From 452e44e541b0bae0e967344bdf7b41d2de19976e Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 14:11:48 +1000
Subject: [PATCH 01/11] fix: cleanup kbs access
Signed-off-by: Chris Butler
---
 .../kbs-access/sealed-secret.json | 8 ++++++
 ...environment.yaml => curl-location-cm.yaml} | 2 +-
 .../{secure-pod.yaml => curl-pod.yaml} | 12 +++------
 .../{secure-route.yaml => curl-route.yaml} | 4 +--
 .../{secure-svc.yaml => curl-svc.yaml} | 4 +--
 .../templates/sealed-location-cm.yaml | 7 +++++
 .../kbs-access/templates/sealed-pod.yaml | 27 +++++++++++++++++++
 .../kbs-access/templates/sealed-route.yaml | 12 +++++++++
 .../kbs-access/templates/sealed-secret.yaml | 9 +++++++
 .../kbs-access/templates/sealed-service.yaml | 14 ++++++++++
 10 files changed, 85 insertions(+), 14 deletions(-)
 create mode 100644 charts/coco-supported/kbs-access/sealed-secret.json
 rename charts/coco-supported/kbs-access/templates/{environment.yaml => curl-location-cm.yaml} (83%)
 rename charts/coco-supported/kbs-access/templates/{secure-pod.yaml => curl-pod.yaml} (70%)
 rename charts/coco-supported/kbs-access/templates/{secure-route.yaml => curl-route.yaml} (82%)
 rename charts/coco-supported/kbs-access/templates/{secure-svc.yaml => curl-svc.yaml} (85%)
 create mode 100644 charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
 create mode 100644 charts/coco-supported/kbs-access/templates/sealed-pod.yaml
 create mode 100644 charts/coco-supported/kbs-access/templates/sealed-route.yaml
 create mode 100644 charts/coco-supported/kbs-access/templates/sealed-secret.yaml
 create mode 100644 charts/coco-supported/kbs-access/templates/sealed-service.yaml
diff --git a/charts/coco-supported/kbs-access/sealed-secret.json b/charts/coco-supported/kbs-access/sealed-secret.json
new file mode 100644
index 00000000..4b5dcb6c
--- /dev/null
+++ b/charts/coco-supported/kbs-access/sealed-secret.json
@@ -0,0 +1,8 @@
+{
+  "version": "0.1.0",
+  "type": "vault",
+  "name": "kbs:///default/kbsres1/key3",
+  "provider": "kbs",
+  "provider_settings": {},
+  "annotations": {}
+}
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/environment.yaml b/charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
similarity index 83%
rename from charts/coco-supported/kbs-access/templates/environment.yaml
rename to charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
index 3f5bc49e..93733e27 100644
--- a/charts/coco-supported/kbs-access/templates/environment.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-location-cm.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: kbsref
+  name: kbsref-curl
   namespace: kbs-access
 data:
   FILEPATH: "/output/kbsres1.txt"
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/secure-pod.yaml b/charts/coco-supported/kbs-access/templates/curl-pod.yaml
similarity index 70%
rename from charts/coco-supported/kbs-access/templates/secure-pod.yaml
rename to charts/coco-supported/kbs-access/templates/curl-pod.yaml
index f8f32fd7..62bf20ee 100644
--- a/charts/coco-supported/kbs-access/templates/secure-pod.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-pod.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: secure
+  name: curl
   labels:
-    app: secure
+    app: curl
   annotations:
     peerpods: "true"
 spec:
@@ -18,7 +18,7 @@ spec:
       mountPath: /output
     envFrom:
     - configMapRef:
-        name: kbsref
+        name: kbsref-curl
   initContainers:
   - name: curl
     image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
@@ -26,12 +26,6 @@ spec:
     volumeMounts:
     - name: output-volume
       mountPath: /output
-  # - name: hi
-  #   image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
-  #   command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt']
-  #   volumeMounts:
-  #   - name: output-volume
-  #     mountPath: /output
   volumes:
   - name: output-volume
     emptyDir: {}
diff --git a/charts/coco-supported/kbs-access/templates/secure-route.yaml b/charts/coco-supported/kbs-access/templates/curl-route.yaml
similarity index 82%
rename from charts/coco-supported/kbs-access/templates/secure-route.yaml
rename to charts/coco-supported/kbs-access/templates/curl-route.yaml
index dba755f2..56ca71f8 100644
--- a/charts/coco-supported/kbs-access/templates/secure-route.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-route.yaml
@@ -1,12 +1,12 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
-  name: secure
+  name: curl
 spec:
   port:
     targetPort: 5000
   to:
     kind: Service
-    name: secure
+    name: curl
     weight: 100
   wildcardPolicy: None
diff --git a/charts/coco-supported/kbs-access/templates/secure-svc.yaml b/charts/coco-supported/kbs-access/templates/curl-svc.yaml
similarity index 85%
rename from charts/coco-supported/kbs-access/templates/secure-svc.yaml
rename to charts/coco-supported/kbs-access/templates/curl-svc.yaml
index 618f2f41..aed64668 100644
--- a/charts/coco-supported/kbs-access/templates/secure-svc.yaml
+++ b/charts/coco-supported/kbs-access/templates/curl-svc.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: secure
+  name: curl
 spec:
   ports:
   - name: 5000-tcp
@@ -9,6 +9,6 @@ spec:
     protocol: TCP
     targetPort: 5000
   selector:
-    app: secure
+    app: curl
   sessionAffinity: None
   type: ClusterIP
diff --git a/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
new file mode 100644
index 00000000..69a248bc
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kbsref-sealed
+  namespace: kbs-access
+data:
+  FILEPATH: "/output/kbsres1.txt"
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
new file mode 100644
index 00000000..c52c84bc
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sealed
+  labels:
+    app: sealed
+  annotations:
+    peerpods: "true"
+spec:
+  runtimeClassName: kata-remote
+  containers:
+  - name: python-access
+    image: ghcr.io/butler54/kbs-access-app:latest
+    ports:
+    - containerPort: 5000
+    envFrom:
+    - configMapRef:
+        name: kbsref-sealed
+    volumeMounts:
+    - name: secret-volume
+      mountPath: "sealed/myvalue"
+    env:
+    - name: PROTECTED_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: sealed-secret
+          key: secret
diff --git a/charts/coco-supported/kbs-access/templates/sealed-route.yaml b/charts/coco-supported/kbs-access/templates/sealed-route.yaml
new file mode 100644
index 00000000..56572b50
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-route.yaml
@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: sealed
+spec:
+  port:
+    targetPort: 5000
+  to:
+    kind: Service
+    name: sealed
+    weight: 100
+  wildcardPolicy: None
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
new file mode 100644
index 00000000..cccea527
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name:
+data:
+  # Base64 encoding of install-config yaml
+  secret: "sealed.fakejwsheader.{{ tpl "sealed-secret.json" . | base64 }}.fakesignature"
+type: Opaque
\ No newline at end of file
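Review bot: The confidential workload is referenced by a floating tag, `image: ghcr.io/butler54/kbs-access-app:latest`, so nothing binds the unsealed `PROTECTED_SECRET` to a specific, reviewed image — whatever the registry serves under that tag at pull time gets the secret, and the agent policy added later in this series does not constrain images either; pin it, `image: ghcr.io/butler54/kbs-access-app@sha256:<digest>`. `mountPath: "sealed/myvalue"` is a relative path; whether the API server or the remote runtime accepts that I can't confirm from here, but the ConfigMap this pod consumes is later pointed at `/sealed/myvalue`, so make it `mountPath: /sealed/myvalue`. The mount also references `secret-volume`, for which this revision of the pod declares no `volumes:` entry, so the pod would be rejected as written; a later patch in the series adds it.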
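Review bot: The comment `# Base64 encoding of install-config yaml` above `secret:` is a copy-paste leftover and describes something this Secret does not contain, which will mislead the next person who has to debug an unseal failure. What is stored is a CoCo sealed-secret envelope whose payload is `sealed-secret.json`, i.e. a KBS resource URI rather than key material, so a comment such as `# CoCo sealed-secret envelope (sealed.<header>.<base64 payload>.<signature>); the payload is sealed-secret.json, a KBS resource reference that is only resolved inside the attested guest, so no plaintext key lives in etcd` would say what actually matters. `metadata.name` is also empty in this revision, which the API server rejects; a later patch fills it in.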
diff --git a/charts/coco-supported/kbs-access/templates/sealed-service.yaml b/charts/coco-supported/kbs-access/templates/sealed-service.yaml
new file mode 100644
index 00000000..ab9d0d48
--- /dev/null
+++ b/charts/coco-supported/kbs-access/templates/sealed-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sealed
+spec:
+  ports:
+  - name: 5000-tcp
+    port: 5000
+    protocol: TCP
+    targetPort: 5000
+  selector:
+    app: sealed
+  sessionAffinity: None
+  type: ClusterIP
From 4160070bed81f08e821f27645f0c0fdc4d1d89ca Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 15:00:32 +1000
Subject: [PATCH 02/11] chore: enable le
Signed-off-by: Chris Butler
---
 values-simple.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/values-simple.yaml b/values-simple.yaml
index f25bc61f..86a54035 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -95,7 +95,7 @@ clusterGroup:
       # Default to 'safe' for ARO
       overrides:
       - name: letsencrypt.enabled
-        value: false
+        value: true
     hello-openshift:
       name: hello-openshift
       namespace: hello-openshift
From d223419af12e679fa69934571b79ebc3296ece42 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 15:14:05 +1000
Subject: [PATCH 03/11] fix: correct secret
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 2 +-
 rhdp/wrapper.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 rhdp/wrapper.sh
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index cccea527..ae2ac86c 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
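Review bot: The context comment directly above the override, `# Default to 'safe' for ARO`, still explains the old `value: false`, so after this change the comment and the value contradict each other and the next reader cannot tell whether Let's Encrypt on ARO is now considered safe or this values file is simply not the ARO one. Either update it to state why issuance is wanted here, e.g. `# Let's Encrypt is enabled for this profile; requires the cluster's routes to be publicly reachable for ACME challenges`, or drop it. The `overrides:` list and the application block that owns it begin above the hunk, so I can't see which chart consumes `letsencrypt.enabled`.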
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name:
+  name: sealed-secret
 data:
   # Base64 encoding of install-config yaml
   secret: "sealed.fakejwsheader.{{ tpl "sealed-secret.json" . | base64 }}.fakesignature"
diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh
old mode 100644
new mode 100755
index 0df76df7..4304157b
--- a/rhdp/wrapper.sh
+++ b/rhdp/wrapper.sh
@@ -66,7 +66,7 @@ fi
 echo "---------------------"
 echo "defining cluster"
 echo "---------------------"
-python3 rhdp/rhdp-cluster-define.py ${AZUREREGION}
+python rhdp/rhdp-cluster-define.py ${AZUREREGION}
 echo "---------------------"
 echo "cluster defined"
 echo "---------------------"
From 8d5fef392fc92099086f0d54fc040c5b90e323f5 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:33:43 +1000
Subject: [PATCH 04/11] fix: correct encoder
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index ae2ac86c..b55ede23 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -5,5 +5,5 @@ metadata:
   name: sealed-secret
 data:
   # Base64 encoding of install-config yaml
-  secret: "sealed.fakejwsheader.{{ tpl "sealed-secret.json" . | base64 }}.fakesignature"
+  secret: "sealed.fakejwsheader.{{ tpl "sealed-secret.json" . | b64enc }}.fakesignature"
 type: Opaque
\ No newline at end of file
From 12957ef96d3f0f9b9dfe053affacb8c3543dd6ec Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:39:08 +1000
Subject: [PATCH 05/11] fix: correct encoder
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
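Review bot: `python rhdp/rhdp-cluster-define.py ${AZUREREGION}` swaps the versioned interpreter for the unversioned `python`, which on RHEL/UBI-style hosts exists only when `python-unversioned-command` or an activated venv provides it, so this line can fail on hosts where the previous `python3` ran fine. If the intent is "whatever interpreter the environment provides", make that explicit and keep a working default: `"${PYTHON:-python3}" rhdp/rhdp-cluster-define.py "${AZUREREGION}"` — quoting the variable also stops an empty or space-containing region from being word-split into extra arguments. The file is now mode 755, which is fine for direct invocation only if it has a shebang; that line is outside the hunk so I can't confirm it.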
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index b55ede23..fe189045 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -5,5 +5,5 @@ metadata:
   name: sealed-secret
 data:
   # Base64 encoding of install-config yaml
-  secret: "sealed.fakejwsheader.{{ tpl "sealed-secret.json" . | b64enc }}.fakesignature"
-type: Opaque
\ No newline at end of file
+  secret: '{{ "sealed.fakejwsheader."{{ tpl "sealed-secret.json" . | b64enc }}".fakesignature" | b64enc }'
+type: Generic
\ No newline at end of file
From 8a1dcaa71fb7f368e4c4df2cebf79214f6ef4a39 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:40:00 +1000
Subject: [PATCH 06/11] fix: correct encoder
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index fe189045..9f1fae5b 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -5,5 +5,5 @@ metadata:
   name: sealed-secret
 data:
   # Base64 encoding of install-config yaml
-  secret: '{{ "sealed.fakejwsheader."{{ tpl "sealed-secret.json" . | b64enc }}".fakesignature" | b64enc }'
+  secret: '{{ "sealed.fakejwsheader."{{ tpl "sealed-secret.json" . | b64enc }}".fakesignature" | b64enc }}'
 type: Generic
\ No newline at end of file
From 7288b9d3a86b663753939bf9067260e6142a4475 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:42:56 +1000
Subject: [PATCH 07/11] fix: correct encoder
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
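Review bot: `type: Generic` is not a Kubernetes Secret type; `generic` is the `kubectl create secret` subcommand, and what it creates is `type: Opaque`. The API server accepts arbitrary custom type strings, so this will not be rejected, but anything that keys on the standard types will not recognise the Secret — restore `type: Opaque`, which the removed line had. The new template value also cannot render: Go templates do not nest `{{ ... }}` actions, and the outer action closes with a single `}`; the next two patches rework this line with `printf`, so only the `type:` regression survives the series.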
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index 9f1fae5b..51ab562b 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -3,7 +3,8 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: sealed-secret
+
 data:
   # Base64 encoding of install-config yaml
-  secret: '{{ "sealed.fakejwsheader."{{ tpl "sealed-secret.json" . | b64enc }}".fakesignature" | b64enc }}'
+  secret: "{{ printf "sealed.fakejwsheader.%s.fakesignature" (tpl ( .Files.Get "sealed-secret.json" ) . | base64 ) | b64enc }}"
 type: Generic
\ No newline at end of file
From 15af0b16cfea69f49cad93f3dcb4c045354e296f Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:43:25 +1000
Subject: [PATCH 08/11] fix: correct encoder
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
index 51ab562b..276aaddd 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-secret.yaml
@@ -6,5 +6,5 @@ metadata:
 
 data:
   # Base64 encoding of install-config yaml
-  secret: "{{ printf "sealed.fakejwsheader.%s.fakesignature" (tpl ( .Files.Get "sealed-secret.json" ) . | base64 ) | b64enc }}"
+  secret: "{{ printf "sealed.fakejwsheader.%s.fakesignature" (tpl ( .Files.Get "sealed-secret.json" ) . | b64enc ) | b64enc }}"
 type: Generic
\ No newline at end of file
From e76c625892ae8abd9c4c50937a6453da74edbe2a Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 18:49:18 +1000
Subject: [PATCH 09/11] feat: add volume
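Review bot: `.Files.Get "sealed-secret.json"` returns an empty string when the file is not packaged with the chart, and `tpl` and the encoders happily process that, so a packaging mistake renders a well-formed-looking envelope `sealed.fakejwsheader..fakesignature` with no payload and the failure only surfaces inside the guest at unseal time. Fail at template time instead: `(tpl (required "sealed-secret.json is missing from the chart" (.Files.Get "sealed-secret.json")) .)`. Running the JSON through `tpl` also means any `{{` that ends up in the payload is executed as Helm template text — unless templating the payload is intended, `.Files.Get` alone is the safer choice. `base64` is not a Sprig function, so this revision does not render; the next patch changes it to `b64enc`.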
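Review bot: The inner `b64enc` emits standard base64 (`+`, `/`, `=` padding) for the envelope payload, while the CoCo sealed-secret envelope is JWS-like and, as far as I can tell from the guest-components unseal path, the payload is decoded as base64url without padding; a payload whose standard base64 contains `+`, `/` or trailing `=` would then render cleanly with `helm template` but fail to unseal in the guest. Sprig has no base64url helper, so the in-template fix is `(tpl ( .Files.Get "sealed-secret.json" ) . | b64enc | replace "+" "-" | replace "/" "_" | trimAll "=")`, or ship the envelope pre-encoded instead of assembling it here. Worth confirming against the unseal code before relying on either; the outer `| b64enc` for the `data:` field is correct as is.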
Signed-off-by: Chris Butler
---
 charts/coco-supported/kbs-access/templates/sealed-pod.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
index c52c84bc..14a44e79 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
@@ -25,3 +25,7 @@ spec:
         secretKeyRef:
           name: sealed-secret
           key: secret
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: sealed-secret
\ No newline at end of file
From 61c1e92ad6b9a82c0d03cf4bd9e2a729318d03ed Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 22 May 2025 20:40:03 +1000
Subject: [PATCH 10/11] feat: add volume
Signed-off-by: Chris Butler
---
 .../coco-supported/kbs-access/templates/sealed-location-cm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
index 69a248bc..1a50e427 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-location-cm.yaml
@@ -4,4 +4,4 @@ metadata:
   name: kbsref-sealed
   namespace: kbs-access
 data:
-  FILEPATH: "/output/kbsres1.txt"
\ No newline at end of file
+  FILEPATH: "/sealed/myvalue"
\ No newline at end of file
From ba0258654c751118a02ff9c00ee78212698af264 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Mon, 26 May 2025 21:11:39 +1000
Subject: [PATCH 11/11] fix: add insecure policy
Signed-off-by: Chris Butler
---
 .../kbs-access/insecure-policy.rego | 38 +++++++++++++++++++
 .../kbs-access/templates/sealed-pod.yaml | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 charts/coco-supported/kbs-access/insecure-policy.rego
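Review bot: Mounting the whole Secret produces a directory with one file per key, so with the container's `mountPath: "sealed/myvalue"` (declared earlier in this file and relative, with no leading slash) the unsealed value lands at `sealed/myvalue/secret`, not at a file named `myvalue`. If the application expects a single file, project the key explicitly, `secret: {secretName: sealed-secret, items: [{key: secret, path: myvalue}]}`, and mount the volume at `mountPath: /sealed`, which yields `/sealed/myvalue`. The same value is also injected as the `PROTECTED_SECRET` env var in the context lines, so the secret now exists in two places inside the guest; keep one path unless both are deliberately exercised. The container spec the mount belongs to starts above the hunk.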
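Review bot: `FILEPATH: "/sealed/myvalue"` does not match where the sealed pod actually puts the file: the container mounts `secret-volume` at the relative path `sealed/myvalue`, and a Secret volume exposes its key as a file named `secret` beneath the mount, so the readable path is `<mount>/secret`. Either align this value with the mount as written, `FILEPATH: "/sealed/myvalue/secret"`, or, better, fix the pod side to an absolute mount with an `items` projection so `/sealed/myvalue` really is a file. Note also that this ConfigMap hard-codes `namespace: kbs-access` while the pod that consumes it carries no namespace, so the pair only resolves when the release is installed into that namespace.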
diff --git a/charts/coco-supported/kbs-access/insecure-policy.rego b/charts/coco-supported/kbs-access/insecure-policy.rego
new file mode 100644
index 00000000..b82a0e93
--- /dev/null
+++ b/charts/coco-supported/kbs-access/insecure-policy.rego
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
\ No newline at end of file
diff --git a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
index 14a44e79..416c1e89 100644
--- a/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
+++ b/charts/coco-supported/kbs-access/templates/sealed-pod.yaml
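Review bot: This policy answers true to every agent request, including `ExecProcessRequest`, `ReadStreamRequest`, `CopyFileRequest` and `SetPolicyRequest`, so a principal with exec rights on the pod can enter the confidential VM and read `PROTECTED_SECRET` or the unsealed file, the host can push arbitrary files into the guest, and the policy itself can be replaced after the sandbox is up; `CreateContainerRequest` and `PullImageRequest` likewise place no constraint on which image runs. That removes the confidentiality the sealed secret exists to provide, which is acceptable for a demo only if it is opt-in and visibly labelled — the file name says "insecure" but nothing stops it from being deployed by default. I'd deny the exfiltration and policy-mutation requests here and keep the fully open variant behind a values flag, with a header comment stating that this policy is for debugging only; the defaults I would change are below, the other `default … := true` lines can stay for the demo.

```rego
package agent_policy

# DEBUG-ONLY policy: allows every agent request except the ones below. Do not ship with
# a workload whose secrets must stay inside the guest.

# … unchanged: the remaining `default <Request> := true` lines …

# Host-side exec, stream reads and file copies expose guest state to the host.
default CopyFileRequest := false
default ExecProcessRequest := false
default ReadStreamRequest := false
# A policy that allows SetPolicyRequest can be rewritten at runtime.
default SetPolicyRequest := false
```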
@@ -6,6 +6,7 @@ metadata:
     app: sealed
   annotations:
     peerpods: "true"
+    io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
 spec:
   runtimeClassName: kata-remote
   containers:
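Review bot: The permissive agent policy is attached unconditionally and is passed through `tpl`, so every install of this chart ships the fully open policy and any `{{` in the policy file is executed as Helm template text; `.Files.Get` also returns an empty string if the file is missing, which `b64enc` turns into an empty, silently accepted annotation. Gate it on a value, drop `tpl`, and fail loudly when the file is absent: `{{- if .Values.insecureAgentPolicy }}` / `io.katacontainers.config.agent.policy: '{{ required "insecure-policy.rego is missing from the chart" (.Files.Get "insecure-policy.rego") | b64enc }}'` / `{{- end }}`. Whether a per-pod policy annotation is honoured for `kata-remote` peer pods, and whether its digest is bound into the attestation evidence, depends on how the cloud-api-adaptor hands it to the guest — I can't confirm that from the chart, so a comment stating the assumption next to the annotation would help. The container list this policy governs continues below the hunk.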