fix: rewrite firmware collection to use veritas container approach

Makefile

@@ -4,11 +4,11 @@
 
 include Makefile-common
 
-##@ Firmware Reference Values
+##@ Reference Value Collection
 .PHONY: collect-firmware-refvals
-collect-firmware-refvals: ## Collect firmware reference values from bare metal cluster
+collect-firmware-refvals: ## Collect firmware reference values (bare metal, default)
 	@scripts/collect-firmware-refvals.sh
 
-.PHONY: collect-firmware-refvals-merge
-collect-firmware-refvals-merge: ## Collect and merge with existing firmware refvals
-	@scripts/collect-firmware-refvals.sh --merge
+.PHONY: collect-azure-refvals
+collect-azure-refvals: ## Collect PCR reference values (Azure)
+	@scripts/collect-firmware-refvals.sh --platform azure

charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml

@@ -24,6 +24,12 @@ spec:
                 - Pod
               operations:
                 - CREATE
+      exclude:
+        any:
+          - resources:
+              selector:
+                matchLabels:
+                  coco.io/skip-initdata: "true"
       preconditions:
         all:
           - key: "{{ "{{" }}request.object.spec.runtimeClassName || '' {{ "}}" }}"

rhdp/README.md

@@ -3,6 +3,27 @@
 Red Hat demo platform is a system for employees and red hat partners to generate test infrastructure.
 The scripts in this directory help users of that platform automate deployments.
 
+## Prerequisites
+
+- `podman` installed and running (used for reference value collection)
+- `yq`, `jq` installed
+- OpenShift pull secret at `~/pull-secret.json`
+- SSH key at `~/.ssh/id_rsa` (RSA)
+- RHDP environment variables loaded (see below)
+
+## Environment variables
+
+Provided by your RHDP Azure Open Environment:
+
+```shell
+export GUID=
+export CLIENT_ID=
+export PASSWORD=
+export TENANT=
+export SUBSCRIPTION=
+export RESOURCEGROUP=
+```
+
 ## To deploy
 
 1. Stand up the 'Azure Subscription Based Blank Open Environment'
@@ -12,13 +33,23 @@ The scripts in this directory help users of that platform automate deployments.
 
 ### Single Cluster Deployment
 
-   1. `bash ./rhdp/wrapper.sh eastasia`
-   2. The wrapper script **requires** an azure region code this code SHOULD be the same as what was selected in RHDP.
+   1. Set `main.clusterGroupName: simple` in `values-global.yaml`
+   2. `bash ./rhdp/wrapper.sh eastasia`
+   3. The wrapper script **requires** an azure region code. This code SHOULD be the same as what was selected in RHDP.
+   4. Optionally use `--prefix` for custom cluster naming: `bash ./rhdp/wrapper.sh --prefix dev1 eastasia`
+
+The wrapper handles: cluster provisioning, secret generation, PCR reference value collection (via veritas), and pattern installation.
 
 ### Multi-Cluster Deployment (Hub and Spoke)
 
-   1. `bash ./rhdp/wrapper-multicluster.sh eastasia`
-   2. This creates two clusters: `coco-hub` and `coco-spoke` in the same region
-   3. The pattern is deployed only on the hub cluster
-   4. Hub cluster kubeconfig: `./openshift-install-hub/auth/kubeconfig`
-   5. Spoke cluster kubeconfig: `./openshift-install-spoke/auth/kubeconfig`
+   1. Set `main.clusterGroupName: trusted-hub` in `values-global.yaml`
+   2. `bash ./rhdp/wrapper-multicluster.sh eastasia`
+   3. This creates two clusters: `coco-hub` and `coco-spoke` in the same region
+   4. The pattern is deployed on the hub cluster; the spoke is imported into ACM
+   5. Hub cluster kubeconfig: `./openshift-install-hub/auth/kubeconfig`
+   6. Spoke cluster kubeconfig: `./openshift-install-spoke/auth/kubeconfig`
+
+### Cluster Only (no pattern install)
+
+   1. `bash ./rhdp/wrapper-cluster-only.sh eastasia`
+   2. Provisions the cluster without installing secrets or the pattern

rhdp/wrapper-multicluster.sh

@@ -144,6 +144,11 @@ echo "---------------------"
 echo "setting up secrets"
 bash ./scripts/gen-secrets.sh
 
+echo "---------------------"
+echo "retrieving PCR measurements"
+echo "---------------------"
+bash ./scripts/collect-firmware-refvals.sh --platform azure
+
 echo "---------------------"
 echo "starting pattern install on hub cluster"
 echo "---------------------"

rhdp/wrapper.sh

@@ -189,7 +189,7 @@ bash ./scripts/gen-secrets.sh
 echo "---------------------"
 echo "retrieving PCR measurements"
 echo "---------------------"
-bash ./scripts/get-pcr.sh
+bash ./scripts/collect-firmware-refvals.sh --platform azure
 
 sleep 60
 echo "---------------------"