User guide

This is the user guide. In this setup we automatically install and configure the operators, then run an example.

Reminder: In a real deployment, Trustee (everything running in the trustee-operator-system namespace) runs in a separate, trusted environment from the cluster that hosts the confidential workloads. Because of the limitations of this ARO workshop, it is not possible to set up two clusters, so both run in the same cluster here; treat the trustee-operator-system namespace as if it were that trusted, separate environment.

Setting up the environment

  1. Go into the terminal on the right and run the following commands:

    • Log into the Azure CLI with the workshop service principal (replace the placeholders with your values): az login --service-principal --username=insert_your_sp_here --password=insert_your_sppw_here --tenant=insert_your_tid_here

    • Export the AZURE_RESOURCE_GROUP variable. It is needed when setting up the operator: export AZURE_RESOURCE_GROUP=insert_your_rg_here

  2. If you need to use the web UI (not necessary in this workshop):

    • Navigate to the OpenShift Console

    • Login as administrator:

      • Username: kubeadmin

      • Password: insert_your_pw_here

Automatically set up the environment

All you need to do is download the script below and let it run to completion. It configures the cluster with whatever oc and az credentials are active in your terminal, so skim it before running it.

The script applies the same configuration as the admin guide, with the following choices:

  • The container image signature policy accepts any image, signed or unsigned, so image signatures are not enforced.

    • Refer here if you want to change it.

  • INITDATA permits container logs but disallows arbitrary exec. The only exec command allowed is the curl that fetches the kbsres1 keys, which is needed to run the hello-openshift example.

    • Refer here if you want to change OSC INITDATA.

    • If you change INITDATA in OSC, you must also update the PCR8 reference value in Trustee: the INITDATA measurement is reflected in PCR8, and attestation fails when the measured value no longer matches the reference value. After updating it, restart the Trustee deployment with oc rollout restart deployment/trustee-deployment -n trustee-operator-system

  • Trustee already has the necessary keys to run all the next examples.

    • Refer here if you want to change Trustee secrets or add new ones. After the change, restart the Trustee deployment with oc rollout restart deployment/trustee-deployment -n trustee-operator-system.

  • The CoCo CVM root disk size is 10 GB.

    • Refer here (ROOT_VOLUME_SIZE) to change it. The minimum is 6. After the change, restart the osc-caa-ds DaemonSet so the new size takes effect: oc set env ds/osc-caa-ds -n openshift-sandboxed-containers-operator REBOOT="$(date)".

curl -L https://raw.githubusercontent.com/confidential-devhub/workshop-on-ARO-showroom/refs/heads/main/helpers/configure.sh -o configure.sh

chmod +x configure.sh

./configure.sh
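The three commands above fetch configure.sh from the mutable main branch and execute it with your cluster-admin and Azure service-principal credentials. As an added example (not part of the workshop or its configure.sh), the wrapper below does the pre-flight checks a practitioner would want around that step: it confirms AZURE_RESOURCE_GROUP is exported and that az and oc are logged in, downloads the script, and compares its SHA-256 digest against a pin you record after reviewing the script once. The pin is passed through the CONFIGURE_SH_SHA256 variable, which is an assumption of this example, not something the workshop defines.

```bash
#!/bin/sh
# Added example: pre-flight and integrity checks around running configure.sh.
# Not part of the workshop material. POSIX sh; works under bash and dash.
set -eu

SCRIPT_URL="https://raw.githubusercontent.com/confidential-devhub/workshop-on-ARO-showroom/refs/heads/main/helpers/configure.sh"
# Assumption (this example only): the reviewer records the digest of the
# script they inspected in CONFIGURE_SH_SHA256. Empty means "not pinned yet".
PINNED_SHA256="${CONFIGURE_SH_SHA256:-}"

# require_env NAME: succeed only if the named variable is set and non-empty.
require_env() {
  name="$1"
  eval "val=\${$name:-}"
  if [ -z "$val" ]; then
    echo "missing required variable: $name" >&2
    return 1
  fi
}

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# digest_matches FILE EXPECTED: succeed only if FILE's digest equals EXPECTED
# (hex, compared case-insensitively).
digest_matches() {
  actual="$(sha256_of "$1")"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# run_configure: the guide's download-and-run step with the checks in front.
run_configure() {
  require_env AZURE_RESOURCE_GROUP
  # configure.sh drives az and oc with whatever identities are active here.
  az account show >/dev/null 2>&1 || { echo "not logged into the Azure CLI" >&2; return 1; }
  oc whoami >/dev/null 2>&1 || { echo "not logged into the cluster" >&2; return 1; }

  curl -fsSL "$SCRIPT_URL" -o configure.sh
  actual="$(sha256_of configure.sh)"
  if [ -z "$PINNED_SHA256" ]; then
    # First run: do not execute an unreviewed script from a moving branch.
    echo "configure.sh sha256: $actual" >&2
    echo "review configure.sh, then re-run with CONFIGURE_SH_SHA256=$actual" >&2
    return 1
  fi
  digest_matches configure.sh "$PINNED_SHA256" || {
    echo "configure.sh digest $actual does not match the pinned value" >&2
    return 1
  }
  chmod +x configure.sh
  ./configure.sh
}

# Only run the real procedure when invoked as: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  run_configure
fi
```

Save it as preflight.sh, run `./preflight.sh --run` once to print the digest, read configure.sh, then run `CONFIGURE_SH_SHA256=<digest> ./preflight.sh --run`. Because the URL points at refs/heads/main, the pinned digest is what tells you the script you reviewed is the one that is about to run.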

Now that the configuration is complete, let's run some examples!