr"
+
+- name: "Check if {{ cert_name }} already exists"
+  kubernetes.core.k8s_info:
+    kind: "{{ 'ConfigMap' if output_configmap else 'Secret' }}"
+    namespace: "{{ namespace }}"
+    name: "{{ cert_name if output_configmap else (key_secret_name | default(cert_name + '-key')) }}"
+  register: existing_cert
+
+- name: "Skip {{ cert_name }} - already exists"
+  ansible.builtin.debug:
+    msg: "Certificate {{ cert_name }} already exists, skipping"
+  when: existing_cert.resources | length > 0
+
+- name: "Generate private key for {{ cert_name }}"
+  community.crypto.openssl_privatekey:
+    path: "{{ key_path }}"
+    size: "{{ 4096 if cert_type == 'ca' else 2048 }}"
+  when: existing_cert.resources | length == 0
+
+- name: "Generate CSR for CA certificate {{ cert_name }}"
+  community.crypto.openssl_csr:
+    path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    common_name: "{{ common_name }}"
+    organization_name: "{{ organization }}"
+    country_name: "{{ country }}"
+    basic_constraints:
+      - "CA:TRUE"
+    basic_constraints_critical: true
+    key_usage: "{{ key_usage }}"
+    key_usage_critical: true
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "ca"
+
+- name: "Generate self-signed CA certificate for {{ cert_name }}"
+  community.crypto.x509_certificate:
+    path: "{{ cert_path }}"
+    csr_path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    provider: selfsigned
+    selfsigned_not_after: "+{{ validity_days }}d"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "ca"
+
+- name: "Generate CSR for {{ cert_name }}"
+  community.crypto.openssl_csr:
+    path: "{{ csr_path }}"
+    privatekey_path: "{{ key_path }}"
+    common_name: "{{ common_name }}"
+    organization_name: "{{ organization }}"
+    country_name: "{{ country }}"
+    key_usage: "{{ key_usage }}"
+    key_usage_critical: true
+    extended_key_usage: "{{ extended_key_usage | default(omit) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+
+- name: "Sign agent certificate for {{ cert_name }}"
+  community.crypto.x509_certificate:
+    path: "{{ cert_path }}"
+    csr_path: "{{ csr_path }}"
+    provider: ownca
+    ownca_path: "{{ ca_cert_path }}"
+    ownca_privatekey_path: "{{ ca_key_path }}"
+    ownca_not_after: "+{{ validity_days }}d"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+
+- name: "Create ConfigMap with certificate for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: "{{ cert_name }}"
+        namespace: "{{ namespace }}"
+      data:
+        ca-bundle.pem: "{{ lookup('file', cert_path) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - output_configmap | default(false)
+
+- name: "Check if {{ cert_name }} key secret exists"
+  kubernetes.core.k8s_info:
+    kind: Secret
+    namespace: "{{ namespace }}"
+    name: "{{ key_secret_name | default(cert_name + '-key') }}"
+  register: existing_key_secret
+  when: output_secret | default(false)
+
+- name: "Create Secret with CA private key for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        ca-key.pem: "{{ lookup('file', key_path) }}"
+  when:
+    - output_secret | default(false)
+    - (existing_key_secret.resources | default([])) | length == 0
+    - cert_type == 'ca'
+
+- name: "Create Secret with agent private key for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        key: "{{ lookup('file', key_path) }}"
+  when:
+    - output_secret | default(false)
+    - (existing_key_secret.resources | default([])) | length == 0
+    - cert_type == 'agent'
+
+- name: "Create Secret with certificate for {{ cert_name }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ cert_secret_name | default(cert_name) }}"
+        namespace: "{{ namespace }}"
+      type: Opaque
+      stringData:
+        cert: "{{ lookup('file', cert_path) }}"
+  when:
+    - existing_cert.resources | length == 0
+    - cert_type == "agent"
+    - not (output_configmap | default(false))
+
+# Push agent certificates to Vault for KBS to serve
+- name: "Create PushSecret for certificate {{ cert_secret_name | default(cert_name) }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: PushSecret
+      metadata:
+        name: "push-{{ cert_secret_name | default(cert_name) }}"
+        namespace: "{{ namespace }}"
+      spec:
+        updatePolicy: Replace
+        deletionPolicy: Delete
+        refreshInterval: 10s
+        secretStoreRefs:
+          - name: vault-backend
+            kind: ClusterSecretStore
+        selector:
+          secret:
+            name: "{{ cert_secret_name | default(cert_name) }}"
+        data:
+          - match:
+              secretKey: cert
+              remoteRef:
+                remoteKey: "pushsecrets/{{ cert_secret_name | default(cert_name) }}"
+                property: cert
+  when:
+    - cert_type == "agent"
+    - not (output_configmap | default(false))
+
+- name: "Create PushSecret for private key {{ key_secret_name | default(cert_name + '-key') }}"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: PushSecret
+      metadata:
+        name: "push-{{ key_secret_name | default(cert_name + '-key') }}"
+        namespace: "{{ namespace }}"
+      spec:
+        updatePolicy: Replace
+        deletionPolicy: Delete
+        refreshInterval: 10s
+        secretStoreRefs:
+          - name: vault-backend
+            kind: ClusterSecretStore
+        selector:
+          secret:
+            name: "{{ key_secret_name | default(cert_name + '-key') }}"
+        data:
+          - match:
+              secretKey: key
+              remoteRef:
+                remoteKey: "pushsecrets/{{ key_secret_name | default(cert_name + '-key') }}"
+                property: key
+  when:
+    - cert_type == "agent"
+    - output_secret | default(false)