install-helper: Add ITA support

scripts/install-helpers/README.md

@@ -59,7 +59,7 @@ You can edit the `resource-policy` configMap and set `default allow = true`.
 Create the TDX configmap
 
 ```sh
-oc apply -f tdx-cm.yaml
+oc apply -f tdx-coco-as-cm.yaml
 ```
 
 Update the KbsConfig CR

scripts/install-helpers/install.sh

@@ -5,7 +5,16 @@ OCP_PULL_SECRET_LOCATION="${OCP_PULL_SECRET_LOCATION:-$HOME/pull-secret.json}"
 MIRRORING=false
 ADD_IMAGE_PULL_SECRET=false
 GA_RELEASE=true
-TRUSTEE_IMAGE=${TRUSTEE_IMAGE:-quay.io/openshift_sandboxed_containers/kbs:v0.10.1}
+TDX=${TDX:-false}
+ITA_KEY="${ITA_KEY:-}"
+if [ -n "$ITA_KEY" ]; then
+	TDX=true
+fi
+DEFAULT_IMAGE=quay.io/openshift_sandboxed_containers/kbs:v0.10.1
+if [ -n "$ITA_KEY" ]; then
+    DEFAULT_IMAGE+="-ita"
+fi
+TRUSTEE_IMAGE=${TRUSTEE_IMAGE:-$DEFAULT_IMAGE}
 
 # Function to check if the oc command is available
 function check_oc() {
@@ -121,6 +130,25 @@ function add_image_pull_secret() {
 
 #Function to create Trustee artefacts secret
 function create_trustee_artefacts() {
+    local kbs_cm="kbs-cm.yaml"
+    local rvps_cm="rvps-cm.yaml"
+    local resource_policy_cm="resource-policy-cm.yaml"
+    local tdx_coco_as_cm=""
+    local config="kbsconfig.yaml"
+    if [ "$TDX" = "true" ]; then
+        if [ -n "$ITA_KEY" ]; then
+            kbs_cm="tdx-ita-$kbs_cm"
+            resource_policy_cm="tdx-ita-$resource_policy_cm"
+            config="tdx-ita-$config"
+
+            sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" $kbs_cm
+	else
+            tdx_coco_as_cm="tdx-coco-as-cm.yaml"
+
+            sed -i -e "s/\# tdxConfigSpec/tdxConfigSpec/g" $config
+            sed -i -e "s/\#   kbsTdxConfigMapName/    kbsTdxConfigMapName/g" $config
+        fi
+    fi
 
     # Create secret
     openssl genpkey -algorithm ed25519 >privateKey
@@ -135,13 +163,13 @@ function create_trustee_artefacts() {
     fi
 
     # Create KBS configmap
-    oc apply -f kbs-cm.yaml || return 1
+    oc apply -f "$kbs_cm" || return 1
 
     # Create RVPS configmap
-    oc apply -f rvps-cm.yaml || return 1
+    oc apply -f "$rvps_cm" || return 1
 
     # Create resource policy configmap
-    oc apply -f resource-policy-cm.yaml || return 1
+    oc apply -f "$resource_policy_cm" || return 1
 
     # Create few secrets to serve via Trustee
     # Create kbsres1 secret only if it doesn't exist
@@ -153,8 +181,13 @@ function create_trustee_artefacts() {
         echo "Secret kbsres1 already exists, skipping creation"
     fi
 
+    # Create TDX configmap
+    if [ -n "$tdx_coco_as_cm" ]; then
+        oc apply -f "$tdx_coco_as_cm" || return 1
+    fi
+
     # Create KBSConfig
-    oc apply -f kbsconfig.yaml || return 1
+    oc apply -f "$config" || return 1
 
 }
 
@@ -253,6 +286,12 @@ function display_help() {
     echo "# Install the GA operator"
     echo " ./install.sh "
     echo " "
+    echo "# Install the GA operator with ITA support"
+    echo " ITA_KEY="tBfd5kKX2x9ahbodKV1..." ./install.sh"
+    echo " "
+    echo "# Install the GA operator with DCAP support"
+    echo " TDX=true ./install.sh"
+    echo " "
     echo "# Install the GA operator with image mirroring"
     echo " ./install.sh -m"
     echo " "

scripts/install-helpers/tdx-coco-as-cm.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tdx-config
+  namespace: trustee-operator-system
+data:
+  sgx_default_qcnl.conf: |
+    {
+      "pccs_url": "https://pccs-service.intel-dcap:8042/sgx/certification/v4/",
+      "use_secure_cert": false,
+      "retry_times": 6,
+      "retry_delay": 10,
+      "pck_cache_expire_hours": 168,
+      "verify_collateral_cache_expire_hours": 168,
+      "local_cache_only": false
+    }

scripts/install-helpers/tdx-ita-kbs-cm.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tdx-ita-config
+  namespace: trustee-operator-system
+data:
+  kbs-config.json: |
+    {
+        "insecure_http" : true,
+        "sockets": ["0.0.0.0:8080"],
+        "auth_public_key": "/etc/auth-secret/publicKey",
+        "attestation_token_config": {
+          "attestation_token_type": "Jwk",
+          "trusted_certs_paths": ["https://portal.trustauthority.intel.com"]
+        },
+        "repository_config": {
+          "type": "LocalFs",
+          "dir_path": "/opt/confidential-containers/kbs/repository"
+        },
+        "as_config": {
+          "work_dir": "/opt/confidential-containers/attestation-service",
+          "policy_engine": "opa",
+          "attestation_token_broker": "Simple",
+          "attestation_token_config": {
+            "duration_min": 5
+          },
+          "rvps_config": {
+            "store_type": "LocalJson",
+            "store_config": {
+              "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+            }
+          }
+        },
+        "policy_engine_config": {
+          "policy_path": "/opt/confidential-containers/opa/policy.rego"
+        },
+        "intel_trust_authority_config" : {
+          "base_url": "https://api.trustauthority.intel.com",
+          "api_key": "tBfd5kKX2x9ahbodKV1...",
+          "certs_file": "https://portal.trustauthority.intel.com"
+        }
+    }

scripts/install-helpers/tdx-ita-kbsconfig.yaml

@@ -0,0 +1,19 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  labels:
+    app.kubernetes.io/name: kbsconfig
+    app.kubernetes.io/instance: kbsconfig
+    app.kubernetes.io/part-of: trustee-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: trustee-operator
+  name: cluster-kbsconfig
+  namespace: trustee-operator-system
+spec:
+  kbsConfigMapName: tdx-ita-config
+  kbsAuthSecretName: kbs-auth-public-key
+  kbsDeploymentType: AllInOneDeployment
+  kbsRvpsRefValuesConfigMapName: rvps-reference-values
+  kbsSecretResources: ["kbsres1"]
+  kbsResourcePolicyConfigMapName: resource-policy
+  #kbsServiceType: NodePort

scripts/install-helpers/tdx-ita-resource-policy-cm.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-policy
+  namespace: trustee-operator-system
+data:
+  policy.rego: |
+    package policy
+    default allow = false
+    allow {
+            input["attester_type"] != "sample"
+    }