├── fbc ├── .gitignore ├── icon.png ├── test-fbc │ ├── catalog-template.yaml │ └── Dockerfile ├── migrate.sh ├── v4.15 │ └── Dockerfile ├── v4.16 │ └── Dockerfile ├── v4.17 │ └── Dockerfile ├── v4.18 │ └── Dockerfile ├── v4.19 │ └── Dockerfile ├── v4.20 │ └── Dockerfile ├── README.md ├── duplicate.sh ├── update.sh └── render.sh ├── config ├── peerpods │ ├── podvm │ │ ├── bootc │ │ │ ├── .dockerignore │ │ │ ├── etc │ │ │ │ ├── sudoers.d │ │ │ │ │ └── wheel-nopasswd │ │ │ │ └── systemd │ │ │ │ │ └── system │ │ │ │ │ └── afterburn-checkin.service │ │ │ ├── usr │ │ │ │ └── lib │ │ │ │ │ └── bootc │ │ │ │ │ └── install │ │ │ │ │ └── 00-kargs.toml │ │ │ ├── config.toml │ │ │ ├── podvm-git-buildconfig.yaml │ │ │ └── Containerfile.rhel │ │ ├── Dockerfile.podvm-oci │ │ ├── rpms.in.yaml │ │ ├── ibmcloud-podvm-image-cm.yaml │ │ ├── libvirt-podvm-image-cm.yaml │ │ ├── gcp-podvm-image-cm.yaml │ │ ├── osc-podvm-gallery-delete-job.yaml │ │ ├── agent-policy │ │ │ ├── allow-all.rego │ │ │ ├── coco-policy.rego │ │ │ ├── allow-all-except-exec-process.rego │ │ │ └── README.md │ │ ├── aws-podvm-image-cm.yaml │ │ ├── azure-podvm-image-cm.yaml │ │ ├── ubi.repo │ │ ├── Dockerfile.podvm-builder │ │ ├── osc-podvm-delete-job.yaml │ │ ├── README.md │ │ └── ibmcloud-podvm-image-handler.sh │ ├── runtimeclass.yaml │ ├── peerpodscm.yaml │ ├── credentials-requests │ │ ├── credentials_request_azure.yaml │ │ ├── credentials_request_aws.yaml │ │ └── credentials_request_gcp.yaml │ ├── peerpodssecret.yaml │ └── default-non-cc-initdata.toml ├── prometheus │ ├── kustomization.yaml │ └── monitor.yaml ├── network-policy │ ├── kustomization.yaml │ ├── allow-metrics-traffic.yaml │ └── allow-webhook-traffic.yaml ├── certmanager │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── certificate.yaml ├── webhook │ ├── kustomization.yaml │ ├── service.yaml │ ├── manifests.yaml │ └── kustomizeconfig.yaml ├── manifests │ ├── extension-crds │ │ ├── kustomization.yaml │ │ └── 
confidentialcontainers.org_peerpods.yaml │ └── kustomization.yaml ├── kata-monitor │ ├── kustomization.yaml │ ├── kata-monitor-service.yaml │ ├── kata-monitor-prometheus-rules.yaml │ └── kata-monitor-servicemonitor.yaml ├── rbac │ ├── katamonitor_sa.yaml │ ├── metrics_reader_role.yaml │ ├── role_binding.yaml │ ├── leader_election_role_binding.yaml │ ├── metrics_auth_role_binding.yaml │ ├── metrics_auth_role.yaml │ ├── leader_election_role.yaml │ ├── katamonitor.yaml │ ├── kataconfig_viewer_role.yaml │ ├── kustomization.yaml │ ├── kataconfig_editor_role.yaml │ └── caa_rbac.yaml ├── scorecard │ ├── bases │ │ └── config.yaml │ ├── patches │ │ ├── basic.config.yaml │ │ └── olm.config.yaml │ └── kustomization.yaml ├── samples │ ├── kustomization.yaml │ ├── kataconfiguration_v1_kataconfig.yaml │ ├── layered-image-deploy-cm.yaml │ ├── featuregates.yaml │ ├── example-fedora.yaml │ ├── _v1alpha1_peerpod.yaml │ ├── catalogsource.yaml │ └── deploy.yaml ├── default │ ├── manager_metrics_patch.yaml │ ├── metrics_service.yaml │ ├── manager_webhook_patch.yaml │ └── webhookcainjection_patch.yaml ├── manager │ ├── controller_manager_config.yaml │ └── kustomization.yaml ├── crd │ ├── patches │ │ ├── cainjection_in_kataconfigs.yaml │ │ └── webhook_in_kataconfigs.yaml │ ├── kustomizeconfig.yaml │ └── kustomization.yaml ├── metrics │ ├── metrics-service.yaml │ ├── kustomization.yaml │ ├── metrics-servicemonitor.yaml │ ├── metrics-deployment.yaml │ └── metrics-prometheus-rules.yaml └── baremetal │ └── kata-addon-artifacts.yaml ├── scripts ├── ami-helper │ └── ami-helper.sh ├── install-helpers │ └── baremetal-coco │ │ ├── intel-dcap │ │ ├── ns.yaml │ │ ├── pccs.yaml.in │ │ └── qgs.yaml │ │ ├── .gitignore │ │ ├── ns.yaml │ │ ├── nfd │ │ ├── ns.yaml │ │ ├── og.yaml │ │ ├── subs.yaml │ │ ├── nfd-cr.yaml │ │ ├── amd-rules.yaml │ │ └── intel-rules.yaml │ │ ├── layeredimage-cm-snp.yaml │ │ ├── og.yaml │ │ ├── layeredimage-cm-tdx.yaml │ │ ├── osc-fg-cm.yaml │ │ ├── osc_catalog.yaml │ │ ├── 
subs-ga.yaml │ │ ├── subs-upstream.yaml │ │ ├── intel-dpo │ │ ├── sgx_device_plugin.yaml │ │ └── install_operator.yaml │ │ └── image_mirroring.yaml ├── kata-install │ ├── 50-kata-remote │ ├── Dockerfile │ ├── osc-log-level.sh │ ├── lib.sh │ └── README.md ├── cm-helpers │ └── README.md ├── rvps-extraction │ ├── static-files │ │ └── HKD.crt │ └── RVPS_Reference.md └── bump-osc-version.sh ├── docs └── arch.png ├── .tekton ├── build-args.env ├── osc-fbc-4-15-push.yaml ├── osc-fbc-4-17-push.yaml ├── osc-fbc-4-16-push.yaml ├── osc-fbc-4-18-push.yaml ├── osc-fbc-4-19-push.yaml ├── osc-fbc-4-20-push.yaml ├── osc-fbc-4-15-pull-request.yaml ├── osc-fbc-4-17-pull-request.yaml ├── osc-fbc-4-16-pull-request.yaml ├── osc-fbc-4-18-pull-request.yaml ├── osc-fbc-4-19-pull-request.yaml └── osc-fbc-4-20-pull-request.yaml ├── bundle ├── manifests │ ├── monitor_v1_serviceaccount.yaml │ ├── metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml │ ├── webhook-service_v1_service.yaml │ ├── monitor-role_rbac.authorization.k8s.io_v1_role.yaml │ ├── operator-metrics-service_v1_service.yaml │ ├── prometheus-sandboxed-containers-rules_monitoring.coreos.com_v1_prometheusrule.yaml │ ├── metrics_v1_service.yaml │ ├── monitor-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml │ ├── controller-manager-metrics-svc_v1_service.yaml │ ├── operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml │ ├── openshift-sandboxed-containers-monitor_monitoring.coreos.com_v1_servicemonitor.yaml │ ├── manager-config_v1_configmap.yaml │ ├── osc-alerts_monitoring.coreos.com_v1_prometheusrule.yaml │ └── confidentialcontainers.org_peerpods.yaml ├── metadata │ └── annotations.yaml └── tests │ └── scorecard │ └── config.yaml ├── .gitmodules ├── must-gather ├── rpms.in.yaml ├── node-gather │ ├── node-gather-crd.yaml │ └── node-gather-ds.yaml ├── collection-scripts │ ├── gather_crds │ ├── gather_apiservices │ ├── gather │ ├── gather_audit_logs │ └── gather_images ├── Makefile ├── Dockerfile ├── 
README.md ├── must-gather-requirements.md ├── ubi.repo └── rpms.lock.yaml ├── .dockerignore ├── OWNERS ├── controllers ├── common.go ├── scc.go └── cm_event_handler.go ├── PULL_REQUEST_TEMPLATE.md ├── hack └── boilerplate.go.txt ├── controller-gen ├── PROJECT ├── api └── v1 │ └── groupversion_info.go ├── .gitignore ├── ISSUE_TEMPLATE.md ├── bundle.Dockerfile ├── Dockerfile ├── tests ├── make-test.yaml ├── show-snapshot.yaml └── osc-test-fbc-integration.yaml └── testbin └── setup-envtest.sh /fbc/.gitignore: -------------------------------------------------------------------------------- 1 | *.base64 2 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/.dockerignore: -------------------------------------------------------------------------------- 1 | output/ 2 | -------------------------------------------------------------------------------- /config/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /scripts/ami-helper/ami-helper.sh: -------------------------------------------------------------------------------- 1 | ../../config/peerpods/podvm/ami-helper.sh -------------------------------------------------------------------------------- /docs/arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openshift/sandboxed-containers-operator/HEAD/docs/arch.png -------------------------------------------------------------------------------- /fbc/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openshift/sandboxed-containers-operator/HEAD/fbc/icon.png -------------------------------------------------------------------------------- /.tekton/build-args.env: 
-------------------------------------------------------------------------------- 1 | CAA_SRC=https://github.com/openshift/cloud-api-adaptor 2 | CAA_REF=osc-release 3 | 4 | -------------------------------------------------------------------------------- /config/network-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - allow-webhook-traffic.yaml 3 | - allow-metrics-traffic.yaml 4 | -------------------------------------------------------------------------------- /config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/intel-dcap/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: intel-dcap 5 | -------------------------------------------------------------------------------- /config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/.gitignore: -------------------------------------------------------------------------------- 1 | cluster-pull-secret.json 2 | cluster-pull-secret-mod.json 3 | 96-kata-kernel-config-mc.yaml 4 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openshift-sandboxed-containers-operator 5 | 
-------------------------------------------------------------------------------- /bundle/manifests/monitor_v1_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | creationTimestamp: null 5 | name: monitor 6 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/etc/sudoers.d/wheel-nopasswd: -------------------------------------------------------------------------------- 1 | # Enable passwordless sudo for the wheel group 2 | %wheel ALL=(ALL) NOPASSWD: ALL 3 | -------------------------------------------------------------------------------- /config/peerpods/podvm/Dockerfile.podvm-oci: -------------------------------------------------------------------------------- 1 | FROM scratch 2 | 3 | ARG PODVM_IMAGE_SRC 4 | ENV PODVM_IMAGE_PATH="/image/podvm.qcow2" 5 | 6 | COPY $PODVM_IMAGE_SRC $PODVM_IMAGE_PATH 7 | -------------------------------------------------------------------------------- /config/manifests/extension-crds/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - confidentialcontainers.org_peerpods.yaml 5 | -------------------------------------------------------------------------------- /config/kata-monitor/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - kata-monitor-service.yaml 3 | - kata-monitor-servicemonitor.yaml 4 | - osc-dashboard.yaml 5 | - kata-monitor-prometheus-rules.yaml 6 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/usr/lib/bootc/install/00-kargs.toml: -------------------------------------------------------------------------------- 1 | [install.filesystem.root] 2 | type = "xfs" 3 | [install] 4 | kargs = 
["console=ttyS0"] 5 | match-architectures = ["x86_64"] 6 | -------------------------------------------------------------------------------- /config/rbac/katamonitor_sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | creationTimestamp: null 5 | name: monitor 6 | namespace: openshift-sandboxed-containers-operator 7 | -------------------------------------------------------------------------------- /config/scorecard/bases/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: [] 8 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "config/peerpods/podvm/cloud-api-adaptor"] 2 | path = config/peerpods/podvm/cloud-api-adaptor 3 | url = https://github.com/openshift/cloud-api-adaptor/ 4 | branch = osc-release 5 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/config.toml: -------------------------------------------------------------------------------- 1 | [[customizations.filesystem]] 2 | mountpoint = "/" 3 | minsize = "5 GiB" 4 | 5 | [[customizations.filesystem]] 6 | mountpoint = "/var/kata-containers" 7 | minsize = "15 GiB" 8 | -------------------------------------------------------------------------------- /config/samples/kustomization.yaml: -------------------------------------------------------------------------------- 1 | ## Append samples you want in your CSV to this file as resources ## 2 | resources: 3 | - kataconfiguration_v1_kataconfig.yaml 4 | # +kubebuilder:scaffold:manifestskustomizesamples 5 | 
-------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openshift-nfd 5 | labels: 6 | name: openshift-nfd 7 | openshift.io/cluster-monitoring: "true" 8 | -------------------------------------------------------------------------------- /config/default/manager_metrics_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch adds the args to allow exposing the metrics endpoint using HTTPS 2 | - op: add 3 | path: /spec/template/spec/containers/0/args/0 4 | value: --metrics-bind-address=:8443 5 | -------------------------------------------------------------------------------- /config/rbac/metrics_reader_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: 7 | - "/metrics" 8 | verbs: 9 | - get 10 | -------------------------------------------------------------------------------- /must-gather/rpms.in.yaml: -------------------------------------------------------------------------------- 1 | packages: [tar, rsync] 2 | contentOrigin: 3 | repofiles: ["./ubi.repo"] 4 | arches: 5 | - x86_64 6 | - s390x 7 | context: 8 | image: registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109 9 | -------------------------------------------------------------------------------- /config/peerpods/runtimeclass.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: node.k8s.io/v1 3 | handler: kata-remote 4 | kind: RuntimeClass 5 | metadata: 6 | name: kata-remote 7 | overhead: 8 | podFixed: 9 | memory: "120Mi" 10 | cpu: "250m" 11 | 
-------------------------------------------------------------------------------- /config/samples/kataconfiguration_v1_kataconfig.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kataconfiguration.openshift.io/v1 2 | kind: KataConfig 3 | metadata: 4 | name: example-kataconfig 5 | #spec: 6 | # kataConfigPoolSelector: 7 | # matchLabels: 8 | # custom-kata1: test 9 | -------------------------------------------------------------------------------- /must-gather/node-gather/node-gather-crd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: node-gather 6 | --- 7 | apiVersion: v1 8 | kind: ServiceAccount 9 | metadata: 10 | name: node-gather 11 | namespace: node-gather 12 | 13 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/og.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1 2 | kind: OperatorGroup 3 | metadata: 4 | generateName: openshift-nfd- 5 | name: openshift-nfd 6 | namespace: openshift-nfd 7 | spec: 8 | targetNamespaces: 9 | - openshift-nfd 10 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | vendor 3 | testbin 4 | images 5 | must-gather 6 | bin 7 | api/v1/zz_generated.deepcopy.go 8 | config/crd/bases/kataconfiguration.openshift.io_kataconfigs.yaml 9 | config/rbac/role.yaml 10 | config/webhook/manifests.yaml 11 | config/peerpods/podvm/bootc/output/ 12 | -------------------------------------------------------------------------------- /bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | creationTimestamp: null 5 | name: metrics-reader 6 | rules: 7 | - nonResourceURLs: 8 | - /metrics 9 | verbs: 10 | - get 11 | -------------------------------------------------------------------------------- /config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | protocol: TCP 11 | targetPort: 9443 12 | selector: 13 | control-plane: controller-manager 14 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/layeredimage-cm-snp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | osImageURL: "quay.io/openshift_sandboxed_containers/rhcos-layer/ocp-4.18:snp-0.2.0" 4 | kind: ConfigMap 5 | metadata: 6 | name: layered-image-deploy-cm 7 | namespace: openshift-sandboxed-containers-operator 8 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/og.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1 2 | kind: OperatorGroup 3 | metadata: 4 | name: openshift-sandboxed-containers-operator 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | targetNamespaces: 8 | - openshift-sandboxed-containers-operator 9 | -------------------------------------------------------------------------------- /config/scorecard/patches/basic.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - basic-check-spec 7 | image: quay.io/operator-framework/scorecard-test:master 8 | labels: 9 | suite: basic 10 | test: 
basic-check-spec-test 11 | -------------------------------------------------------------------------------- /config/manager/controller_manager_config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 2 | kind: ControllerManagerConfig 3 | metrics: 4 | bindAddress: 127.0.0.1:8080 5 | webhook: 6 | port: 9443 7 | leaderElection: 8 | leaderElect: true 9 | resourceName: 290f4947.kataconfiguration.openshift.io 10 | -------------------------------------------------------------------------------- /config/samples/layered-image-deploy-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | osImageURL: "quay.io/openshift_sandboxed_containers/kata-ocp415:tdx" 4 | kernelArguments: "kvm_intel.tdx=1" 5 | 6 | kind: ConfigMap 7 | metadata: 8 | name: layered-image-deploy-cm 9 | namespace: openshift-sandboxed-containers-operator 10 | -------------------------------------------------------------------------------- /bundle/manifests/webhook-service_v1_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | creationTimestamp: null 5 | name: webhook-service 6 | spec: 7 | ports: 8 | - port: 443 9 | protocol: TCP 10 | targetPort: 9443 11 | selector: 12 | control-plane: controller-manager 13 | status: 14 | loadBalancer: {} 15 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | 
-------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/subs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: nfd 5 | namespace: openshift-nfd 6 | spec: 7 | channel: "stable" 8 | installPlanApproval: Automatic 9 | name: nfd 10 | source: redhat-operators 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/layeredimage-cm-tdx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | osImageURL: "quay.io/openshift_sandboxed_containers/rhcos-layer/ocp-4.18:tdx-0.2.0" 4 | kernelArguments: "kvm_intel.tdx=1 nohibernate" 5 | kind: ConfigMap 6 | metadata: 7 | name: layered-image-deploy-cm 8 | namespace: openshift-sandboxed-containers-operator 9 | -------------------------------------------------------------------------------- /bundle/manifests/monitor-role_rbac.authorization.k8s.io_v1_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | creationTimestamp: null 5 | name: monitor-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - services 11 | - endpoints 12 | - pods 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: 
ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | reviewers: 2 | - jensfr 3 | - pmores 4 | - bpradipt 5 | - gkurz 6 | - littlejawa 7 | - snir911 8 | - vvoronko 9 | - tbuskey 10 | - wainersm 11 | - c3d 12 | approvers: 13 | - jensfr 14 | - pmores 15 | - bpradipt 16 | - gkurz 17 | - littlejawa 18 | - snir911 19 | - vvoronko 20 | - tbuskey 21 | - wainersm 22 | - c3d 23 | -------------------------------------------------------------------------------- /config/peerpods/peerpodscm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: peer-pods-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | #CLOUD_PROVIDER: "libvirt" 8 | #LIBVIRT_NET: "default" 9 | #LIBVIRT_POOL: "default" 10 | #LIBVIRT_VOL_NAME: "default" 11 | #LIBVIRT_DIR_NAME: "/var/lib/libvirt/images/default" 12 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_kataconfigs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: kataconfigs.kataconfiguration.openshift.io 8 | -------------------------------------------------------------------------------- /config/rbac/metrics_auth_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: metrics-auth-rolebinding 5 | roleRef: 6 | apiGroup: 
rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: metrics-auth-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/samples/featuregates.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: osc-feature-gates 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # layeredImageDeployment allows deploying Kata using RHCOS layered image 8 | # This feature gate needs a ConfigMap named layered-image-deploy-cm 9 | layeredImageDeployment: "false" 10 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/etc/systemd/system/afterburn-checkin.service: -------------------------------------------------------------------------------- 1 | # As our image is generic, we don't set the cloud provider on the kernel command line. 2 | # Instead, we always run the unit, even if it is only needed on Azure right now. 
3 | [Unit] 4 | ConditionKernelCommandLine= 5 | 6 | [Service] 7 | ExecStart= 8 | ExecStart=-/usr/bin/afterburn --provider=azure --check-in 9 | -------------------------------------------------------------------------------- /config/metrics/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: operator-metrics-service 5 | namespace: openshift-sandboxed-containers-operator 6 | labels: 7 | app: operator-metrics-server 8 | spec: 9 | selector: 10 | app: operator-metrics-server 11 | ports: 12 | - protocol: TCP 13 | port: 8091 14 | targetPort: 8091 15 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/osc-fg-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: osc-feature-gates 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # layeredImageDeployment allows deploying Kata using RHCOS layered image 8 | # This feature gate needs a ConfigMap named layered-image-deploy-cm 9 | layeredImageDeployment: "true" 10 | -------------------------------------------------------------------------------- /config/baremetal/kata-addon-artifacts.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: kata-addon-artifacts 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | addonImage: "quay.io/openshift_sandboxed_containers/kata-se-artifacts:v1.0" 8 | 9 | # Path within the container image where kernel is located 10 | kernelPath: "/artifacts/kernel/vmlinuz" 11 | -------------------------------------------------------------------------------- /config/kata-monitor/kata-monitor-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | 
kind: Service 3 | metadata: 4 | name: metrics 5 | namespace: openshift-sandboxed-containers-operator 6 | labels: 7 | name: openshift-sandboxed-containers-monitor 8 | spec: 9 | selector: 10 | name: openshift-sandboxed-containers-monitor 11 | ports: 12 | - name: metrics 13 | port: 8090 14 | protocol: TCP 15 | -------------------------------------------------------------------------------- /scripts/kata-install/50-kata-remote: -------------------------------------------------------------------------------- 1 | [crio.runtime.runtimes.kata-remote] 2 | runtime_path = "/usr/bin/containerd-shim-kata-v2" 3 | runtime_type = "vm" 4 | runtime_root = "/run/vc" 5 | runtime_config_path = "/opt/kata/configuration-remote.toml" 6 | privileged_without_host_devices = true 7 | runtime_pull_image = true 8 | allowed_annotations = [ 9 | "io.kubernetes.cri-o.Devices", 10 | ] 11 | -------------------------------------------------------------------------------- /bundle/manifests/operator-metrics-service_v1_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | app: operator-metrics-server 7 | name: operator-metrics-service 8 | spec: 9 | ports: 10 | - port: 8091 11 | protocol: TCP 12 | targetPort: 8091 13 | selector: 14 | app: operator-metrics-server 15 | status: 16 | loadBalancer: {} 17 | -------------------------------------------------------------------------------- /bundle/manifests/prometheus-sandboxed-containers-rules_monitoring.coreos.com_v1_prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | name: prometheus-sandboxed-containers-rules 5 | spec: 6 | groups: 7 | - name: kata_monitor_rules 8 | rules: 9 | - expr: sum(kata_monitor_running_shim_count) 10 | record: cluster:kata_monitor_running_shim_count:sum 11 | 
-------------------------------------------------------------------------------- /must-gather/collection-scripts/gather_crds: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Resource list 4 | resources=() 5 | 6 | for i in $(/usr/bin/oc get crd | grep kata | awk '{print $1}') 7 | do 8 | resources+=("crd/$i") 9 | done 10 | 11 | # Run the collection of resources using must-gather 12 | for resource in "${resources[@]}"; do 13 | /usr/bin/oc adm inspect --dest-dir must-gather "${resource}" 14 | done 15 | 16 | exit 0 17 | -------------------------------------------------------------------------------- /bundle/manifests/metrics_v1_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | name: openshift-sandboxed-containers-monitor 7 | name: metrics 8 | spec: 9 | ports: 10 | - name: metrics 11 | port: 8090 12 | protocol: TCP 13 | targetPort: 0 14 | selector: 15 | name: openshift-sandboxed-containers-monitor 16 | status: 17 | loadBalancer: {} 18 | -------------------------------------------------------------------------------- /config/metrics/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - metrics-deployment.yaml 3 | - metrics-service.yaml 4 | - metrics-servicemonitor.yaml 5 | - metrics-prometheus-rules.yaml 6 | 7 | apiVersion: kustomize.config.k8s.io/v1beta1 8 | kind: Kustomization 9 | images: 10 | - name: metrics-server 11 | newName: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator 12 | newTag: v1.11.1 ## OSC_VERSION 13 | -------------------------------------------------------------------------------- /bundle/manifests/monitor-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | creationTimestamp: null 5 | name: monitor-rolebinding 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: monitor-role 10 | subjects: 11 | - kind: ServiceAccount 12 | name: prometheus-k8s 13 | namespace: openshift-monitoring 14 | -------------------------------------------------------------------------------- /config/rbac/metrics_auth_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-auth-role 5 | rules: 6 | - apiGroups: 7 | - authentication.k8s.io 8 | resources: 9 | - tokenreviews 10 | verbs: 11 | - create 12 | - apiGroups: 13 | - authorization.k8s.io 14 | resources: 15 | - subjectaccessreviews 16 | verbs: 17 | - create 18 | -------------------------------------------------------------------------------- /config/samples/example-fedora.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: example-fedora 5 | labels: 6 | app: example-fedora-app 7 | namespace: default 8 | spec: 9 | containers: 10 | - name: example-fedora 11 | image: fedora:30 12 | ports: 13 | - containerPort: 8080 14 | command: ["python3"] 15 | args: [ "-m", "http.server", "8080"] 16 | runtimeClassName: kata 17 | -------------------------------------------------------------------------------- /config/kata-monitor/kata-monitor-prometheus-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | name: prometheus-sandboxed-containers-rules 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | groups: 8 | - name: kata_monitor_rules 9 | rules: 10 | - record: cluster:kata_monitor_running_shim_count:sum 11 | expr: sum(kata_monitor_running_shim_count) 12 | 
-------------------------------------------------------------------------------- /config/samples/_v1alpha1_peerpod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: confidentialcontainers.org/v1alpha1 2 | kind: PeerPod 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: peerpod 6 | app.kubernetes.io/instance: peerpod-sample 7 | app.kubernetes.io/part-of: peerpod-ctrl 8 | app.kubernetes.io/managed-by: kustomize 9 | app.kubernetes.io/created-by: peerpod-ctrl 10 | name: peerpod-sample 11 | spec: 12 | # TODO(user): Add fields here 13 | -------------------------------------------------------------------------------- /bundle/manifests/controller-manager-metrics-svc_v1_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | control-plane: controller-manager 7 | name: controller-manager-metrics-svc 8 | spec: 9 | ports: 10 | - name: https 11 | port: 8443 12 | protocol: TCP 13 | targetPort: https 14 | selector: 15 | control-plane: controller-manager 16 | status: 17 | loadBalancer: {} 18 | -------------------------------------------------------------------------------- /bundle/manifests/operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | release: prometheus-operator 6 | name: operator-metrics-monitor 7 | spec: 8 | endpoints: 9 | - interval: 30s 10 | path: /metrics 11 | port: "8091" 12 | scrapeTimeout: 10s 13 | selector: 14 | matchLabels: 15 | app: operator-metrics-server 16 | -------------------------------------------------------------------------------- /config/samples/catalogsource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
operators.coreos.com/v1alpha1 2 | kind: CatalogSource 3 | metadata: 4 | name: kataconfig-catalog 5 | namespace: openshift-marketplace 6 | spec: 7 | sourceType: grpc 8 | image: quay.io/openshift_sandboxed-containers/openshift-sandboxed-containers-catalog:latest 9 | displayName: Kata container Operators 10 | publisher: Red Hat 11 | updateStrategy: 12 | registryPoll: 13 | interval: 30m 14 | -------------------------------------------------------------------------------- /bundle/manifests/openshift-sandboxed-containers-monitor_monitoring.coreos.com_v1_servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | name: openshift-sandboxed-containers-monitor 5 | spec: 6 | endpoints: 7 | - port: metrics 8 | namespaceSelector: 9 | matchNames: 10 | - openshift-sandboxed-containers-operator 11 | selector: 12 | matchLabels: 13 | name: openshift-sandboxed-containers-monitor 14 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/osc_catalog.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: CatalogSource 3 | metadata: 4 | name: osc-upstream-catalog 5 | namespace: openshift-marketplace 6 | spec: 7 | displayName: OSC Upstream Operator Catalog 8 | sourceType: grpc 9 | image: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator-catalog:1.9.0-28 10 | updateStrategy: 11 | registryPoll: 12 | interval: 5m 13 | -------------------------------------------------------------------------------- /config/metrics/metrics-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | name: operator-metrics-monitor 5 | namespace: 
openshift-sandboxed-containers-operator 6 | labels: 7 | release: prometheus-operator 8 | spec: 9 | selector: 10 | matchLabels: 11 | app: operator-metrics-server 12 | endpoints: 13 | - port: "8091" 14 | path: /metrics 15 | interval: 30s 16 | scrapeTimeout: 10s 17 | -------------------------------------------------------------------------------- /config/kata-monitor/kata-monitor-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | name: openshift-sandboxed-containers-monitor 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | namespaceSelector: 8 | matchNames: 9 | - openshift-sandboxed-containers-operator 10 | selector: 11 | matchLabels: 12 | name: openshift-sandboxed-containers-monitor 13 | endpoints: 14 | - port: metrics 15 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | 4 | generatorOptions: 5 | disableNameSuffixHash: true 6 | 7 | configMapGenerator: 8 | - files: 9 | - controller_manager_config.yaml 10 | name: manager-config 11 | apiVersion: kustomize.config.k8s.io/v1beta1 12 | kind: Kustomization 13 | images: 14 | - name: controller 15 | newName: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator 16 | newTag: v1.11.1 ## OSC_VERSION 17 | -------------------------------------------------------------------------------- /bundle/manifests/manager-config_v1_configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | controller_manager_config.yaml: | 4 | apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 5 | kind: ControllerManagerConfig 6 | metrics: 7 | bindAddress: 127.0.0.1:8080 8 | webhook: 9 | port: 9443 10 | leaderElection: 11 | 
leaderElect: true 12 | resourceName: 290f4947.kataconfiguration.openshift.io 13 | kind: ConfigMap 14 | metadata: 15 | name: manager-config 16 | -------------------------------------------------------------------------------- /config/default/metrics_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | app.kubernetes.io/name: 7 | app.kubernetes.io/managed-by: kustomize 8 | name: controller-manager-metrics-service 9 | namespace: system 10 | spec: 11 | ports: 12 | - name: https 13 | port: 8443 14 | protocol: TCP 15 | targetPort: 8443 16 | selector: 17 | control-plane: controller-manager 18 | -------------------------------------------------------------------------------- /config/scorecard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - bases/config.yaml 3 | patchesJson6902: 4 | - path: patches/basic.config.yaml 5 | target: 6 | group: scorecard.operatorframework.io 7 | version: v1alpha3 8 | kind: Configuration 9 | name: config 10 | - path: patches/olm.config.yaml 11 | target: 12 | group: scorecard.operatorframework.io 13 | version: v1alpha3 14 | kind: Configuration 15 | name: config 16 | # +kubebuilder:scaffold:patchesJson6902 17 | -------------------------------------------------------------------------------- /controllers/common.go: -------------------------------------------------------------------------------- 1 | package controllers 2 | 3 | const ( 4 | // https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.4.0/ 5 | // https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#finalizers 6 | kataConfigFinalizer = "kataconfiguration.openshift.io/finalizer" 7 | ) 8 | 9 | func contains(list []string, s string) bool { 10 | for _, v := range list { 11 | if v == s { 12 | return true 13 | } 14 | } 15 | 
return false 16 | } 17 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/subs-ga.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-sandboxed-containers-operator 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | channel: stable 8 | installPlanApproval: Manual 9 | name: sandboxed-containers-operator 10 | source: redhat-operators 11 | sourceNamespace: openshift-marketplace 12 | # Leave version resolution to channel; do not pin startingCSV 13 | -------------------------------------------------------------------------------- /config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/nfd-cr.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022 - 2023 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | apiVersion: nfd.openshift.io/v1 5 | kind: NodeFeatureDiscovery 6 | metadata: 7 | name: nfd-instance 8 | namespace: openshift-nfd 9 | spec: 10 | operand: 11 | image: registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9:v4.16 12 | imagePullPolicy: Always 13 | servicePort: 12000 14 | workerConfig: 15 | configData: | 16 | 
-------------------------------------------------------------------------------- /config/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: controller-manager 8 | name: controller-manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https # Ensure this is the name of the port that exposes HTTPS metrics 14 | selector: 15 | matchLabels: 16 | control-plane: controller-manager 17 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/subs-upstream.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-sandboxed-containers-operator 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | channel: stable 8 | installPlanApproval: Automatic 9 | name: sandboxed-containers-operator 10 | source: osc-upstream-catalog 11 | sourceNamespace: openshift-marketplace 12 | # Leave version resolution to channel; do not pin startingCSV 13 | -------------------------------------------------------------------------------- /PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 7 | **- Description of the problem which is fixed/What is the use case** 8 | 9 | **- What I did** 10 | 11 | **- How to verify it** 12 | 13 | **- Description for the changelog** 14 | 18 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_kataconfigs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | apiVersion: 
apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: kataconfigs.kataconfiguration.openshift.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | 18 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/intel-dpo/sgx_device_plugin.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | apiVersion: deviceplugin.intel.com/v1 5 | kind: SgxDevicePlugin 6 | metadata: 7 | name: sgxdeviceplugin-sample 8 | spec: 9 | image: registry.connect.redhat.com/intel/intel-sgx-plugin@sha256:f2c77521c6dae6b4db1896a5784ba8b06a5ebb2a01684184fc90143cfcca7bf4 10 | enclaveLimit: 110 11 | provisionLimit: 110 12 | logLevel: 4 13 | nodeSelector: 14 | intel.feature.node.kubernetes.io/sgx: "true" 15 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/amd-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: nfd.openshift.io/v1alpha1 2 | kind: NodeFeatureRule 3 | metadata: 4 | name: amd-sev-snp 5 | namespace: openshift-nfd 6 | spec: 7 | rules: 8 | - name: "amd.sev-snp" 9 | labels: 10 | "amd.feature.node.kubernetes.io/snp": "true" 11 | extendedResources: 12 | sev-snp.amd.com/esids: "@cpu.security.sev.encrypted_state_ids" 13 | matchFeatures: 14 | - feature: cpu.security 15 | matchExpressions: 16 | sev.snp.enabled: { op: Exists } 17 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and 
namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ -------------------------------------------------------------------------------- /config/peerpods/podvm/rpms.in.yaml: -------------------------------------------------------------------------------- 1 | packages: 2 | - curl 3 | - git 4 | - make 5 | - unzip 6 | - skopeo 7 | - jq 8 | - qemu-img 9 | - podman 10 | 11 | contentOrigin: 12 | repofiles: 13 | - ./ubi.repo 14 | - ./redhat.repo 15 | 16 | arches: 17 | - x86_64 18 | - s390x 19 | 20 | context: 21 | containerfile: Dockerfile.podvm-builder 22 | 23 | # Tell DNF it may erase already installed packages when resolving the 24 | # transaction. Defaults to false. 
25 | # NOTE: our podvm builder scripts are using this option, so we need 26 | # to do the same for rpm-lockfile-prototype 27 | allowerasing: true 28 | -------------------------------------------------------------------------------- /must-gather/Makefile: -------------------------------------------------------------------------------- 1 | IMAGE_REGISTRY ?= quay.io 2 | IMAGE_TAG ?= latest 3 | 4 | build: podman-build podman-push 5 | 6 | # check 7 | check: 8 | shellcheck collection-scripts/* 9 | 10 | ensure-must-gather-image-is-set: 11 | ifndef MUST_GATHER_IMAGE 12 | $(error MUST_GATHER_IMAGE is not set.) 13 | endif 14 | 15 | podman-build: ensure-must-gather-image-is-set 16 | podman build --squash-all --no-cache . -t ${IMAGE_REGISTRY}/${MUST_GATHER_IMAGE}:${IMAGE_TAG} 17 | 18 | podman-push: ensure-must-gather-image-is-set 19 | podman push ${IMAGE_REGISTRY}/${MUST_GATHER_IMAGE}:${IMAGE_TAG} 20 | 21 | .PHONY: build podman-build podman-push 22 | -------------------------------------------------------------------------------- /scripts/kata-install/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.access.redhat.com/ubi9/skopeo:9.7-1764607501 2 | 3 | RUN mkdir -p /files 4 | 5 | ADD 50-kata-remote configuration-remote.toml /files/ 6 | 7 | RUN mkdir -p /scripts 8 | 9 | ADD osc-kata-install.sh osc-configs-script.sh osc-log-level.sh lib.sh osc-kata-addons-install.sh /scripts/ 10 | 11 | # Multi-arch umoci support (amd64 and s390x) 12 | ARG TARGETARCH=amd64 13 | RUN curl -sSL "https://github.com/opencontainers/umoci/releases/download/v0.5.0/umoci.linux.${TARGETARCH}" -o "/usr/local/bin/umoci" &&\ 14 | chmod +x "/usr/local/bin/umoci" 15 | 16 | CMD ["/scripts/osc-kata-install.sh"] 17 | -------------------------------------------------------------------------------- /config/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: 
Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /config/peerpods/credentials-requests/credentials_request_azure.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cloudcredential.openshift.io/v1 2 | kind: CredentialsRequest 3 | metadata: 4 | name: openshift-sandboxed-containers-azure 5 | namespace: openshift-cloud-credential-operator 6 | spec: 7 | secretRef: 8 | name: cco-secret 9 | namespace: openshift-sandboxed-containers-operator 10 | providerSpec: 11 | apiVersion: cloudcredential.openshift.io/v1 12 | kind: AzureProviderSpec 13 | roleBindings: 14 | - role: Reader 15 | - role: Virtual Machine Contributor 16 | - role: Network Contributor 17 | - role: Storage Account Contributor 18 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - coordination.k8s.io 21 | resources: 22 | - leases 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - create 28 | - update 29 | - patch 30 | - delete 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - events 35 | verbs: 36 | - create 37 | - patch 38 | -------------------------------------------------------------------------------- /config/webhook/manifests.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | name: validating-webhook-configuration 6 | webhooks: 7 | - admissionReviewVersions: 8 | - v1 9 | clientConfig: 10 | service: 11 | name: webhook-service 12 | namespace: system 13 | path: /validate-kataconfiguration-openshift-io-v1-kataconfig 14 | failurePolicy: Fail 15 | name: vkataconfig.kb.io 16 | rules: 17 | - apiGroups: 18 | - kataconfiguration.openshift.io 19 | apiVersions: 20 | - v1 21 | operations: 22 | - CREATE 23 | resources: 24 | - kataconfigs 25 | sideEffects: None 26 | -------------------------------------------------------------------------------- /must-gather/collection-scripts/gather_apiservices: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | BASE_COLLECTION_PATH="/must-gather" 4 | 5 | # Resource list 6 | resources=() 7 | 8 | for i in $(/usr/bin/oc get apiservices --all-namespaces | grep kata | awk '{ print $1 }') 9 | do 10 | resources+=("$i") 11 | done 12 | 13 | # we use nested loops to nicely output objects partitioned per namespace, kind 14 | for resource in "${resources[@]}"; do 15 | 
apiservice_collection_path=${BASE_COLLECTION_PATH}/apiservices/ 16 | 17 | mkdir -p ${apiservice_collection_path} 18 | 19 | /usr/bin/oc get apiservice "${resource}" -o yaml > "${apiservice_collection_path}/${resource}.yaml" 20 | done 21 | 22 | exit 0 23 | -------------------------------------------------------------------------------- /config/peerpods/podvm/ibmcloud-podvm-image-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: ibmcloud-podvm-image-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | # these are just placeholders for now 7 | data: 8 | # Booleans 9 | INSTALL_PACKAGES: "no" 10 | DOWNLOAD_SOURCES: "no" 11 | CONFIDENTIAL_COMPUTE_ENABLED: "no" 12 | DISABLE_CLOUD_CONFIG: "true" 13 | ENABLE_NVIDIA_GPU: "no" 14 | UPDATE_PEERPODS_CM: "yes" 15 | BOOT_FIPS: "no" 16 | 17 | # precreated artifacts 18 | #COS_BUCKET_NAME: existing-bucket-name 19 | PODVM_IMAGE_URI: bootc::image-registry.openshift-image-registry.svc:5000/openshift-sandboxed-containers-operator/podvm-bootc 20 | -------------------------------------------------------------------------------- /fbc/test-fbc/catalog-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | entries: 3 | - defaultChannel: stable 4 | icon: 5 | base64data: "" 6 | mediatype: image/png 7 | name: sandboxed-containers-operator 8 | schema: olm.package 9 | - entries: 10 | - name: sandboxed-containers-operator.v1.11.1 11 | replaces: sandboxed-containers-operator.v1.11.0 12 | skipRange: '>=1.1.0 <1.11.1' 13 | name: stable 14 | package: sandboxed-containers-operator 15 | schema: olm.channel 16 | - image: registry.redhat.io/openshift-sandboxed-containers/osc-operator-bundle@sha256:7b2035904ec464fe32c55ace525f573a491b046b5ef7cd5721d7a67cfc8dae25 17 | schema: olm.bundle 18 | schema: olm.template.basic 19 | 
-------------------------------------------------------------------------------- /config/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch adds an annotation to the admission webhook config and 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 3 | #apiVersion: admissionregistration.k8s.io/v1 4 | #kind: MutatingWebhookConfiguration 5 | #metadata: 6 | # name: mutating-webhook-configuration 7 | # annotations: 8 | # cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | #--- 10 | apiVersion: admissionregistration.k8s.io/v1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /config/rbac/katamonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: monitor-role 6 | namespace: openshift-sandboxed-containers-operator 7 | rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - services 12 | - endpoints 13 | - pods 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: RoleBinding 21 | metadata: 22 | name: monitor-rolebinding 23 | namespace: openshift-sandboxed-containers-operator 24 | roleRef: 25 | apiGroup: rbac.authorization.k8s.io 26 | kind: Role 27 | name: monitor-role 28 | subjects: 29 | - kind: ServiceAccount 30 | name: prometheus-k8s 31 | namespace: openshift-monitoring 32 | -------------------------------------------------------------------------------- /controller-gen: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This is a hack to 
enable hermetic builds for the operator. 4 | # Rather than installing controller-gen, we declare it as a dependency in the 5 | # go.mod file. Cachi2/Hermeto will then get the sources as part of the prefetch 6 | # phase. 7 | # Once the sources are in, we can use "go run" to build and run the tool from 8 | # its sources, without needing access to the network. 9 | # 10 | # In order to keep the Makefile untouched (as it is partly generated from 11 | # operator-sdk), we put this script in the location where the Makefile expects 12 | # to find controller-gen. 13 | # Makefile will then NOT install the tool, and just run the script instead. 14 | 15 | go tool sigs.k8s.io/controller-tools/cmd/controller-gen $@ 16 | -------------------------------------------------------------------------------- /config/peerpods/peerpodssecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: peer-pods-secret 5 | namespace: openshift-sandboxed-containers-operator 6 | type: Opaque 7 | stringData: 8 | #CLOUD_PROVIDER: "libvirt" 9 | #LIBVIRT_URI: "qemu+ssh://root@192.168.122.1/system?no_verify=1" # no_verify=1 disables SSH host-key verification of the libvirt host; use it only in test environments 10 | #REDHAT_OFFLINE_TOKEN: "" #Required to download rhel base image : Download token from https://access.redhat.com/management/api 11 | #HOST_KEY_CERTS: "" #Download the certificate from https://www.ibm.com/support/resourcelink/api/content/public/host-key-documents.html and make sure the certificate lines are aligned 12 | # Example: 13 | # HOST_KEY_CERTS: | 14 | # -----BEGIN CERTIFICATE----- 15 | # xxx 16 | # xxx 17 | # -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /config/metrics/metrics-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: operator-metrics-server 5 | namespace: openshift-sandboxed-containers-operator 6 | labels: 7 
| app: operator-metrics-server 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: operator-metrics-server 13 | template: 14 | metadata: 15 | labels: 16 | app: operator-metrics-server 17 | spec: 18 | containers: 19 | - name: metrics-server 20 | image: metrics-server:latest 21 | command: ["/metrics-server"] 22 | ports: 23 | - containerPort: 8091 24 | resources: 25 | requests: 26 | memory: "64Mi" 27 | cpu: "50m" 28 | -------------------------------------------------------------------------------- /config/rbac/kataconfig_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view kataconfigs. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: kataconfig-viewer-role 6 | rules: 7 | - apiGroups: 8 | - kataconfiguration.openshift.io 9 | - peerpodconfiguration.confidentialcontainers.org 10 | - confidentialcontainers.org 11 | resources: 12 | - kataconfigs 13 | - peerpodconfigs 14 | - peerpods 15 | verbs: 16 | - get 17 | - list 18 | - watch 19 | - apiGroups: 20 | - peerpodconfiguration.confidentialcontainers.org 21 | - kataconfiguration.openshift.io 22 | - confidentialcontainers.org 23 | resources: 24 | - kataconfigs/status 25 | - peerpodconfigs/status 26 | - peerpods/status 27 | verbs: 28 | - get 29 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | - katamonitor.yaml 7 | - katamonitor_sa.yaml 8 | # The following RBAC configurations are used to protect 9 | # the metrics endpoint with authn/authz. These configurations 10 | # ensure that only authorized users and service accounts 11 | # can access the metrics endpoint. 
Comment the following 12 | # permissions if you want to disable this protection. 13 | # More info: https://book.kubebuilder.io/reference/metrics.html 14 | - metrics_auth_role.yaml 15 | - metrics_auth_role_binding.yaml 16 | - metrics_reader_role.yaml 17 | # the following are custom RBAC manifests required for 18 | # cloud-api-adaptor when peerpod-ctrl is used 19 | - caa_rbac.yaml 20 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/intel-dpo/install_operator.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | apiVersion: operators.coreos.com/v1alpha2 5 | kind: OperatorGroup 6 | metadata: 7 | name: global-operators 8 | namespace: openshift-operators 9 | --- 10 | apiVersion: operators.coreos.com/v1alpha1 11 | kind: Subscription 12 | metadata: 13 | labels: 14 | operators.coreos.com/intel-device-plugins-operator.openshiftoperators: "" 15 | name: intel-device-plugins-operator 16 | namespace: openshift-operators 17 | spec: 18 | channel: alpha 19 | installPlanApproval: Automatic 20 | name: intel-device-plugins-operator 21 | source: certified-operators 22 | sourceNamespace: openshift-marketplace 23 | startingCSV: intel-device-plugins-operator.v0.32.1 24 | -------------------------------------------------------------------------------- /config/rbac/kataconfig_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit kataconfigs. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: kataconfig-editor-role 6 | rules: 7 | - apiGroups: 8 | - kataconfiguration.openshift.io 9 | - peerpodconfiguration.confidentialcontainers.org 10 | - confidentialcontainers.org 11 | resources: 12 | - kataconfigs 13 | - peerpodconfigs 14 | - peerpods 15 | verbs: 16 | - create 17 | - delete 18 | - get 19 | - list 20 | - patch 21 | - update 22 | - watch 23 | - apiGroups: 24 | - kataconfiguration.openshift.io 25 | - peerpodconfiguration.confidentialcontainers.org 26 | - confidentialcontainers.org 27 | resources: 28 | - kataconfigs/status 29 | - peerpodconfigs/status 30 | - peerpods/status 31 | verbs: 32 | - get 33 | -------------------------------------------------------------------------------- /bundle/manifests/osc-alerts_monitoring.coreos.com_v1_prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | name: osc-alerts 5 | spec: 6 | groups: 7 | - name: osc_alerts 8 | rules: 9 | - alert: KataRemoteWorkloadFailureHigh 10 | annotations: 11 | description: The failure ratio of kata-remote workloads is above 25% for more 12 | than 30 minutes. This may indicate issues with the runtime or configuration. 13 | summary: High Kata Remote Workload Failure Ratio 14 | expr: kata_remote_workload_failure_ratio > 25 15 | for: 30m 16 | labels: 17 | severity: warning 18 | - alert: kata_active_instance 19 | annotations: 20 | summary: Kata instance alive signal 21 | expr: vector(1) 22 | labels: 23 | purpose: alive_signal 24 | severity: info 25 | -------------------------------------------------------------------------------- /bundle/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | # Core bundle annotations. 
3 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: sandboxed-containers-operator 7 | operators.operatorframework.io.bundle.channels.v1: stable 8 | operators.operatorframework.io.bundle.channel.default.v1: stable 9 | operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1 10 | operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 11 | operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 12 | 13 | # Annotations for testing. 14 | operators.operatorframework.io.test.mediatype.v1: scorecard+v1 15 | operators.operatorframework.io.test.config.v1: tests/scorecard/ 16 | -------------------------------------------------------------------------------- /config/metrics/metrics-prometheus-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | name: osc-alerts 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | groups: 8 | - name: osc_alerts 9 | rules: 10 | - alert: KataRemoteWorkloadFailureHigh 11 | expr: kata_remote_workload_failure_ratio > 25 12 | for: 30m 13 | labels: 14 | severity: warning 15 | annotations: 16 | summary: "High Kata Remote Workload Failure Ratio" 17 | description: "The failure ratio of kata-remote workloads is above 25% for more than 30 minutes. This may indicate issues with the runtime or configuration." 
18 | 19 | - alert: kata_active_instance 20 | expr: vector(1) 21 | labels: 22 | severity: info 23 | purpose: "alive_signal" 24 | annotations: 25 | summary: "Kata instance alive signal" 26 | -------------------------------------------------------------------------------- /config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /fbc/migrate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -xe 4 | 5 | OCP_VERSION=$1 6 | 7 | test -n "${OCP_VERSION}" 8 | mkdir -p ${OCP_VERSION} 9 | cd ${OCP_VERSION} 10 | 11 | mkdir -p migrate/ 12 | opm migrate registry.redhat.io/redhat/redhat-operator-index:${OCP_VERSION} ./migrate/ 13 | 14 | # Generate a catalog template: 15 | mkdir -p catalog/sandboxed-containers-operator/ 16 | opm alpha convert-template basic -o yaml migrate/sandboxed-containers-operator/catalog.json > catalog-template.yaml 17 | 18 | # Generate a Dockerfile: 19 | opm generate dockerfile . 
\ 20 | --base-image "brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:${OCP_VERSION}" \ 21 | --builder-image "brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:${OCP_VERSION}" 22 | 23 | mv ./.*Dockerfile Dockerfile 24 | 25 | # Patch the Dockerfile to avoid copying in unwanted files 26 | sed -i 's@^ADD . /configs@ADD catalog/ /configs@' Dockerfile 27 | 28 | rm -r migrate 29 | -------------------------------------------------------------------------------- /fbc/v4.15/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.15 as builder 4 | 5 | # Copy FBC root into image at /configs and pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.15 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY --from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /fbc/v4.16/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.16 as builder 4 | 5 | # Copy FBC root into image at /configs and 
pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.16 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY --from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /fbc/v4.17/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.17 as builder 4 | 5 | # Copy FBC root into image at /configs and pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.17 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY --from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /fbc/v4.18/Dockerfile: 
-------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.18 as builder 4 | 5 | # Copy FBC root into image at /configs and pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.18 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY --from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /fbc/v4.19/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.19 as builder 4 | 5 | # Copy FBC root into image at /configs and pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.19 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY 
--from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /fbc/v4.20/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.20 as builder 4 | 5 | # Copy FBC root into image at /configs and pre-populate serve cache 6 | ADD catalog/ /configs 7 | RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] 8 | 9 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.20 10 | # The base image is expected to contain 11 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 12 | 13 | # Configure the entrypoint and command 14 | ENTRYPOINT ["/bin/opm"] 15 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 16 | 17 | COPY --from=builder /configs /configs 18 | COPY --from=builder /tmp/cache /tmp/cache 19 | 20 | # Set FBC-specific label for the location of the FBC root directory 21 | # in the image 22 | LABEL operators.operatorframework.io.index.configs.v1=/configs 23 | -------------------------------------------------------------------------------- /config/network-policy/allow-metrics-traffic.yaml: -------------------------------------------------------------------------------- 1 | # This NetworkPolicy allows ingress traffic 2 | # from Pods running in namespaces labeled with 'metrics: enabled'. Only Pods in those 3 | # namespaces are able to gather data from the metrics endpoint. 
4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | labels: 8 | app.kubernetes.io/name: memcached-operator 9 | app.kubernetes.io/managed-by: kustomize 10 | name: allow-metrics-traffic 11 | namespace: system 12 | spec: 13 | podSelector: 14 | matchLabels: 15 | control-plane: controller-manager 16 | policyTypes: 17 | - Ingress 18 | ingress: 19 | # This allows ingress traffic from any namespace with the label metrics: enabled 20 | - from: 21 | - namespaceSelector: 22 | matchLabels: 23 | metrics: enabled # Only from namespaces with this label 24 | ports: 25 | - port: 8443 26 | protocol: TCP 27 | -------------------------------------------------------------------------------- /config/network-policy/allow-webhook-traffic.yaml: -------------------------------------------------------------------------------- 1 | # This NetworkPolicy allows ingress traffic to your webhook server running 2 | # as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks 3 | # will only work when applied in namespaces labeled with 'webhook: enabled' 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | labels: 8 | app.kubernetes.io/name: memcached-operator 9 | app.kubernetes.io/managed-by: kustomize 10 | name: allow-webhook-traffic 11 | namespace: system 12 | spec: 13 | podSelector: 14 | matchLabels: 15 | control-plane: controller-manager 16 | policyTypes: 17 | - Ingress 18 | ingress: 19 | # This allows ingress traffic from any namespace with the label webhook: enabled 20 | - from: 21 | - namespaceSelector: 22 | matchLabels: 23 | webhook: enabled # Only from namespaces with this label 24 | ports: 25 | - port: 443 26 | protocol: TCP 27 | -------------------------------------------------------------------------------- /config/peerpods/podvm/libvirt-podvm-image-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: 
libvirt-podvm-image-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # PodVM image distro 8 | PODVM_DISTRO: "rhel" 9 | 10 | # Pod VM sources 11 | # If changing the source, then ensure the respective payload binaries are available 12 | # for the new source 13 | CAA_SRC: "https://github.com/confidential-containers/cloud-api-adaptor" 14 | CAA_REF: "v0.8.2" 15 | 16 | # Booleans 17 | DOWNLOAD_SOURCES: "no" 18 | CONFIDENTIAL_COMPUTE_ENABLED: "no" 19 | UPDATE_PEERPODS_CM: "yes" 20 | 21 | # Libvirt specific 22 | ORG_ID: "" 23 | ACTIVATION_KEY: "" 24 | BASE_OS_VERSION: "9.4" 25 | 26 | # To Enable SE for IBM Z 27 | SE_BOOT: "true" 28 | 29 | # To enable SE verification on IBM Z 30 | SE_VERIFY: "true" 31 | 32 | # For Pre-built PodVM images. 33 | PODVM_IMAGE_URI: "" # eg: oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm.qcow2 34 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/kataconfiguration.openshift.io_kataconfigs.yaml 6 | # +kubebuilder:scaffold:crdkustomizeresource 7 | 8 | patchesStrategicMerge: 9 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 10 | # patches here are for enabling the conversion webhook for each CRD 11 | #- patches/webhook_in_kataconfigs.yaml 12 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 13 | 14 | # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. 
15 | # patches here are for enabling the CA injection for each CRD 16 | #- patches/cainjection_in_kataconfigs.yaml 17 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 18 | 19 | # the following config is for teaching kustomize how to do kustomization for CRDs. 20 | configurations: 21 | - kustomizeconfig.yaml 22 | -------------------------------------------------------------------------------- /config/rbac/caa_rbac.yaml: -------------------------------------------------------------------------------- 1 | # This file is based on https://github.com/confidential-containers/cloud-api-adaptor/blob/staging/install/rbac/peer-pod.yaml 2 | # It adds the required rules to the default SA, which is used by CAA DA. 3 | # When an owner reference is set, both objects must be in the same namespace; hence, 4 | # CAA must have cluster-wide permissions to support any pod namespace. 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRole 8 | metadata: 9 | name: caa-role 10 | rules: 11 | - apiGroups: [""] 12 | resources: ["pods", "pods/finalizers"] 13 | verbs: ["get","create", "patch", "update"] 14 | - apiGroups: ["confidentialcontainers.org"] 15 | resources: ["peerpods", "pods"] 16 | verbs: ["create", "patch", "update"] 17 | --- 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | kind: ClusterRoleBinding 20 | metadata: 21 | name: caa-rolebinding 22 | subjects: 23 | - kind: ServiceAccount 24 | name: default 25 | namespace: system 26 | roleRef: 27 | kind: ClusterRole 28 | name: caa-role 29 | apiGroup: rbac.authorization.k8s.io 30 | -------------------------------------------------------------------------------- /config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 
2 | # More documentation can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11; check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for 4 | # breaking changes 5 | apiVersion: cert-manager.io/v1 6 | kind: Issuer 7 | metadata: 8 | name: selfsigned-issuer 9 | namespace: system 10 | spec: 11 | selfSigned: {} 12 | --- 13 | apiVersion: cert-manager.io/v1 14 | kind: Certificate 15 | metadata: 16 | name: serving-cert # this name should match the one that appears in kustomizeconfig.yaml 17 | namespace: system 18 | spec: 19 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 20 | dnsNames: 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 22 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 23 | issuerRef: 24 | kind: Issuer 25 | name: selfsigned-issuer 26 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 27 | -------------------------------------------------------------------------------- /config/peerpods/podvm/gcp-podvm-image-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: gcp-podvm-image-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # Pod VM sources 8 | # If changing the source, then ensure the respective payload binaries are available 9 | # for the new source 10 | CAA_SRC: "https://github.com/confidential-containers/cloud-api-adaptor" 11 | CAA_REF: "main" 12 | 13 | IMAGE_BASE_NAME: "podvm-image" 14 | # Must be in Major(int).Minor(int).Patch(int) format 15 | # When deployed from operator, update the IMAGE_VERSION to something like 16 | # "$clusterid-0-1" 17 | IMAGE_VERSION: "0-0-1" 18 | 19 | # Booleans 20 | INSTALL_PACKAGES: "no" 21 | DISABLE_CLOUD_CONFIG: "true" 22 | UPDATE_PEERPODS_CM: "yes" 23 | BOOT_FIPS: "no" 24 | 25 | # Custom Agent Policy 26 | #AGENT_POLICY: "" # set to base64 encoded agent policy 27 | 28 | # 
precreated artifacts 29 | #PODVM_IMAGE_URI: bootc::image-registry.openshift-image-registry.svc:5000/openshift-sandboxed-containers-operator/podvm-bootc 30 | -------------------------------------------------------------------------------- /config/peerpods/podvm/bootc/podvm-git-buildconfig.yaml: -------------------------------------------------------------------------------- 1 | # This will build according to git source and push to the local cluster's registry: 2 | # image-registry.openshift-image-registry.svc:5000/openshift-sandboxed-containers-operator/podvm-bootc 3 | apiVersion: image.openshift.io/v1 4 | kind: ImageStream 5 | metadata: 6 | name: podvm-bootc 7 | namespace: openshift-sandboxed-containers-operator 8 | spec: 9 | lookupPolicy: 10 | local: false 11 | --- 12 | apiVersion: build.openshift.io/v1 13 | kind: BuildConfig 14 | metadata: 15 | name: bootc-image-build 16 | namespace: openshift-sandboxed-containers-operator 17 | spec: 18 | output: 19 | to: 20 | kind: ImageStreamTag 21 | name: podvm-bootc:latest 22 | source: 23 | contextDir: "config/peerpods/podvm/bootc" 24 | git: 25 | uri: 'https://github.com/openshift/sandboxed-containers-operator.git' 26 | # TODO-RELEASE: switch to release branch 27 | ref: devel 28 | strategy: 29 | dockerStrategy: 30 | dockerfilePath: "Containerfile.rhel" 31 | type: Docker 32 | triggers: 33 | - type: ConfigChange 34 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/nfd/intel-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: nfd.openshift.io/v1alpha1 2 | kind: NodeFeatureRule 3 | metadata: 4 | name: intel-dp-devices 5 | namespace: openshift-nfd 6 | spec: 7 | rules: 8 | - name: "intel.sgx" 9 | labels: 10 | "intel.feature.node.kubernetes.io/sgx": "true" 11 | extendedResources: 12 | sgx.intel.com/epc: "@cpu.security.sgx.epc" 13 | matchFeatures: 14 | - feature: cpu.cpuid 15 | matchExpressions: 16 | SGX: 
{op: Exists} 17 | SGXLC: {op: Exists} 18 | - feature: cpu.security 19 | matchExpressions: 20 | sgx.enabled: {op: IsTrue} 21 | - feature: kernel.config 22 | matchExpressions: 23 | X86_SGX: {op: Exists} 24 | - name: "intel.tdx" 25 | labels: 26 | "intel.feature.node.kubernetes.io/tdx": "true" 27 | extendedResources: 28 | tdx.intel.com/keys: "@cpu.security.tdx.total_keys" 29 | matchFeatures: 30 | - feature: cpu.security 31 | matchExpressions: 32 | tdx.enabled: {op: Exists} 33 | -------------------------------------------------------------------------------- /must-gather/collection-scripts/gather: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Resource list 4 | resources=() 5 | 6 | # sandboxed containers related namespaces 7 | resources+=(ns/openshift-operator-lifecycle-manager) 8 | resources+=(ns/openshift-marketplace) 9 | 10 | # ImageStreamTag 11 | resources+=(istag) 12 | 13 | # Nodes and Machines 14 | resources+=(nodes) 15 | resources+=(machines) 16 | 17 | # Run the collection of resources using must-gather 18 | for resource in "${resources[@]}"; do 19 | echo "Inspecting resource ${resource}..." 
20 | /usr/bin/oc adm inspect --dest-dir must-gather --all-namespaces "${resource}" &> /dev/null 21 | done 22 | 23 | # Collect CRDs 24 | /usr/bin/gather_crds 25 | 26 | # Collect the apiservices 27 | /usr/bin/gather_apiservices 28 | 29 | # Collect "audit" details 30 | /usr/bin/gather_audit_logs 31 | 32 | # Collect nodes details 33 | /usr/bin/gather_nodes 34 | 35 | # Collect image details 36 | # Workaround for: https://github.com/openshift/must-gather/issues/122 37 | /usr/bin/gather_images 38 | 39 | # Collect sandboxed-containers details 40 | /usr/bin/gather_sandboxed_containers_logs 41 | 42 | exit 0 43 | -------------------------------------------------------------------------------- /scripts/cm-helpers/README.md: -------------------------------------------------------------------------------- 1 | ## OSC ConfigMap Configurator 2 | 3 | ./pp-cm-helper.sh is an interactive Bash script designed to assist in populating the peer-pods-cm 4 | ConfigMap, which is essential for configuring Peer Pods or CoCo. 5 | The script intelligently suggests default values based on metadata collected from the cluster's 6 | cloud provider, recommended best practices, and user-provided input. 7 | 8 | ### Supported Cloud Providers 9 | * AWS 10 | * Azure 11 | * Libvirt 12 | * GCP 13 | 14 | ### Prerequisites 15 | * jq and kubectl (or oc) installed 16 | * Preconfigured OCP cluster with OSC Operator installed 17 | 18 | ### Usage: 19 | ./pp-cm-helper.sh [options] 20 | options: 21 | -c Use CoCo defaults for the specified trusted platform type 22 | -h Print this help message 23 | -v Set a known or custom variable explicitly 24 | -y Automatically answer yes for all questions 25 | 26 | * Defaults are fetched according to the following order: 27 | 1. Explicitly set CLI custom vars 28 | 2. Explicitly defined environment vars 29 | 3. 
Fixed/Fetched/Existing values 30 | -------------------------------------------------------------------------------- /config/peerpods/podvm/osc-podvm-gallery-delete-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: osc-podvm-gallery-deletion 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | parallelism: 1 8 | completions: 1 9 | backoffLimit: 1 10 | template: 11 | metadata: 12 | name: osc-podvm-gallery-deletion 13 | spec: 14 | containers: 15 | - name: delete-gallery 16 | image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.11.1 ## OSC_VERSION 17 | securityContext: 18 | runAsUser: 0 # needed for container mode dnf access 19 | envFrom: 20 | - secretRef: 21 | name: peer-pods-secret 22 | - configMapRef: 23 | name: peer-pods-cm 24 | optional: true 25 | - configMapRef: 26 | name: azure-podvm-image-cm 27 | optional: true 28 | - configMapRef: 29 | name: aws-podvm-image-cm 30 | optional: true 31 | command: ["/podvm-builder.sh", "delete-gallery", "-f"] 32 | 33 | restartPolicy: Never 34 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | # Code generated by tool. DO NOT EDIT. 2 | # This file is used to track the info used to scaffold your project 3 | # and allow the plugins properly work. 
4 | # More info: https://book.kubebuilder.io/reference/project-config.html 5 | domain: kataconfiguration.openshift.io 6 | layout: 7 | - go.kubebuilder.io/v4 8 | plugins: 9 | manifests.sdk.operatorframework.io/v2: {} 10 | scorecard.sdk.operatorframework.io/v2: {} 11 | projectName: sandboxed-containers-operator 12 | repo: github.com/openshift/sandboxed-containers-operator 13 | resources: 14 | - controller: true 15 | domain: kataconfiguration.openshift.io 16 | group: kataconfiguration 17 | kind: KataConfig 18 | path: github.com/openshift/sandboxed-containers-operator/api/v1 19 | version: v1 20 | webhooks: 21 | validation: true 22 | webhookVersion: v1 23 | - api: 24 | crdVersion: v1 25 | namespaced: true 26 | controller: true 27 | domain: confidentialcontainers.org 28 | kind: PeerPod 29 | path: github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl/api/v1alpha1 30 | version: v1alpha1 31 | - controller: true 32 | group: core 33 | kind: Secret 34 | path: k8s.io/api/core/v1 35 | version: v1 36 | version: "3" 37 | -------------------------------------------------------------------------------- /config/samples/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: CatalogSource 3 | metadata: 4 | name: my-operator-catalog 5 | namespace: openshift-marketplace 6 | spec: 7 | DisplayName: My Operator Catalog 8 | sourceType: grpc 9 | image: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator-catalog:v1.11.1 ## OSC_VERSION 10 | updateStrategy: 11 | registryPoll: 12 | interval: 5m 13 | --- 14 | apiVersion: v1 15 | kind: Namespace 16 | metadata: 17 | name: openshift-sandboxed-containers-operator 18 | --- 19 | apiVersion: operators.coreos.com/v1 20 | kind: OperatorGroup 21 | metadata: 22 | name: openshift-sandboxed-containers-operator 23 | namespace: openshift-sandboxed-containers-operator 24 | spec: 25 | targetNamespaces: 26 | - 
openshift-sandboxed-containers-operator 27 | --- 28 | apiVersion: operators.coreos.com/v1alpha1 29 | kind: Subscription 30 | metadata: 31 | name: sandboxed-containers-operator 32 | namespace: openshift-sandboxed-containers-operator 33 | spec: 34 | channel: "candidate" 35 | installPlanApproval: Automatic 36 | name: sandboxed-containers-operator 37 | source: my-operator-catalog 38 | sourceNamespace: openshift-marketplace 39 | startingCSV: sandboxed-containers-operator.v1.11.1 ## OSC_VERSION 40 | -------------------------------------------------------------------------------- /must-gather/collection-scripts/gather_audit_logs: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Downloads the audit.log (and its rotated copies) from 3 | # /var/logs/{kube-apiserver,openshift-apiserver} on each 4 | # master node. 5 | BASE_COLLECTION_PATH="${BASE_COLLECTION_PATH:-/must-gather}" 6 | echo "INFO: Collecting one or more audit logs on ALL worker nodes in your cluster." 7 | # the command executed by xargs below expects four parameters: 8 | # $1 - node path under /var/logs to download 9 | # $2 - local output path 10 | # $3 - node name 11 | # $4 - log file name 12 | paths=(audit) 13 | # shellcheck disable=SC2016 14 | for path in "${paths[@]}" ; do 15 | output_dir="${BASE_COLLECTION_PATH}/audit_logs/$path" 16 | mkdir -p "$output_dir" 17 | oc adm node-logs --role=worker --path="$path" | \ 18 | tee "${BASE_COLLECTION_PATH}/audit_logs/$path.audit_logs_listing" | \ 19 | grep -v ".terminating" | \ 20 | grep -v ".lock" | \ 21 | sed "s|^|$path $output_dir |" 22 | done | \ 23 | xargs --max-args=4 --max-procs=45 bash -c \ 24 | 'echo "INFO: Started downloading $1/$4 from $3"; 25 | oc adm node-logs $3 --path=$1/$4 | gzip > $2/$3-$4.gz; 26 | echo "INFO: Finished downloading $1/$4 from $3"' \ 27 | bash 28 | echo "INFO: Audit logs collected." 
29 | 30 | # force disk flush to ensure that all data gathered is accessible in the copy container 31 | sync 32 | -------------------------------------------------------------------------------- /config/manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # These resources constitute the fully configured set of manifests 2 | # used to generate the 'manifests/' directory in a bundle. 3 | resources: 4 | - bases/sandboxed-containers-operator.clusterserviceversion.yaml 5 | - ../default 6 | - ../samples 7 | - ../scorecard 8 | - extension-crds/ 9 | 10 | # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. 11 | # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. 12 | # These patches remove the unnecessary "cert" volume and its manager container volumeMount. 13 | #patchesJson6902: 14 | #- target: 15 | # group: apps 16 | # version: v1 17 | # kind: Deployment 18 | # name: controller-manager 19 | # namespace: system 20 | # patch: |- 21 | # # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. 22 | # # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. 23 | # - op: remove 24 | # path: /spec/template/spec/containers/1/volumeMounts/0 25 | # # Remove the "cert" volume, since OLM will create and mount a set of certs. 26 | # # Update the indices in this path if adding or removing volumes in the manager's Deployment. 27 | # - op: remove 28 | # path: /spec/template/spec/volumes/0 29 | -------------------------------------------------------------------------------- /api/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Package v1 contains API Schema definitions for the kataconfiguration v1 API group 18 | // +kubebuilder:object:generate=true 19 | // +groupName=kataconfiguration.openshift.io 20 | package v1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "kataconfiguration.openshift.io", Version: "v1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 
35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /controllers/scc.go: -------------------------------------------------------------------------------- 1 | package controllers 2 | 3 | import ( 4 | secv1 "github.com/openshift/api/security/v1" 5 | corev1 "k8s.io/api/core/v1" 6 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 7 | ) 8 | 9 | func GetScc() *secv1.SecurityContextConstraints { 10 | 11 | trueVar := false 12 | sccName := "sandboxed-containers-operator-scc" 13 | 14 | return &secv1.SecurityContextConstraints{ 15 | TypeMeta: metav1.TypeMeta{ 16 | APIVersion: "security.openshift.io/v1", 17 | Kind: "SecurityContextConstraints", 18 | }, 19 | ObjectMeta: metav1.ObjectMeta{ 20 | Name: sccName, 21 | }, 22 | AllowHostDirVolumePlugin: true, 23 | AllowHostIPC: false, 24 | AllowHostNetwork: false, 25 | AllowHostPID: false, 26 | AllowHostPorts: false, 27 | AllowPrivilegeEscalation: &trueVar, 28 | AllowPrivilegedContainer: false, 29 | RequiredDropCapabilities: []corev1.Capability{"MKNOD", "FSETID", "KILL", "FOWNER"}, 30 | AllowedCapabilities: []corev1.Capability{"DAC_READ_OVERRIDE"}, 31 | RunAsUser: secv1.RunAsUserStrategyOptions{ 32 | Type: secv1.RunAsUserStrategyMustRunAsNonRoot, 33 | }, 34 | SELinuxContext: secv1.SELinuxContextStrategyOptions{ 35 | Type: secv1.SELinuxStrategyRunAsAny, 36 | }, 37 | Volumes: []secv1.FSType{secv1.FSTypeAll}, 38 | Users: []string{"system:serviceaccount:openshift-sandboxed-containers-operator:monitor"}, 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /config/scorecard/patches/olm.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - olm-bundle-validation 7 | image: quay.io/operator-framework/scorecard-test:master 8 | labels: 9 | suite: olm 10 | test: 
olm-bundle-validation-test 11 | - op: add 12 | path: /stages/0/tests/- 13 | value: 14 | entrypoint: 15 | - scorecard-test 16 | - olm-crds-have-validation 17 | image: quay.io/operator-framework/scorecard-test:master 18 | labels: 19 | suite: olm 20 | test: olm-crds-have-validation-test 21 | - op: add 22 | path: /stages/0/tests/- 23 | value: 24 | entrypoint: 25 | - scorecard-test 26 | - olm-crds-have-resources 27 | image: quay.io/operator-framework/scorecard-test:master 28 | labels: 29 | suite: olm 30 | test: olm-crds-have-resources-test 31 | - op: add 32 | path: /stages/0/tests/- 33 | value: 34 | entrypoint: 35 | - scorecard-test 36 | - olm-spec-descriptors 37 | image: quay.io/operator-framework/scorecard-test:master 38 | labels: 39 | suite: olm 40 | test: olm-spec-descriptors-test 41 | - op: add 42 | path: /stages/0/tests/- 43 | value: 44 | entrypoint: 45 | - scorecard-test 46 | - olm-status-descriptors 47 | image: quay.io/operator-framework/scorecard-test:master 48 | labels: 49 | suite: olm 50 | test: olm-status-descriptors-test 51 | -------------------------------------------------------------------------------- /scripts/rvps-extraction/static-files/HKD.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID7jCCAdagAwIBAgIJBFlsRgUYzLtIMA0GCSqGSIb3DQEBDQUAMGMxCzAJBgNV 3 | BAYTAlVTMQwwCgYDVQQKDANJQk0xEDAOBgNVBAsMB1Rlc3RpbmcxDDAKBgNVBAcM 4 | A1BPSzELMAkGA1UECAwCTlkxGTAXBgNVBAMMEFFTYWZlIEhLIHNpZ25pbmcwHhcN 5 | MjQwMjI4MTAzNjE4WhcNMjUwMjI3MTAzNjE4WjBbMQswCQYDVQQGEwJVUzEMMAoG 6 | A1UECgwDSUJNMRAwDgYDVQQLDAdUZXN0aW5nMQwwCgYDVQQHDANQT0sxCzAJBgNV 7 | BAgMAk5ZMREwDwYDVQQDDAhRc2FmZSBISzCBmzAQBgcqhkjOPQIBBgUrgQQAIwOB 8 | hgAEAIs8F4mItSnho7Wx/ngnZTfsQ9LtSchfKvc1r6Op5vNKGOuiuJ30GTOZUoZD 9 | M/MqioakC4EB0cpSTllh6qrYuxz2AUHgstGQNAFctkCKE3GqMEuFrcgazUvbV4JD 10 | NXSl/KB6uaKCgAeOuxw37+WkWaUpNOvpsh/dCjZ3pJeWYjv92r6BozUwMzAOBgNV 11 | HQ8BAf8EBAMCAwgwIQYDVR0fBBowGDAWoBSgEoYQaHR0cDovL3NvbWV3aGVyZTAN 12 | 
BgkqhkiG9w0BAQ0FAAOCAgEAas/Vg/xdwA3BqroBY+aRAfd6hwMNdVjbooYjga9M 13 | WeM6zDW+JOPuVYWij/yWGvRzKrmxwdpDrlEwQNFvh9uiwZorv6PCMnrF0Qprdwyl 14 | rvUzwXV28xrRgJtCpU5PDw2NSXZse7nsZD9zxtEYu8RywhtVO6LnXViAeTZLn1jK 15 | LMc+P1FlEA/+aVmNT3hr+sfFTDKn1oP4RbYJy4T9cbIGRgtRWpMyQaSqEX1bPytW 16 | ZjdK+LU55bZceAIrfR0um+gGSB+rRdyDQU0g9BS0dDXxVhDkzKVrD/UG2dqXd106 17 | Q3JeuROVwdd55dvwD5b+UmSS52oRlmTff1uJg6BF6tHWP7zh5rqLJdH3ds5AfITb 18 | 2tHK3M1KhwIivbtBzogWH+LaxEF3n5V2FCc8bx92zB81IhKycSLnmE9OZ602d/0j 19 | BCU0hkh8BZS7o6A3sTHZHFh65jjFwRMQSDY43MLeNBWhdX8ymOcuiwVPWsHrrIBK 20 | w01nAbpR4IedQgwc0SJtExsqWKGS6OEyaDV5QcZh97/PA8ddBmsaJyZESJuwj1hp 21 | hq6jU/NtOT/J33vnoO0UWX8FaX58+4MCG638/fatMsdCUmt1OTw1b9Qry/p7pn56 22 | 53FvYE30z1G7Arsu7LzTaz8EfLzQ57MVKb9cj2/NKzqhh5PMIb+9SdznQGuDqj5F 23 | ++c= 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /config/peerpods/podvm/agent-policy/allow-all.rego: -------------------------------------------------------------------------------- 1 | package agent_policy 2 | 3 | default AddARPNeighborsRequest := true 4 | default AddSwapRequest := true 5 | default CloseStdinRequest := true 6 | default CopyFileRequest := true 7 | default CreateContainerRequest := true 8 | default CreateSandboxRequest := true 9 | default DestroySandboxRequest := true 10 | default ExecProcessRequest := true 11 | default GetMetricsRequest := true 12 | default GetOOMEventRequest := true 13 | default GuestDetailsRequest := true 14 | default ListInterfacesRequest := true 15 | default ListRoutesRequest := true 16 | default MemHotplugByProbeRequest := true 17 | default OnlineCPUMemRequest := true 18 | default PauseContainerRequest := true 19 | default PullImageRequest := true 20 | default ReadStreamRequest := true 21 | default RemoveContainerRequest := true 22 | default RemoveStaleVirtiofsShareMountsRequest := true 23 | default ReseedRandomDevRequest := true 24 | default ResumeContainerRequest := true 25 | default 
SetGuestDateTimeRequest := true 26 | default SetPolicyRequest := true 27 | default SignalProcessRequest := true 28 | default StartContainerRequest := true 29 | default StartTracingRequest := true 30 | default StatsContainerRequest := true 31 | default StopTracingRequest := true 32 | default TtyWinResizeRequest := true 33 | default UpdateContainerRequest := true 34 | default UpdateEphemeralMountsRequest := true 35 | default UpdateInterfaceRequest := true 36 | default UpdateRoutesRequest := true 37 | default WaitProcessRequest := true 38 | default WriteStreamRequest := true 39 | -------------------------------------------------------------------------------- /config/peerpods/podvm/aws-podvm-image-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: aws-podvm-image-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # PodVM image distro 8 | PODVM_DISTRO: rhel 9 | 10 | # Image 11 | AMI_BASE_NAME: "podvm-image" 12 | # Must be in Major(int).Minor(int).Patch(int) format. 
Not mandatory for AWS, but 13 | # for consistency's sake with Azure 14 | # When deployed from the operator, update AMI_VERSION to something like 15 | # "$clusterid.0.1" 16 | AMI_VERSION: "0.0.1" 17 | AMI_VOLUME_SIZE: "30" 18 | 19 | # Packer Instance type 20 | INSTANCE_TYPE: "c4.xlarge" 21 | 22 | # Pod VM sources 23 | # If you change the source, ensure the respective payload binaries are available 24 | # for the new source 25 | CAA_SRC: "https://gitlab.cee.redhat.com/osc/midstream/cloud-api-adaptor" 26 | CAA_REF: "v0.8.0-1.6" 27 | 28 | # Booleans 29 | INSTALL_PACKAGES: "no" 30 | DOWNLOAD_SOURCES: "no" 31 | CONFIDENTIAL_COMPUTE_ENABLED: "no" 32 | DISABLE_CLOUD_CONFIG: "true" 33 | ENABLE_NVIDIA_GPU: "no" 34 | UPDATE_PEERPODS_CM: "yes" 35 | BOOT_FIPS: "no" 36 | 37 | # NVIDIA GPU vars 38 | NVIDIA_DRIVER_VERSION: "535" 39 | NVIDIA_USERSPACE_VERSION: "1.13.5-1" 40 | 41 | # Custom Agent Policy 42 | #AGENT_POLICY: "" # set to base64 encoded agent policy 43 | 44 | # precreated artifacts 45 | #BUCKET_NAME: existing-bucket-name 46 | #PODVM_IMAGE_URI: bootc::image-registry.openshift-image-registry.svc:5000/openshift-sandboxed-containers-operator/podvm-bootc 47 | -------------------------------------------------------------------------------- /config/peerpods/podvm/agent-policy/coco-policy.rego: -------------------------------------------------------------------------------- 1 | package agent_policy 2 | 3 | default AddARPNeighborsRequest := true 4 | default AddSwapRequest := true 5 | default CloseStdinRequest := true 6 | default CopyFileRequest := true 7 | default CreateContainerRequest := true 8 | default CreateSandboxRequest := true 9 | default DestroySandboxRequest := true 10 | default GetMetricsRequest := true 11 | default GetOOMEventRequest := true 12 | default GuestDetailsRequest := true 13 | default ListInterfacesRequest := true 14 | default ListRoutesRequest := true 15 | default MemHotplugByProbeRequest := true 16 | default OnlineCPUMemRequest := true 17 | default 
PauseContainerRequest := true 18 | default PullImageRequest := true 19 | default ReadStreamRequest := false 20 | default RemoveContainerRequest := true 21 | default RemoveStaleVirtiofsShareMountsRequest := true 22 | default ReseedRandomDevRequest := true 23 | default ResumeContainerRequest := true 24 | default SetGuestDateTimeRequest := true 25 | default SetPolicyRequest := true 26 | default SignalProcessRequest := true 27 | default StartContainerRequest := true 28 | default StartTracingRequest := true 29 | default StatsContainerRequest := true 30 | default StopTracingRequest := true 31 | default TtyWinResizeRequest := true 32 | default UpdateContainerRequest := true 33 | default UpdateEphemeralMountsRequest := true 34 | default UpdateInterfaceRequest := true 35 | default UpdateRoutesRequest := true 36 | default WaitProcessRequest := true 37 | default WriteStreamRequest := true 38 | 39 | default ExecProcessRequest := false 40 | -------------------------------------------------------------------------------- /config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego: -------------------------------------------------------------------------------- 1 | package agent_policy 2 | 3 | default AddARPNeighborsRequest := true 4 | default AddSwapRequest := true 5 | default CloseStdinRequest := true 6 | default CopyFileRequest := true 7 | default CreateContainerRequest := true 8 | default CreateSandboxRequest := true 9 | default DestroySandboxRequest := true 10 | default GetMetricsRequest := true 11 | default GetOOMEventRequest := true 12 | default GuestDetailsRequest := true 13 | default ListInterfacesRequest := true 14 | default ListRoutesRequest := true 15 | default MemHotplugByProbeRequest := true 16 | default OnlineCPUMemRequest := true 17 | default PauseContainerRequest := true 18 | default PullImageRequest := true 19 | default ReadStreamRequest := true 20 | default RemoveContainerRequest := true 21 | default RemoveStaleVirtiofsShareMountsRequest := true 22 | 
default ReseedRandomDevRequest := true 23 | default ResumeContainerRequest := true 24 | default SetGuestDateTimeRequest := true 25 | default SetPolicyRequest := true 26 | default SignalProcessRequest := true 27 | default StartContainerRequest := true 28 | default StartTracingRequest := true 29 | default StatsContainerRequest := true 30 | default StopTracingRequest := true 31 | default TtyWinResizeRequest := true 32 | default UpdateContainerRequest := true 33 | default UpdateEphemeralMountsRequest := true 34 | default UpdateInterfaceRequest := true 35 | default UpdateRoutesRequest := true 36 | default WaitProcessRequest := true 37 | default WriteStreamRequest := true 38 | 39 | default ExecProcessRequest := false 40 | -------------------------------------------------------------------------------- /config/peerpods/credentials-requests/credentials_request_aws.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cloudcredential.openshift.io/v1 2 | kind: CredentialsRequest 3 | metadata: 4 | name: openshift-sandboxed-containers-aws 5 | namespace: openshift-cloud-credential-operator 6 | spec: 7 | secretRef: 8 | name: cco-secret 9 | namespace: openshift-sandboxed-containers-operator 10 | providerSpec: 11 | apiVersion: cloudcredential.openshift.io/v1 12 | kind: AWSProviderSpec 13 | statementEntries: 14 | - effect: Allow 15 | resource: "*" 16 | action: 17 | - "ec2:*" 18 | # By default we allow all ec2 actions so that untested configurations do not break. 19 | # The following actions were extracted from the AWS CloudTrail Event History, 20 | # filtered by access key, for peer-pod execution with the default configuration. 21 | # Use this list to restrict the requested permissions. 
22 | #- ec2:AuthorizeSecurityGroupIngress 23 | #- ec2:CreateDefaultVpc 24 | #- ec2:CreateImage 25 | #- ec2:CreateKeyPair 26 | #- ec2:CreateTags 27 | #- ec2:CreateSecurityGroup 28 | #- ec2:DeleteKeyPair 29 | #- ec2:DeleteSecurityGroup 30 | #- ec2:DescribeImages 31 | #- ec2:DescribeInstances 32 | #- ec2:DescribeInstanceTypes 33 | #- ec2:DescribeRegions 34 | #- ec2:DescribeSecurityGroups 35 | #- ec2:DescribeSubnets 36 | #- ec2:DescribeVolumes 37 | #- ec2:DescribeVpcs 38 | #- ec2:RunInstances 39 | #- ec2:StopInstances 40 | #- ec2:TerminateInstances 41 | -------------------------------------------------------------------------------- /must-gather/collection-scripts/gather_images: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | IFS=$'\n' 4 | 5 | BASE_COLLECTION_PATH="/must-gather" 6 | 7 | IMAGES_PATH=${BASE_COLLECTION_PATH}/cluster-scoped-resources 8 | NAMESPACE_PATH=${BASE_COLLECTION_PATH}/namespaces 9 | 10 | mkdir -p ${IMAGES_PATH} 11 | for name in $(oc get image -o=custom-columns=NAME:.metadata.name --no-headers) 12 | do 13 | echo "Gathering image $name" 14 | oc get image "$name" -o yaml >> "${IMAGES_PATH}/images" 15 | echo '---------------' >> "${IMAGES_PATH}/images" 16 | done 17 | 18 | for line in $(oc get imagestreams -o=custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name --no-headers --all-namespaces) 19 | do 20 | IFS=$' ' 21 | read -r namespace name <<< "$line" 22 | IFS=$'\n' 23 | echo "Gathering imagestream $namespace/$name" 24 | mkdir -p "${NAMESPACE_PATH}/${namespace}" 25 | oc get imagestream "${name}" -n "${namespace}" -o yaml >> "${NAMESPACE_PATH}/${namespace}/imagestreams" 26 | echo '---------------' >> "${NAMESPACE_PATH}/${namespace}/imagestreams" 27 | done 28 | 29 | for line in $(oc get imagestreamtags -o=custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name --no-headers --all-namespaces) 30 | do 31 | IFS=$' ' 32 | read -r namespace name <<< "$line" 33 | IFS=$'\n' 34 | echo 
"Gathering imagestreamtag $namespace/$name" 35 | mkdir -p "${NAMESPACE_PATH}/${namespace}" 36 | oc get imagestreamtag "${name}" -n "${namespace}" -o yaml >> "${NAMESPACE_PATH}/${namespace}/imagestreamtags" 37 | echo '---------------' >> "${NAMESPACE_PATH}/${namespace}/imagestreamtags" 38 | done 39 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-15-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: 10 | event == "push" && 11 | target_branch == "devel" && 12 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-15-.*.yaml$|fbc/v4.15/Dockerfile$|fbc/v4.15/.*/catalog.json$')) 13 | creationTimestamp: null 14 | labels: 15 | appstudio.openshift.io/application: osc-fbc-4-15 16 | appstudio.openshift.io/component: osc-fbc-4-15 17 | pipelines.appstudio.openshift.io/type: build 18 | name: osc-fbc-4-15-on-push 19 | namespace: ose-osc-tenant 20 | spec: 21 | params: 22 | - name: git-url 23 | value: '{{source_url}}' 24 | - name: revision 25 | value: '{{revision}}' 26 | - name: output-image 27 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-15:{{revision}} 28 | - name: build-platforms 29 | value: 30 | - linux/x86_64 31 | - name: path-context 32 | value: fbc/v4.15 33 | - name: dockerfile 34 | value: fbc/v4.15/Dockerfile 35 | pipelineRef: 36 | name: fbc-pipeline 37 | taskRunTemplate: 38 | serviceAccountName: build-pipeline-osc-fbc-4-15 39 | workspaces: 40 | - name: git-auth 41 | secret: 42 | secretName: '{{ git_auth_secret }}' 43 | 
status: {} 44 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-17-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch 10 | == "devel" && files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-17-.*.yaml$|fbc/v4.17/Dockerfile$|fbc/v4.17/.*/catalog.json$')) 11 | creationTimestamp: null 12 | labels: 13 | appstudio.openshift.io/application: osc-fbc-4-17 14 | appstudio.openshift.io/component: osc-fbc-4-17 15 | pipelines.appstudio.openshift.io/type: build 16 | name: osc-fbc-4-17-on-push 17 | namespace: ose-osc-tenant 18 | spec: 19 | params: 20 | - name: git-url 21 | value: '{{source_url}}' 22 | - name: revision 23 | value: '{{revision}}' 24 | - name: output-image 25 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-17:{{revision}} 26 | - name: build-platforms 27 | value: 28 | - linux/x86_64 29 | - linux/s390x 30 | - name: path-context 31 | value: fbc/v4.17 32 | - name: dockerfile 33 | value: fbc/v4.17/Dockerfile 34 | pipelineRef: 35 | name: fbc-pipeline 36 | taskRunTemplate: 37 | serviceAccountName: build-pipeline-osc-fbc-4-17 38 | workspaces: 39 | - name: git-auth 40 | secret: 41 | secretName: '{{ git_auth_secret }}' 42 | status: {} 43 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-16-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | 
metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: 10 | event == "push" && 11 | target_branch == "devel" && 12 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-16-.*.yaml$|fbc/v4.16/Dockerfile$|fbc/v4.16/.*/catalog.json$')) 13 | creationTimestamp: null 14 | labels: 15 | appstudio.openshift.io/application: osc-fbc-4-16 16 | appstudio.openshift.io/component: osc-fbc-4-16 17 | pipelines.appstudio.openshift.io/type: build 18 | name: osc-fbc-4-16-on-push 19 | namespace: ose-osc-tenant 20 | spec: 21 | params: 22 | - name: git-url 23 | value: '{{source_url}}' 24 | - name: revision 25 | value: '{{revision}}' 26 | - name: output-image 27 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-16:{{revision}} 28 | - name: build-platforms 29 | value: 30 | - linux/x86_64 31 | - linux/s390x 32 | - name: path-context 33 | value: fbc/v4.16 34 | - name: dockerfile 35 | value: fbc/v4.16/Dockerfile 36 | pipelineRef: 37 | name: fbc-pipeline 38 | taskRunTemplate: 39 | serviceAccountName: build-pipeline-osc-fbc-4-16 40 | workspaces: 41 | - name: git-auth 42 | secret: 43 | secretName: '{{ git_auth_secret }}' 44 | status: {} 45 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-18-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 
8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: 10 | event == "push" && 11 | target_branch == "devel" && 12 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-18-.*.yaml$|fbc/v4.18/Dockerfile$|fbc/v4.18/.*/catalog.json$')) 13 | creationTimestamp: null 14 | labels: 15 | appstudio.openshift.io/application: osc-fbc-4-18 16 | appstudio.openshift.io/component: osc-fbc-4-18 17 | pipelines.appstudio.openshift.io/type: build 18 | name: osc-fbc-4-18-on-push 19 | namespace: ose-osc-tenant 20 | spec: 21 | params: 22 | - name: git-url 23 | value: '{{source_url}}' 24 | - name: revision 25 | value: '{{revision}}' 26 | - name: output-image 27 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-18:{{revision}} 28 | - name: build-platforms 29 | value: 30 | - linux/x86_64 31 | - linux/s390x 32 | - name: path-context 33 | value: fbc/v4.18 34 | - name: dockerfile 35 | value: fbc/v4.18/Dockerfile 36 | pipelineRef: 37 | name: fbc-pipeline 38 | taskRunTemplate: 39 | serviceAccountName: build-pipeline-osc-fbc-4-18 40 | workspaces: 41 | - name: git-auth 42 | secret: 43 | secretName: '{{ git_auth_secret }}' 44 | status: {} 45 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-19-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: 10 | event == "push" && 11 | target_branch == "devel" && 12 | files.all.exists(path, 
path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-19-.*.yaml$|fbc/v4.19/Dockerfile$|fbc/v4.19/.*/catalog.json$')) 13 | creationTimestamp: null 14 | labels: 15 | appstudio.openshift.io/application: osc-fbc-4-19 16 | appstudio.openshift.io/component: osc-fbc-4-19 17 | pipelines.appstudio.openshift.io/type: build 18 | name: osc-fbc-4-19-on-push 19 | namespace: ose-osc-tenant 20 | spec: 21 | params: 22 | - name: git-url 23 | value: '{{source_url}}' 24 | - name: revision 25 | value: '{{revision}}' 26 | - name: output-image 27 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-19:{{revision}} 28 | - name: build-platforms 29 | value: 30 | - linux/x86_64 31 | - linux/s390x 32 | - name: path-context 33 | value: fbc/v4.19 34 | - name: dockerfile 35 | value: fbc/v4.19/Dockerfile 36 | pipelineRef: 37 | name: fbc-pipeline 38 | taskRunTemplate: 39 | serviceAccountName: build-pipeline-osc-fbc-4-19 40 | workspaces: 41 | - name: git-auth 42 | secret: 43 | secretName: '{{ git_auth_secret }}' 44 | status: {} 45 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-20-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 8 | pipelinesascode.tekton.dev/max-keep-runs: "3" 9 | pipelinesascode.tekton.dev/on-cel-expression: 10 | event == "push" && 11 | target_branch == "devel" && 12 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-20-.*.yaml$|fbc/v4.20/Dockerfile$|fbc/v4.20/.*/catalog.json$')) 13 | creationTimestamp: null 14 | labels: 15 | appstudio.openshift.io/application: osc-fbc-4-20 16 | appstudio.openshift.io/component: 
osc-fbc-4-20 17 | pipelines.appstudio.openshift.io/type: build 18 | name: osc-fbc-4-20-on-push 19 | namespace: ose-osc-tenant 20 | spec: 21 | params: 22 | - name: git-url 23 | value: '{{source_url}}' 24 | - name: revision 25 | value: '{{revision}}' 26 | - name: output-image 27 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-20:{{revision}} 28 | - name: build-platforms 29 | value: 30 | - linux/x86_64 31 | - linux/s390x 32 | - name: path-context 33 | value: fbc/v4.20 34 | - name: dockerfile 35 | value: fbc/v4.20/Dockerfile 36 | pipelineRef: 37 | name: fbc-pipeline 38 | taskRunTemplate: 39 | serviceAccountName: build-pipeline-osc-fbc-4-20 40 | workspaces: 41 | - name: git-auth 42 | secret: 43 | secretName: '{{ git_auth_secret }}' 44 | status: {} 45 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Temporary Build Files 2 | build/_output 3 | build/_test 4 | # Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode 5 | ### Emacs ### 6 | # -*- mode: gitignore; -*- 7 | *~ 8 | \#*\# 9 | /.emacs.desktop 10 | /.emacs.desktop.lock 11 | *.elc 12 | auto-save-list 13 | tramp 14 | .\#* 15 | # Org-mode 16 | .org-id-locations 17 | *_archive 18 | # flymake-mode 19 | *_flymake.* 20 | # eshell files 21 | /eshell/history 22 | /eshell/lastdir 23 | # elpa packages 24 | /elpa/ 25 | # reftex files 26 | *.rel 27 | # AUCTeX auto folder 28 | /auto/ 29 | # cask packages 30 | .cask/ 31 | dist/ 32 | # Flycheck 33 | flycheck_*.el 34 | # server auth directory 35 | /server/ 36 | # projectiles files 37 | .projectile 38 | projectile-bookmarks.eld 39 | # directory configuration 40 | .dir-locals.el 41 | # saveplace 42 | places 43 | # url cache 44 | url/cache/ 45 | # cedet 46 | ede-projects.el 47 | # smex 48 | smex-items 49 | # company-statistics 50 | company-statistics-cache.el 51 | # anaconda-mode 52 | anaconda-mode/ 53 | ### Go ### 54 | # 
Binaries for programs and plugins 55 | *.exe 56 | *.exe~ 57 | *.dll 58 | *.so 59 | *.dylib 60 | # Test binary, build with 'go test -c' 61 | *.test 62 | # Output of the go coverage tool, specifically when used with LiteIDE 63 | *.out 64 | ### Vim ### 65 | # swap 66 | .sw[a-p] 67 | .*.sw[a-p] 68 | # session 69 | Session.vim 70 | # temporary 71 | .netrwhist 72 | # auto-generated tag files 73 | tags 74 | ### VisualStudioCode ### 75 | .vscode/* 76 | .history 77 | # End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode 78 | testbin* 79 | # operator-sdk build deps 80 | bin/* 81 | # make generate files 82 | api/v1/zz_generated.deepcopy.go 83 | -------------------------------------------------------------------------------- /fbc/README.md: -------------------------------------------------------------------------------- 1 | # OSC FBC 2 | 3 | The file based catalog (**FBC**) for OpenShift sandboxed containers. 4 | 5 | ## Prerequisites 6 | 7 | ### Install `opm` 8 | 9 | You need v1.46.0 or greater. 10 | 11 | Download the binary from [Github releases](https://github.com/operator-framework/operator-registry/releases). 12 | 13 | ### Install `jq` and `curl` 14 | 15 | Packages from your favorite distros should work. 16 | 17 | ## Update the FBC 18 | 19 | 1. Update the digests in the template. 20 | 2. Run `./update.sh [VERSION]` to update the digests in the template. 21 | 3. Run `./render.sh [VERSION]` to update the actual catalog. 22 | 4. Open a pull request with your changes. 23 | 24 | ## Add a new OpenShift version 25 | 26 | In examples that follow, the latest release is `v4.17` and you want to release for `v4.18` too. 27 | 28 | ### New Konflux application 29 | 30 | 1. In the web UI, add a new application and a new component. 31 | 2. Ignore the pull request from the Konflux bot. 32 | 3. Add the new application to the ReleasePlanAdmission. 33 | 4. Create a new ReleasePlan. 34 | 35 | ### New files 36 | 37 | 1. 
Run the duplicate script: 38 | ``` 39 | ./duplicate.sh v4.17 v4.18 40 | ``` 41 | 42 | 2. Run the render script to update the actual catalog. Note that this command makes no changes if none are needed. 43 | ``` 44 | ./render.sh 45 | ``` 46 | 47 | ## Add a previously released catalog 48 | 49 | Run the migrate script. For example: 50 | ``` 51 | ./migrate.sh v4.16 52 | ``` 53 | 54 | ## Further reading 55 | 56 | - [File-based Catalogs](https://olm.operatorframework.io/docs/reference/file-based-catalogs/) in the Operator Lifecycle Manager (OLM) documentation. 57 | -------------------------------------------------------------------------------- /must-gather/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.redhat.io/openshift4/ose-must-gather-rhel9:v4.19 as builder 2 | 3 | FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1764578379 4 | 5 | # For gathering data from nodes 6 | # NOTE for hermetic build: any change to the packages installed here must 7 | # be reflected in the rpms.in.yaml file. 8 | # Also make sure to re-generate the rpms.lock.yaml file when doing so. 
9 | # See https://konflux.pages.redhat.com/docs/users/building/prefetching-dependencies.html#rpm 10 | RUN microdnf update -y && microdnf install tar rsync -y && microdnf clean all 11 | 12 | COPY --from=builder /usr/bin/oc /usr/bin/oc 13 | 14 | # Save original gather script 15 | COPY --from=builder /usr/bin/gather /usr/bin/gather_original 16 | 17 | # Copy all collection scripts to /usr/bin 18 | COPY collection-scripts/* /usr/bin/ 19 | 20 | # Copy node-gather resources to /etc 21 | COPY node-gather/node-gather-crd.yaml /etc/ 22 | COPY node-gather/node-gather-ds.yaml /etc/ 23 | 24 | # Red Hat labels 25 | LABEL name="openshift-sandboxed-containers/osc-must-gather-rhel9" \ 26 | cpe="cpe:/a:redhat:confidential_compute_attestation:1.11::el9" \ 27 | version="1.11" \ 28 | com.redhat.component="osc-must-gather-container" \ 29 | summary="osc-must-gather collects information about the sandboxed containers operator and the kata runtime" \ 30 | maintainer="support@redhat.com" \ 31 | description="osc-must-gather collects information about the sandboxed containers operator and the kata runtime" \ 32 | io.k8s.display-name="openshift-sandboxed-containers-must-gather" \ 33 | io.k8s.description="osc-must-gather collects information about the sandboxed containers operator and the kata runtime" \ 34 | io.openshift.tags="" 35 | 36 | ENTRYPOINT /usr/bin/gather 37 | -------------------------------------------------------------------------------- /config/peerpods/default-non-cc-initdata.toml: -------------------------------------------------------------------------------- 1 | # This initdata file was created by the osc-operator 2 | algorithm = "sha384" 3 | version = "0.1.0" 4 | 5 | [data] 6 | "aa.toml" = ''' 7 | ''' 8 | 9 | "policy.rego" = ''' 10 | package agent_policy 11 | 12 | default AddARPNeighborsRequest := true 13 | default AddSwapRequest := true 14 | default CloseStdinRequest := true 15 | default CopyFileRequest := true 16 | default CreateContainerRequest := true 17 | default 
CreateSandboxRequest := true 18 | default DestroySandboxRequest := true 19 | default ExecProcessRequest := true 20 | default GetMetricsRequest := true 21 | default GetOOMEventRequest := true 22 | default GuestDetailsRequest := true 23 | default ListInterfacesRequest := true 24 | default ListRoutesRequest := true 25 | default MemHotplugByProbeRequest := true 26 | default OnlineCPUMemRequest := true 27 | default PauseContainerRequest := true 28 | default PullImageRequest := true 29 | default ReadStreamRequest := true 30 | default RemoveContainerRequest := true 31 | default RemoveStaleVirtiofsShareMountsRequest := true 32 | default ReseedRandomDevRequest := true 33 | default ResumeContainerRequest := true 34 | default SetGuestDateTimeRequest := true 35 | default SetPolicyRequest := true 36 | default SignalProcessRequest := true 37 | default StartContainerRequest := true 38 | default StartTracingRequest := true 39 | default StatsContainerRequest := true 40 | default StopTracingRequest := true 41 | default TtyWinResizeRequest := true 42 | default UpdateContainerRequest := true 43 | default UpdateEphemeralMountsRequest := true 44 | default UpdateInterfaceRequest := true 45 | default UpdateRoutesRequest := true 46 | default WaitProcessRequest := true 47 | default WriteStreamRequest := true 48 | ''' 49 | -------------------------------------------------------------------------------- /fbc/duplicate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -xe 4 | 5 | # Get command line arguments. 6 | CURRENT_OCP_VERSION=$1 7 | NEW_OCP_VERSION=$2 8 | 9 | # Make sure arguments are defined. 
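# Both versions are required; fail with a usage hint instead of a bare `test` failure.
if [ -z "$CURRENT_OCP_VERSION" ] || [ -z "$NEW_OCP_VERSION" ]; then
  echo "Usage: $0 <current-ocp-version> <new-ocp-version>   (e.g. $0 v4.17 v4.18)" >&2
  exit 1
fi

# Treat unset variables and failures inside pipelines as errors (`set -xe` is set above).
set -uo pipefail

# Only accept the `vMAJOR.MINOR` form used by the fbc/ and .tekton/ layout. This keeps
# the sed patterns below free of regex metacharacters other than the dot we escape.
function check_version_format () {
  if ! [[ "$1" =~ ^v[0-9]+\.[0-9]+$ ]]; then
    echo "Invalid OCP version '$1': expected vMAJOR.MINOR (e.g. v4.18)" >&2
    exit 1
  fi
}

check_version_format "$CURRENT_OCP_VERSION"
check_version_format "$NEW_OCP_VERSION"

# "v4.17" -> "4-17": the spelling used in Tekton file names and Konflux component names.
function escape_with_dash () {
  local without_v="${1#v}"
  echo "${without_v//./-}"
}

# Escape the dot so that "v4.17" used as a sed pattern matches only "v4.17",
# not e.g. "v4x17" (an unescaped `.` matches any character).
function escape_for_sed () {
  printf '%s\n' "$1" | sed 's/\./\\./g'
}

CURRENT_OCP_VERSION_DASH=$(escape_with_dash "$CURRENT_OCP_VERSION")
NEW_OCP_VERSION_DASH=$(escape_with_dash "$NEW_OCP_VERSION")
CURRENT_OCP_VERSION_RE=$(escape_for_sed "$CURRENT_OCP_VERSION")

# Define directory variables.
GIT_TOP_DIR=$(git rev-parse --show-toplevel)
TEKTON_DIR="$GIT_TOP_DIR/.tekton"
FBC_DIR="$GIT_TOP_DIR/fbc"

# Create the PipelineRuns to build the new FBC: copy every fbc PipelineRun of the
# current version and rewrite both version spellings in the file name and content.
function new_tekton () {
  local file new_file found=false
  pushd "$TEKTON_DIR" > /dev/null
  for file in *; do
    # Same selection as `ls | grep fbc | grep <dash-version>`, without parsing ls output.
    [[ "$file" == *fbc* && "$file" == *"$CURRENT_OCP_VERSION_DASH"* ]] || continue
    found=true
    new_file="${file//$CURRENT_OCP_VERSION_DASH/$NEW_OCP_VERSION_DASH}"
    # Never clobber a PipelineRun that already exists for the new version.
    if [ -e "$new_file" ]; then
      echo "Refusing to overwrite existing $TEKTON_DIR/$new_file" >&2
      exit 1
    fi
    # Copy the file.
    cp "$file" "$new_file"
    # Update all occurrences of the version string in the file.
    sed -i "s/$CURRENT_OCP_VERSION_RE/$NEW_OCP_VERSION/g" "$new_file"
    sed -i "s/$CURRENT_OCP_VERSION_DASH/$NEW_OCP_VERSION_DASH/g" "$new_file"
  done
  popd > /dev/null
  if ! $found; then
    echo "No fbc PipelineRun for $CURRENT_OCP_VERSION found in $TEKTON_DIR" >&2
    exit 1
  fi
}

# Create the new FBC directory from the current one.
function new_catalog () {
  pushd "$FBC_DIR" > /dev/null
  if [ ! -d "$CURRENT_OCP_VERSION" ]; then
    echo "No catalog directory $FBC_DIR/$CURRENT_OCP_VERSION to copy from" >&2
    exit 1
  fi
  # `cp -r` into an existing directory nests a copy inside it instead of failing.
  if [ -e "$NEW_OCP_VERSION" ]; then
    echo "Refusing to overwrite existing $FBC_DIR/$NEW_OCP_VERSION" >&2
    exit 1
  fi
  # Copy the folder.
  cp -r "$CURRENT_OCP_VERSION" "$NEW_OCP_VERSION"

  # Update the base image version in the Dockerfile (first occurrence only, as before).
  sed -i "s/$CURRENT_OCP_VERSION_RE/$NEW_OCP_VERSION/" "$NEW_OCP_VERSION/Dockerfile"
  popd > /dev/null
}

new_tekton
new_catalog

set +x

echo "
Done. Now review the result and run the render script."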
57 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-15-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && 12 | target_branch == "devel" && 13 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-15-.*.yaml$|fbc/v4.15/Dockerfile$|fbc/v4.15/.*/catalog.json$')) 14 | creationTimestamp: null 15 | labels: 16 | appstudio.openshift.io/application: osc-fbc-4-15 17 | appstudio.openshift.io/component: osc-fbc-4-15 18 | pipelines.appstudio.openshift.io/type: build 19 | name: osc-fbc-4-15-on-pull-request 20 | namespace: ose-osc-tenant 21 | spec: 22 | params: 23 | - name: git-url 24 | value: '{{source_url}}' 25 | - name: revision 26 | value: '{{revision}}' 27 | - name: output-image 28 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-15:on-pr-{{revision}} 29 | - name: image-expires-after 30 | value: 5d 31 | - name: build-platforms 32 | value: 33 | - linux/x86_64 34 | - name: path-context 35 | value: fbc/v4.15 36 | - name: dockerfile 37 | value: fbc/v4.15/Dockerfile 38 | pipelineRef: 39 | name: fbc-pipeline 40 | taskRunTemplate: 41 | serviceAccountName: build-pipeline-osc-fbc-4-15 42 | workspaces: 43 | - name: git-auth 44 | secret: 45 | secretName: '{{ git_auth_secret }}' 46 | status: {} 47 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-17-pull-request.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch 11 | == "devel" && files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-17-.*.yaml$|fbc/v4.17/Dockerfile$|fbc/v4.17/.*/catalog.json$')) 12 | creationTimestamp: null 13 | labels: 14 | appstudio.openshift.io/application: osc-fbc-4-17 15 | appstudio.openshift.io/component: osc-fbc-4-17 16 | pipelines.appstudio.openshift.io/type: build 17 | name: osc-fbc-4-17-on-pull-request 18 | namespace: ose-osc-tenant 19 | spec: 20 | params: 21 | - name: git-url 22 | value: '{{source_url}}' 23 | - name: revision 24 | value: '{{revision}}' 25 | - name: output-image 26 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-17:on-pr-{{revision}} 27 | - name: image-expires-after 28 | value: 5d 29 | - name: build-platforms 30 | value: 31 | - linux/x86_64 32 | - linux/s390x 33 | - name: path-context 34 | value: fbc/v4.17 35 | - name: dockerfile 36 | value: fbc/v4.17/Dockerfile 37 | pipelineRef: 38 | name: fbc-pipeline 39 | taskRunTemplate: 40 | serviceAccountName: build-pipeline-osc-fbc-4-17 41 | workspaces: 42 | - name: git-auth 43 | secret: 44 | secretName: '{{ git_auth_secret }}' 45 | status: {} 46 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-16-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | 
kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && 12 | target_branch == "devel" && 13 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-16-.*.yaml$|fbc/v4.16/Dockerfile$|fbc/v4.16/.*/catalog.json$')) 14 | creationTimestamp: null 15 | labels: 16 | appstudio.openshift.io/application: osc-fbc-4-16 17 | appstudio.openshift.io/component: osc-fbc-4-16 18 | pipelines.appstudio.openshift.io/type: build 19 | name: osc-fbc-4-16-on-pull-request 20 | namespace: ose-osc-tenant 21 | spec: 22 | params: 23 | - name: git-url 24 | value: '{{source_url}}' 25 | - name: revision 26 | value: '{{revision}}' 27 | - name: output-image 28 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-16:on-pr-{{revision}} 29 | - name: image-expires-after 30 | value: 5d 31 | - name: build-platforms 32 | value: 33 | - linux/x86_64 34 | - linux/s390x 35 | - name: path-context 36 | value: fbc/v4.16 37 | - name: dockerfile 38 | value: fbc/v4.16/Dockerfile 39 | pipelineRef: 40 | name: fbc-pipeline 41 | taskRunTemplate: 42 | serviceAccountName: build-pipeline-osc-fbc-4-16 43 | workspaces: 44 | - name: git-auth 45 | secret: 46 | secretName: '{{ git_auth_secret }}' 47 | status: {} 48 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-18-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: 
https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && 12 | target_branch == "devel" && 13 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-18-.*.yaml$|fbc/v4.18/Dockerfile$|fbc/v4.18/.*/catalog.json$')) 14 | creationTimestamp: null 15 | labels: 16 | appstudio.openshift.io/application: osc-fbc-4-18 17 | appstudio.openshift.io/component: osc-fbc-4-18 18 | pipelines.appstudio.openshift.io/type: build 19 | name: osc-fbc-4-18-on-pull-request 20 | namespace: ose-osc-tenant 21 | spec: 22 | params: 23 | - name: git-url 24 | value: '{{source_url}}' 25 | - name: revision 26 | value: '{{revision}}' 27 | - name: output-image 28 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-18:on-pr-{{revision}} 29 | - name: image-expires-after 30 | value: 5d 31 | - name: build-platforms 32 | value: 33 | - linux/x86_64 34 | - linux/s390x 35 | - name: path-context 36 | value: fbc/v4.18 37 | - name: dockerfile 38 | value: fbc/v4.18/Dockerfile 39 | pipelineRef: 40 | name: fbc-pipeline 41 | taskRunTemplate: 42 | serviceAccountName: build-pipeline-osc-fbc-4-18 43 | workspaces: 44 | - name: git-auth 45 | secret: 46 | secretName: '{{ git_auth_secret }}' 47 | status: {} 48 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-19-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | 
build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && 12 | target_branch == "devel" && 13 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-19-.*.yaml$|fbc/v4.19/Dockerfile$|fbc/v4.19/.*/catalog.json$')) 14 | creationTimestamp: null 15 | labels: 16 | appstudio.openshift.io/application: osc-fbc-4-19 17 | appstudio.openshift.io/component: osc-fbc-4-19 18 | pipelines.appstudio.openshift.io/type: build 19 | name: osc-fbc-4-19-on-pull-request 20 | namespace: ose-osc-tenant 21 | spec: 22 | params: 23 | - name: git-url 24 | value: '{{source_url}}' 25 | - name: revision 26 | value: '{{revision}}' 27 | - name: output-image 28 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-19:on-pr-{{revision}} 29 | - name: image-expires-after 30 | value: 5d 31 | - name: build-platforms 32 | value: 33 | - linux/x86_64 34 | - linux/s390x 35 | - name: path-context 36 | value: fbc/v4.19 37 | - name: dockerfile 38 | value: fbc/v4.19/Dockerfile 39 | pipelineRef: 40 | name: fbc-pipeline 41 | taskRunTemplate: 42 | serviceAccountName: build-pipeline-osc-fbc-4-19 43 | workspaces: 44 | - name: git-auth 45 | secret: 46 | secretName: '{{ git_auth_secret }}' 47 | status: {} 48 | -------------------------------------------------------------------------------- /.tekton/osc-fbc-4-20-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: https://github.com/openshift/sandboxed-containers-operator?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: '{{revision}}' 7 | build.appstudio.redhat.com/pull_request_number: 
'{{pull_request_number}}' 8 | build.appstudio.redhat.com/target_branch: '{{target_branch}}' 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && 12 | target_branch == "devel" && 13 | files.all.exists(path, path.matches('.tekton/fbc-pipeline.yaml$|.tekton/osc-fbc-4-20-.*.yaml$|fbc/v4.20/Dockerfile$|fbc/v4.20/.*/catalog.json$')) 14 | creationTimestamp: null 15 | labels: 16 | appstudio.openshift.io/application: osc-fbc-4-20 17 | appstudio.openshift.io/component: osc-fbc-4-20 18 | pipelines.appstudio.openshift.io/type: build 19 | name: osc-fbc-4-20-on-pull-request 20 | namespace: ose-osc-tenant 21 | spec: 22 | params: 23 | - name: git-url 24 | value: '{{source_url}}' 25 | - name: revision 26 | value: '{{revision}}' 27 | - name: output-image 28 | value: quay.io/redhat-user-workloads/ose-osc-tenant/osc-fbc-4-20:on-pr-{{revision}} 29 | - name: image-expires-after 30 | value: 5d 31 | - name: build-platforms 32 | value: 33 | - linux/x86_64 34 | - linux/s390x 35 | - name: path-context 36 | value: fbc/v4.20 37 | - name: dockerfile 38 | value: fbc/v4.20/Dockerfile 39 | pipelineRef: 40 | name: fbc-pipeline 41 | taskRunTemplate: 42 | serviceAccountName: build-pipeline-osc-fbc-4-20 43 | workspaces: 44 | - name: git-auth 45 | secret: 46 | secretName: '{{ git_auth_secret }}' 47 | status: {} 48 | -------------------------------------------------------------------------------- /scripts/kata-install/osc-log-level.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -xeuo pipefail 4 | 5 | LOG_LEVELS=("fatal" "panic" "error" "warn" "info" "debug" "trace") 6 | LOG_FILE_PATH=/host/etc/crio/crio.conf.d/01-ctrcfg-logLevel 7 | 8 | # save a crio config file that contains the log level configuration 9 | create_or_override_log_config() { 10 | local level="$1" 11 | local file_content 12 | 13 | file_content=$( 14 | cat <"$LOG_FILE_PATH" 29 | # Set permissions 
    # World-readable, root-writable: the drop-in only carries the log level.
    chmod 644 "$LOG_FILE_PATH"
}

# Remove the CRI-O log-level drop-in from the host, if present.
remove_log_config() {
    if [[ -f "$LOG_FILE_PATH" ]]; then
        rm -f "$LOG_FILE_PATH"
    fi
}

# Ask CRI-O on the host to re-read its configuration. LOG_FILE_PATH lives under
# /host, so this assumes the host root is mounted there and that the container is
# allowed to chroot into it (i.e. runs privileged); the DaemonSet that provides
# that mount is not part of this file.
reload_crio() {
    chroot /host /bin/bash -c "systemctl reload crio"
}

# Validate the requested level against LOG_LEVELS and apply it.
# This exact-match allow-list is the only sanitization `level` receives before it
# is written into a root-owned file on the host, so keep it an exact match.
set_loglevel() {
    local level="$1"
    local valid=false

    for valid_level in "${LOG_LEVELS[@]}"; do
        if [[ "$level" == "$valid_level" ]]; then
            valid=true
            break
        fi
    done

    if ! $valid; then
        echo "Usage: $0 install {${LOG_LEVELS[*]}}" >&2
        exit 1
    fi

    create_or_override_log_config "$level"
    reload_crio
}

# Revert CRI-O to its default log level by removing the drop-in.
unset_loglevel() {
    remove_log_config
    reload_crio
}

# Entry point: `install <level>` writes the drop-in, `uninstall` removes it.
# After either action the process sleeps forever — presumably so the pod running
# this script stays up instead of restarting; confirm against the DaemonSet.
main() {
    local action="${1:-}"
    local level="${2:-}"

    case "$action" in
        install)
            set_loglevel "$level"
            ;;
        uninstall)
            unset_loglevel
            ;;
        *)
            echo "Usage: $0 {install|uninstall} [log_level]" >&2
            exit 1
            ;;
    esac

    sleep infinity
}

main "$@"
--------------------------------------------------------------------------------
/config/peerpods/podvm/bootc/Containerfile.rhel:
--------------------------------------------------------------------------------
# Get payload
# (the "## OSC_VERSION" trailer presumably marks this line for version-bump tooling)
FROM registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.11.1 as payload ## OSC_VERSION

# Build bootc rhel podvm
FROM registry.redhat.io/rhel9/rhel-bootc:9.5-1738698007 as podvm-bootc

# Build-time inputs. ORG_ID and ACTIVATION_KEY are credentials: build-arg values
# are generally recorded in the image history/metadata, so prefer a build secret
# (RUN --mount=type=secret) over ARG for the activation key where the builder
# supports it.
ARG ORG_ID
ARG ACTIVATION_KEY
ARG CLOUD_PROVIDER

# register
# NOTE(review): the registration state created here (consumer identity under
# /etc/pki) is expected to remain in the resulting podvm image unless the build
# unregisters afterwards, which nothing in this file does — confirm and clean up.
RUN if [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]]; then \
    #rm -f /etc/rhsm-host && rm -f /etc/pki/entitlement-host; \
    subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}; \
    fi

COPY etc /etc
COPY usr /usr

# afterburn is required for Azure
#RUN dnf config-manager
--add-repo=https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/ && dnf install -y --nogpgcheck afterburn && dnf clean all && dnf config-manager --set-disabled "*centos*" 22 | RUN if [[ "${CLOUD_PROVIDER}" == "azure" ]]; then \ 23 | dnf install -y afterburn && dnf clean all && \ 24 | ln -s ../afterburn-checkin.service /etc/systemd/system/multi-user.target.wants/afterburn-checkin.service; \ 25 | fi 26 | 27 | # Cloud-init is required for Libvirt 28 | RUN if [[ "${CLOUD_PROVIDER}" == "libvirt" ]]; then \ 29 | dnf install -y cloud-init && dnf clean all; \ 30 | fi 31 | 32 | # Extract podvm binaries and pause bundle 33 | COPY --from=payload /podvm-binaries.tar.gz /podvm-binaries.tar.gz 34 | COPY --from=payload /pause-bundle.tar.gz /pause-bundle.tar.gz 35 | RUN tar -xzvf podvm-binaries.tar.gz -C / && rm /podvm-binaries.tar.gz && \ 36 | tar -xzvf pause-bundle.tar.gz -C / && rm /pause-bundle.tar.gz && \ 37 | sed -i 's#What=/kata-containers#What=/var/kata-containers#g' /etc/systemd/system/run-kata\\x2dcontainers.mount 38 | 39 | # a workaround to set podvm-bootc as default target 40 | FROM podvm-bootc as default-target 41 | RUN bootc container lint 42 | -------------------------------------------------------------------------------- /must-gather/README.md: -------------------------------------------------------------------------------- 1 | # OpenShift sandboxed containers must-gather 2 | 3 | `must-gather` is a tool built on top of [OpenShift must-gather](https://github.com/openshift/must-gather) 4 | that expands its capabilities to gather sandboxed containers information. 5 | 6 | ### Usage 7 | ```sh 8 | oc adm must-gather --image=quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-must-gather 9 | ``` 10 | 11 | The command above will create a local directory with a dump of the OpenShift sandboxed-containers state. 12 | Note that this command will only get data related to the sandboxed-containers part of the OpenShift cluster. 
13 | 14 | You will get a dump of: 15 | - All namespaces (and their child objects) that belong to sandboxed containers resources 16 | 17 | In order to get data about other parts of the cluster (not specific to sandboxed containers) you should 18 | run `oc adm must-gather` (without passing a custom image). Run `oc adm must-gather -h` to see more options. 19 | 20 | ### Development 21 | You can build the image locally using the included Dockerfile. 22 | 23 | A `makefile` is also provided. To use it, you must pass a repository on the command line using the variable `MUST_GATHER_IMAGE`. 24 | You can also specify the registry using the variable `IMAGE_REGISTRY` (default is [quay.io](https://quay.io)) and the tag via `IMAGE_TAG` (default is `latest`). 25 | 26 | The targets for `make` are as follows: 27 | - `build`: builds the image with the supplied name and pushes it 28 | - `podman-build`: builds the image but does not push it 29 | - `podman-push`: pushes an already-built image 30 | 31 | For example: 32 | ```sh 33 | make build MUST_GATHER_IMAGE=openshift_sandboxed_containers/openshift-sandboxed-containers-must-gather 34 | ``` 35 | would build the local repository as `quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-must-gather:latest` and then push it.
36 | -------------------------------------------------------------------------------- /bundle/tests/scorecard/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: 8 | - entrypoint: 9 | - scorecard-test 10 | - basic-check-spec 11 | image: quay.io/operator-framework/scorecard-test:master 12 | labels: 13 | suite: basic 14 | test: basic-check-spec-test 15 | storage: 16 | spec: 17 | mountPath: {} 18 | - entrypoint: 19 | - scorecard-test 20 | - olm-bundle-validation 21 | image: quay.io/operator-framework/scorecard-test:master 22 | labels: 23 | suite: olm 24 | test: olm-bundle-validation-test 25 | storage: 26 | spec: 27 | mountPath: {} 28 | - entrypoint: 29 | - scorecard-test 30 | - olm-crds-have-validation 31 | image: quay.io/operator-framework/scorecard-test:master 32 | labels: 33 | suite: olm 34 | test: olm-crds-have-validation-test 35 | storage: 36 | spec: 37 | mountPath: {} 38 | - entrypoint: 39 | - scorecard-test 40 | - olm-crds-have-resources 41 | image: quay.io/operator-framework/scorecard-test:master 42 | labels: 43 | suite: olm 44 | test: olm-crds-have-resources-test 45 | storage: 46 | spec: 47 | mountPath: {} 48 | - entrypoint: 49 | - scorecard-test 50 | - olm-spec-descriptors 51 | image: quay.io/operator-framework/scorecard-test:master 52 | labels: 53 | suite: olm 54 | test: olm-spec-descriptors-test 55 | storage: 56 | spec: 57 | mountPath: {} 58 | - entrypoint: 59 | - scorecard-test 60 | - olm-status-descriptors 61 | image: quay.io/operator-framework/scorecard-test:master 62 | labels: 63 | suite: olm 64 | test: olm-status-descriptors-test 65 | storage: 66 | spec: 67 | mountPath: {} 68 | storage: 69 | spec: 70 | mountPath: {} 71 | -------------------------------------------------------------------------------- /fbc/update.sh: 
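--------------------------------------------------------------------------------
#!/usr/bin/env sh

# Update the bundle image digest in every catalog-template.yaml to the digest of
# the most recently merged bundle build.
#
# Data sources (public, unauthenticated APIs):
#   - GitHub: the newest commit touching bundle/ and the PR it was merged through
#   - Quay:   the manifest digest of the bundle image tagged with that merge commit
# The digest is validated before it is written anywhere: whatever lands in the
# template ends up pinned in the released catalog.
#
# Usage: ./update.sh [vX.Y ...]   (defaults to every v4.* directory)

# Print what you're doing, exit on error.
set -xe

# Which OCP versions are we running this for.
versions="$@"

[ -n "${versions}" ] || versions="v4.*"

# Check that a folder exists for the versions you set.
ls ${versions} > /dev/null

# Make script fail when API requests fail. This is a function rather than an alias:
# aliases are not expanded in non-interactive shells (bash in particular), so an
# `alias curl="curl --fail"` would silently let HTTP errors through and `jq` would
# then turn the error body into the string "null".
curl () {
  command curl --fail --silent --show-error "$@"
}

# Abort with a message on stderr (so it is never captured by $(...)).
die () {
  echo "update.sh: $*" >&2
  exit 1
}

# Fetch a URL and extract one value with the given jq filter.
# The response is captured before it is piped so that a failing curl fails the
# call; `set -e` alone does not see failures inside a pipeline.
api_value () {
  local url="$1"
  local filter="$2"
  local body
  body=$(curl -L "${url}") || return 1
  printf '%s\n' "${body}" | jq -r "${filter}"
}

# Get the latest merge commit for the bundle. This is the string the bundle image is tagged with.
get_tag () {
  local commits_url="https://api.github.com/repos/openshift/sandboxed-containers-operator/commits?per_page=1&path=bundle"
  local commit
  commit=$(api_value "${commits_url}" '.[0].sha') || return 1
  case "${commit}" in
    ""|null) die "could not determine the latest bundle commit" ;;
  esac
  local pulls_url="https://api.github.com/repos/openshift/sandboxed-containers-operator/commits/${commit}/pulls"
  api_value "${pulls_url}" '.[0].merge_commit_sha'
}

# Get the digest for a tagged image. Pass the tag as the first argument.
# Quay API docs are at https://docs.quay.io/api/swagger/#!/tag/listRepoTags.
get_digest () {
  local tag="$1"
  local url="https://quay.io/api/v1/repository/redhat-user-workloads/ose-osc-tenant/osc-operator-bundle/tag?specificTag=${tag}"
  api_value "${url}" '.tags[0].manifest_digest'
}

# Update the last bundle image digest in the template with the new one.
replace_digest_last () {
  local digest="$1"
  local file="$2"
  local old_digest
  old_digest=$(yq '.entries[] | select(.schema == "olm.bundle") | .image' "${file}" | tail -n1 | sed 's/.*@//')
  # An empty pattern would make sed reuse its previous regex; refuse instead.
  [ -n "${old_digest}" ] || die "no bundle image digest found in ${file}"
  if [ "${old_digest}" = "${digest}" ]; then
    echo "${file}: already at ${digest}"
    return 0
  fi
  sed -i "s/${old_digest}/${digest}/" "${file}"
  grep -q "${digest}" "${file}" || die "failed to write ${digest} into ${file}"
}

tag="$(get_tag)"
case "${tag}" in
  ""|null) die "could not determine the merge commit of the latest bundle change" ;;
esac

digest="$(get_digest "${tag}")"
# Only a well-formed sha256 digest may be written into the catalog templates.
printf '%s\n' "${digest}" | grep -Eq '^sha256:[0-9a-f]{64}$' ||
  die "no valid image digest for tag ${tag} (got '${digest}')"

for version in ${versions}; do
  file="${version}/catalog-template.yaml"
  replace_digest_last "${digest}" "${file}"
done

# No more debug. All went good.
set +x

echo "
Done."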
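
--------------------------------------------------------------------------------
/scripts/kata-install/lib.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Contains common functions used by the scripts

# Pull a container image and copy selected files out of its root filesystem.
#
# Arguments:
#   $1  image reference (pulled as docker://$1)
#   $2  space-separated list of absolute paths inside the image to copy out
#   $3  destination directory on the local filesystem
#   $4  optional path to a registry auth.json, passed to skopeo via --authfile
#
# Relies on error_exit() being defined by the calling script.
# Signatures are dropped on copy (--remove-signatures) because the OCI layout
# target cannot hold them; nothing in this function verifies the image's
# signature, so any such verification must come from the host's container
# policy (policy.json) or from an earlier step.
function extract_container_image() {
    # Usage check first, before anything is pulled.
    [[ $# -lt 3 ]] &&
        error_exit "Usage: extract_container_image IMAGE SRC_PATHS DEST_DIR [AUTH_JSON]"

    local image="${1}"
    local copy_src="${2}"
    local copy_des="${3}"
    local auth_json_file="${4:-}"

    local dest_image="/tmp/image"
    local tag="tag"
    local destination_path="/tmp/unpacked"

    # Start from a clean slate so leftovers of an earlier run cannot be picked up.
    rm -rf "${dest_image}" "${destination_path}"

    # Build the skopeo command as an array so the auth file path survives word splitting.
    local skopeo_cmd=(skopeo copy --remove-signatures)
    if [[ -n "${auth_json_file}" ]]; then
        skopeo_cmd+=(--authfile "${auth_json_file}")
    fi

    # Download the container image into a local OCI layout
    "${skopeo_cmd[@]}" "docker://${image}" "oci:${dest_image}:${tag}" ||
        error_exit "Failed to download the container image"

    # Extract the container image using umoci into provided directory
    umoci unpack --rootless --image "${dest_image}:${tag}" "${destination_path}" ||
        error_exit "Failed to extract the container image"

    # Copy requested files or directories
    local src full_src
    for src in ${copy_src}; do
        full_src="${destination_path}/rootfs${src}"
        if [[ -e "${full_src}" ]]; then
            cp -r "${full_src}" "${copy_des}/"
        else
            # NOTE(review): kept as-is — this parks the process forever instead of
            # failing, presumably to keep the pod around for debugging; confirm
            # before changing it to error_exit.
            echo "Warning: Not found in image: ${src}"
            sleep infinity
        fi
    done

    # Clean up the local OCI layout and the unpacked rootfs (both under /tmp).
    rm -rf "${dest_image}" "${destination_path}"
}

client_tools() {
    mkdir -p "/usr/bin"
    extract_container_image "$CLI_IMAGE" "/usr/bin/oc /usr/bin/kubectl" "/usr/bin"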
"/tmp/regauth/auth.json" 55 | chmod +x /usr/bin/oc 56 | chmod +x /usr/bin/kubectl 57 | } 58 | -------------------------------------------------------------------------------- /ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 27 | 28 | **Description** 29 | 30 | 33 | 34 | **Steps to reproduce the issue:** 35 | 1. 36 | 2. 37 | 3. 38 | 39 | **Describe the results you received:** 40 | 41 | 42 | **Describe the results you expected:** 43 | 44 | 45 | **Additional information you deem important (e.g. issue happens only occasionally):** 46 | 47 | **Output of `oc describe kataconfig `:** 48 | 49 | ``` 50 | (paste your output here) 51 | ``` 52 | 53 | **Additional environment details (platform, options, etc.):** 54 | -------------------------------------------------------------------------------- /bundle.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM scratch 2 | 3 | # Core bundle labels. 4 | LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 5 | LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ 6 | LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ 7 | LABEL operators.operatorframework.io.bundle.package.v1=sandboxed-containers-operator 8 | LABEL operators.operatorframework.io.bundle.channels.v1=stable 9 | LABEL operators.operatorframework.io.bundle.channel.default.v1=stable 10 | LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.39.1 11 | LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 12 | LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 13 | 14 | # Labels for testing. 15 | LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 16 | LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ 17 | 18 | # Copy files to locations specified by labels. 
19 | COPY bundle/manifests /manifests/ 20 | COPY bundle/metadata /metadata/ 21 | COPY bundle/tests/scorecard /tests/scorecard/ 22 | 23 | # Red Hat labels 24 | LABEL io.k8s.display-name='OpenShift sandboxed containers operator' 25 | LABEL io.k8s.description='This operator manages the sandboxed-containers runtime' 26 | LABEL com.redhat.delivery.appregistry='' 27 | LABEL maintainer='support@redhat.com' 28 | LABEL name="openshift-sandboxed-containers/osc-operator-bundle" 29 | LABEL cpe="cpe:/a:redhat:confidential_compute_attestation:1.11::el9" 30 | LABEL com.redhat.component="osc-operator-bundle-container" 31 | LABEL io.openshift.maintainer.product='OpenShift Container Platform' 32 | LABEL io.openshift.maintainer.component='Sandboxed Containers' 33 | LABEL version="1.11" 34 | LABEL com.redhat.delivery.operator.bundle=true 35 | LABEL com.redhat.openshift.versions=v4.15 36 | LABEL summary="This operator manages the sandboxed-containers runtime" 37 | LABEL description="This operator manages the sandboxed-containers runtime" 38 | LABEL io.openshift.tags="" 39 | LABEL distribution-scope=public 40 | LABEL release="1" 41 | LABEL url="https://access.redhat.com/" 42 | LABEL vendor="Red Hat, Inc." 43 | -------------------------------------------------------------------------------- /fbc/render.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | # Print what you're doing, exit on error. 
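set -xe

OCP_VERSIONS=$1

test -n "$OCP_VERSIONS" || OCP_VERSIONS="v4.*"

BUILD_REGISTRY="quay.io/redhat-user-workloads/ose-osc-tenant/"
RELEASE_REGISTRY="registry.redhat.io/openshift-sandboxed-containers/"
PACKAGE_NAME="sandboxed-containers-operator"
TEMPLATE_NAME="catalog-template.yaml"
ICON="icon.png"
ICON_BASE64="$ICON.base64"

# Abort with a message on stderr.
die () {
  echo "render.sh: $*" >&2
  exit 1
}

# Restore a template to its committed form: release-registry image and no icon data.
# Arguments: template file, build image reference, release image reference.
# Run from an EXIT trap so a failed `opm` does not leave the template pointing at
# the build registry with the icon blob embedded.
restore_template () {
  sed -i "s|$2|$3|" "$1"
  yq -i ".entries[0].icon.base64data = \"\"" "$1"
}

echo

# Encode the icon once. Line wrapping (GNU base64 wraps at 76 columns by default)
# is stripped so the value is a single token; decoders ignore it either way.
base64 "$ICON" | tr -d '\n' > "$ICON_BASE64"
ICON_DATA=$(cat "$ICON_BASE64")

for OCP_VERSION in $OCP_VERSIONS
do
  # Each version is rendered in a subshell: `cd` replaces pushd/popd, which are
  # bash builtins and do not exist under a POSIX sh such as dash, and the EXIT
  # trap restores the template on every exit path. `set -e` turns a failing
  # subshell into a failure of the whole script.
  (
    cd "$OCP_VERSION" || exit 1

    RELEASE_IMAGE=$(yq '.entries[] | select(.schema == "olm.bundle") | .image' "$TEMPLATE_NAME" | tail -n1)
    [ -n "$RELEASE_IMAGE" ] || die "no olm.bundle image found in $OCP_VERSION/$TEMPLATE_NAME"
    BUILD_IMAGE=$(echo "$RELEASE_IMAGE" | sed "s|$RELEASE_REGISTRY|$BUILD_REGISTRY|")

    trap 'restore_template "$TEMPLATE_NAME" "$BUILD_IMAGE" "$RELEASE_IMAGE"' EXIT

    # Switch to the build registry, so `opm` can pull freely.
    sed -i "s|$RELEASE_IMAGE|$BUILD_IMAGE|" "$TEMPLATE_NAME"

    # Add the icon data. It is passed through the environment (strenv) instead of
    # being interpolated into the yq expression, so it needs no shell quoting and
    # does not flood the `set -x` trace.
    ICON_DATA="$ICON_DATA" yq -i '.entries[0].icon.base64data = strenv(ICON_DATA)' "$TEMPLATE_NAME"

    # enable migrate params for OCP 4.17 and onwards
    # skip the check for test-fbc, assuming it is always using the latest version
    MIGRATE_PARAM="--migrate-level bundle-object-to-csv-metadata"
    if [ "$OCP_VERSION" != "test-fbc" ]; then
      OCP_VERSION_NUMERAL=$(echo "$OCP_VERSION" | grep -o -E '[0-9]+\.[0-9]+' | head -n1)
      [ -n "$OCP_VERSION_NUMERAL" ] || die "cannot parse an OCP version out of '$OCP_VERSION'"
      MAJOR=${OCP_VERSION_NUMERAL%%.*}
      MINOR=${OCP_VERSION_NUMERAL#*.}
      # Compare MAJOR and MINOR as integers. The previous `bc` comparison treated
      # the version as a decimal number, so "4.9 < 4.17" evaluated to false.
      if [ "$MAJOR" -lt 4 ] || { [ "$MAJOR" -eq 4 ] && [ "$MINOR" -lt 17 ]; }; then
        MIGRATE_PARAM=""
      fi
    fi

    # Render that template. It's what we're here for.
    # $MIGRATE_PARAM is deliberately unquoted so it expands to two arguments or none.
    opm $MIGRATE_PARAM alpha render-template basic "$TEMPLATE_NAME" > "catalog/${PACKAGE_NAME}/catalog.json"

    # Switch the rendered catalog back to the release registry (the template itself
    # is restored by the EXIT trap).
    sed -i "s|$BUILD_IMAGE|$RELEASE_IMAGE|" "catalog/${PACKAGE_NAME}/catalog.json"

    # The published catalog must not reference the build registry anywhere.
    if grep -q "$BUILD_REGISTRY" "catalog/${PACKAGE_NAME}/catalog.json"; then
      die "catalog/${PACKAGE_NAME}/catalog.json still references $BUILD_REGISTRY"
    fi
  )
  echo
done

# No more debug. All went good.
set +x

echo "
Done."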
62 | -------------------------------------------------------------------------------- /config/manifests/extension-crds/confidentialcontainers.org_peerpods.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | controller-gen.kubebuilder.io/version: v0.10.0 7 | creationTimestamp: null 8 | name: peerpods.confidentialcontainers.org 9 | spec: 10 | group: confidentialcontainers.org 11 | names: 12 | kind: PeerPod 13 | listKind: PeerPodList 14 | plural: peerpods 15 | singular: peerpod 16 | scope: Namespaced 17 | versions: 18 | - name: v1alpha1 19 | schema: 20 | openAPIV3Schema: 21 | description: PeerPod is the Schema for the peerpods API 22 | properties: 23 | apiVersion: 24 | description: 'APIVersion defines the versioned schema of this representation 25 | of an object. Servers should convert recognized schemas to the latest 26 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 27 | type: string 28 | kind: 29 | description: 'Kind is a string value representing the REST resource this 30 | object represents. Servers may infer this from the endpoint the client 31 | submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 32 | type: string 33 | metadata: 34 | type: object 35 | spec: 36 | description: PeerPodSpec defines the desired state of PeerPod 37 | properties: 38 | cloudProvider: 39 | type: string 40 | instanceID: 41 | type: string 42 | type: object 43 | status: 44 | description: PeerPodStatus defines the observed state of PeerPod 45 | properties: 46 | cleand: 47 | type: boolean 48 | type: object 49 | type: object 50 | served: true 51 | storage: true 52 | subresources: 53 | status: {} 54 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3-1764620329 as builder 2 | 3 | # Required by the ubi based go-toolset image 4 | USER root 5 | 6 | WORKDIR /workspace 7 | 8 | COPY Makefile Makefile 9 | COPY hack hack/ 10 | COPY PROJECT PROJECT 11 | COPY go.mod go.mod 12 | COPY go.sum go.sum 13 | COPY cmd/ cmd/ 14 | COPY api api/ 15 | COPY config config/ 16 | COPY controllers controllers/ 17 | 18 | # Copy our controller-gen script to work around hermetic build issues 19 | # See comments in the script itself for more details. 20 | COPY controller-gen bin/ 21 | 22 | # get the version of controller-gen in an env variable for reusing 23 | RUN echo "export CONTROLLER_TOOLS_VERSION=$(grep -m 1 controller-tools go.mod | awk '{print $2}')" > controller-tools-ver 24 | 25 | # rename the script to use the same version as defined in our go.mod file 26 | RUN . ./controller-tools-ver && mv bin/controller-gen bin/controller-gen-$CONTROLLER_TOOLS_VERSION 27 | 28 | # make sure 'make' uses the right version of controller-gen 29 | RUN . 
./controller-tools-ver && make build 30 | 31 | # Use OpenShift base image 32 | FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1764578379 33 | WORKDIR / 34 | COPY --from=builder /workspace/bin/manager . 35 | COPY --from=builder /workspace/bin/metrics-server . 36 | COPY --from=builder /workspace/config/peerpods /config/peerpods 37 | 38 | RUN useradd -r -u 499 nonroot 39 | RUN getent group nonroot || groupadd -o -g 499 nonroot 40 | 41 | # Red Hat labels 42 | LABEL name="openshift-sandboxed-containers/osc-rhel9-operator" \ 43 | cpe="cpe:/a:redhat:confidential_compute_attestation:1.11::el9" \ 44 | version="1.11" \ 45 | com.redhat.component="osc-operator-container" \ 46 | summary="This operator manages the Openshift Sandboxed Containers runtime installation" \ 47 | maintainer="redhat@redhat.com" \ 48 | description="The Openshift Sandboxed containers operator manages runtime configuration and lifecycle" \ 49 | io.k8s.display-name="openshift-sandboxed-containers-operator" \ 50 | io.k8s.description="This operator manages the Openshift Sandboxed Containers runtime installation" \ 51 | io.openshift.tags="" 52 | 53 | USER 499:499 54 | ENTRYPOINT ["/manager"] 55 | -------------------------------------------------------------------------------- /fbc/test-fbc/Dockerfile: -------------------------------------------------------------------------------- 1 | # The builder image is expected to contain 2 | # /bin/opm (with serve subcommand) 3 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.19 as builder 4 | ARG GIT_URL="" 5 | ARG GIT_REVISION="" 6 | USER root 7 | 8 | WORKDIR /workdir 9 | ADD render.sh icon.png ./ 10 | COPY test-fbc ./test-fbc 11 | 12 | RUN dnf install -y go git jq skopeo && go install github.com/mikefarah/yq/v4@v4.35.1 13 | RUN PATH=/root/go/bin:$PATH ./render.sh test-fbc 14 | 15 | # Copy FBC root into image at /configs and pre-populate serve cache 16 | RUN cp -r test-fbc/catalog/ /configs 17 | RUN ["/bin/opm", "serve", "/configs", 
"--cache-dir=/tmp/cache", "--cache-only"] 18 | 19 | # Optionally clone the git repo and generate changelog from it 20 | # 21 | # FIXME : temporarily unplug changelog generation until changelog.sh is fixed 22 | # see https://github.com/openshift/sandboxed-containers-operator/pull/1381 23 | # 24 | # ENV GIT_URL=${GIT_URL} 25 | # ENV GIT_REVISION=${GIT_REVISION} 26 | # RUN if [[ -n "${GIT_URL}" && -n "${GIT_REVISION}" ]]; then \ 27 | # echo GIT_URL="${GIT_URL}" ; \ 28 | # echo GIT_REVISION="${GIT_REVISION}" ; \ 29 | # git clone "${GIT_URL}" repo && \ 30 | # pushd repo && \ 31 | # git checkout "${GIT_REVISION}" && \ 32 | # cd fbc/test-fbc && \ 33 | # ./changelog.sh && \ 34 | # popd ; \ 35 | # fi 36 | 37 | FROM brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9:v4.19 38 | # The base image is expected to contain 39 | # /bin/opm (with serve subcommand) and /bin/grpc_health_probe 40 | 41 | # Configure the entrypoint and command 42 | ENTRYPOINT ["/bin/opm"] 43 | CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] 44 | 45 | COPY --from=builder /configs /configs 46 | COPY --from=builder /tmp/cache /tmp/cache 47 | # 48 | # FIXME : temporarily unplug changelog generation until changelog.sh is fixed 49 | # see https://github.com/openshift/sandboxed-containers-operator/pull/1381 50 | # 51 | #COPY --from=builder /workdir/repo/fbc/test-fbc/CHANGELOG /CHANGELOG 52 | 53 | # Set FBC-specific label for the location of the FBC root directory 54 | # in the image 55 | LABEL operators.operatorframework.io.index.configs.v1=/configs 56 | -------------------------------------------------------------------------------- /bundle/manifests/confidentialcontainers.org_peerpods.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.10.0 6 | creationTimestamp: null 7 | name: 
peerpods.confidentialcontainers.org 8 | spec: 9 | group: confidentialcontainers.org 10 | names: 11 | kind: PeerPod 12 | listKind: PeerPodList 13 | plural: peerpods 14 | singular: peerpod 15 | scope: Namespaced 16 | versions: 17 | - name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | description: PeerPod is the Schema for the peerpods API 21 | properties: 22 | apiVersion: 23 | description: 'APIVersion defines the versioned schema of this representation 24 | of an object. Servers should convert recognized schemas to the latest 25 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 26 | type: string 27 | kind: 28 | description: 'Kind is a string value representing the REST resource this 29 | object represents. Servers may infer this from the endpoint the client 30 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 31 | type: string 32 | metadata: 33 | type: object 34 | spec: 35 | description: PeerPodSpec defines the desired state of PeerPod 36 | properties: 37 | cloudProvider: 38 | type: string 39 | instanceID: 40 | type: string 41 | type: object 42 | status: 43 | description: PeerPodStatus defines the observed state of PeerPod 44 | properties: 45 | cleand: 46 | type: boolean 47 | type: object 48 | type: object 49 | served: true 50 | storage: true 51 | subresources: 52 | status: {} 53 | status: 54 | acceptedNames: 55 | kind: "" 56 | plural: "" 57 | conditions: null 58 | storedVersions: null 59 | -------------------------------------------------------------------------------- /tests/make-test.yaml: -------------------------------------------------------------------------------- 1 | kind: Pipeline 2 | apiVersion: tekton.dev/v1beta1 3 | metadata: 4 | name: make-test 5 | spec: 6 | params: 7 | - description: 'Snapshot of the application' 8 | name: 
SNAPSHOT 9 | default: '{"components": [{"name":"test-app", "containerImage": "quay.io/example/repo:latest"}]}' 10 | type: string 11 | tasks: 12 | - name: run-make-test 13 | description: Get the sources of the operator, and run 'make test' on them 14 | params: 15 | - name: SNAPSHOT 16 | value: $(params.SNAPSHOT) 17 | taskSpec: 18 | params: 19 | - name: SNAPSHOT 20 | results: 21 | - name: TEST_OUTPUT 22 | description: Test output 23 | steps: 24 | - image: registry.redhat.io/openshift4/ose-cli:latest 25 | env: 26 | - name: SNAPSHOT 27 | value: $(params.SNAPSHOT) 28 | script: | 29 | #!/bin/bash 30 | set -e 31 | SUCCESSES=0 32 | FAILURES=0 33 | WARNINGS=0 34 | 35 | dnf -y install jq git make go 36 | srcURL=$(jq -r '.components[] | select(.name=="osc-operator") | .source.git.url' <<< "${SNAPSHOT}") 37 | srcREV=$(jq -r '.components[] | select(.name=="osc-operator") | .source.git.revision' <<< "${SNAPSHOT}") 38 | 39 | git clone ${srcURL} sources 40 | cd sources 41 | git checkout ${srcREV} 42 | make test 43 | 44 | # After the tests finish, record the overall result in the RESULT variable 45 | if [ $? 
-eq 0 ]; then 46 | RESULT="SUCCESS" 47 | SUCCESSES=1 48 | else 49 | RESULT="FAILURE" 50 | FAILURES=1 51 | fi 52 | 53 | # Output the standardized TEST_OUTPUT result in JSON form 54 | TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT "${RESULT}" \ 55 | --argjson FAILURES ${FAILURES} --argjson SUCCESSES ${SUCCESSES} --argjson WARNINGS ${WARNINGS} --null-input \ 56 | '{result: $RESULT, timestamp: $date, failures: $FAILURES, successes: $SUCCESSES, warnings: $WARNINGS}') 57 | echo -n "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) 58 | -------------------------------------------------------------------------------- /must-gather/node-gather/node-gather-ds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: node-gather-daemonset 6 | namespace: node-gather 7 | labels: 8 | spec: 9 | selector: 10 | matchLabels: 11 | name: node-gather-daemonset 12 | template: 13 | metadata: 14 | labels: 15 | name: node-gather-daemonset 16 | spec: 17 | serviceaccount: node-gather 18 | serviceAccountName: node-gather 19 | terminationGracePeriodSeconds: 0 20 | hostNetwork: true 21 | containers: 22 | - name: node-probe 23 | image: MUST_GATHER_IMAGE 24 | command: ["/bin/bash", "-c", "echo ok > /tmp/healthy && sleep INF"] 25 | imagePullPolicy: IfNotPresent 26 | resources: 27 | requests: 28 | cpu: "100m" 29 | memory: "50Mi" 30 | limits: 31 | cpu: "100m" 32 | memory: "50Mi" 33 | readinessProbe: 34 | exec: 35 | command: 36 | - cat 37 | - /tmp/healthy 38 | initialDelaySeconds: 5 39 | periodSeconds: 5 40 | volumeMounts: 41 | - name: sys 42 | mountPath: /host/sys 43 | - name: proc 44 | mountPath: /host/proc 45 | - name: dev 46 | mountPath: /host/dev 47 | - name: etc 48 | mountPath: /host/etc 49 | - name: opt 50 | mountPath: /host/opt 51 | - name: var 52 | mountPath: /host/var 53 | - name: run 54 | mountPath: /host/run 55 | securityContext: 56 | privileged: true 57 | 
volumes: 58 | - name: sys 59 | hostPath: 60 | path: /sys 61 | type: Directory 62 | - name: proc 63 | hostPath: 64 | path: /proc 65 | type: Directory 66 | - name: dev 67 | hostPath: 68 | path: /dev 69 | type: Directory 70 | - name: etc 71 | hostPath: 72 | path: /etc 73 | type: Directory 74 | - name: opt 75 | hostPath: 76 | path: /opt 77 | type: Directory 78 | - name: var 79 | hostPath: 80 | path: /var 81 | type: Directory 82 | - name: run 83 | hostPath: 84 | path: /run 85 | type: Directory -------------------------------------------------------------------------------- /config/peerpods/podvm/azure-podvm-image-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: azure-podvm-image-cm 5 | namespace: openshift-sandboxed-containers-operator 6 | data: 7 | # PodVM image distro 8 | PODVM_DISTRO: rhel 9 | 10 | # Gallery 11 | # Set the gallery name explicitly, otherwise it'll be set by the operator to 12 | # PodVMGallery_${cluster-id}. If a gallery name is provided, the job will 13 | # use the specific gallery name. 14 | # Note that the gallery name must be unique across the subscription and not exceed 80 characters. 
15 | # Also, the allowed characters are English alphanumeric characters, 16 | # with underscores and periods allowed in the middle 17 | IMAGE_GALLERY_NAME: "" 18 | 19 | # Image definition 20 | IMAGE_DEFINITION_NAME: "podvm-image" 21 | IMAGE_DEFINITION_PUBLISHER: "RedHat" 22 | IMAGE_DEFINITION_OFFER: "OSC-PodVM" 23 | IMAGE_DEFINITION_SKU: "OSC-PodVM" 24 | IMAGE_DEFINITION_OS_TYPE: "Linux" 25 | IMAGE_DEFINITION_OS_STATE: "Generalized" 26 | IMAGE_DEFINITION_VM_GENERATION: "V2" 27 | IMAGE_DEFINITION_ARCHITECTURE: "x64" 28 | 29 | # base image - should be coordinated with IMAGE_DEFINITION_VM_GENERATION 30 | BASE_IMAGE_PUBLISHER: "redhat" 31 | BASE_IMAGE_OFFER: "RHEL" 32 | BASE_IMAGE_SKU: "94_gen2" 33 | 34 | # Image 35 | IMAGE_BASE_NAME: "podvm-image" 36 | # Must be in Major(int).Minor(int).Patch(int) format 37 | # When deployed from operator, update the IMAGE_VERSION to something like 38 | # "$clusterid.0.1" 39 | IMAGE_VERSION: "0.0.1" 40 | 41 | # Packer VM size 42 | VM_SIZE: "Standard_D2as_v5" 43 | 44 | # Pod VM sources 45 | # If changing the source, then ensure the respective payload binaries are available 46 | # for the new source 47 | CAA_SRC: "https://gitlab.cee.redhat.com/osc/midstream/cloud-api-adaptor" 48 | CAA_REF: "v0.8.0-1.6" 49 | 50 | # Booleans 51 | INSTALL_PACKAGES: "no" 52 | DOWNLOAD_SOURCES: "no" 53 | CONFIDENTIAL_COMPUTE_ENABLED: "no" 54 | DISABLE_CLOUD_CONFIG: "true" 55 | ENABLE_NVIDIA_GPU: "no" 56 | UPDATE_PEERPODS_CM: "yes" 57 | BOOT_FIPS: "no" 58 | 59 | # NVIDIA GPU vars 60 | NVIDIA_DRIVER_VERSION: "535" 61 | NVIDIA_USERSPACE_VERSION: "1.13.5-1" 62 | 63 | # Custom Agent Policy 64 | #AGENT_POLICY: "" # set to base64 encoded agent policy 65 | 66 | # precreated artifacts 67 | #PODVM_IMAGE_URI: bootc::image-registry.openshift-image-registry.svc:5000/openshift-sandboxed-containers-operator/podvm-bootc 68 | -------------------------------------------------------------------------------- /tests/show-snapshot.yaml: 
-------------------------------------------------------------------------------- 1 | kind: Pipeline 2 | apiVersion: tekton.dev/v1beta1 3 | metadata: 4 | name: show-snapshot 5 | spec: 6 | params: 7 | - description: 'Snapshot of the application' 8 | name: SNAPSHOT 9 | default: '{"components": [{"name":"test-app", "containerImage": "quay.io/example/repo:latest"}]}' 10 | type: string 11 | tasks: 12 | - name: task-1 13 | description: Placeholder task that prints the Snapshot and outputs standard TEST_OUTPUT 14 | params: 15 | - name: SNAPSHOT 16 | value: $(params.SNAPSHOT) 17 | taskSpec: 18 | params: 19 | - name: SNAPSHOT 20 | results: 21 | - name: TEST_OUTPUT 22 | description: Test output 23 | steps: 24 | - image: registry.redhat.io/openshift4/ose-cli:latest 25 | env: 26 | - name: SNAPSHOT 27 | value: $(params.SNAPSHOT) 28 | script: | 29 | #!/bin/bash 30 | set -e 31 | dnf -y install jq 32 | snapshotComponents=$(jq -c '.components[]' <<< "${SNAPSHOT}") 33 | 34 | echo -e "Example test task for the Snapshot:\n ${SNAPSHOT}" 35 | # Run custom tests for the given Snapshot here 36 | while read componentEntry 37 | do 38 | # Variables 39 | componentName=$(echo "${componentEntry}" | jq -r '.name') 40 | componentUrl=$(echo "${componentEntry}" | jq -r '.source.git.url') 41 | componentSha=$(echo "${componentEntry}" | jq -r '.source.git.revision') 42 | 43 | echo "Print the infomation for component ${componentName} included in snapshot, more test can be added to inspect git source and containerImage in component::" 44 | echo "${componentName}" 45 | echo " - URL: ${componentUrl}" 46 | echo " - SHA: ${componentSha}" 47 | echo 48 | done < <(echo "$snapshotComponents") 49 | 50 | # After the tests finish, record the overall result in the RESULT variable 51 | RESULT="SUCCESS" 52 | 53 | # Output the standardized TEST_OUTPUT result in JSON form 54 | TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT "${RESULT}" --null-input \ 55 | '{result: $RESULT, timestamp: $date, 
failures: 0, successes: 1, warnings: 0}') 56 | echo -n "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) 57 | -------------------------------------------------------------------------------- /scripts/bump-osc-version.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # USAGE: bump-osc-versio.sh [replaced version] 4 | # bump-osc-versio.sh -h 5 | # 6 | 7 | version="$1" 8 | replaced="$2" 9 | 10 | if [[ "${version}" = "-h" ]] || [[ -z "${version}" ]]; then 11 | cat<&2 12 | USAGE: bump-osc-versio.sh [replaced version] 13 | bump-osc-versio.sh -h 14 | 15 | Do the following : 16 | - update version everywhere 17 | - optionally update the version at "replaces:" in the CSV 18 | EOF 19 | exit 1 20 | fi 21 | 22 | sed -Ei "s/[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+([^#]+## OSC_VERSION)/${version}\1/g" \ 23 | $(git grep -El '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+[^#]+## OSC_VERSION') 24 | 25 | sed -Ei \ 26 | "s/(olm.skipRange: '>=1\.1\.0 <)[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+'/\1${version}'/g" \ 27 | config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml 28 | 29 | if [[ -n "$replaced" ]]; then 30 | sed -Ei "s/(replaces: sandboxed-containers-operator\.v)[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+/\1${replaced}/g" \ 31 | config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml 32 | fi 33 | 34 | major_minor() 35 | { 36 | local major minor 37 | IFS=. read major minor rem <<< "$1" 38 | echo ${major}.${minor} 39 | } 40 | 41 | sed -Ei "s/(version=)\"[[:digit:]]+\.[[:digit:]]+\"/\1\"$(major_minor "${version}")\"/g" \ 42 | $(git grep -El 'version=\"[[:digit:]]+\.[[:digit:]]+\"') 43 | 44 | # 45 | # `make bundle` applies some changes that we don't want to the following files. 
46 | # 47 | readonly files_to_preserve=( 48 | "bundle.Dockerfile" 49 | "config/manager/kustomization.yaml" 50 | "config/metrics/kustomization.yaml" 51 | "config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml" 52 | ) 53 | 54 | readonly backup_dir=`mktemp --directory -t bump-osc-version-XXXXXX` 55 | 56 | for f in "${files_to_preserve[@]}"; do 57 | mkdir -p "$(dirname ${backup_dir}/${f})" 58 | cp -f "${f}" "${backup_dir}/${f}" 59 | done 60 | 61 | # Preserve the operator image 62 | readonly imgpath=".spec.install.spec.deployments[0].spec.template.spec.containers[0].image" 63 | export IMG="$(yq ${imgpath} bundle/manifests/sandboxed-containers-operator.clusterserviceversion.yaml)" 64 | 65 | make bundle 66 | 67 | # We don't want to merge these changes 68 | for f in "${files_to_preserve[@]}"; do 69 | cp -f "${backup_dir}/${f}" "${f}" 70 | done 71 | 72 | rm -rf "${backup_dir}" 73 | -------------------------------------------------------------------------------- /scripts/kata-install/README.md: -------------------------------------------------------------------------------- 1 | # How to build the image 2 | 3 | ## Multi-architecture images 4 | 5 | This guide explains how to build and push multi-architecture container images using Podman or Docker. 6 | 7 | ### Prerequisites 8 | - A Linux system with QEMU and `binfmt` properly configured for cross-platform builds. 9 | - Access to a container registry (e.g., `quay.io`). 10 | 11 | The image uses an environment variable `TARGETARCH`, which should match one of the supported architectures (e.g., `amd64`, `s390x`) recognized by your build tool and `umoci`. 
12 | 13 | ### Building with Podman 14 | 15 | Run the following commands from the project root directory: 16 | 17 | ```bash 18 | VERSION=1.11 19 | IMAGE_BASE=quay.io/openshift_sandboxed_containers/osc-daemonset 20 | 21 | # Build for amd64 22 | podman build \ 23 | --platform linux/amd64 \ 24 | --build-arg TARGETARCH=amd64 \ 25 | -t "${IMAGE_BASE}:${VERSION}-amd64" \ 26 | -f scripts/kata-install/Dockerfile \ 27 | ./scripts/kata-install 28 | 29 | # Build for s390x 30 | podman build \ 31 | --platform linux/s390x \ 32 | --build-arg TARGETARCH=s390x \ 33 | -t "${IMAGE_BASE}:${VERSION}-s390x" \ 34 | -f scripts/kata-install/Dockerfile \ 35 | ./scripts/kata-install 36 | 37 | # Create a multi-arch manifest 38 | podman manifest create "${IMAGE_BASE}:${VERSION}" 39 | podman manifest add "${IMAGE_BASE}:${VERSION}" "${IMAGE_BASE}:${VERSION}-amd64" 40 | podman manifest add "${IMAGE_BASE}:${VERSION}" "${IMAGE_BASE}:${VERSION}-s390x" 41 | 42 | # Push the multi-arch image 43 | podman manifest push --all "${IMAGE_BASE}:${VERSION}" 44 | ``` 45 | Tip: Verify the manifest after creation: 46 | 47 | ```bash 48 | podman manifest inspect "${IMAGE_BASE}:${VERSION}" 49 | ``` 50 | 51 | ### Building with Docker buildx 52 | 53 | Run the following command from the project root directory: 54 | 55 | ```bash 56 | docker buildx build \ 57 | --platform linux/amd64,linux/s390x \ 58 | -t quay.io/openshift_sandboxed_containers/osc-daemonset:1.11 \ 59 | -f scripts/kata-install/Dockerfile \ 60 | ./scripts/kata-install \ 61 | --push 62 | ``` 63 | 64 | ### Additional information 65 | 66 | Multi-architecture manifests allow a single image tag to support multiple CPU architectures, enabling automatic selection based on the client’s platform. 
67 | Learn more about multi-platform builds: 68 | - [Docker official documentation](https://docs.docker.com/build/building/multi-platform) 69 | - [Red Hat guide on multi-architecture](https://developers.redhat.com/learning/learn:openshift:simplify-certificate-management-openshift-across-multiple-architectures/resource/resources:create-multi-architecture-images-cross-platform-applications) -------------------------------------------------------------------------------- /config/peerpods/credentials-requests/credentials_request_gcp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cloudcredential.openshift.io/v1 2 | kind: CredentialsRequest 3 | metadata: 4 | name: openshift-sandboxed-containers-gcp 5 | namespace: openshift-cloud-credential-operator 6 | spec: 7 | secretRef: 8 | name: cco-secret 9 | namespace: openshift-sandboxed-containers-operator 10 | providerSpec: 11 | apiVersion: cloudcredential.openshift.io/v1 12 | kind: GCPProviderSpec 13 | permissions: 14 | - iam.serviceAccounts.get 15 | - iam.serviceAccounts.list 16 | - compute.acceleratorTypes.get 17 | - compute.acceleratorTypes.list 18 | - compute.disks.create 19 | - compute.disks.createTagBinding 20 | - compute.disks.setLabels 21 | - compute.globalOperations.get 22 | - compute.globalOperations.list 23 | - compute.healthChecks.useReadOnly 24 | - compute.instanceGroups.create 25 | - compute.instanceGroups.delete 26 | - compute.instanceGroups.get 27 | - compute.instanceGroups.list 28 | - compute.instanceGroups.update 29 | - compute.instances.create 30 | - compute.instances.createTagBinding 31 | - compute.instances.delete 32 | - compute.instances.get 33 | - compute.instances.list 34 | - compute.instances.use 35 | - compute.instances.setLabels 36 | - compute.instances.setMetadata 37 | - compute.instances.setTags 38 | - compute.instances.setServiceAccount 39 | - compute.instances.update 40 | - storage.buckets.get 41 | - storage.buckets.create 42 | - 
storage.buckets.list 43 | - storage.buckets.delete 44 | - storage.objects.create 45 | - storage.objects.get 46 | - storage.objects.delete 47 | - storage.objects.list 48 | - compute.images.useReadOnly 49 | - compute.images.create 50 | - compute.images.delete 51 | - compute.images.get 52 | - compute.images.list 53 | - compute.machineTypes.get 54 | - compute.machineTypes.list 55 | - compute.projects.get 56 | - compute.regionBackendServices.get 57 | - compute.regionBackendServices.create 58 | - compute.regionBackendServices.update 59 | - compute.regions.get 60 | - compute.regions.list 61 | - compute.subnetworks.use 62 | - compute.subnetworks.useExternalIp 63 | - compute.targetPools.addInstance 64 | - compute.targetPools.delete 65 | - compute.targetPools.get 66 | - compute.targetPools.removeInstance 67 | - compute.zoneOperations.get 68 | - compute.zoneOperations.list 69 | - compute.zones.get 70 | - compute.zones.list 71 | - resourcemanager.tagValues.get 72 | - resourcemanager.tagValues.list 73 | - serviceusage.quotas.get 74 | - serviceusage.services.get 75 | - serviceusage.services.list 76 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/intel-dcap/pccs.yaml.in: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: pccs-tls 5 | namespace: intel-dcap 6 | type: Opaque 7 | data: 8 | private.pem: ${PCCS_PEM} 9 | file.crt: ${PCCS_CERT} 10 | --- 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | name: pccs-service 15 | namespace: intel-dcap 16 | spec: 17 | selector: 18 | trustedservices.intel.com/cache: pccs 19 | ports: 20 | - name: pccs 21 | protocol: TCP 22 | port: 8042 23 | targetPort: pccs-port 24 | --- 25 | apiVersion: apps/v1 26 | kind: Deployment 27 | metadata: 28 | name: pccs 29 | namespace: intel-dcap 30 | spec: 31 | replicas: 1 32 | selector: 33 | matchLabels: 34 | app: pccs 35 | template: 36 | 
metadata: 37 | labels: 38 | app: pccs 39 | trustedservices.intel.com/cache: pccs 40 | spec: 41 | tolerations: 42 | - effect: NoSchedule 43 | key: node-role.kubernetes.io/master 44 | operator: Exists 45 | nodeSelector: 46 | kubernetes.io/hostname: ${PCCS_NODE} 47 | initContainers: 48 | - name: init-seclabel 49 | image: registry.access.redhat.com/ubi9/ubi:9.7-1764578509 50 | command: [ "sh", "-c", "chcon -Rt container_file_t /var/cache/pccs" ] 51 | volumeMounts: 52 | - name: host-database 53 | mountPath: /var/cache/pccs 54 | securityContext: 55 | runAsUser: 0 56 | runAsGroup: 0 57 | privileged: true # Required for chcon to work on host files 58 | containers: 59 | - name: pccs 60 | image: registry.redhat.io/openshift-sandboxed-containers/osc-pccs@sha256:de64fc7b13aaa7e466e825d62207f77e7c63a4f9da98663c3ab06abc45f2334d 61 | envFrom: 62 | - secretRef: 63 | name: pccs-secrets 64 | env: 65 | - name: "PCCS_LOG_LEVEL" 66 | value: "info" 67 | - name: "CLUSTER_HTTPS_PROXY" 68 | value: "${CLUSTER_HTTPS_PROXY}" 69 | - name: "PCCS_FILL_MODE" 70 | value: "LAZY" 71 | ports: 72 | - containerPort: 8042 73 | name: pccs-port 74 | volumeMounts: 75 | - name: pccs-tls 76 | mountPath: /opt/intel/pccs/ssl_key 77 | readOnly: true 78 | - name: host-database 79 | mountPath: /var/cache/pccs/ 80 | securityContext: 81 | runAsUser: 0 82 | volumes: 83 | - name: pccs-tls 84 | secret: 85 | secretName: pccs-tls 86 | - name: host-database 87 | hostPath: 88 | path: /var/cache/pccs/ 89 | type: DirectoryOrCreate 90 | -------------------------------------------------------------------------------- /config/peerpods/podvm/agent-policy/README.md: -------------------------------------------------------------------------------- 1 | # Kata Agent Policy 2 | 3 | The Agent Policy feature in Kata Containers allows the Guest VM to perform additional validation on 4 | each agent API request. 
You can change the default policy to a custom agent policy you provide, 5 | or specify a policy as a k8s annotation at runtime (if configured to be allowed). 6 | 7 | ## Specify Custom Policy To Be Used As Default 8 | 9 | By default, Openshift Sandboxed Containers sets a preconfigured policy: Peer-Pods images are set with an 10 | allow-all policy, whereas CoCo images are set with an allow-all policy except for the `ReadStreamRequest` and 11 | `ExecProcessRequest` calls. 12 | 13 | ### Set Custom Policy As Default At Image Creation Time 14 | 15 | To set a default custom policy at image creation time, make sure to encode the policy file (e.g., 16 | [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format and set it as 17 | the value for the AGENT_POLICY key in your `-image-cm` ConfigMap. 18 | 19 | ```sh 20 | ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0) 21 | kubectl patch cm aws-podvm-image-cm -p "{\"data\":{\"AGENT_POLICY\":\"${ENCODED_POLICY}\"}}" -n openshift-sandboxed-containers-operator 22 | ``` 23 | 24 | **note:** an InitData custom default policy will override a policy that was set at image creation. 25 | 26 | ### Set Custom Policy As Default Using InitData 27 | 28 | See [InitData documentation](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md) 29 | 30 | ## Specify Policy At Runtime Through Pod Annotation 31 | 32 | As long as the `SetPolicyRequest` call was not disabled by the default policy, users can specify a custom 33 | policy through an annotation at pod creation time. To set a policy through an annotation, encode your policy 34 | file (e.g., [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format 35 | and set it as the value of the `io.katacontainers.config.agent.policy` annotation. 
36 | 37 | **note:** annotation policy will override any previous policy (as long as `SetPolicyRequest` is allowed) 38 | 39 | ```sh 40 | ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0) 41 | cat <<-EOF | kubectl apply -f - 42 | apiVersion: v1 43 | kind: Pod 44 | metadata: 45 | name: sleep 46 | annotations: 47 | io.containerd.cri.runtime-handler: kata-remote 48 | io.katacontainers.config.agent.policy: ${ENCODED_POLICY} 49 | spec: 50 | runtimeClassName: kata-remote 51 | containers: 52 | - name: sleeping 53 | image: fedora 54 | command: ["sleep"] 55 | args: ["infinity"] 56 | EOF 57 | ``` 58 | 59 | ## Example Policies 60 | - [allow-all.rego](allow-all.rego) 61 | - [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego) 62 | -------------------------------------------------------------------------------- /must-gather/must-gather-requirements.md: -------------------------------------------------------------------------------- 1 | #
Requirements for OpenShift Sandboxed Containers (OSC) must-gather
2 | 3 | 4 | ### Usage 5 | The kataconfig must have `logLevel: debug` set before running `must-gather`. 6 | 7 | OSC `must-gather` should gather all OSC information and logs needed for debugging into a directory: 8 | ```sh 9 | oc adm must-gather --image=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest 10 | ``` 11 | Data about other parts of the cluster is gathered with `oc adm must-gather`. Run `oc adm must-gather -h` to see more options. 12 | 13 | ### Openshift Sandboxed Containers 14 | The Kata runtime is the `containerd-shim-kata-v2` process that talks to the kata agent in the VM. 15 | See also the [Official 1.5 documentation](https://access.redhat.com/documentation/en-us/openshift_sandboxed_containers/1.5/html-single/openshift_sandboxed_containers_user_guide/index#troubleshooting-sandboxed-containers) 16 | 17 | #### Gathered Data 18 | - Resource definitions 19 | - Service logs 20 | - All namespaces and child objects with OSC resources 21 | - All OSC custom resource definitions (CRDs) 22 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/**_*_**\_description 23 | - versions in nodes/**_nodename_**/**_nodename_**/version 24 | - kata-containers 25 | - qemu 26 | 27 | 28 | #### Locations 29 | - CRI-O logs - from the kata runtime 30 | - nodes/**_nodename_**/**_nodename_**\_logs\_crio 31 | - QEMU 32 | - logs are part of the **CRI-O** logs as _subsystem=qemu_ , _subsystem=qmp_ and/or _qemuPID=**PID**_ 33 | - Audits 34 | - audit_logs/**_nodename_**-audit.log.gz 35 | - Logs 36 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/controller-manager-**_*_**\_logs 37 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/install-**_*_**\_logs 38 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/openshift-sandboxed-containers-monitor-**_*_**\_logs 39 | - 
sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/peerpodconfig-ctrl-caa-daemon-**_*_**\_logs 40 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/peer-pods-webhook-**_*_**\_logs 41 | - OSC CRDs 42 | - sandboxed-containers/namespaces/openshift-sandboxed-containers-operator/**_*_**\_description 43 | - sandboxed-containers/clusterserviceversion_description 44 | - sandboxed-containers/kataconfig_description 45 | - sandboxed-containers/services_description 46 | - sandboxed-containers/subscription_description 47 | - sandboxed-containers/validatingwebhookconfigurations_description 48 | - apiservices/v1.kataconfiguration.openshift.io.yaml 49 | - cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/kataconfigs.kataconfiguration.openshift.io.yaml 50 | 51 | 52 | -------------------------------------------------------------------------------- /controllers/cm_event_handler.go: -------------------------------------------------------------------------------- 1 | package controllers 2 | 3 | import ( 4 | "context" 5 | "reflect" 6 | 7 | corev1 "k8s.io/api/core/v1" 8 | "k8s.io/client-go/util/workqueue" 9 | "sigs.k8s.io/controller-runtime/pkg/event" 10 | "sigs.k8s.io/controller-runtime/pkg/reconcile" 11 | ) 12 | 13 | type ConfigMapEventHandler struct { 14 | reconciler *KataConfigOpenShiftReconciler 15 | } 16 | 17 | func (ch *ConfigMapEventHandler) Create(ctx context.Context, event event.CreateEvent, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) { 18 | 19 | if ch.reconciler.kataConfig == nil { 20 | return 21 | } 22 | 23 | cm := event.Object 24 | 25 | // Check if the configMap name is relevant to the operator 26 | if cm.GetNamespace() != OperatorNamespace || !isConfigMapRelevant(cm.GetName()) { 27 | return 28 | } 29 | log := ch.reconciler.Log.WithName("CMCreate").WithValues("cm name", cm.GetName()) 30 | log.Info("FeatureGates configMap created") 31 | 32 | queue.Add(ch.reconciler.makeReconcileRequest()) 
33 | } 34 | // Update enqueues one reconcile request when a ConfigMap in OperatorNamespace that isConfigMapRelevant() accepts changes its Data; it is a no-op until ch.reconciler.kataConfig is set, and updates that leave Data unchanged (only Data is compared, not BinaryData or metadata) are logged and dropped. 35 | func (ch *ConfigMapEventHandler) Update(ctx context.Context, event event.UpdateEvent, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) { 36 | 37 | if ch.reconciler.kataConfig == nil { 38 | return 39 | } 40 | 41 | cm := event.ObjectNew 42 | cmOld := event.ObjectOld 43 | 44 | // Check if the configMap name is relevant to the operator 45 | if cm.GetNamespace() != OperatorNamespace || !isConfigMapRelevant(cm.GetName()) { 46 | return 47 | } 48 | 49 | log := ch.reconciler.Log.WithName("CMUpdate").WithValues("cm name", cm.GetName()) 50 | log.Info("FeatureGates configMap updated") 51 | 52 | // Check if the configMap data has actually changed 53 | // Otherwise we don't need to do anything. Only .Data is compared, so a BinaryData-only edit is ignored. The two type assertions below are unchecked and would panic if this handler were ever wired to a watch that delivers a non-ConfigMap object; the DeepCopyObject() is not required here because Data is only read, never mutated. 54 | dataOld := cmOld.DeepCopyObject().(*corev1.ConfigMap).Data 55 | dataNew := cm.DeepCopyObject().(*corev1.ConfigMap).Data 56 | if reflect.DeepEqual(dataOld, dataNew) { 57 | log.Info("No change in configMap data") 58 | return 59 | } 60 | 61 | queue.Add(ch.reconciler.makeReconcileRequest()) 62 | 63 | } 64 | // Delete enqueues one reconcile request when a ConfigMap in OperatorNamespace that isConfigMapRelevant() accepts is removed; no-op until ch.reconciler.kataConfig is set. 65 | func (ch *ConfigMapEventHandler) Delete(ctx context.Context, event event.DeleteEvent, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) { 66 | if ch.reconciler.kataConfig == nil { 67 | return 68 | } 69 | 70 | cm := event.Object 71 | 72 | // Check if the configMap name is relevant to the operator 73 | if cm.GetNamespace() != OperatorNamespace || !isConfigMapRelevant(cm.GetName()) { 74 | return 75 | } 76 | log := ch.reconciler.Log.WithName("CMDelete").WithValues("cm name", cm.GetName()) 77 | log.Info("FeatureGates configMap deleted") 78 | 79 | queue.Add(ch.reconciler.makeReconcileRequest()) 80 | } 81 | // Generic is intentionally a no-op: generic events are not acted on by this handler. 82 | func (ch *ConfigMapEventHandler) Generic(ctx context.Context, event event.GenericEvent, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) { 83 | } 84 | -------------------------------------------------------------------------------- /tests/osc-test-fbc-integration.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: Pipeline 3 | metadata: 4 | name: osc-test-fbc-integration 5 | spec: 6 | description: >- 7 | Run Prow jobs for testing the osc-test-fbc catalog. 8 | params: 9 | - name: GANGWAY_TOKEN 10 | type: string 11 | description: Token to authenticate with gangway 12 | default: gangway-token 13 | - description: 'Snapshot of the application' 14 | name: SNAPSHOT 15 | default: '{"components": [{"name":"osc-test-fbc", "containerImage": "quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest"}]}' 16 | type: string 17 | tasks: 18 | - name: get-catalog-image 19 | params: 20 | - name: SNAPSHOT 21 | value: $(params.SNAPSHOT) 22 | taskSpec: 23 | params: 24 | - name: SNAPSHOT 25 | results: 26 | - name: CATALOG_IMAGE 27 | description: "The catalog image extracted from the SNAPSHOT" 28 | steps: 29 | - name: get-catalog-image 30 | image: registry.redhat.io/openshift4/ose-cli:latest 31 | env: 32 | - name: SNAPSHOT 33 | value: $(params.SNAPSHOT) 34 | script: | 35 | #!/bin/bash 36 | set -e 37 | dnf -y install jq 38 | echo "Snapshot: ${SNAPSHOT}" 39 | catalogImage=$(jq -r '.components[] | select(.name=="osc-test-fbc") | .containerImage' <<< "${SNAPSHOT}") 40 | echo "Catalog image: ${catalogImage}" 41 | echo "${catalogImage}" > $(results.CATALOG_IMAGE.path) 42 | - name: prow-job 43 | displayName: "Running prow job $(params.PROWJOB_NAME)" 44 | timeout: "4h" 45 | runAfter: 46 | - get-catalog-image 47 | taskRef: 48 | resolver: git 49 | params: 50 | - name: url 51 | value: https://github.com/openshift/konflux-tasks 52 | - name: revision 53 | value: 26d8e981a7d1d035f05c4accd30b38d07f8f02b5 54 | - name: pathInRepo 55 | value: tasks/provide-prowjob/0.1/provide-prowjob.yaml 56 | params: 57 | - name: SNAPSHOT 58 | value: $(params.SNAPSHOT) 59 | - name: VARIANT 60 | value: downstream-candidate 61 | - name: ENVS 62 | value: 
"CATALOG_SOURCE_IMAGE=$(tasks.get-catalog-image.results.CATALOG_IMAGE)" 63 | matrix: 64 | params: 65 | - name: PROWJOB_NAME 66 | value: 67 | - periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-azure-ipi-kata 68 | - periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-azure-ipi-peerpods 69 | - periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aws-ipi-peerpods 70 | -------------------------------------------------------------------------------- /config/peerpods/podvm/ubi.repo: -------------------------------------------------------------------------------- 1 | [ubi-9-for-$basearch-baseos-rpms] 2 | name = Red Hat Universal Base Image 9 (RPMs) - BaseOS 3 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os 4 | enabled = 1 5 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 6 | gpgcheck = 1 7 | 8 | [ubi-9-for-$basearch-baseos-debug-rpms] 9 | name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS 10 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug 11 | enabled = 0 12 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 13 | gpgcheck = 1 14 | 15 | [ubi-9-for-$basearch-baseos-source-rpms] 16 | name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS 17 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS 18 | enabled = 1 19 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 20 | gpgcheck = 1 21 | 22 | [ubi-9-for-$basearch-appstream-rpms] 23 | name = Red Hat Universal Base Image 9 (RPMs) - AppStream 24 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os 25 | enabled = 1 26 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 27 | gpgcheck = 1 28 | 29 | [ubi-9-for-$basearch-appstream-debug-rpms] 30 | name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream 31 | baseurl = 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug 32 | enabled = 0 33 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 34 | gpgcheck = 1 35 | 36 | [ubi-9-for-$basearch-appstream-source-rpms] 37 | name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream 38 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS 39 | enabled = 1 40 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 41 | gpgcheck = 1 42 | 43 | [codeready-builder-for-ubi-9-$basearch-rpms] 44 | name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder 45 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os 46 | enabled = 1 47 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 48 | gpgcheck = 1 49 | 50 | [codeready-builder-for-ubi-9-$basearch-debug-rpms] 51 | name = Red Hat Universal Base Image 9 (Debug RPMs) - CodeReady Builder 52 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug 53 | enabled = 0 54 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 55 | gpgcheck = 1 56 | 57 | [codeready-builder-for-ubi-9-$basearch-source-rpms] 58 | name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder 59 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS 60 | enabled = 1 61 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 62 | gpgcheck = 1 63 | -------------------------------------------------------------------------------- /config/peerpods/podvm/Dockerfile.podvm-builder: -------------------------------------------------------------------------------- 1 | FROM registry.access.redhat.com/ubi9/ubi:9.7-1764578509 2 | 3 | # azure-podvm-image-handler.sh script under /scripts/azure-podvm-image-handler.sh 4 | # aws-podvm-image-handler.sh script under /scripts/aws-podvm-image-handler.sh 5 | # 
sources for cloud-api-adaptor under /src/cloud-api-adaptor 6 | # The podvm binaries are expected to be under /payload/podvm-binaries.tar.gz 7 | # Binaries like kubectl, packer and yq under /usr/local/bin will be installed by the scripts 8 | 9 | 10 | LABEL kata_src=https://github.com/kata-containers/kata-containers 11 | LABEL kata_src_commit=stable-3.7 12 | 13 | ARG ORG_ID 14 | ARG ACTIVATION_KEY 15 | 16 | # This registers RHEL when building on an unsubscribed system. 17 | # If you are running a UBI container on a registered and subscribed RHEL host, 18 | # the main RHEL Server repository is enabled inside the standard UBI container. 19 | # Uncomment this and provide the associated ARG variables to register. NOTE(review): build-arg values such as ACTIVATION_KEY are recorded in the image history of any layer whose RUN uses them, so keep registration in a separate build stage or supply the key as a build secret rather than a plain ARG. 20 | #RUN if [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]]; then \ 21 | # rm -f /etc/rhsm-host && rm -f /etc/pki/entitlement-host; \ 22 | # subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}; \ 23 | # fi 24 | 25 | RUN mkdir -p /scripts 26 | 27 | ADD ami-helper.sh lib.sh libvirt-podvm-image-handler.sh aws-podvm-image-handler.sh azure-podvm-image-handler.sh gcp-podvm-image-handler.sh ibmcloud-podvm-image-handler.sh /scripts/ 28 | 29 | RUN mkdir -p /scripts/bootc 30 | ADD bootc/config.toml /scripts/bootc/ 31 | 32 | # TODO: Since this installation applies to all providers, consider renaming the 33 | # script or moving the generic RPMS installation elsewhere for better clarity. 
34 | RUN /scripts/azure-podvm-image-handler.sh -- install_rpms 35 | 36 | ARG CAA_SRC=https://github.com/confidential-containers/cloud-api-adaptor 37 | ARG CAA_REF=main 38 | ARG CERT_RPM 39 | 40 | 41 | ENV CAA_SRC=$CAA_SRC 42 | ENV CAA_REF=$CAA_REF 43 | ENV CERT_RPM=$CERT_RPM 44 | # NOTE(review): CERT_RPM is an unquoted build arg handed straight to dnf; a local .rpm or a URL is only signature-checked when dnf's localpkg_gpgcheck is enabled, so confirm where this value is set in the build pipeline. 45 | RUN if [[ -n "$CERT_RPM" ]] ; then \ 46 | dnf install -y $CERT_RPM ; \ 47 | fi 48 | 49 | 50 | COPY cloud-api-adaptor /src/cloud-api-adaptor 51 | 52 | ADD podvm-builder.sh /podvm-builder.sh 53 | 54 | # Red Hat labels (NOTE(review): cpe still carries 1.10 while version is 1.11 — confirm whether the cpe label should be bumped to match) 55 | LABEL name="openshift-sandboxed-containers/osc-podvm-builder-rhel9" \ 56 | cpe="cpe:/a:redhat:confidential_compute_attestation:1.10::el9" \ 57 | version="1.11" \ 58 | com.redhat.component="osc-podvm-builder-container" \ 59 | summary="Container image containing artefacts that is required for creating Pod VM images" \ 60 | maintainer="redhat@redhat.com" \ 61 | description="Container image containing artefacts that is required for creating Pod VM images" \ 62 | io.k8s.display-name="openshift-sandboxed-containers-podvm-builder" \ 63 | io.k8s.description="Container image containing artefacts that is required for creating Pod VM images" \ 64 | io.openshift.tags="" 65 | 66 | ENTRYPOINT ["/podvm-builder.sh"] 67 | -------------------------------------------------------------------------------- /must-gather/ubi.repo: -------------------------------------------------------------------------------- 1 | [ubi-9-for-$basearch-baseos-rpms] 2 | name = Red Hat Universal Base Image 9 (RPMs) - BaseOS 3 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os 4 | enabled = 1 5 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 6 | gpgcheck = 1 7 | 8 | [ubi-9-for-$basearch-baseos-debug-rpms] 9 | name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS 10 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug 11 | enabled = 0 12 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 13 | gpgcheck = 1 
14 | 15 | [ubi-9-for-$basearch-baseos-source-rpms] 16 | name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS 17 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS 18 | enabled = 1 19 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 20 | gpgcheck = 1 21 | 22 | [ubi-9-for-$basearch-appstream-rpms] 23 | name = Red Hat Universal Base Image 9 (RPMs) - AppStream 24 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os 25 | enabled = 1 26 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 27 | gpgcheck = 1 28 | 29 | [ubi-9-for-$basearch-appstream-debug-rpms] 30 | name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream 31 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug 32 | enabled = 0 33 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 34 | gpgcheck = 1 35 | 36 | [ubi-9-for-$basearch-appstream-source-rpms] 37 | name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream 38 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS 39 | enabled = 1 40 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 41 | gpgcheck = 1 42 | 43 | [codeready-builder-for-ubi-9-$basearch-rpms] 44 | name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder 45 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os 46 | enabled = 1 47 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 48 | gpgcheck = 1 49 | 50 | [codeready-builder-for-ubi-9-$basearch-debug-rpms] 51 | name = Red Hat Universal Base Image 9 (Debug RPMs) - CodeReady Builder 52 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug 53 | enabled = 0 54 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 55 | gpgcheck = 1 56 | 57 | 
[codeready-builder-for-ubi-9-$basearch-source-rpms] 58 | name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder 59 | baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS 60 | enabled = 1 61 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 62 | gpgcheck = 1 63 | -------------------------------------------------------------------------------- /config/peerpods/podvm/osc-podvm-delete-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: osc-podvm-image-deletion 5 | namespace: openshift-sandboxed-containers-operator 6 | spec: 7 | parallelism: 1 8 | completions: 1 9 | backoffLimit: 1 10 | template: 11 | metadata: 12 | name: osc-podvm-image-deletion 13 | spec: 14 | containers: 15 | - name: delete 16 | # This image contains the following 17 | # podvm binaries under /payload/podvm-binaries.tar.gz 18 | # azure-podvm-image-handler.sh script under /scripts/azure-podvm-image-handler.sh 19 | # aws-podvm-image-handler.sh script under /scripts/aws-podvm-image-handler.sh 20 | # gcp-podvm-image-handler.sh script under /scripts/gcp-podvm-image-handler.sh 21 | # ibmcloud-podvm-image-handler.sh script under /scripts/ibmcloud-podvm-image-handler.sh 22 | # sources for cloud-api-adaptor under /src/cloud-api-adaptor 23 | # Binaries like kubectl, packer and yq under /usr/local/bin 24 | image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.11.1 ## OSC_VERSION 25 | securityContext: 26 | runAsUser: 0 # needed for container mode dnf access 27 | env: 28 | - name: AMI_ID 29 | value: "" # Set this to the aws ami id to delete 30 | - name: IMAGE_ID 31 | value: "" # Set this to the azure image id to delete 32 | - name: LIBVIRT_IMAGE_ID 33 | value: "" # Set this to the libvirt image id to delete 34 | - name: IMAGE_NAME 35 | value: "" # Set this to the gcp image name to delete 36 | envFrom: 
37 | - secretRef: 38 | name: peer-pods-secret 39 | - configMapRef: 40 | name: peer-pods-cm 41 | optional: true 42 | - configMapRef: 43 | name: azure-podvm-image-cm 44 | optional: true 45 | - configMapRef: 46 | name: aws-podvm-image-cm 47 | optional: true 48 | - configMapRef: 49 | name: gcp-podvm-image-cm 50 | optional: true 51 | - configMapRef: 52 | name: ibmcloud-podvm-image-cm 53 | optional: true 54 | - configMapRef: 55 | name: libvirt-podvm-image-cm 56 | optional: true 57 | command: ["/podvm-builder.sh", "delete", "-f"] 58 | volumeMounts: 59 | - name: ssh-key-secret 60 | mountPath: "/root/.ssh/" 61 | readOnly: true 62 | volumes: 63 | - name: ssh-key-secret 64 | secret: 65 | secretName: ssh-key-secret 66 | items: 67 | - key: id_rsa 68 | path: "id_rsa" 69 | defaultMode: 0400 70 | optional: true 71 | 72 | restartPolicy: Never 73 | -------------------------------------------------------------------------------- /scripts/rvps-extraction/RVPS_Reference.md: -------------------------------------------------------------------------------- 1 | 2 | # RVPS (Reference Value Provider Service) Usage 3 | 4 | The RVPS (Reference Value Provider Service) values are used for remote attestation. 5 | 6 | It is responsible for verifying, storing, and providing reference values. RVPS receives and verifies inputs from the software supply chain, stores the measurement values, and generates reference value claims for the Attestation Service. 7 | 8 | This operation is performed based on the evidence verified by the Attestation Service (AS). 9 | 10 | ## RVPS Values 11 | 12 | The values are: 13 | 14 | 1. `image_phkh` 15 | 2. `image_tag` 16 | 3. `se.version` 17 | 4. `se.tag` 18 | 5. `se.attestation_phk` 19 | 20 | ## Script Options 21 | 22 | The script will help retrieve the RVPS via the following two options: 23 | 24 | 1. **Calculate the RVPS values based on the SE PODVM image stored locally** on the user’s machine where the script is being executed. 
The script will expect the absolute path of the SE PODVM image. 25 | 26 | 2. **Calculate the RVPS values based on the SE PODVM image uploaded to a libvirt volume**. The script will expect the following inputs: 27 | - Libvirt Pool Name 28 | - Libvirt URI Name 29 | - Libvirt Volume Name 30 | 31 | ## Output 32 | 33 | After successful execution, you will get `se-message` and `ibmse-policy.rego` in a directory called `output-files`. These files will contain the RVPS parameters. 34 | 35 | ## Prerequisites 36 | 37 | The user needs to copy the `Rvps-Extraction` folder locally: 38 | 39 | ```bash 40 | [root@a3elp36 Rvps-Extraction]# ls -lrt 41 | total 8 42 | drwxr-xr-x. 2 root root 65 Oct 19 16:52 static-files 43 | -rwxr-xr-x. 1 root root 6078 Oct 19 16:52 GetRvps.sh 44 | ``` 45 | 46 | Once copied, the script can be executed as follows: 47 | 48 | ```bash 49 | ./GetRvps.sh 50 | ``` 51 | 52 | ### Options 53 | 1. Generate the RVPS from a local image on the user’s PC 54 | 2. Generate RVPS from a volume 55 | 3. Quit 56 | 57 | Once the script finishes, the output directory will be created, and the files will be copied to the same path where the script is executed. For example: 58 | 59 | ```bash 60 | -rw-r--r--. 1 root root 640 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/hdr.bin 61 | -rw-r--r--. 1 root root 446 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/ibmse-policy.rego 62 | -rw-r--r--. 1 root root 561 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/se-message 63 | ``` 64 | 65 | ## Static Files 66 | 67 | Some static files will also be used to generate the RVPS. These include: 68 | 69 | - **`pvextract-hdr`**: This is used to extract the SE header from the PODVM SE image (input). It generates an intermediate file, `hdr.bin`, which will be used for further extraction. 70 | - **`se_parse_hdr.py`**: A Python parser used to generate the actual RVPS values. 71 | - **`HKD.crt`**: This certificate will vary between labs. 
The user needs to copy the same `HKD.crt` used to generate the uploaded PODVM SE image into this path. 72 | -------------------------------------------------------------------------------- /must-gather/rpms.lock.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | lockfileVersion: 1 3 | lockfileVendor: redhat 4 | arches: 5 | - arch: s390x 6 | packages: 7 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/r/rsync-3.2.5-3.el9.s390x.rpm 8 | repoid: ubi-9-for-s390x-baseos-rpms 9 | size: 418877 10 | checksum: sha256:2d1a87e86fb23bc665b7c7ce8775c73d500ef6e152f15c78493b95638dfb7925 11 | name: rsync 12 | evr: 3.2.5-3.el9 13 | sourcerpm: rsync-3.2.5-3.el9.src.rpm 14 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tar-1.34-7.el9.s390x.rpm 15 | repoid: ubi-9-for-s390x-baseos-rpms 16 | size: 902370 17 | checksum: sha256:fa8758bac6a56830de66ad1ab623c87768065bcc6f8242faa42ac4198260d456 18 | name: tar 19 | evr: 2:1.34-7.el9 20 | sourcerpm: tar-1.34-7.el9.src.rpm 21 | source: 22 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm 23 | repoid: ubi-9-for-s390x-baseos-source-rpms 24 | size: 1306931 25 | checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 26 | name: rsync 27 | evr: 3.2.5-3.el9 28 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/source/SRPMS/Packages/t/tar-1.34-7.el9.src.rpm 29 | repoid: ubi-9-for-s390x-baseos-source-rpms 30 | size: 2261512 31 | checksum: sha256:d002c400d29e7305fe8a982ab6b9f49ee7a8780e4574b86fc0c5b3d5510ecb22 32 | name: tar 33 | evr: 2:1.34-7.el9 34 | module_metadata: [] 35 | - arch: x86_64 36 | packages: 37 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm 38 | repoid: ubi-9-for-x86_64-baseos-rpms 39 | size: 
421930 40 | checksum: sha256:b1d90c38b613f2d66dfe0c7c3d067a3ce429f7b2ec5224e560f326fc2fd8d1e5 41 | name: rsync 42 | evr: 3.2.5-3.el9 43 | sourcerpm: rsync-3.2.5-3.el9.src.rpm 44 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm 45 | repoid: ubi-9-for-x86_64-baseos-rpms 46 | size: 910235 47 | checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3 48 | name: tar 49 | evr: 2:1.34-7.el9 50 | sourcerpm: tar-1.34-7.el9.src.rpm 51 | source: 52 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm 53 | repoid: ubi-9-for-x86_64-baseos-source-rpms 54 | size: 1306931 55 | checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 56 | name: rsync 57 | evr: 3.2.5-3.el9 58 | - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/source/SRPMS/Packages/t/tar-1.34-7.el9.src.rpm 59 | repoid: ubi-9-for-x86_64-baseos-source-rpms 60 | size: 2261512 61 | checksum: sha256:d002c400d29e7305fe8a982ab6b9f49ee7a8780e4574b86fc0c5b3d5510ecb22 62 | name: tar 63 | evr: 2:1.34-7.el9 64 | module_metadata: [] 65 | -------------------------------------------------------------------------------- /config/peerpods/podvm/README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | This is a brief readme explaining the usage of the podvm-builder scripts and 4 | related files. The scripts and related manifest files are primarily used by 5 | the operator to generate a pod VM image. 
6 | 7 | ## PodVM image generation configuration 8 | 9 | The configuration used for the podvm image generation is available in the following configmaps: 10 | 11 | - Azure: `azure-podvm-image-cm` 12 | - AWS: `aws-podvm-image-cm` 13 | - GCP: `gcp-podvm-image-cm` 14 | 15 | If you want to change the default configuration, then depending on the cloud 16 | provider (e.g. aws, azure or gcp) you'll need to pre-create the respective 17 | configmaps. Please review and modify the settings in the configMap as 18 | required. For example, if you need to add NVIDIA GPU drivers in the podvm 19 | image then set `ENABLE_NVIDIA_GPU: yes`. Likewise, if you want to create an image 20 | for confidential containers then set `CONFIDENTIAL_COMPUTE_ENABLED: yes`. 21 | 22 | Use the following command to create the configMap for AWS: 23 | 24 | ```sh 25 | kubectl apply -f aws-podvm-image-cm.yaml 26 | ``` 27 | 28 | Use the following command to create the configMap for Azure: 29 | 30 | ```sh 31 | kubectl apply -f azure-podvm-image-cm.yaml 32 | ``` 33 | 34 | Now when you create a KataConfig with `enablePeerPods: true` and an empty 35 | `AZURE_IMAGE_ID` or `AWS_AMI_ID` in `peer-pods-cm`, then depending on the cloud 36 | provider configured, the operator will create the pod VM image based on the 37 | provided config. 38 | 39 | ## PodVM Image Upload Configuration 40 | 41 | The PodVM image can be embedded into a container image. This container image can then be unwrapped and uploaded to the libvirt volume specified in the `peer-pods-cm`. Please note that this feature is currently supported only for the libvirt provider. 42 | 43 | To create an OCI image with the PodVM image, you can use the `Dockerfile.podvm-oci` as follows: 44 | 45 | ```bash 46 | docker build -t podvm-libvirt \ 47 | --build-arg PODVM_IMAGE_SRC=PATH_TO_QCOW2_ON_HOST \ 48 | -f Dockerfile.podvm-oci . 49 | ``` 50 | 51 | In this context, `PODVM_IMAGE_SRC` refers to the location of the `qcow2` image on the host. 
Optionally, you can also set `PODVM_IMAGE_PATH`, which is the path of the qcow2 image inside the container. This path will be used as `IMAGE_PATH` in the `PODVM_IMAGE_URI` as described below. 52 | 53 | `oci` is the only supported `image_repo_type` at present. 54 | 55 | Ensure that `PODVM_IMAGE_URI` is configured in the `libvirt-podvm-image-cm` in the following format: 56 | 57 | ```bash 58 | PODVM_IMAGE_URI: "IMAGE_REPO_TYPE::IMAGE_REPO_URL:IMAGE_TAG::IMAGE_PATH" 59 | ``` 60 | 61 | For example: 62 | 63 | ```bash 64 | PODVM_IMAGE_URI: "oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm-390x.qcow2" 65 | ``` 66 | 67 | In this example, `IMAGE_TAG` and `IMAGE_PATH` are optional. If not provided, the default values will be `IMAGE_TAG`: `latest` and `IMAGE_PATH`: `/image/podvm.qcow2`. 68 | 69 | **Note:** When pulling container images from authenticated registries, make sure that the OpenShift `pull-secrets` are updated with the necessary registry credentials. 70 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: tdx-qgs 5 | namespace: intel-dcap 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: tdx-qgs 10 | template: 11 | metadata: 12 | labels: 13 | app: tdx-qgs 14 | annotations: 15 | sgx.intel.com/quote-provider: tdx-qgs 16 | qcnl-conf: '{"pccs_url": "https://pccs-service:8042/sgx/certification/v4/", "use_secure_cert": false, "pck_cache_expire_hours": 168}' 17 | spec: 18 | nodeSelector: 19 | intel.feature.node.kubernetes.io/tdx: 'true' 20 | hostNetwork: true 21 | dnsPolicy: ClusterFirstWithHostNet 22 | initContainers: 23 | - name: platform-registration 24 | image: registry.redhat.io/openshift-sandboxed-containers/osc-tdx-qgs@sha256:86b23461c4eea073f4535a777374a54e934c37ac8c96c6180030f92ebf970524 25 | restartPolicy: Always 26 | command: [ '/usr/bin/dcap-registration-flow' ] 27 | env: 28 | - name: 
PCCS_URL 29 | value: "https://pccs-service:8042" 30 | - name: SECURE_CERT 31 | value: 'false' 32 | envFrom: 33 | - secretRef: 34 | name: pccs-secrets 35 | securityContext: 36 | readOnlyRootFilesystem: true 37 | allowPrivilegeEscalation: true 38 | privileged: true 39 | capabilities: 40 | drop: 41 | - ALL 42 | add: 43 | - LINUX_IMMUTABLE 44 | volumeMounts: 45 | - name: efivars 46 | mountPath: /sys/firmware/efi/efivars 47 | containers: 48 | - name: tdx-qgs 49 | image: registry.redhat.io/openshift-sandboxed-containers/osc-tdx-qgs@sha256:86b23461c4eea073f4535a777374a54e934c37ac8c96c6180030f92ebf970524 50 | args: 51 | - -p=4050 52 | - -n=4 53 | securityContext: 54 | readOnlyRootFilesystem: true 55 | allowPrivilegeEscalation: false 56 | capabilities: 57 | drop: 58 | - ALL 59 | resources: 60 | limits: 61 | sgx.intel.com/epc: "512Ki" 62 | sgx.intel.com/enclave: 1 63 | sgx.intel.com/provision: 1 64 | env: 65 | - name: QCNL_CONF_PATH 66 | value: "/run/dcap/qcnl_conf" 67 | - name: XDG_CACHE_HOME 68 | value: "/run/dcap/cache" 69 | volumeMounts: 70 | - name: dcap-qcnl-cache 71 | mountPath: /run/dcap/cache 72 | - name: qcnl-config 73 | mountPath: /run/dcap/ 74 | readOnly: true 75 | volumes: 76 | - name: dcap-qcnl-cache 77 | emptyDir: 78 | sizeLimit: 50Mi 79 | - name: qcnl-config 80 | downwardAPI: 81 | items: 82 | - path: "qcnl_conf" 83 | fieldRef: 84 | fieldPath: metadata.annotations['qcnl-conf'] 85 | - name: efivars 86 | hostPath: 87 | path: /sys/firmware/efi/efivars/ 88 | -------------------------------------------------------------------------------- /testbin/setup-envtest.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2020 The Kubernetes Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -o errexit 18 | set -o pipefail 19 | 20 | # Turn colors in this script off by setting the NO_COLOR variable in your 21 | # environment to any value: 22 | # 23 | # $ NO_COLOR=1 test.sh 24 | NO_COLOR=${NO_COLOR:-""} 25 | if [ -z "$NO_COLOR" ]; then 26 | header=$'\e[1;33m' 27 | reset=$'\e[0m' 28 | else 29 | header='' 30 | reset='' 31 | fi 32 | # header_text prints its arguments wrapped in the header/reset escape sequences (both empty when NO_COLOR is set). 33 | function header_text { 34 | echo "$header$*$reset" 35 | } 36 | # setup_envtest_env exports KUBEBUILDER_ASSETS as "$1/bin" unless the variable is already set in the environment. 37 | function setup_envtest_env { 38 | header_text "setting up env vars" 39 | 40 | # Setup env vars 41 | KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS:-""} 42 | if [[ -z "${KUBEBUILDER_ASSETS}" ]]; then 43 | export KUBEBUILDER_ASSETS=$1/bin 44 | fi 45 | } 46 | 47 | # fetch k8s API gen tools and make it available under envtest_root_dir/bin. 48 | # 49 | # Skip fetching and untaring the tools by setting the SKIP_FETCH_TOOLS variable 50 | # in your environment to any value: 51 | # 52 | # $ SKIP_FETCH_TOOLS=1 ./check-everything.sh 53 | # 54 | # If you skip fetching tools, this script will use the tools already on your 55 | # machine. Argument $1 is the destination directory; ENVTEST_K8S_VERSION selects the tools version (default 1.16.4). Returns 1 on an unsupported GOOS. 56 | function fetch_envtest_tools { 57 | SKIP_FETCH_TOOLS=${SKIP_FETCH_TOOLS:-""} 58 | if [ -n "$SKIP_FETCH_TOOLS" ]; then 59 | return 0 60 | fi 61 | 62 | tmp_root=/tmp 63 | envtest_root_dir=$tmp_root/envtest 64 | 65 | k8s_version="${ENVTEST_K8S_VERSION:-1.16.4}" 66 | goarch="$(go env GOARCH)" 67 | goos="$(go env GOOS)" 68 | 69 | if [[ "$goos" != "linux" && "$goos" != "darwin" ]]; then 70 | echo "OS '$goos' not supported. Aborting." 
>&2 71 | return 1 72 | fi 73 | 74 | local dest_dir="${1}" 75 | 76 | # use the pre-existing version in the temporary folder if it matches our k8s version 77 | if [[ -x "${dest_dir}/bin/kube-apiserver" ]]; then 78 | version=$("${dest_dir}"/bin/kube-apiserver --version) 79 | if [[ $version == *"${k8s_version}"* ]]; then 80 | header_text "Using cached envtest tools from ${dest_dir}" 81 | return 0 82 | fi 83 | fi 84 | 85 | header_text "fetching envtest tools@${k8s_version} (into '${dest_dir}')" 86 | envtest_tools_archive_name="kubebuilder-tools-$k8s_version-$goos-$goarch.tar.gz" 87 | envtest_tools_download_url="https://storage.googleapis.com/kubebuilder-tools/$envtest_tools_archive_name" 88 | # NOTE(review): curl runs without --fail and the archive is neither checksum- nor signature-verified before tar extracts it; because the file test below skips the download whenever the path already exists, a truncated or error-page download left in $tmp_root is extracted again on every later run until it is removed by hand. 89 | envtest_tools_archive_path="$tmp_root/$envtest_tools_archive_name" 90 | if [ ! -f $envtest_tools_archive_path ]; then 91 | curl -sL ${envtest_tools_download_url} -o "$envtest_tools_archive_path" 92 | fi 93 | 94 | mkdir -p "${dest_dir}" 95 | tar -C "${dest_dir}" --strip-components=1 -zvxf "$envtest_tools_archive_path" 96 | } 97 | -------------------------------------------------------------------------------- /config/peerpods/podvm/ibmcloud-podvm-image-handler.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # FILEPATH: ibmcloud-podvm-image-handler.sh 3 | 4 | # This script is used to import PodVM images to IBM Cloud 5 | # The basic assumption is that the required variables are set as environment variables in the pod 6 | # Typically the variables are read from configmaps and set as environment variables in the pod 7 | # The script will be called with one of the following options: 8 | # Create image (-c) 9 | # Delete image (-C) 10 | 11 | # include common functions from lib.sh 12 | # shellcheck source=/dev/null 13 | # The directory is where ibmcloud-podvm-image-handler.sh is located 14 | source "$(dirname "$0")"/lib.sh 15 | 16 | # function to download and install ibmcloud cli 17 | 18 | function install_ibmcloud_cli() { 19 | # 
Install ibmcloud cli 20 | # If any error occurs, exit the script with an error message 21 | 22 | # Check if ibmcloud cli is already installed 23 | if command -v ibmcloud &>/dev/null; then 24 | echo "ibmcloud cli is already installed" 25 | return 26 | fi 27 | 28 | # Download ibmcloud cli 29 | curl -fsSL https://clis.cloud.ibm.com/install/linux -o /tmp/ibmcloud_install.sh || 30 | error_exit "Failed to download ibmcloud cli" 31 | 32 | # Install ibmcloud cli 33 | sh /tmp/ibmcloud_install.sh || 34 | error_exit "Failed to execute ibmcloud cli installer" 35 | 36 | # Install ibmcloud cli plugins 37 | ibmcloud plugin install -a || 38 | error_exit "Failed to install ibmcloud cli plugins" 39 | 40 | # Clean up temporary files 41 | rm -f "/tmp/ibmcloud_install.sh" 42 | } 43 | 44 | function create_image() { 45 | error_exit "currently not supported" 46 | } 47 | 48 | function delete_image() { 49 | error_exit "currently not supported" 50 | } 51 | 52 | # display help message 53 | 54 | function display_help() { 55 | echo "This script is used to import PodVM images to IBM Cloud" 56 | echo "Usage: $0 [-c|-C] [-- install_binaries|install_rpms|install_cli]" 57 | echo "Options:" 58 | echo "-c Create image" 59 | echo "-C Delete image" 60 | } 61 | 62 | # main function 63 | 64 | if [ "$#" -eq 0 ]; then 65 | display_help 66 | exit 1 67 | fi 68 | 69 | if [ "$1" = "--" ]; then 70 | shift 71 | # Handle positional parameters 72 | case "$1" in 73 | 74 | install_binaries) 75 | install_binary_packages 76 | ;; 77 | install_rpms) 78 | install_rpm_packages 79 | ;; 80 | install_cli) 81 | install_ibmcloud_cli 82 | ;; 83 | *) 84 | echo "Unknown argument: $1" 85 | exit 1 86 | ;; 87 | esac 88 | else 89 | while getopts "cCh" opt; do 90 | verify_vars 91 | case ${opt} in 92 | c) 93 | create_image 94 | ;; 95 | C) 96 | delete_image 97 | ;; 98 | h) 99 | # Display help 100 | display_help 101 | exit 0 102 | ;; 103 | *) 104 | # Invalid option 105 | display_help 106 | exit 1 107 | ;; 108 | esac 109 | done 110 | fi 
111 | -------------------------------------------------------------------------------- /scripts/install-helpers/baremetal-coco/image_mirroring.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.openshift.io/v1 2 | kind: ImageTagMirrorSet 3 | metadata: 4 | name: osc-brew-registry-tag 5 | spec: 6 | imageTagMirrors: 7 | - mirrors: 8 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-bundle 9 | source: registry.redhat.io/openshift-sandboxed-containers/openshift-sandboxed-containers-operator-bundle 10 | - mirrors: 11 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-podvm-builder 12 | source: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9 13 | - mirrors: 14 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-podvm-payload 15 | source: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9 16 | - mirrors: 17 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator 18 | source: registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator 19 | - mirrors: 20 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-monitor 21 | source: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9 22 | - mirrors: 23 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-cloud-api-adaptor 24 | source: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9 25 | - mirrors: 26 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-cloud-api-adaptor-webhook 27 | source: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9 28 | --- 29 | apiVersion: config.openshift.io/v1 30 | kind: ImageDigestMirrorSet 31 | metadata: 32 | name: osc-brew-registry-digest 33 | spec: 34 | imageDigestMirrors: 35 | - mirrors: 36 | - 
brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-bundle 37 | source: registry.redhat.io/openshift-sandboxed-containers/openshift-sandboxed-containers-operator-bundle 38 | - mirrors: 39 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-podvm-builder 40 | source: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9 41 | - mirrors: 42 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-podvm-payload 43 | source: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9 44 | - mirrors: 45 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator 46 | source: registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator 47 | - mirrors: 48 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-monitor 49 | source: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9 50 | - mirrors: 51 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-cloud-api-adaptor 52 | source: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9 53 | - mirrors: 54 | - brew.registry.redhat.io/rh-osbs/openshift-sandboxed-containers-operator-cloud-api-adaptor-webhook 55 | source: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9 56 | --------------------------------------------------------------------------------