docs: add bare metal reference documentation #75
Draft
butler54 wants to merge 1 commit into validatedpatterns:main from
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
butler54 added a commit to butler54/coco-pattern that referenced this pull request on Apr 30, 2026:
…lidatedpatterns#75 documentation
This commit addresses all review comments from bpradipt and pawelpros on PR validatedpatterns#73, merges documentation from PR validatedpatterns#75, and updates container images.
Documentation changes:
- README: Replace "peer-pod infrastructure" wording to clarify Azure vs bare metal
- README: Update OCP version requirements from 4.17+ to 4.19.28+ (OSC 1.12 requirement)
- README: Clarify PCR collection differs for Azure (get-pcr.sh) vs bare metal (manual)
- README: Distinguish Azure (kata-remote) from bare metal (kata-cc) runtime classes
- values-secret.yaml.template: Add missing kbsPrivateKey secret
- values-secret.yaml.template: Reorganize with clear section headers and improved docs
- gen-secrets.sh: Add prominent alert when values-secret file is created
- Merge docs/nfd-matchall-bug.md from PR validatedpatterns#75 (NFD matchAll bug report)
- Merge docs/pcr-reference-values-bare-metal.md from PR validatedpatterns#75 (PCR collection guide)
Code cleanup:
- Delete obsolete qgs-config-cm.yaml (QGS args now inline)
- Delete obsolete qgs-sgx-cm.yaml (QCNL config via downwardAPI)
- Remove commented-out detect-runtime-class reference in values-baremetal.yaml
Image updates:
- intel-dpo-sgx.yaml: Update intel-sgx-plugin to sha256:4ac8769c (v0.35.0)
- pccs-deployment.yaml: Update osc-pccs to sha256:edf57087 (v1.12)
- qgs-ds.yaml: Update osc-tdx-qgs to sha256:308d66da (v1.12)
Resolves review comments from:
- bpradipt: peer-pod wording, OCP versions, PCR clarification
- pawelpros: obsolete ConfigMaps, image digests, PCR requirements
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
butler54 added a commit that referenced this pull request on May 5, 2026:
* feat: add bare metal support for Intel TDX and AMD SEV-SNP
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: update baremetal values to use released charts
Replace git branch references (repoURL/targetRevision/path) with
released Helm chart references (chart/chartVersion) for trustee,
sandboxed-containers, and sandboxed-policies in values-baremetal.yaml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add TDX kernel flag and enable intel-dcap for baremetal
Add tdx.enabled flag (default true) to baremetal chart to conditionally
set kvm_intel.tdx=1 kernel argument. Without this, the kvm_intel module
does not activate TDX and NFD cannot detect it.
Enable intel-dcap application in values-baremetal.yaml for PCCS/QGS
attestation services.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove unused runtime class, kernel params, and commented-out templates
Address PR review feedback:
- Remove detect-runtime-class.yaml (OSC operator manages RuntimeClass)
- Remove bm-kernel-params.yaml and kernel-params-mco.yaml (config should
be provided via initdata or pod annotations to avoid inconsistencies)
- Remove commented-out runtimeclass templates for AMD SNP and Intel TDX
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: update to OSC 1.12 / Trustee 1.1.0
Signed-off-by: Chris Butler <chris.butler@redhat.com>
* feat: integrate Kyverno and update trustee config for baremetal
- Add Kyverno chart and coco-kyverno-policies to baremetal values
- Update trustee chart to 0.3.* with kbs.admin.format v1.1
- Remove bypassAttestation (proper attestation via init_data)
- Remove explicit runtimeClassName overrides (auto-detected by platform)
- Add syncPolicy prune to hello-openshift and kbs-access
- Reset default clusterGroupName to simple
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: set clusterGroupName to baremetal for deployment testing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add UPDATE operation to initdata injection policy
The policy only fired on Pod/Deployment CREATE, so pods created before
the initdata ConfigMap existed never got the cc_init_data annotation.
Adding UPDATE allows Kyverno to inject the annotation when a Deployment
is updated (e.g. by ArgoCD sync), triggering a rolling restart with
the correct initdata.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add intel-device-plugins-operator subscription for SGX/TDX quote generation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: enable TDX config in trustee to point QCNL at local PCCS service
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: store raw SHA-256 hash alongside PCR8 hash in initdata ConfigMaps
Adds RAW_HASH field to both initdata and debug-initdata ConfigMaps.
PCR8_HASH = SHA256(zeros || SHA256(toml)) — used by Azure vTPM attestation
RAW_HASH = SHA256(toml) — used by baremetal TDX/SNP attestation
Both are needed because Azure and baremetal present initdata differently
in their attestation evidence. A single Trustee attestation server must
accept both formats to support multi-platform deployments.
Future: integrate veritas for comprehensive reference value generation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: point trustee at feature branch for baremetal attestation testing
Temporarily uses butler54/trustee-chart feature/baremetal-attestation
branch instead of released chart. This branch includes:
- Baremetal TDX and SNP attestation rules
- Conditional pcr-stash (no error on baremetal without vTPM)
- Raw init_data hash (zero-padded) for baremetal attestation
- TDX QCNL config with use_secure_cert: false for local PCCS
Revert to chartVersion after merging and releasing trustee chart.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: increase kata VM memory for kbs-access to 8192MB
The kbs-access-app container image is ~1GB which causes container
creation timeouts with the default 2GB kata VM memory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: target Pods only for cc_init_data injection, disable autogen
The autogen Deployment rule causes admission failures when the initdata
ConfigMap hasn't been propagated to the workload namespace yet. By
targeting Pods only (autogen-controllers: none), Deployments are admitted
without ConfigMap resolution. Pods get cc_init_data injected at creation
time when the ConfigMap is available. A rollout restart picks up new
initdata values.
Also removes UPDATE operation — only CREATE is needed since a rollout
restart creates new Pods.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use ${initial_pcr} braces in PCR8 hash computation
Without braces, bash treats $initial_pcr followed by the hex hash
as a single undefined variable name, producing SHA-256 of empty
string instead of the correct PCR extend value.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: address PR #73 review comments and merge PR #75 documentation
This commit addresses all review comments from bpradipt and pawelpros on
PR #73, merges documentation from PR #75, and updates container images.
Documentation changes:
- README: Replace "peer-pod infrastructure" wording to clarify Azure vs bare metal
- README: Update OCP version requirements from 4.17+ to 4.19.28+ (OSC 1.12 requirement)
- README: Clarify PCR collection differs for Azure (get-pcr.sh) vs bare metal (manual)
- README: Distinguish Azure (kata-remote) from bare metal (kata-cc) runtime classes
- values-secret.yaml.template: Add missing kbsPrivateKey secret
- values-secret.yaml.template: Reorganize with clear section headers and improved docs
- gen-secrets.sh: Add prominent alert when values-secret file is created
- Merge docs/nfd-matchall-bug.md from PR #75 (NFD matchAll bug report)
- Merge docs/pcr-reference-values-bare-metal.md from PR #75 (PCR collection guide)
Code cleanup:
- Delete obsolete qgs-config-cm.yaml (QGS args now inline)
- Delete obsolete qgs-sgx-cm.yaml (QCNL config via downwardAPI)
- Remove commented-out detect-runtime-class reference in values-baremetal.yaml
Image updates:
- intel-dpo-sgx.yaml: Update intel-sgx-plugin to sha256:4ac8769c (v0.35.0)
- pccs-deployment.yaml: Update osc-pccs to sha256:edf57087 (v1.12)
- qgs-ds.yaml: Update osc-tdx-qgs to sha256:308d66da (v1.12)
Resolves review comments from:
- bpradipt: peer-pod wording, OCP versions, PCR clarification
- pawelpros: obsolete ConfigMaps, image digests, PCR requirements
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: revert clusterGroupName to simple for main branch merge
The clusterGroupName was changed to 'baremetal' in commit a601af0 for
deployment testing. Reverting to 'simple' as the default so existing
users are not affected when this PR merges to main.
The baremetal clusterGroup remains available by setting
clusterGroupName: baremetal in user overrides or CI.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: update trustee chart to use upstream 0.3.3 release
Replace butler54/trustee-chart.git fork reference with upstream
chart reference now that validatedpatterns/trustee-chart#21 has
merged and released as v0.3.3.
The 0.3.3 release includes baremetal TDX/SNP attestation support
and NVIDIA GPU attestation via NRAS remote verifier.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Signed-off-by: Chris Butler <chris.butler@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
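The two initdata reference values and the `${initial_pcr}` quoting bug described in the squash commit above, as an added example that is not part of this PR or the pattern's own scripts; it assumes a Linux shell with coreutils `sha256sum`, and the initdata TOML it hashes is a constructed sample.

```shell
# Added example (not the coco-pattern's own scripts). Reproduces the two initdata
# reference values described in the commit message and the ${initial_pcr} bug:
#   RAW_HASH  = SHA256(toml)                      (bare metal TDX / SEV-SNP)
#   PCR8_HASH = SHA256(zeros32 || SHA256(toml))   (Azure vTPM PCR8 extend)
# Assumes coreutils sha256sum; hex decoding uses POSIX printf, so no xxd needed.
set -e

ZERO_PCR=$(printf '%064d' 0)   # initial PCR: 32 zero bytes as 64 hex chars
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Constructed sample initdata TOML; a real deployment reads it from the ConfigMap.
SAMPLE_TOML='algorithm = "sha256"
version = "0.1.0"
[data]
"policy.rego" = "package agent_policy\ndefault AllowRequestsFailingPolicy := false"
'

# Decode an even-length hex string to raw bytes via octal escapes.
hex2bin() {
  hex=$1 fmt=''
  while [ -n "$hex" ]; do
    rest=${hex#??}; pair=${hex%"$rest"}
    fmt="$fmt\\$(printf '%03o' "$((0x$pair))")"
    hex=$rest
  done
  printf "$fmt"
}

sha256_hex() { sha256sum | cut -d' ' -f1; }

# RAW_HASH: digest of the TOML bytes exactly as stored (what TDX/SNP evidence carries).
raw_hash() { printf '%s' "$1" | sha256_hex; }

# One TPM PCR extend step over raw bytes: new = SHA256(old || measurement).
extend_pcr() { hex2bin "${1}${2}" | sha256_hex; }
# PCR8_HASH: extend an all-zero PCR8 with SHA256(toml), as the commit defines it.
pcr8_hash() { extend_pcr "$ZERO_PCR" "$(raw_hash "$1")"; }

# The bug the commit fixes: "$initial_pcr$measurement" is one (unset) variable
# name because hex digits are valid name characters, so only the empty string
# reaches the hash. eval is used solely to reproduce that parse at runtime.
pcr8_hash_buggy() {
  initial_pcr=$ZERO_PCR; measurement=$(raw_hash "$1")
  hex=$(eval "printf '%s' \"\$initial_pcr$measurement\"")
  hex2bin "$hex" | sha256_hex
}

echo "RAW_HASH=$(raw_hash "$SAMPLE_TOML")"
echo "PCR8_HASH=$(pcr8_hash "$SAMPLE_TOML")"
echo "buggy PCR8_HASH=$(pcr8_hash_buggy "$SAMPLE_TOML") (SHA-256 of empty string)"
```

The buggy variant always yields the SHA-256 of the empty string, which is the value a Trustee reference-value check would silently accept as PCR8 if the unbraced form had shipped.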
Summary
Test plan
🤖 Generated with Claude Code