feat: add custom init chart

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

charts/coco-supported/custom-init/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+description: A Helm chart which uses ACM to deploy a pod with custom init data including inferring the certificate.
+keywords:
+- pattern
+- upstream
+- sandbox
+name: custom-init
+version: 0.0.1

charts/coco-supported/custom-init/initdata.toml.tpl

@@ -0,0 +1,69 @@
+algorithm = "sha384"
+version = "0.1.0"
+
+[data]
+"aa.toml" = '''
+[token_configs]
+[token_configs.coco_as]
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+
+
+[token_configs.kbs]
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+cert = """
+acmmagickey_trustee_cert
+"""
+'''
+
+"cdh.toml"  = '''
+socket = 'unix:///run/confidential-containers/cdh.sock'
+credentials = []
+
+[kbc]
+name = 'cc_kbc'
+url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}'
+kbs_cert = """ 
+acmmagickey_trustee_cert
+"""
+'''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+'''

charts/coco-supported/custom-init/templates/custom-initdata-injection.yaml

@@ -0,0 +1,77 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: custominit-pod-policy
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: custominit-pod-cp
+      spec:
+        remediationAction: enforce
+        severity: medium
+        object-templates:
+
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            kind: Pod
+            metadata:
+              name: custom
+              namespace: custom-init
+              annotations:
+                io.katacontainers.config.runtime.cc_init_data: '{{ `{{if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name "tls.crt" | base64dec) | base64enc }}{{ else }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" "router-certs-default" "tls.crt" | base64dec) | base64enc }}{{ end }}` }}'
+                peerpods: "true"
+            spec:
+              runtimeClassName: kata-remote
+              containers:
+                - name: hello-openshift
+                  image: quay.io/openshift/origin-hello-openshift
+                  ports:
+                    - containerPort: 8888
+                  securityContext:
+                    privileged: false
+                    allowPrivilegeEscalation: false
+                    runAsNonRoot: true
+                    runAsUser: 1001
+                    capabilities:
+                      drop:
+                        - ALL
+                    seccompProfile:
+                      type: RuntimeDefault
+
+
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: custominit-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: custominit-placement-rule
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: custominit-pod-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: custominit-placement-rule
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchLabels:
+      cloud: Azure
+---
+{{- end }}

charts/coco-supported/custom-init/templates/custom-route.yaml

@@ -0,0 +1,13 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: custom
+  namespace: custom-init
+spec:
+  port:
+    targetPort: 8888
+  to:
+    kind: Service
+    name: custom
+    weight: 100
+  wildcardPolicy: None

charts/coco-supported/custom-init/templates/custom-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: custom
+  namespace: custom-init
+spec:
+  ports:
+  - name: 8888-tcp
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  selector:
+    app: custom
+  sessionAffinity: None
+  type: ClusterIP

charts/coco-supported/custom-init/values.yaml

@@ -9,4 +9,4 @@ spec:
     kind: Service
     name: secure
     weight: 100
-  wildcardPolicy: None
+  wildcardPolicy: None

charts/coco-supported/hello-openshift/templates/secure-route.yaml

@@ -28,7 +28,12 @@ spec:
             data:
               CLOUD_PROVIDER: "azure"
               VXLAN_PORT: "9000"
+              # IF 
+{{- if .Values.sandbox.peerPodImage }}
+              AZURE_IMAGE_ID: {{ .Values.sandbox.peerPodImage }}
+{{- else }}
               AZURE_IMAGE_ID: '{{ `{{if (lookup "v1" "ConfigMap" "openshift-sandboxed-containers-operator" "peer-pods-cm").metadata.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "peer-pods-cm" "AZURE_IMAGE_ID" }}{{ else }}{{ end }}` }}'
+{{- end }}
               AZURE_INSTANCE_SIZE: "{{ .Values.global.coco.azure.defaultVMFlavour }}" 
               AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"
               AZURE_RESOURCE_GROUP: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}'

charts/coco-supported/sandbox/templates/peer-pods-cm.yaml

@@ -11,13 +11,13 @@ secretStore:
   name: vault-backend
   kind: ClusterSecretStore
 
-
-
 sandbox:
   deploy: true
   sshKey: secret/data/global/sshKey
   azure: true
-  peerpodsCreds: secret/data/global/azure
+  # Peer pod image defined, if required to avoid rebuilds.
+  #peerPodImage: ""
+  peerPodImage: '/CommunityGalleries/cococommunity-42d8482d-92cd-415b-b332-7648bd978eff/Images/peerpod-podvm-fedora-debug/Versions/0.12.0'
   # These variables today limit to one cluster
   # revise using imperative framework to infer from cluster vars
   # Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml

charts/coco-supported/sandbox/values.yaml

@@ -14,6 +14,7 @@ clusterGroup:
   - cert-manager
   - kbs-access
   - encrypted-storage
+  - custom-init
   subscriptions:
     # ACM is kept anticipating 
     acm:
@@ -94,6 +95,11 @@ clusterGroup:
       namespace: kbs-access
       project: workloads
       path: charts/coco-supported/kbs-access
+    custom-init:
+      name: custom-init
+      namespace: custom-init
+      project: workloads
+      path: charts/coco-supported/custom-init
 
   imperative:
     # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm