From cd497497c9b9b5c609dd0b99591be967b10807c9 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 25 Aug 2025 09:42:49 +1000 Subject: [PATCH 1/9] feat!: update to general availability versions of sandboxed containers and trustee BREAKING CHANGE: pre GA releases will no longer work due to introduction of compressed initdata Signed-off-by: Chris Butler --- README.md | 19 ++++++- ansible/gzipper.py | 33 +++++++++++++ ansible/init-data-gzipper.yaml | 49 +++++++++++++++++++ .../initdata-default.toml.tpl | 6 +-- .../kbs-access/templates/secure-pod.yaml | 8 +-- .../sandbox/templates/peer-pods-cm.yaml | 3 +- charts/coco-supported/sandbox/values.yaml | 5 -- rhdp/wrapper.sh | 2 +- values-simple.yaml | 19 +++++-- 9 files changed, 121 insertions(+), 23 deletions(-) create mode 100644 ansible/gzipper.py create mode 100644 ansible/init-data-gzipper.yaml rename charts/coco-supported/sandbox/initdata.toml.tpl => ansible/initdata-default.toml.tpl (50%) diff --git a/README.md b/README.md index f9b62767..c1ae6f8d 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,26 @@ Future work includes: ## Major versions +### `3.*` +Version `3.*` of the pattern is currently constrained to support the general availability releases of coco. + +- (OpenShift Sandboxed Containers Operator) `1.10.*` and above +- Trustee `0.4.*` + +This limits support to OpenShift 4.16 and higher. + +The pattern has been tested on Azure for two installation methods: + +1. Installing onto an ARO cluster +2. Self managed OpenShift install using the `openshift-install` CLI. + +#### Known limitations +[Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries. + + ### `2.*` -This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support: +Version `2.*` of the pattern is currently constrained to support: - (OpenShift Sandboxed Containers Operator) `1.9.*` - Trustee `0.3.*` 
diff --git a/ansible/gzipper.py b/ansible/gzipper.py new file mode 100644 index 00000000..ae45a818 --- /dev/null +++ b/ansible/gzipper.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 + +import gzip +import sys + +def main(): + if len(sys.argv) != 3: + print("Usage: python3 gzipper.py ") + sys.exit(1) + + input_file = sys.argv[1] + output_file = sys.argv[2] + + try: + # Read the input file + with open(input_file, 'rb') as f_in: + data = f_in.read() + + # Compress and write to output file + with gzip.open(output_file, 'wb') as f_out: + f_out.write(data) + + print(f"Successfully compressed '{input_file}' to '{output_file}'") + + except FileNotFoundError: + print(f"Error: File '{input_file}' not found") + sys.exit(1) + except Exception as e: + print(f"Error: {e}") + sys.exit(1) + +if __name__ == "__main__": + main() diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml new file mode 100644 index 00000000..c79f39c9 --- /dev/null +++ b/ansible/init-data-gzipper.yaml 
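Review bot: The error branches in main() report failures on stdout, so the Ansible task that invokes this script (ansible/init-data-gzipper.yaml calls `python3 gzipper.py`) cannot tell the diagnostic apart from normal output; send them to stderr, `print(f"Error: {e}", file=sys.stderr)`, and do the same for the usage and file-not-found messages. The broad `except Exception` also drops the error class from what is printed; including `type(e).__name__` in the message lets a permission error and a bad input file read differently in the job log.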
@@ -0,0 +1,49 @@ +- name: Collect AWS facts and set secrurity group policies + become: false + connection: local + hosts: localhost + gather_facts: false + vars: + kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" + cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}" + hub_domain: "{{ global.hubClusterDomain | default('none') | lower}}" + template_src: "initdata-default.toml.tpl" + tasks: + - name: Create temporary working directory + ansible.builtin.tempfile: + state: directory + suffix: initdata + register: tmpdir + + - name: Define temp file paths + ansible.builtin.set_fact: + rendered_path: "{{ tmpdir.path }}/rendered.toml" + gz_path: "{{ tmpdir.path }}/rendered.toml.gz" + + - name: Render template to temp file + ansible.builtin.template: + src: "{{ template_src }}" + dest: "{{ rendered_path }}" + mode: "0600" + + - name: Gzip the rendered content + ansible.builtin.shell: | + python3 gzipper.py "{{ rendered_path }}" "{{ gz_path }}" + + - name: Read gzip as base64 + ansible.builtin.slurp: + path: "{{ gz_path }}" + register: gz_slurped + + - name: Create/update ConfigMap with gzipped+base64 content + kubernetes.core.k8s: + kubeconfig: "{{ kubeconfig | default(omit) }}" + state: present + definition: + apiVersion: v1 + kind: ConfigMap + metadata: + name: "initdata" + namespace: "imperative" + data: + INITDATA: "{{ gz_slurped.content }}" \ No newline at end of file diff --git a/charts/coco-supported/sandbox/initdata.toml.tpl b/ansible/initdata-default.toml.tpl similarity index 50% rename from charts/coco-supported/sandbox/initdata.toml.tpl rename to ansible/initdata-default.toml.tpl index 56796c13..271e3483 100644 --- a/charts/coco-supported/sandbox/initdata.toml.tpl +++ b/ansible/initdata-default.toml.tpl 
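Review bot: `hub_domain` falls back to `'none'` in the vars block, so when `global.hubClusterDomain` is unset the play still renders `https://kbs-trustee-operator-system.none` into initdata-default.toml.tpl and publishes it to the `imperative/initdata` ConfigMap; a peer pod configured from that value can never reach the KBS and nothing in the play reports the misconfiguration, so assert the variable before the template task. The directory created by `ansible.builtin.tempfile` is never removed either, so every run leaves `rendered.toml` and `rendered.toml.gz` behind on the controller; finish the play with an `ansible.builtin.file` task that sets `state: absent` on `{{ tmpdir.path }}`. The play name `Collect AWS facts and set secrurity group policies` describes a different playbook and should say what this one does, e.g. `Render initdata and publish it as a ConfigMap`.
```yaml
  tasks:
    - name: Ensure the hub cluster domain is set before rendering initdata
      ansible.builtin.assert:
        that:
          - global.hubClusterDomain is defined
          - global.hubClusterDomain | length > 0
        fail_msg: "global.hubClusterDomain must be set; the initdata KBS URLs are derived from it"

    # … unchanged: tempfile, set_fact, template, shell, slurp and k8s tasks …

    - name: Remove temporary working directory
      ansible.builtin.file:
        path: "{{ tmpdir.path }}"
        state: absent
```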
@@ -5,10 +5,10 @@ version = "0.1.0" "aa.toml" = ''' [token_configs] [token_configs.coco_as] -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +url = "https://kbs-trustee-operator-system.{{ hub_domain }}" [token_configs.kbs] -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +url = "https://kbs-trustee-operator-system.{{ hub_domain }}" ''' "cdh.toml" = ''' @@ -17,5 +17,5 @@ credentials = [] [kbc] name = "cc_kbc" -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +url = "https://kbs-trustee-operator-system.{{ hub_domain }}" ''' diff --git a/charts/coco-supported/kbs-access/templates/secure-pod.yaml b/charts/coco-supported/kbs-access/templates/secure-pod.yaml index f8f32fd7..663408bd 100644 --- a/charts/coco-supported/kbs-access/templates/secure-pod.yaml +++ b/charts/coco-supported/kbs-access/templates/secure-pod.yaml @@ -21,17 +21,11 @@ spec: name: kbsref initContainers: - name: curl - image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed + image: registry.access.redhat.com/ubi9/ubi:latest # Lightweight image with curl installed command: ['sh', '-c', 'curl -s http://127.0.0.1:8006/cdh/resource/default/kbsres1/key3 > /output/kbsres1.txt'] volumeMounts: - name: output-volume mountPath: /output - # - name: hi - # image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed - # command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt'] - # volumeMounts: - # - name: output-volume - # mountPath: /output volumes: - name: output-volume emptyDir: {} diff --git a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml index 38910397..0fde7a10 100644 --- a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml +++ b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml 
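Review bot: The init container in secure-pod.yaml still pulls `registry.access.redhat.com/ubi9/ubi:latest`, a mutable tag; in a pod whose job is to fetch a KBS-released secret into a shared volume, pin the image by digest (`image: registry.access.redhat.com/ubi9/ubi@sha256:<digest>`, placeholder) so the image that runs beside the secret is the one that was reviewed. The `curl -s ... > /output/kbsres1.txt` command also writes whatever the CDH returns, including an HTTP error body, into the file; `curl -sSf` makes a failed resource fetch fail the init container instead of handing the main container a bogus kbsres1.txt.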
@@ -37,7 +37,8 @@ spec: AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}' DISABLECVM: "false" PROXY_TIMEOUT: "5m" - INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}' + INITDATA: '{{ `{{if (lookup "v1" "ConfigMap" "imperative" "initdata").metadata.name }}{{ fromConfigMap "imperative" "initdata" "INITDATA" }}{{ else }}{{ end }}` }}' + --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml index 4d41d6d9..ad2f7c1d 100644 --- a/charts/coco-supported/sandbox/values.yaml +++ b/charts/coco-supported/sandbox/values.yaml @@ -1,11 +1,6 @@ global: cocoUpstream: true cocoConverged: true - azure: - clusterResGroup: '' - clusterSubnet: '' - clusterNSG: '' - clusterRegion: '' secretStore: name: vault-backend diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh index 4304157b..16782aa3 100755 --- a/rhdp/wrapper.sh +++ b/rhdp/wrapper.sh @@ -89,7 +89,7 @@ echo "---------------------" export KUBECONFIG=`pwd`/openshift-install/auth/kubeconfig -./pattern.sh make install +#./pattern.sh make install echo "---------------------" echo "pattern install done" echo "---------------------" diff --git a/values-simple.yaml b/values-simple.yaml index ad2a1b41..635fa2b1 100644 --- a/values-simple.yaml +++ b/values-simple.yaml 
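Review bot: The new INITDATA template renders an empty string when `imperative/initdata` does not exist yet, so if the peer-pods ConfigMap is applied before the init-data-gzipper playbook has run, the CVMs are created with no initdata at all (no KBS or attestation-agent configuration) rather than the policy being held back. If the ACM template cannot omit the key conditionally, at least make the dependency visible with a comment above the line, e.g. `# Populated by ansible/init-data-gzipper.yaml; empty until that imperative job has run — pods created before then get no initdata`. Whether `.metadata.name` on a missing object evaluates to false or is a template error depends on what `lookup` returns for an absent object; confirm that against the ACM template documentation. The added blank `+` line before `---` is stray whitespace.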
@@ -20,20 +20,25 @@ clusterGroup: acm: name: advanced-cluster-management namespace: open-cluster-management - channel: release-2.12 - + channel: release-2.13 sandbox: name: sandboxed-containers-operator namespace: openshift-sandboxed-containers-operator + source: redhat-operators channel: stable - version: "1.9.*" # 1.9.* matches with trustee 0.3.* + # correctly pin versions + installPlanApproval: Manual + csv: sandboxed-containers-operator.v1.10.1 trustee: name: trustee-operator namespace: trustee-operator-system source: redhat-operators channel: stable - version: "0.3.*" + # correctly pin versions + installPlanApproval: Manual + csv: trustee-operator.v0.4.1 + cert-manager: name: openshift-cert-manager-operator namespace: cert-manager-operator @@ -93,7 +98,7 @@ clusterGroup: # Default to 'safe' for ARO overrides: - name: letsencrypt.enabled - value: false + value: true hello-openshift: name: hello-openshift namespace: hello-openshift @@ -128,6 +133,10 @@ clusterGroup: playbook: ansible/azure-nat-gateway.yaml verbosity: -vvv timeout: 3600 + - name: init-data-gzipper + playbook: ansible/init-data-gzipper.yaml + verbosity: -vvv + timeout: 3600 managedClusterGroups: exampleRegion: name: group-one From 35fe393d439deba8b6e27465ae7a7a727648c45a Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 25 Aug 2025 10:54:28 +1000 Subject: [PATCH 2/9] fix: linting fixes Signed-off-by: Chris Butler --- ansible/init-data-gzipper.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml index c79f39c9..6de63202 100644 --- a/ansible/init-data-gzipper.yaml +++ b/ansible/init-data-gzipper.yaml 
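Review bot: `installPlanApproval: Manual` is introduced for both the sandbox and trustee subscriptions in the first hunk while nothing in this series approves the resulting InstallPlan, so a fresh install will sit waiting for approval unless the pattern framework performs that step; the `# correctly pin versions` comment should say what Manual is for and who approves, e.g. `# Manual approval keeps OLM on the pinned csv; the initial InstallPlan is approved by <who/what>` (placeholder). In the third hunk the `init-data-gzipper` job is appended after `azure-nat-gateway`; since charts/coco-supported/sandbox/templates/peer-pods-cm.yaml reads the `imperative/initdata` ConfigMap this job creates, record that dependency in a comment on the job so it is not reordered or dropped later.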
@@ -26,9 +26,15 @@ dest: "{{ rendered_path }}" mode: "0600" + - name: Check if gzipped file already exists + ansible.builtin.stat: + path: "{{ gz_path }}" + register: gz_file_stat + - name: Gzip the rendered content ansible.builtin.shell: | python3 gzipper.py "{{ rendered_path }}" "{{ gz_path }}" + when: not gz_file_stat.stat.exists - name: Read gzip as base64 ansible.builtin.slurp: @@ -46,4 +52,4 @@ name: "initdata" namespace: "imperative" data: - INITDATA: "{{ gz_slurped.content }}" \ No newline at end of file + INITDATA: "{{ gz_slurped.content }}" From 50ba030d8e2949f93fb9ad847e227dfd383e472b Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 25 Aug 2025 11:00:19 +1000 Subject: [PATCH 3/9] fix: linting errors Signed-off-by: Chris Butler --- ansible/init-data-gzipper.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml index 6de63202..aceee1d7 100644 --- a/ansible/init-data-gzipper.yaml +++ b/ansible/init-data-gzipper.yaml @@ -26,15 +26,11 @@ dest: "{{ rendered_path }}" mode: "0600" - - name: Check if gzipped file already exists - ansible.builtin.stat: - path: "{{ gz_path }}" - register: gz_file_stat - name: Gzip the rendered content ansible.builtin.shell: | python3 gzipper.py "{{ rendered_path }}" "{{ gz_path }}" - when: not gz_file_stat.stat.exists + changed_when: true - name: Read gzip as base64 ansible.builtin.slurp: From fc2a584a6e5900d2f003b1353697e3c3fb150de4 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 25 Aug 2025 12:11:23 +1000 Subject: [PATCH 4/9] fix: python and markdown linting Signed-off-by: Chris Butler --- README.md | 2 ++ ansible/gzipper.py | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c1ae6f8d..8b9b1115 100644 --- a/README.md +++ b/README.md 
@@ -30,6 +30,7 @@ Future work includes: ## Major versions ### `3.*` + Version `3.*` of the pattern is currently constrained to support the general availability releases of coco. - (OpenShift Sandboxed Containers Operator) `1.10.*` and above @@ -43,6 +44,7 @@ The pattern has been tested on Azure for two installation methods: 2. Self managed OpenShift install using the `openshift-install` CLI. #### Known limitations + [Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries. diff --git a/ansible/gzipper.py b/ansible/gzipper.py index ae45a818..e504cf93 100644 --- a/ansible/gzipper.py +++ b/ansible/gzipper.py @@ -3,6 +3,7 @@ import gzip import sys + def main(): if len(sys.argv) != 3: print("Usage: python3 gzipper.py ") @@ -10,18 +11,18 @@ def main(): input_file = sys.argv[1] output_file = sys.argv[2] - + try: # Read the input file - with open(input_file, 'rb') as f_in: + with open(input_file, "rb") as f_in: data = f_in.read() - + # Compress and write to output file - with gzip.open(output_file, 'wb') as f_out: + with gzip.open(output_file, "wb") as f_out: f_out.write(data) - + print(f"Successfully compressed '{input_file}' to '{output_file}'") - + except FileNotFoundError: print(f"Error: File '{input_file}' not found") sys.exit(1) @@ -29,5 +30,6 @@ def main(): print(f"Error: {e}") sys.exit(1) + if __name__ == "__main__": main() From 2216e70cd876493cf6ac6371e4e294ddc3d629b0 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 25 Aug 2025 12:14:30 +1000 Subject: [PATCH 5/9] chore: markdown fixes Signed-off-by: Chris Butler --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8b9b1115..67a67879 100644 --- a/README.md +++ b/README.md 
@@ -47,7 +47,6 @@ The pattern has been tested on Azure for two installation methods: [Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries. - ### `2.*` Version `2.*` of the pattern is currently constrained to support: From 58aab09f07ceed0e0271864a4fbbf2fa02587c22 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Tue, 26 Aug 2025 08:24:57 +1000 Subject: [PATCH 6/9] fix: remove gzipper and use newly available gzip Signed-off-by: Chris Butler --- ansible/gzipper.py | 35 ---------------------------------- ansible/init-data-gzipper.yaml | 2 +- 2 files changed, 1 insertion(+), 36 deletions(-) delete mode 100644 ansible/gzipper.py diff --git a/ansible/gzipper.py b/ansible/gzipper.py deleted file mode 100644 index e504cf93..00000000 --- a/ansible/gzipper.py +++ /dev/null @@ -1,35 +0,0 @@ -#!/usr/bin/env python3 - -import gzip -import sys - - -def main(): - if len(sys.argv) != 3: - print("Usage: python3 gzipper.py ") - sys.exit(1) - - input_file = sys.argv[1] - output_file = sys.argv[2] - - try: - # Read the input file - with open(input_file, "rb") as f_in: - data = f_in.read() - - # Compress and write to output file - with gzip.open(output_file, "wb") as f_out: - f_out.write(data) - - print(f"Successfully compressed '{input_file}' to '{output_file}'") - - except FileNotFoundError: - print(f"Error: File '{input_file}' not found") - sys.exit(1) - except Exception as e: - print(f"Error: {e}") - sys.exit(1) - - -if __name__ == "__main__": - main() diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml index aceee1d7..c0ac9584 100644 --- a/ansible/init-data-gzipper.yaml +++ b/ansible/init-data-gzipper.yaml @@ -29,7 +29,7 @@ - name: Gzip the rendered content ansible.builtin.shell: | - python3 gzipper.py "{{ rendered_path }}" "{{ gz_path }}" + gzip -c "{{ rendered_path }}" > "{{ gz_path }}" changed_when: true - name: Read gzip as base64 
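Review bot: `gzip -c "{{ rendered_path }}" > "{{ gz_path }}"` stores the input file name and modification time in the gzip header by default (GNU gzip), so the base64 written to `imperative/initdata` changes on every run even when the rendered TOML is identical, and the ConfigMap plus whatever ACM propagates from it churns each time the job runs; use `gzip -n -c "{{ rendered_path }}" > "{{ gz_path }}"` so the output depends only on the content. With `changed_when: true` already forced on the task, reproducible output is what lets a later diff of the ConfigMap mean anything.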
From ca8694df4a6b316f561aa330d3695a79a5206fb1 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Wed, 27 Aug 2025 10:29:06 +1000 Subject: [PATCH 7/9] fix: remove manual approval until a better solution is made Signed-off-by: Chris Butler --- ansible/install-deps.yaml | 4 ++++ rhdp/wrapper.sh | 2 +- values-simple.yaml | 8 ++++---- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ansible/install-deps.yaml b/ansible/install-deps.yaml index 4c3b15ba..8a927b90 100644 --- a/ansible/install-deps.yaml +++ b/ansible/install-deps.yaml @@ -8,6 +8,10 @@ community.general.ansible_galaxy_install: type: collection name: azure.azcollection + - name: Ensure community.crypto collection is installed + community.general.ansible_galaxy_install: + type: collection + name: community.crypto - name: Install a Python package ansible.builtin.pip: requirements: "~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt" diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh index 16782aa3..4304157b 100755 --- a/rhdp/wrapper.sh +++ b/rhdp/wrapper.sh @@ -89,7 +89,7 @@ echo "---------------------" export KUBECONFIG=`pwd`/openshift-install/auth/kubeconfig -#./pattern.sh make install +./pattern.sh make install echo "---------------------" echo "pattern install done" echo "---------------------" diff --git a/values-simple.yaml b/values-simple.yaml index 635fa2b1..89e9bb08 100644 --- a/values-simple.yaml +++ b/values-simple.yaml 
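Review bot: The new `community.crypto` install in ansible/install-deps.yaml carries no version, so every run fetches whatever Galaxy currently serves, and neither the task nor the commit message says what in this series needs the collection; pin it (`ansible_galaxy_install` accepts a version suffix on the name, `name: community.crypto:<version>` placeholder — confirm the syntax for the module version in use) and add a one-line comment naming the task or role that uses it. The `azure.azcollection` entry in the context above is installed the same unpinned way and would benefit from the same treatment.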
@@ -26,16 +26,16 @@ clusterGroup: namespace: openshift-sandboxed-containers-operator source: redhat-operators channel: stable - # correctly pin versions - installPlanApproval: Manual + # TODO: Resolve a mechanism to allow install plans to be pinned but not have to manually approve them the first time + # installPlanApproval: Manual csv: sandboxed-containers-operator.v1.10.1 trustee: name: trustee-operator namespace: trustee-operator-system source: redhat-operators channel: stable - # correctly pin versions - installPlanApproval: Manual + # TODO: Resolve a mechanism to allow install plans to be pinned but not have to manually approve them the first time + # installPlanApproval: Manual csv: trustee-operator.v0.4.1 From 15b5963dc7d26855ba77b1191761f7831fba50ce Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Wed, 27 Aug 2025 12:03:28 +1000 Subject: [PATCH 8/9] chore: revert LE to default for cluster Signed-off-by: Chris Butler --- values-simple.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values-simple.yaml b/values-simple.yaml index 89e9bb08..8cddb8b3 100644 --- a/values-simple.yaml +++ b/values-simple.yaml @@ -98,7 +98,7 @@ clusterGroup: # Default to 'safe' for ARO overrides: - name: letsencrypt.enabled - value: true + value: false hello-openshift: name: hello-openshift namespace: hello-openshift From a752b318983d426b4d83182cb24c73b334e5707e Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Fri, 29 Aug 2025 12:21:11 +1000 Subject: [PATCH 9/9] fix: ensure pinning of csvs Signed-off-by: Chris Butler --- values-global.yaml | 1 + values-simple.yaml | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/values-global.yaml b/values-global.yaml index 91306c45..84790c7e 100644 --- a/values-global.yaml +++ b/values-global.yaml 
@@ -4,6 +4,7 @@ global: useCSV: false syncPolicy: Automatic installPlanApproval: Automatic + autoApproveManualInstallPlans: true # This defines whether or not to use upstream resources for CoCo. # Defines whether or not the hub cluster can be used for confidential containers coco: diff --git a/values-simple.yaml b/values-simple.yaml index 8cddb8b3..e6f87fb9 100644 --- a/values-simple.yaml +++ b/values-simple.yaml @@ -26,16 +26,14 @@ clusterGroup: namespace: openshift-sandboxed-containers-operator source: redhat-operators channel: stable - # TODO: Resolve a mechanism to allow install plans to be pinned but not have to manually approve them the first time - # installPlanApproval: Manual + installPlanApproval: Manual csv: sandboxed-containers-operator.v1.10.1 trustee: name: trustee-operator namespace: trustee-operator-system source: redhat-operators channel: stable - # TODO: Resolve a mechanism to allow install plans to be pinned but not have to manually approve them the first time - # installPlanApproval: Manual + installPlanApproval: Manual csv: trustee-operator.v0.4.1
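Review bot: `autoApproveManualInstallPlans: true` is added under `global:` in values-global.yaml, so if the framework honours it for every subscription it manages, any Manual approval configured elsewhere in the pattern is approved automatically too, and the only remaining effect of the `installPlanApproval: Manual` lines restored in values-simple.yaml is to hold the listed csv. That may be the intended trade, but the line needs a comment stating it, e.g. `# Auto-approve InstallPlans of subscriptions that set installPlanApproval: Manual; Manual is used only to hold a pinned csv, not as an upgrade gate`, and the two `installPlanApproval: Manual` lines in values-simple.yaml should reference this key so the pairing survives a later edit of either file.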