coco: initial integration for Confidential Containers and Trustee operators (#80)

* coco: initial integration with ztvp

This adds initial integration for Confidential Containers and Trustee
Operators as a separated clustergroup.

Co-authored-by: Chris Butler <chris.butler@redhat.com>
Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: add imperative job to configure x509pop

Add automated configuration for SPIRE Server x509pop NodeAttestor plugin
required for CoCo peer-pods attestation.

CoCo peer-pods run on untrusted cloud infrastructure. Using k8s_psat
would require trusting the cloud provider's cluster. Instead, pods
perform hardware TEE attestation to KBS to obtain x509 certificates as
cryptographic proof of running in genuine confidential hardware, then
use x509pop to register with SPIRE.

The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop
configuration, requiring a ConfigMap patch via this imperative job.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: introducing the hello-coco app

Add hello-coco Helm chart demonstrating SPIRE agent deployment in
confidential containers using x509pop node attestation. The chart
deploys a test pod in a CoCo peer-pod (confidential VM with AMD SNP or
Intel TDX) that fetches SPIRE agent certificates from KBS after TEE
attestation, establishing hardware as the root of trust instead of
Kubernetes.

The pod contains three containers: init container fetches sealed
secrets from KBS, SPIRE agent uses x509pop for node attestation, and
test workload receives SPIFFE SVIDs via unix attestation. This
validates the complete integration flow between ZTVP and CoCo
components.

Note: This could be dropped, if we stick with only the todoapp.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: update the values-secret template

Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: add get-pcr.sh script for attestation measurements

* coco: add get-secrets-coco.sh

Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: adding confidential documentation

Basic markdown file with deployment steps.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

* coco: automate pull-secret via ESO cross-namespace

Peer-pods don't have access to the node's pull-secret, needed for
private repos. Use ESO kubernetes provider to sync pull-secret from
openshift-config to the workload namespace.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

---------

Signed-off-by: Beraldo Leal <bleal@redhat.com>
Co-authored-by: Chris Butler <chris.butler@redhat.com>

Author: beraldoleal

ansible/azure-nat-gateway.yaml

@@ -0,0 +1,88 @@
+---
+
+- name: Configure Azure NAT Gateway
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    resource_prefix: "coco"
+  tasks:
+    - name: Get Azure credentials # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        kind: Secret
+        namespace: openshift-cloud-controller-manager
+        name: azure-cloud-credentials
+      register: azure_credentials
+      retries: 20
+      delay: 5
+
+    - name: Get Azure configuration # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: openshift-cloud-controller-manager
+        name: cloud-conf
+      register: azure_cloud_conf
+      retries: 20
+      delay: 5
+
+    - name: Set facts
+      ansible.builtin.set_fact:
+        azure_subscription_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subscriptionId'] }}"
+        azure_tenant_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['tenantId'] }}"
+        azure_resource_group: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetResourceGroup'] }}"
+        azure_client_id: "{{ azure_credentials.resources[0]['data']['azure_client_id'] | b64decode }}"
+        azure_client_secret: "{{ azure_credentials.resources[0]['data']['azure_client_secret'] | b64decode }}"
+        azure_vnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetName'] }}"
+        azure_subnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subnetName'] }}"
+        coco_public_ip_name: "{{ resource_prefix }}-pip"
+        coco_nat_gateway_name: "{{ resource_prefix }}-nat-gateway"
+      no_log: true
+
+    - name: Create Public IP for NAT Gateway
+      azure.azcollection.azure_rm_publicipaddress:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_public_ip_name }}"
+        sku: "standard"
+        allocation_method: "static"
+
+    - name: Retrieve Public IP for NAT Gateway
+      azure.azcollection.azure_rm_publicipaddress_info:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_public_ip_name }}"
+      register: coco_gw_public_ip
+
+    - name: Create NAT Gateway
+      azure.azcollection.azure_rm_natgateway:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ coco_nat_gateway_name }}"
+        idle_timeout_in_minutes: 10
+        sku:
+          name: standard
+        public_ip_addresses:
+          - "{{ coco_gw_public_ip.publicipaddresses[0].id }}"
+      register: coco_natgw
+
+    - name: Update the worker subnet to associate NAT gateway
+      azure.azcollection.azure_rm_subnet:
+        subscription_id: "{{ azure_subscription_id }}"
+        tenant: "{{ azure_tenant_id }}"
+        client_id: "{{ azure_client_id }}"
+        secret: "{{ azure_client_secret }}"
+        resource_group: "{{ azure_resource_group }}"
+        name: "{{ azure_subnet }}"
+        virtual_network_name: "{{ azure_vnet }}"
+        nat_gateway: "{{ coco_nat_gateway_name }}"

