feat!: update to general availability versions of sandboxed containers and trustee (#54)

butler54 · web-flow · commit bbeb442d6082 · 2025-08-29T12:23:34.000+10:00
* feat!: update to general availability versions of sandboxed containers and trustee

BREAKING CHANGE: pre GA releases will no longer work due to introduction of compressed initdata

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: linting fixes

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: linting errors

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: python and markdown linting

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* chore: markdown fixes

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: remove gzipper and use newly available gzip

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: remove manual approval until a better solution is made

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* chore: revert LE to default for cluster

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

* fix: ensure pinning of csvs

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;

---------

Signed-off-by: Chris Butler &lt;chris.butler@redhat.com&gt;
diff --git a/README.md b/README.md
@@ -29,9 +29,27 @@ Future work includes:
 
 ## Major versions
 
+### `3.*`
+
+Version `3.*` of the pattern is currently constrained to support the general availability releases of coco.
+
+- (OpenShift Sandboxed Containers Operator) `1.10.*` and above
+- Trustee `0.4.*`
+
+This limits support to OpenShift 4.16 and higher.
+
+The pattern has been tested on Azure for two installation methods:
+
+1. Installing onto an ARO cluster
+2. Self managed OpenShift install using the `openshift-install` CLI.
+
+#### Known limitations
+
+[Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries.
+
 ### `2.*`
 
-This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support:
+Version `2.*` of the pattern is currently constrained to support:
 
 - (OpenShift Sandboxed Containers Operator) `1.9.*`
 - Trustee `0.3.*`
diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml
@@ -0,0 +1,51 @@
+- name: Collect AWS facts and set secrurity group policies
+  become: false
+  connection: local
+  hosts: localhost
+  gather_facts: false
+  vars:
+    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+    cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
+    hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    template_src: "initdata-default.toml.tpl"
+  tasks:
+    - name: Create temporary working directory
+      ansible.builtin.tempfile:
+        state: directory
+        suffix: initdata
+      register: tmpdir
+
+    - name: Define temp file paths
+      ansible.builtin.set_fact:
+        rendered_path: "{{ tmpdir.path }}/rendered.toml"
+        gz_path: "{{ tmpdir.path }}/rendered.toml.gz"
+
+    - name: Render template to temp file
+      ansible.builtin.template:
+        src: "{{ template_src }}"
+        dest: "{{ rendered_path }}"
+        mode: "0600"
+
+
+    - name: Gzip the rendered content
+      ansible.builtin.shell: |
+        gzip -c "{{ rendered_path }}" > "{{ gz_path }}"
+      changed_when: true
+
+    - name: Read gzip as base64
+      ansible.builtin.slurp:
+        path: "{{ gz_path }}"
+      register: gz_slurped
+
+    - name: Create/update ConfigMap with gzipped+base64 content
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig | default(omit) }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "initdata"
+            namespace: "imperative"
+          data:
+            INITDATA: "{{ gz_slurped.content }}"
diff --git a/ansible/initdata-default.toml.tpl b/ansible/initdata-default.toml.tpl
@@ -5,10 +5,10 @@ version = "0.1.0"
 "aa.toml" = '''
 [token_configs]
 [token_configs.coco_as]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 
 [token_configs.kbs]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''
 
 "cdh.toml"  = '''
@@ -17,5 +17,5 @@ credentials = []
 
 [kbc]
 name = "cc_kbc"
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''
diff --git a/ansible/install-deps.yaml b/ansible/install-deps.yaml
@@ -8,6 +8,10 @@
       community.general.ansible_galaxy_install:
         type: collection
         name: azure.azcollection
+    - name: Ensure community.crypto collection is installed
+      community.general.ansible_galaxy_install:
+        type: collection
+        name: community.crypto
     - name: Install a Python package
       ansible.builtin.pip:
         requirements: "~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt"
diff --git a/charts/coco-supported/kbs-access/templates/secure-pod.yaml b/charts/coco-supported/kbs-access/templates/secure-pod.yaml
@@ -21,17 +21,11 @@ spec:
           name: kbsref
   initContainers:
   - name: curl
-    image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
+    image: registry.access.redhat.com/ubi9/ubi:latest # Lightweight image with curl installed
     command: ['sh', '-c', 'curl -s http://127.0.0.1:8006/cdh/resource/default/kbsres1/key3 > /output/kbsres1.txt']
     volumeMounts:
     - name: output-volume
       mountPath: /output
-  # - name: hi
-  #   image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
-  #   command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt']
-  #   volumeMounts:
-  #   - name: output-volume
-  #     mountPath: /output
   volumes:
   - name: output-volume
     emptyDir: {}
diff --git a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml
@@ -37,7 +37,8 @@ spec:
               AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}'
               DISABLECVM: "false"
               PROXY_TIMEOUT: "5m"
-              INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}'
+              INITDATA: '{{ `{{if (lookup "v1" "ConfigMap" "imperative" "initdata").metadata.name }}{{ fromConfigMap "imperative" "initdata" "INITDATA" }}{{ else }}{{ end }}` }}'
+
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml
@@ -1,11 +1,6 @@
 global:
   cocoUpstream: true
   cocoConverged: true
-  azure:
-    clusterResGroup: ''
-    clusterSubnet: ''
-    clusterNSG: ''
-    clusterRegion: ''
 
 secretStore:
   name: vault-backend
diff --git a/values-global.yaml b/values-global.yaml
@@ -4,6 +4,7 @@ global:
     useCSV: false
     syncPolicy: Automatic
     installPlanApproval: Automatic
+    autoApproveManualInstallPlans: true
   # This defines whether or not to use upstream resources for CoCo.
   # Defines whether or not the hub cluster can be used for confidential containers
   coco:
diff --git a/values-simple.yaml b/values-simple.yaml
@@ -20,20 +20,23 @@ clusterGroup:
     acm:
       name: advanced-cluster-management
       namespace: open-cluster-management
-      channel: release-2.12
-
+      channel: release-2.13
     sandbox:
       name: sandboxed-containers-operator
       namespace: openshift-sandboxed-containers-operator
+      source: redhat-operators
       channel: stable
-      version: "1.9.*" # 1.9.* matches with trustee 0.3.*
+      installPlanApproval: Manual 
+      csv: sandboxed-containers-operator.v1.10.1
     trustee:
       name: trustee-operator
       namespace: trustee-operator-system
       source: redhat-operators
       channel: stable
-      version: "0.3.*"
+      installPlanApproval: Manual
+      csv: trustee-operator.v0.4.1
 
+      
     cert-manager:
       name: openshift-cert-manager-operator
       namespace: cert-manager-operator
@@ -128,6 +131,10 @@ clusterGroup:
       playbook: ansible/azure-nat-gateway.yaml
       verbosity: -vvv
       timeout: 3600
+    - name: init-data-gzipper
+      playbook: ansible/init-data-gzipper.yaml
+      verbosity: -vvv
+      timeout: 3600
   managedClusterGroups:
     exampleRegion:
       name: group-one
