Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions scripts/gen-secrets.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ echo "Creating secrets as required"
echo

COCO_SECRETS_DIR="${HOME}/.coco-pattern"
KBS_PRIVATE_KEY="${COCO_SECRETS_DIR}/kbsPrivateKey"
KBS_PUBLIC_KEY="${COCO_SECRETS_DIR}/kbsPublicKey"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
VALUES_FILE="${HOME}/values-secret-coco-pattern.yaml"

Expand All @@ -21,11 +19,20 @@ if [ "${COCO_ENABLE_SSH_DEBUG:-false}" = "true" ]; then
fi
fi

if [ ! -f "${KBS_PRIVATE_KEY}" ]; then
echo "Creating kbs keys"
rm -f "${KBS_PUBLIC_KEY}"
openssl genpkey -algorithm ed25519 >${KBS_PRIVATE_KEY}
openssl pkey -in "${KBS_PRIVATE_KEY}" -pubout -out "${KBS_PUBLIC_KEY}"
## JWK signing key for sealed secrets (P-256 EC key)
JWK_SIGNING_KEY="${COCO_SECRETS_DIR}/sealed-secrets-signing.jwk"
JWK_PUBLIC_KEY="${COCO_SECRETS_DIR}/sealed-secrets-signing-pub.jwk"

if [ ! -f "${JWK_SIGNING_KEY}" ]; then
if command -v jose >/dev/null 2>&1; then
echo "Creating sealed secrets JWK signing key (P-256 EC) using jose"
jose jwk gen -i '{"alg":"ES256","kid":"coco-signing-key","use":"sig"}' -o "${JWK_SIGNING_KEY}"
jose jwk pub -i "${JWK_SIGNING_KEY}" -o "${JWK_PUBLIC_KEY}"
else
echo "ERROR: jose CLI not found. Install with: sudo dnf install jose"
echo "The jose package is available in rhel-10-for-x86_64-appstream-rpms"
exit 1
fi
fi

## PCCS secrets for bare metal Intel TDX deployments
Expand Down
6 changes: 3 additions & 3 deletions values-azure.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,13 +36,13 @@ clusterGroup:
namespace: openshift-sandboxed-containers-operator
channel: stable
installPlanApproval: Manual
csv: sandboxed-containers-operator.v1.12.0
csv: sandboxed-containers-operator.v1.13.0
trustee:
name: trustee-operator
namespace: trustee-operator-system
channel: stable
installPlanApproval: Manual
csv: trustee-operator.v1.1.0
csv: trustee-operator.v1.2.0
cert-manager:
name: openshift-cert-manager-operator
namespace: cert-manager-operator
Expand Down Expand Up @@ -87,7 +87,7 @@ clusterGroup:
namespace: trustee-operator-system
project: trustee
chart: trustee
chartVersion: 0.8.*
chartVersion: 0.9.*
extraValueFiles:
- '/overrides/values-trustee.yaml'
overrides:
Expand Down
11 changes: 5 additions & 6 deletions values-baremetal.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,15 @@ clusterGroup:
namespace: openshift-sandboxed-containers-operator
channel: stable
installPlanApproval: Manual
csv: sandboxed-containers-operator.v1.12.0
csv: sandboxed-containers-operator.v1.13.0
annotations:
argocd.argoproj.io/sync-wave: "10"
trustee:
name: trustee-operator
namespace: trustee-operator-system
channel: stable
installPlanApproval: Manual
csv: trustee-operator.v1.1.0
csv: trustee-operator.v1.2.0
annotations:
argocd.argoproj.io/sync-wave: "10"
cert-manager:
Expand Down Expand Up @@ -163,17 +163,16 @@ clusterGroup:
project: trustee
annotations:
argocd.argoproj.io/sync-wave: "20"
chart: trustee
chartVersion: 0.8.*
repoURL: https://github.com/butler54/trustee-chart.git
targetRevision: dev/osc-1.13-upgrade
path: .
extraValueFiles:
- '/overrides/values-trustee.yaml'
overrides:
- name: global.coco.secured
value: "true"
- name: kbs.tdx.enabled
value: "true"
- name: kbs.tdx.collateralService
value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
- name: kbs.gpu.enabled
value: "true"
- name: kbs.baremetal.enabled
Expand Down
28 changes: 11 additions & 17 deletions values-secret.yaml.template
Original file line number Diff line number Diff line change
Expand Up @@ -11,23 +11,6 @@ secrets:
# Core KBS Secrets (Always Required)
# ===================================================================

# KBS public key - used by workloads to verify KBS identity
- name: kbsPublicKey
vaultPrefixes:
- hub
fields:
- name: publicKey
path: ~/.coco-pattern/kbsPublicKey

# KBS private key - used by KBS to sign responses
# Generated by gen-secrets.sh alongside kbsPublicKey
- name: kbsPrivateKey
vaultPrefixes:
- global
fields:
- name: privateKey
path: ~/.coco-pattern/kbsPrivateKey

# Auto-generated test secrets provided by KBS
- name: kbsres1
vaultPrefixes:
Expand Down Expand Up @@ -168,6 +151,17 @@ secrets:
}
}

# JWK signing key for sealed secrets
# The public key is provisioned to KBS for signature verification.
# The private key stays local and is used to create sealed secrets.
# Generated by: ./scripts/gen-secrets.sh (requires jose CLI)
- name: sealedSecretsSigningKey
vaultPrefixes:
- hub
fields:
- name: public
path: ~/.coco-pattern/sealed-secrets-signing-pub.jwk

# Sigstore public keys for Red Hat container signature verification
# Red Hat release key 3 (used for sigstore signatures as of Oct 2024)
- name: sigstore-keys
Expand Down
4 changes: 2 additions & 2 deletions values-trusted-hub.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ clusterGroup:
namespace: trustee-operator-system
channel: stable
installPlanApproval: Manual
csv: trustee-operator.v1.1.0
csv: trustee-operator.v1.2.0
cert-manager:
name: openshift-cert-manager-operator
namespace: cert-manager-operator
Expand Down Expand Up @@ -77,7 +77,7 @@ clusterGroup:
namespace: trustee-operator-system
project: trustee
chart: trustee
chartVersion: 0.8.*
chartVersion: 0.9.*
extraValueFiles:
- '/overrides/values-trustee.yaml'
overrides:
Expand Down
Loading