ansible/configure-spire-server-x509pop.yaml

@@ -0,0 +1,144 @@
+---
+# Configure SPIRE Server to support x509pop node attestation for CoCo pods
+# The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop plugin configuration
+# This job patches the operator-generated ConfigMap and StatefulSet to add x509pop support
+#
+# IMPORTANT: The operator must have CREATE_ONLY_MODE=true env var set (via subscription
+# config) to prevent it from reverting our manual patches. Without this, the operator
+# continuously reconciles and overwrites x509pop changes.
+# Note: In v0.2.0 (tech-preview) this was done via a CR annotation
+# (ztwim.openshift.io/create-only). In v1.0.0 (GA) it changed to the env var.
+
+- name: Configure SPIRE Server for x509pop attestation
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    spire_namespace: "zero-trust-workload-identity-manager"
+    configmap_name: "spire-server"
+    statefulset_name: "spire-server"
+    ca_configmap_name: "spire-x509pop-ca"
+    ca_mount_path: "/run/spire/x509pop-ca"
+  tasks:
+    - name: Get ZeroTrustWorkloadIdentityManager CR to determine expected cluster name # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        api_version: operator.openshift.io/v1alpha1
+        kind: ZeroTrustWorkloadIdentityManager
+        name: cluster
+      register: ztwim_cr
+      retries: 30
+      delay: 10
+      until: ztwim_cr.resources | length > 0
+
+    - name: Extract expected cluster name from ZTWIM CR
+      ansible.builtin.set_fact:
+        expected_cluster_name: "{{ ztwim_cr.resources[0].spec.clusterName }}"
+
+    - name: Display expected cluster name
+      ansible.builtin.debug:
+        msg: "Expected cluster name from ZTWIM CR: {{ expected_cluster_name }}"
+
+    - name: Wait for SPIRE Server ConfigMap with correct cluster name # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_configmap
+      retries: 60
+      delay: 5
+      until: >
+        spire_configmap.resources | length > 0 and
+        (spire_configmap.resources[0].data['server.conf'] | from_json
+        ).plugins.NodeAttestor[0].k8s_psat.plugin_data.clusters[0][expected_cluster_name] is defined
+
+    - name: ConfigMap has correct cluster name
+      ansible.builtin.debug:
+        msg: "ConfigMap verified with correct cluster name: {{ expected_cluster_name }}"
+
+    - name: Get current SPIRE Server configuration # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        kind: ConfigMap
+        namespace: "{{ spire_namespace }}"
+        name: "{{ configmap_name }}"
+      register: spire_config
+
+    - name: Parse server configuration
+      ansible.builtin.set_fact:
+        server_conf: "{{ spire_config.resources[0].data['server.conf'] | from_json }}"
+
+    - name: Check if x509pop already configured
+      ansible.builtin.set_fact:
+        x509pop_exists: "{{ server_conf.plugins.NodeAttestor | selectattr('x509pop', 'defined') | list | length > 0 }}"
+
+    - name: Add x509pop NodeAttestor plugin # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "{{ configmap_name }}"
+            namespace: "{{ spire_namespace }}"
+          data:
+            server.conf: >-
+              {{ server_conf | combine({'plugins': {'NodeAttestor':
+              server_conf.plugins.NodeAttestor + [{'x509pop': {'plugin_data':
+              {'ca_bundle_path': '/run/spire/x509pop-ca/ca-bundle.pem'}}}]}},
+              recursive=True) | to_json }}
+      when: not x509pop_exists
+
+    - name: Wait for SPIRE Server StatefulSet to exist # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s_info:
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+      register: spire_statefulset
+      retries: 30
+      delay: 10
+      until: spire_statefulset.resources | length > 0
+
+    - name: Check if CA volume already mounted
+      ansible.builtin.set_fact:
+        ca_volume_exists: "{{ spire_statefulset.resources[0].spec.template.spec.volumes | selectattr('name', 'equalto', 'x509pop-ca') | list | length > 0 }}"
+
+    - name: Add CA volume to SPIRE Server StatefulSet # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s:
+        state: patched
+        kind: StatefulSet
+        namespace: "{{ spire_namespace }}"
+        name: "{{ statefulset_name }}"
+        definition:
+          spec:
+            template:
+              spec:
+                volumes:
+                  - name: x509pop-ca
+                    configMap:
+                      name: "{{ ca_configmap_name }}"
+                containers:
+                  - name: spire-server
+                    volumeMounts:
+                      - name: x509pop-ca
+                        mountPath: "{{ ca_mount_path }}"
+                        readOnly: true
+      when: not ca_volume_exists
+
+    - name: Restart SPIRE Server to apply configuration # noqa: syntax-check[unknown-module]
+      kubernetes.core.k8s:
+        state: absent
+        kind: Pod
+        namespace: "{{ spire_namespace }}"
+        label_selectors:
+          - app.kubernetes.io/name=server
+      when: (not x509pop_exists) or (not ca_volume_exists)
+
+    - name: Configuration status
+      ansible.builtin.debug:
+        msg: >-
+          {{ 'x509pop already configured' if (x509pop_exists and ca_volume_exists)
+          else 'x509pop NodeAttestor plugin and CA volume mount configured successfully' }}
+
+    - name: Final status
+      ansible.builtin.debug:
+        msg: "x509pop configuration complete. CREATE_ONLY_MODE env var on the operator prevents reverts."