Automation scripts for provisioning Confidential Containers (CoCo) infrastructure. Currently supports ARO (Azure Red Hat OpenShift), with potential for other platforms in the future.
Automate end-to-end CoCo setup: cluster creation, Trustee (attestation), and OSC (OpenShift Sandboxed Containers) with peer pods. Used for testing custom KServe builds with CoCo.
- The subscription has a cleanup policy (`dpp-toolkit` service principal) that deletes resource groups after ~12 hours. Request preservation before creating clusters.
- ARO-managed resource groups (`aro-*`) may be protected by Azure from deletion, but use `--cluster-resource-group` to give them a predictable name and request preservation anyway.
- Must deploy to `eastus2` for H100 peer pods (`Standard_NCC40ads_H100_v5`). `Standard_D8as_v5` and `Standard_D8ds_v5` can hit `ZonalAllocationFailed` in `eastus2` (transient). `Standard_D8s_v5` works.
- Must register the `Microsoft.RedHatOpenShift` provider before the first ARO create.
- Create ARO cluster (`create-aro.sh`)
- Install Trustee + cert-manager (`install-trustee.sh`)
- Configure Trustee (`configure-trustee.sh` with `TRUSTEE_ENV=gen`)
- Install OSC (`install-osc.sh`)
- Configure OSC (`configure-osc.sh` with `INITDATA_PATH=./trustee/initdata.toml OSC_ENV=aro`)
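A preflight check that encodes the notes above so `create-aro.sh` is not launched into a known failure (provider not registered, wrong region, flaky worker SKU, unnamed cluster resource group). This is an added example, not one of the repo's scripts; it assumes the `az` CLI is logged in when `run_preflight` is called and that `LOCATION`, `WORKER_VM_SIZE` and `CLUSTER_RESOURCE_GROUP` are the variables the caller intends to pass to `create-aro.sh` (names assumed here).

```shell
#!/bin/sh
# Added preflight example, not one of the repo's scripts. Encodes the notes
# above so create-aro.sh is not run into a known failure. Assumes `az` is
# logged in when run_preflight is called; LOCATION, WORKER_VM_SIZE and
# CLUSTER_RESOURCE_GROUP are assumed names for what the caller will pass to
# create-aro.sh. The check_* functions are pure so they run without Azure.
set -eu

# Microsoft.RedHatOpenShift must be registered before the first ARO create.
check_provider_state() { [ "$1" = "Registered" ]; }

# H100 peer pods (Standard_NCC40ads_H100_v5) require eastus2.
check_location() { [ "$1" = "eastus2" ]; }

# Worker SKU: 0 = known good, 2 = may hit ZonalAllocationFailed in eastus2
# (transient, retry), 1 = not covered by the notes.
check_worker_size() {
  case "$1" in
    Standard_D8s_v5) return 0 ;;
    Standard_D8as_v5|Standard_D8ds_v5) return 2 ;;
    *) return 1 ;;
  esac
}

# An explicit --cluster-resource-group gives the aro-* group a predictable
# name to quote in the preservation request.
check_cluster_rg() { [ -n "$1" ]; }

run_preflight() {
  state=$(az provider show --namespace Microsoft.RedHatOpenShift \
            --query registrationState -o tsv)
  check_provider_state "$state" ||
    { echo "provider is '$state': run az provider register --namespace Microsoft.RedHatOpenShift"; return 1; }
  check_location "${LOCATION:-}" ||
    { echo "LOCATION='${LOCATION:-}': H100 peer pods need eastus2"; return 1; }
  rc=0; check_worker_size "${WORKER_VM_SIZE:-}" || rc=$?
  case "$rc" in
    2) echo "warning: ${WORKER_VM_SIZE} may hit ZonalAllocationFailed in eastus2; retry or use Standard_D8s_v5" ;;
    1) echo "WORKER_VM_SIZE='${WORKER_VM_SIZE:-}' is not a known-good SKU (Standard_D8s_v5)"; return 1 ;;
  esac
  check_cluster_rg "${CLUSTER_RESOURCE_GROUP:-}" ||
    { echo "set CLUSTER_RESOURCE_GROUP so the aro-* group has a predictable name"; return 1; }
  echo "preflight ok: request preservation for ${CLUSTER_RESOURCE_GROUP} (~12h cleanup), then run create-aro.sh"
}

# Only touch Azure when explicitly asked, so the file can be sourced for tests.
if [ "${1:-}" = "run" ]; then run_preflight; fi
```

Run it as `sh preflight.sh run` with the same environment you will hand to `create-aro.sh`; a non-zero exit means one of the notes above applies.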
- `/coco-create` — Create ARO cluster with full CoCo setup
- `/coco-destroy` — Tear down cluster and clean up all resource groups
- `/coco-status` — Check cluster and CoCo component status
- Lowercase, no period, imperative mood (e.g., "add status script for cluster and CoCo components")