coco: initial integration with ztvp

This adds initial integration for Confidential Containers and Trustee
Operators as a separated clustergroup.

Co-authored-by: Chris Butler <chris.butler@redhat.com>
Signed-off-by: Beraldo Leal <bleal@redhat.com>

Author: beraldoleal

ansible/azure-nat-gateway.yaml

@@ -0,0 +1,88 @@
+---
+
+- name: Configure Azure NAT Gateway
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    resource_prefix: "coco"
+  tasks:
+    - name: Get Azure credentials
+      kubernetes.core.k8s_info:
+        kind: Secret
+        namespace: openshift-cloud-controller-manager
+        name: azure-cloud-credentials
+      register: azure_credentials
+      retries: 20
+      delay: 5
+
+    - name: Get Azure configuration
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: openshift-cloud-controller-manager
+        name: cloud-conf
+      register: azure_cloud_conf
+      retries: 20
+      delay: 5
+
+    - name: Set facts
+      ansible.builtin.set_fact:
+        azure_subscription_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subscriptionId'] }}"
+        azure_tenant_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['tenantId'] }}"
+        azure_resource_group: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetResourceGroup'] }}"
+        azure_client_id: "{{ azure_credentials.resources[0]['data']['azure_client_id'] | b64decode }}"
+        azure_client_secret: "{{ azure_credentials.resources[0]['data']['azure_client_secret'] | b64decode }}"
+        azure_vnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetName'] }}"
+        azure_subnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subnetName'] }}"
+        coco_public_ip_name: "{{ resource_prefix }}-pip"
+        coco_nat_gateway_name: "{{ resource_prefix }}-nat-gateway"
+      no_log: true
+
+    - name: Create Public IP for NAT Gateway
+      azure.azcollection.azure_rm_publicipaddress:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_public_ip_name }}"
+        sku: "standard"
+        allocation_method: "static"
+
+    - name: Retrieve Public IP for NAT Gateway
+      azure.azcollection.azure_rm_publicipaddress_info:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_public_ip_name }}"
+      register: coco_gw_public_ip
+
+    - name: Create NAT Gateway
+      azure.azcollection.azure_rm_natgateway:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_nat_gateway_name }}"
+        idle_timeout_in_minutes: 10
+        sku:
+          name: standard
+        public_ip_addresses:
+          - "{{ coco_gw_public_ip.publicipaddresses[0].id }}"
+      register: coco_natgw
+
+    - name: Update the worker subnet to associate NAT gateway
+      azure.azcollection.azure_rm_subnet:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ azure_subnet }}"
+        virtual_network_name: "{{ azure_vnet }}"
+        nat_gateway: "{{ coco_nat_gateway_name }}"

ansible/azure-requirements.txt

@@ -0,0 +1,5 @@
+azure-identity>=1.19.0
+azure-mgmt-core>=1.4.0
+azure-mgmt-managementgroups>=1.0.0
+azure-mgmt-network>=25.0.0
+azure-mgmt-resource>=23.0.0

ansible/init-data-gzipper.yaml

@@ -0,0 +1,73 @@
+- name: Gzip initdata
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
+    hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    image_security_policy: "{{ coco.imageSecurityPolicy | default('insecure') }}"
+    template_src: "initdata-default.toml.tpl"
+  tasks:
+    - name: Create temporary working directory
+      ansible.builtin.tempfile:
+        state: directory
+        suffix: initdata
+      register: tmpdir
+    - name: Read KBS TLS secret from Kubernetes
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+        api_version: v1
+        kind: Secret
+        name: kbs-tls-self-signed
+        namespace: imperative
+      register: kbs_secret_result
+
+    - name: Extract and decode certificate from secret
+      ansible.builtin.set_fact:
+        trustee_cert: "{{ kbs_secret_result.resources[0].data['tls.crt'] | b64decode }}"
+      when: kbs_secret_result.resources | length > 0
+
+    - name: Fail if certificate not found
+      ansible.builtin.fail:
+        msg: "KBS TLS certificate not found in secret 'kbs-tls-self-signed' in namespace 'imperative'"
+      when: kbs_secret_result.resources | length == 0
+
+    - name: Define temp file paths
+      ansible.builtin.set_fact:
+        rendered_path: "{{ tmpdir.path }}/rendered.toml"
+
+    - name: Render template to temp file
+      ansible.builtin.template:
+        src: "{{ template_src }}"
+        dest: "{{ rendered_path }}"
+        mode: "0600"
+
+
+    - name: Gzip and base64 encode the rendered content
+      ansible.builtin.shell: |
+        cat "{{ rendered_path }}" | gzip | base64 -w0
+      register: initdata_encoded
+      changed_when: false
+
+    - name: Compute PCR8 hash from initdata
+      ansible.builtin.shell: |
+        hash=$(sha256sum "{{ rendered_path }}" | cut -d' ' -f1)
+        initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
+        echo -n "$initial_pcr$hash" | python3 -c "import sys,hashlib; print(hashlib.sha256(bytes.fromhex(sys.stdin.read())).hexdigest())"
+      register: pcr8_hash
+
+    - name: Create/update ConfigMap with gzipped+base64 content
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig | default(omit) }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "initdata"
+            namespace: "imperative"
+          data:
+            INITDATA: "{{ initdata_encoded.stdout }}"
+            PCR8_HASH: "{{ pcr8_hash.stdout }}"

