font/coco-infra
coco-infra

Automation scripts for provisioning Confidential Containers (CoCo) infrastructure.

ARO (Azure Red Hat OpenShift)

End-to-end setup for CoCo on ARO: creates the cluster, installs and configures Trustee (attestation) and OSC (OpenShift Sandboxed Containers) with peer pods.

Prerequisites

  • Azure CLI (az) logged in with a service principal that holds the Contributor and User Access Administrator roles (the roles ARO cluster creation requires)
  • Service principal credentials at ~/.azure/osServicePrincipal.json
  • OpenShift pull secret at ~/pull-secret.json
  • oc, skopeo, jq, podman installed

Both JSON files contain long-lived credentials (the service principal secret and registry pull tokens): keep them readable only by your user (chmod 600) and never commit them next to these scripts.

Quick Start

```bash
# Full setup from scratch (~1.5 hours)
cd aro
bash setup.sh

# With custom parameters
RESOURCE_GROUP=my-rg CLUSTER_NAME=my-cluster bash aro/setup.sh

# Skip cluster creation (use existing ARO cluster)
SKIP_CLUSTER=true bash aro/setup.sh

# Teardown
bash aro/teardown.sh
```

Configuration

| Variable | Default | Description |
|---|---|---|
| `RESOURCE_GROUP` | `${USER}-coco-rg` | Azure resource group |
| `CLUSTER_NAME` | `${USER}-coco` | ARO cluster name |
| `CLUSTER_RESOURCE_GROUP` | `${RESOURCE_GROUP}-managed` | ARO-managed resource group |
| `LOCATION` | `eastus2` | Azure region |
| `WORKER_VM_SIZE` | `Standard_D8s_v5` | Worker node VM size |
| `WORKER_COUNT` | `3` | Number of worker nodes |
| `ARO_VERSION` | `4.19.20` | OpenShift version (must be >= 4.18.30) |
| `SKIP_CLUSTER` | `false` | Skip cluster creation |

When running configure-trustee.sh or configure-osc.sh individually (not via setup.sh), the following variables are also needed:

| Variable | Default | Used by | Description |
|---|---|---|---|
| `TRUSTEE_ENV` | `gen` | configure-trustee.sh | Key source: `gen` (generate new) or `rhdp` |
| `OSC_ENV` | `rhdp` | configure-osc.sh | Platform: `aro`, `rhdp`, or `az` |
| `INITDATA_PATH` | `~/trustee/initdata.toml` | configure-osc.sh | Path to initdata.toml generated by configure-trustee.sh |
| `AZURE_INSTANCE_SIZE` | `Standard_DC4as_v5` | configure-osc.sh | Default peer pod VM size |
| `AZURE_INSTANCE_SIZES` | `Standard_DC2as_v5,...` | configure-osc.sh | Allowed peer pod VM sizes (comma-separated) |

Installation Order

When running scripts individually (not via setup.sh), order matters:

  1. create-aro.sh — cluster must exist first
  2. install-trustee.sh — Trustee + cert-manager operators
  3. configure-trustee.sh — generates keys, policies, and initdata.toml
  4. install-osc.sh — OSC operator
  5. configure-osc.sh — requires initdata.toml from step 3
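The ordering and variable rules above are easy to get wrong when the scripts are run by hand, so here is a small wrapper that enforces them before touching the cluster. This is an added example, not part of coco-infra: the tool list, the 4.18.30 version floor, the allowed `TRUSTEE_ENV` / `OSC_ENV` values and the script order come from this README, while the function names, the `DRY_RUN` switch and the `COCO_RUN` guard are this example's own.

```shell
#!/bin/sh
# Added example, not part of coco-infra: runs the aro/*.sh scripts in the
# order the README requires, after checking the values the individual scripts
# consume.  README facts: tool list, ARO_VERSION >= 4.18.30, TRUSTEE_ENV in
# {gen, rhdp}, OSC_ENV in {aro, rhdp, az}.  Assumptions of this example:
# the function names, DRY_RUN and the COCO_RUN guard.
set -eu

# version_ge A B: succeed when dotted version A is >= B, comparing the first
# three fields numerically (so 4.19.20 >= 4.18.30, but 4.9.99 < 4.18.30).
version_ge() {
    _a=$1 _b=$2 _i=1
    while [ "$_i" -le 3 ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _i=$((_i + 1))
    done
    return 0
}

# check_tools NAME...: fail on the first tool that is not on PATH.
check_tools() {
    for _t in "$@"; do
        if ! command -v "$_t" >/dev/null 2>&1; then
            echo "missing tool: $_t" >&2
            return 1
        fi
    done
    return 0
}

# validate_env: the values configure-trustee.sh / configure-osc.sh consume,
# with the README defaults applied when a variable is unset.
validate_env() {
    case ${TRUSTEE_ENV:-gen} in
        gen|rhdp) ;;
        *) echo "TRUSTEE_ENV must be gen or rhdp" >&2; return 1 ;;
    esac
    case ${OSC_ENV:-rhdp} in
        aro|rhdp|az) ;;
        *) echo "OSC_ENV must be aro, rhdp or az" >&2; return 1 ;;
    esac
    if ! version_ge "${ARO_VERSION:-4.19.20}" 4.18.30; then
        echo "ARO_VERSION must be >= 4.18.30" >&2
        return 1
    fi
    return 0
}

# require_initdata PATH: configure-osc.sh needs the initdata.toml written by
# configure-trustee.sh; refuse to continue if it is absent or empty.
require_initdata() {
    if [ ! -s "$1" ]; then
        echo "initdata.toml not found at $1; run configure-trustee.sh first" >&2
        return 1
    fi
    return 0
}

# run_step CMD...: print the step, then execute it unless DRY_RUN=1.
run_step() {
    echo "==> $*"
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    "$@"
}

main() {
    check_tools az oc skopeo jq podman
    validate_env
    if [ "${SKIP_CLUSTER:-false}" != true ]; then
        run_step bash aro/create-aro.sh
    fi
    run_step bash aro/install-trustee.sh
    run_step bash aro/configure-trustee.sh
    if [ "${DRY_RUN:-0}" != 1 ]; then
        require_initdata "${INITDATA_PATH:-$HOME/trustee/initdata.toml}"
    fi
    run_step bash aro/install-osc.sh
    run_step bash aro/configure-osc.sh
}

# Only run the pipeline when explicitly asked, so the file can also be sourced.
if [ "${COCO_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it from the repository root, for example `COCO_RUN=1 SKIP_CLUSTER=true OSC_ENV=aro sh run-coco.sh` against an existing cluster, or with `DRY_RUN=1` to print the steps without executing them. The `require_initdata` check is the one that matters in practice: if configure-trustee.sh failed part-way, configure-osc.sh would otherwise run with no initdata and the peer pods would come up without the attestation policy you expected.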

Scripts

| Script | Description |
|---|---|
| `aro/setup.sh` | Full end-to-end setup |
| `aro/create-aro.sh` | Create ARO cluster only |
| `aro/teardown.sh` | Delete cluster and resource group |
| `aro/status.sh` | Check cluster and CoCo component status |
| `aro/install-trustee.sh` | Install Trustee + cert-manager operators |
| `aro/configure-trustee.sh` | Configure Trustee with keys, policies, initdata |
| `aro/install-osc.sh` | Install OSC operator |
| `aro/configure-osc.sh` | Configure OSC with peer pods and KataConfig |

Claude Code Skills

The following Claude Code skills are available in .claude/skills/:

| Skill | Description |
|---|---|
| `/coco-create` | Create ARO cluster with full CoCo setup |
| `/coco-destroy` | Tear down cluster and clean up all resource groups |
| `/coco-status` | Check cluster and CoCo component status |
