Openshift sandboxed containers / KATA-4063

Fix Confidential Computing prerequisites and setup


    • Bug
    • Resolution: Done
    • High
    • OSC 1.10.0
    • None
    • Documentation
    • None
    • Quality / Stability / Reliability
    • False
    • False
    • Bugs and Vulnerability Issues
    • 0

      If the user jumps into confidential computing steps without looking at OSC normal setup steps, the whole guide will start with steps to update files and configs. If the user didn't follow the normal OSC setup, these steps won't work and the user has no reference to where the previous steps are.

      For example:
      1. go to main doc: https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/
      2. click on confidential containers: https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_confidential_containers
      3. start with actual steps https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_confidential_containers/deploying-cc_azure-cc

      The guide only mentions in the prerequisite: "You have installed OpenShift sandboxed containers on the Azure cluster." but this can be misinterpreted as installing just the operator.

      And then asks to update some configmap that is assumed to be there.

      2 possible solutions:
      1. Add a link to the normal guide in the prerequisite. I think that's the easiest but is a bit ugly because the user first sets the operator for normal peer pods, and then has to enable confidential and update the same files set up earlier.
      2. Assume the user starts from scratch, duplicate the steps shared with the normal guide, and merge the updates all together.


      Avital

      Task scope: The Confidential Containers guide needs to be a standalone guide. User should not have to jump between OSC and CoCo guides.

      Changes affect both IBM and Azure, 1.10+

      Updates:

      • Remove "Install OSC" from prerequisites because it implies user only needs to install the OSC Operator.
      • Add the following sections to the CoCo guide:
        • Peer pod resource requirements
        • Outbound connections (Azure)
        • Installing OSC Operator
        • Creating peer pods secret (optional for Azure, required for IBM)
      • At this point, resume CoCo workflow: Enable feature gate, Create initdata remain the same
      • "Updating peer pods config map" -> "Creating peer pods config map"
      • "Deleting/Re-creating KataConfig CR" -> "Creating KataConfig CR"
      • "Verifying attestation" remains the same

       

              apinnick@redhat.com Avital Pinnick
              eesposit@redhat.com Emanuele Giuseppe Esposito
              Tom Buskey Tom Buskey