ansible/initdata-default.toml.tpl

@@ -0,0 +1,93 @@
+# NOTE: PodVMs run in separate VMs outside the cluster network, so they cannot
+# resolve cluster-internal service DNS (*.svc.cluster.local). Therefore, we must
+# use the external KBS route even for same-cluster deployments.
+# For multi-cluster deployments, this also points to the trusted cluster's KBS.
+
+algorithm = "sha256"
+version = "0.1.0"
+
+[data]
+"aa.toml" = '''
+[token_configs]
+[token_configs.coco_as]
+url = "https://kbs.{{ hub_domain }}"
+
+[token_configs.kbs]
+url = "https://kbs.{{ hub_domain }}"
+cert = """{{ trustee_cert }}"""
+'''
+
+"cdh.toml"  = '''
+socket = 'unix:///run/confidential-containers/cdh.sock'
+credentials = []
+
+[kbc]
+name = "cc_kbc"
+url = "https://kbs.{{ hub_domain }}"
+kbs_cert = """{{ trustee_cert }}"""
+
+[image]
+# Container image signature verification policy
+# Options: insecure, reject, signed (configured via coco.imageSecurityPolicy in values)
+image_security_policy_uri = "kbs:///default/security-policy/{{ image_security_policy }}"
+'''
+
+"policy.rego" = '''
+package agent_policy
+
+import future.keywords.in
+import future.keywords.if
+import future.keywords.every
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+# FIXME: ExecProcessRequest and WriteStreamRequest are temporarily restricted
+# with a whitelist. This needs proper hardening before production use.
+default ExecProcessRequest := false
+default SetPolicyRequest := true
+default WriteStreamRequest := false
+
+ExecProcessRequest if {
+    input_command = concat(" ", input.process.Args)
+    some allowed_command in policy_data.allowed_commands
+    input_command == allowed_command
+}
+
+policy_data := {
+  "allowed_commands": [
+        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status",
+        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/random"
+  ]
+}
+'''

ansible/install-deps.yaml

@@ -0,0 +1,18 @@
+- name: Retrieve Credentials for AAP on OpenShift
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Ensure collection is installed
+      community.general.ansible_galaxy_install:
+        type: collection
+        name: azure.azcollection
+    - name: Ensure community.crypto collection is installed
+      community.general.ansible_galaxy_install:
+        type: collection
+        name: community.crypto
+    - name: Install Azure SDK
+      ansible.builtin.pip:
+        requirements: "~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt"
+        extra_args: --user

overrides/values-Azure.yaml

@@ -0,0 +1,8 @@
+# Azure platform-specific configuration
+
+# CoCo confidential computing configuration for Azure
+global:
+  coco:
+    azure:
+      defaultVMFlavour: "Standard_DC2eds_v5"
+      VMFlavours: "Standard_DC2eds_v5,Standard_DC4eds_v5,Standard_DC8eds_v5,Standard_DC16eds_v5"

overrides/values-sandbox.yaml

@@ -0,0 +1,8 @@
+# Override the default values for the sandboxed-containers chart
+# Configures External Secrets Operator integration for Azure SSH keys
+
+# Secret store configuration for External Secrets Operator
+# Points to the ClusterSecretStore that knows how to connect to Vault
+secretStore:
+  name: vault-backend
+  kind: ClusterSecretStore

overrides/values-trustee.yaml

@@ -0,0 +1,24 @@
+# Override the default values for the trustee chart
+# This lists the secret resources that are uploaded to your chosen ESO backend (default: Vault).
+# It does not contain the secrets themselves, only references to Vault paths.
+#
+# NOTE: When adding new CoCo workloads to coco.workloads, you must also add
+# corresponding spire-cert-{workload} and spire-key-{workload} entries here
+
+# Secret store configuration for External Secrets Operator
+# Points to the ClusterSecretStore that knows how to connect to Vault
+secretStore:
+  name: vault-backend
+  kind: ClusterSecretStore
+
+kbs:
+  secretResources:
+    - name: "attestation-status"
+      key: "secret/data/hub/attestationStatus"
+    - name: "passphrase"
+      key: "secret/data/hub/passphrase"
+    # SPIRE x509pop certificates per workload type
+    - name: "spire-cert-qtodo"
+      key: "secret/data/pushsecrets/spire-cert-qtodo"
+    - name: "spire-key-qtodo"
+      key: "secret/data/pushsecrets/spire-key-qtodo"