Skip to content

coco: initial integration for Confidential Containers and Trustee operators#80

Merged
sabre1041 merged 8 commits intovalidatedpatterns:mainfrom
beraldoleal:integration-v2
Mar 24, 2026
Merged

coco: initial integration for Confidential Containers and Trustee operators#80
sabre1041 merged 8 commits intovalidatedpatterns:mainfrom
beraldoleal:integration-v2

Conversation

@beraldoleal
Copy link
Copy Markdown
Contributor

@beraldoleal beraldoleal commented Dec 8, 2025
edited
Loading

Vide individual commits for messages.

bpradipt
bpradipt reviewed Dec 9, 2025
View reviewed changes
bpradipt
bpradipt reviewed Dec 9, 2025
View reviewed changes
bpradipt
bpradipt reviewed Dec 9, 2025
View reviewed changes
@butler54 butler54 mentioned this pull request Dec 9, 2025
Open
butler54
butler54 reviewed Dec 9, 2025
View reviewed changes
@beraldoleal beraldoleal force-pushed the integration-v2 branch 13 times, most recently from 29c9c84 to 341c962 Compare December 10, 2025 23:06
butler54
butler54 reviewed Dec 11, 2025
View reviewed changes
@beraldoleal beraldoleal force-pushed the integration-v2 branch 10 times, most recently from 5074bb3 to 74e2c74 Compare December 17, 2025 01:08
@beraldoleal beraldoleal marked this pull request as ready for review December 17, 2025 01:08
@beraldoleal beraldoleal force-pushed the integration-v2 branch 2 times, most recently from a67a701 to c40eff1 Compare March 6, 2026 14:58
@beraldoleal
Copy link
Copy Markdown
Contributor Author

beraldoleal commented Mar 6, 2026
edited
Loading

@sabre1041 @butler54 @bpradipt no more fork references. Its using now the official validatedpatterns/charts release versions.

butler54
butler54 requested changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@butler54 butler54 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few hardcoded vars that definitely need to change.
The biggest question is the use of the imperative framework to generate certificates. If this can be moved to generation in cert manager I think that would be more 'kube friendly'

The justification for this is the imperative framework is always the second last option (the last option being a work done on the developer workstation.

ansible/azure-nat-gateway.yaml
Comment on lines +1 to +2
---

Copy link
Copy Markdown
Collaborator

@butler54 butler54 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flag for future work - We should create an issue to add this playbook to the VP ansible collection. @mhjacks

ansible/init-data-gzipper.yaml
Comment on lines +55 to +59
ansible.builtin.shell: |
hash=$(sha256sum "{{ rendered_path }}" | cut -d' ' -f1)
initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
echo -n "$initial_pcr$hash" | python3 -c "import sys,hashlib; print(hashlib.sha256(bytes.fromhex(sys.stdin.read())).hexdigest())"
register: pcr8_hash
Copy link
Copy Markdown
Collaborator

@butler54 butler54 Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you get the python script to demonstrably work? This needs to be backported into the coco-pattern to avoid a custom container.

Copy link
Copy Markdown
Contributor Author

@beraldoleal beraldoleal Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this works. And that is the plan.

@beraldoleal beraldoleal force-pushed the integration-v2 branch 3 times, most recently from ee81a09 to 107cf46 Compare March 12, 2026 13:28
sabre1041
sabre1041 requested changes Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initial set of feedbac

@beraldoleal
Copy link
Copy Markdown
Contributor Author

beraldoleal commented Mar 16, 2026

@sabre1041 thanks for the review, sent a force push with your suggestions. Feel free to reopen or send more comments.

butler54
butler54 reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@butler54 butler54 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@beraldoleal.

The original intent of doing this offline was it was an 'as expected' deployment measured from a trusted zone as to what the RVPS values and the deployment should be.

I'm wondering whether rather than changing the script we could do this via a --online flag (e.g. check as deployed).

