feat!: update to sandbox container operator 1.9.0

BREAKING CHANGE: Configuration is no longer compatible with OSC 1.8.1 or Trustee 0.2.0

Signed-off-by: Chris Butler <[email protected]>

Author: butler54

README.md

@@ -11,51 +11,112 @@ The target operating model has two clusters:
 On the platform a a sample workload is deployed
 
 1. Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee).
-   1. This is currently working out of the box (or close to).
+2. A sample application `kbs-access` which presents secrets obtained from trustee to a web service. This is designed to allow users to test locked down environments.
 
 Future work includes:
 
-2. Red Hat OpenShift AI is deployed where a multi-layer perceptron to predict fraud is deployed as a confidential workload for inference
-2. Enirnonments which will work sucessfully across multiple cloud providers
+1. Supporting a multiple cluster deployment
+2. Supporting multiple infrastructure providers
+3. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs.
 
 
 ## Current constraints and assumptions
-- Only currently is known to work with `azure` as the provider of confidential vms via peer-pods
-- Only known to work today with everything on one cluster. The work to expand this is in flight
-- You must be able to get a lets-encrypt certificate. This means the service credentials in openshift must be able to manipulate the dns zone used by OpenSift.
-- 
-- RHOAI data science cluster must be disabled until required components are deployed.
+
+- Only currently is known to work with `azure` as the provider of confidential vms via peer-pods.
+- Only known to work today with everything on one cluster. The work to expand this is in flight.
+- If not using ARO you must either provide your own CA signed certs, or use let's encrypt.
 - Must be on 4.16.14 or later.
 
+## Major versions
+
+### `2.*`
+This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support:
+- (OpenShift Sandboxed Containers Operator) `1.9.*`
+- Trustee `0.3.*`
+
+This limits support to OpenShift 4.16 and higher.
+
+The pattern has been tested on Azure for two installation methods:
+1. Installing onto an ARO cluster
+2. Self managed OpenShift install using the `openshift-install` CLI. **REQUIRES ADDITIONAL CONFIGURATION**
+
+### `1.0.0`
+1.0.0 supports OpenShift Sandboxed containers version `1.8.1` along with Trustee version `0.2.0`.
+
+The pattern has been tested on Azure for one installation method:
+1. Self managed OpenShift install using the `openshift-install` CLI
+
+
 
 ## validated pattern flavours 
 **Today the demo has one flavour**. 
 A number are planned based on various different hub cluster-groups.
 You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file. 
 
 
-
 `values-simple.yaml`: or the `simple` cluster group is the default for the pattern.
 It deploys a hello-openshift application 3 times: 
 - A standard pod
 - A kata container with peer-pods
 - A confidential kata-container
 
-`values-ai.yaml`: Is currently a work in progress. 
+## Setup instructions
 
 
+### Default single cluster setup with `values-simple.yaml`
 
-## Setup instructions
+The instructions here presume you have a cluster. See further down for provisioning instructions for a cluster.
+
+#### Fork and Clone the GitHub repo
+1. Following [standard validated patterns workflow](https://validatedpatterns.io/learn/workflow/) fork the repository and clone to your development enviroment which has `podman` and `git`
+2. If using a particular version (e.g. `1.0.0`) checkout the correct tag.
 
-### Default single cluster setup with `values-simple.yaml`
 
 #### Configuring required secrets / parameters
 The secrets here secure Trustee and the peer-pod vms. Mostly they are for demonstration purposes. 
 This only has to be done once.
 
 1. Run `sh scripts/gen-secrets.sh`
 
-#### Install on an OCP cluster on azure using Red Hat Demo Platform
+#### Configuring let's encrypt.
+
+Trustee requires a trusted CA issued certificate. Let's Encrypt is included for environments without a trusted cert on OpenShift's routes.
+
+If you need a Let's Encrypt certificate to be issued the `letsencrypt` application configuration needs to be changed as below.
+```yaml
+    
+    ---
+    # Default configuration, safe for ARO
+    letsencrypt:
+      name: letsencrypt
+      namespace: letsencrypt
+      project: hub
+      path: charts/all/letsencrypt
+      # Default to 'safe' for ARO
+      overrides:
+      - name: letsencrypt.enabled
+        value: false
+    ---
+    # Explicitly correct configuration for enabling let's encrypt
+    letsencrypt:
+      name: letsencrypt
+      namespace: letsencrypt
+      project: hub
+      path: charts/all/letsencrypt
+      overrides:
+      - name: letsencrypt.enabled
+        value: true  
+```
+
+This *must* first be pushed before deploying the pattern onto the cluster 
+
+#### Installing onto a cluster
+Once you configuration is pushed (if required) `./pattern.sh make install` to provision a cluster. 
+
+
+## Cluster setup (if not already setup)
+
+### Single cluster install on an OCP cluster on azure using Red Hat Demo Platform
 
 Red Hat a demo platform. This allows easy access for Red Hat associates and partners to ephemeral cloud resources. The pattern is known to work with this setup.
 1. Get the [openshift installer](https://console.redhat.com/openshift/downloads)
@@ -69,12 +130,13 @@ Red Hat a demo platform. This allows easy access for Red Hat associates and part
       export SUBSCRIPTION=
       export RESOURCEGROUP=
   ```
+1. Ensure Let's encrypt 
 1. Run the wrapper install script 
   1. `sh ./rhdp/wrapper.sh`
 1. You *should* be done
   1. You *may* need to recreate the hello world peer-pods depending on timeouts.
 
-#### Install azure *not* usign Red Hat Demo platform
+### Single cluster install on plain old azure *not* using Red Hat Demo Platform
 **NOTE: Don't use the default node sizes.. increase the node sizes such as below**
 
 
@@ -94,19 +156,8 @@ Red Hat a demo platform. This allows easy access for Red Hat associates and part
 2. `openshift-install create cluster --dir=./ocp-install`
 3. Once installed:
   1. Login to `oc`
-  2. `./pattern.sh make install 
-
+  2. Configure Let's Encrypt (if required)
+  3. `./pattern.sh make install`
 
 ### Multi cluster setup
 TBD
-
-### Multi-cluster setup with AI
-TBD
-
-## Future work
-- Support spreading remote attestation and workload to separate clusters.
-- Finish AI work.
-- Allow use of bare metal infrastructure with Intel TDX or AMD SEV-SMP.
-
-
-