WDYT

@beraldoleal
Copy link
Copy Markdown
Contributor Author

beraldoleal commented Mar 16, 2026
edited
Loading

@beraldoleal.

The original intent of doing this offline was it was an 'as expected' deployment measured from a trusted zone as to what the RVPS values and the deployment should be.

I'm wondering whether rather than changing the script we could do this via a --online flag (e.g. check as deployed).

WDYT

I see, well then I would say to use --osc-version instead. Doesn't query the cluster and its intent based. But then we will start creating two things to do the same calculation, so maybe evaluate the usage of veritas here? If straight forward good, if not we can stick with get-pcr.sh --osc-version for now and evaluate using it later? wdyt?

@beraldoleal beraldoleal force-pushed the integration-v2 branch 2 times, most recently from 198af38 to 007efa8 Compare March 17, 2026 15:07
beraldoleal and others added 8 commits March 20, 2026 17:38
@beraldoleal @butler54
coco: initial integration with ztvp
e838384 
This adds initial integration for Confidential Containers and Trustee
Operators as a separated clustergroup.

Co-authored-by: Chris Butler <chris.butler@redhat.com>
Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: add imperative job to configure x509pop
cfc9bea 
Add automated configuration for SPIRE Server x509pop NodeAttestor plugin
required for CoCo peer-pods attestation.

CoCo peer-pods run on untrusted cloud infrastructure. Using k8s_psat
would require trusting the cloud provider's cluster. Instead, pods
perform hardware TEE attestation to KBS to obtain x509 certificates as
cryptographic proof of running in genuine confidential hardware, then
use x509pop to register with SPIRE.

The Red Hat SPIRE Operator's SpireServer CRD does not expose x509pop
configuration, requiring a ConfigMap patch via this imperative job.

Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: introducing the hello-coco app
f162f96 
Add hello-coco Helm chart demonstrating SPIRE agent deployment in
confidential containers using x509pop node attestation. The chart
deploys a test pod in a CoCo peer-pod (confidential VM with AMD SNP or
Intel TDX) that fetches SPIRE agent certificates from KBS after TEE
attestation, establishing hardware as the root of trust instead of
Kubernetes.

The pod contains three containers: init container fetches sealed
secrets from KBS, SPIRE agent uses x509pop for node attestation, and
test workload receives SPIFFE SVIDs via unix attestation. This
validates the complete integration flow between ZTVP and CoCo
components.

Note: This could be dropped, if we stick with only the todoapp.

Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: update the values-secret template
97c2e35 
Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: add get-pcr.sh script for attestation measurements
651fd68
@beraldoleal
coco: add get-secrets-coco.sh
6e1f10e 
Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: adding confidential documentation
157d5f7 
Basic markdown file with deployment steps.

Signed-off-by: Beraldo Leal <bleal@redhat.com>
@beraldoleal
coco: automate pull-secret via ESO cross-namespace
c937b96 
Peer-pods don't have access to the node's pull-secret, needed for
private repos. Use ESO kubernetes provider to sync pull-secret from
openshift-config to the workload namespace.

Signed-off-by: Beraldo Leal <bleal@redhat.com>
sabre1041
sabre1041 approved these changes Mar 23, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@beraldoleal @butler54 This is looking good at this point. There is one minor issue with duplicate resources being created as part of the as part of the imperative actions. It is not a blocking issue that blocks this integration from moving forward. @beraldoleal please do create an issue for us to track.

Thanks a lot guys and great work!

@butler54 butler54 self-requested a review March 24, 2026 06:47
@sabre1041 sabre1041 merged commit acb4b99 into validatedpatterns:main Mar 24, 2026
3 checks passed
This was referenced Mar 26, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sabre1041 sabre1041 sabre1041 approved these changes

@butler54 butler54 butler54 approved these changes

@bpradipt bpradipt Awaiting requested review from bpradipt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@beraldoleal @sabre1041 @bpradipt @butler54