Skip to content

feat: add bare metal support for Intel TDX and AMD SEV-SNP#73

Open
butler54 wants to merge 1 commit intovalidatedpatterns:mainfrom
butler54:baremetal-tp-releases-squashed
Open

feat: add bare metal support for Intel TDX and AMD SEV-SNP#73
butler54 wants to merge 1 commit intovalidatedpatterns:mainfrom
butler54:baremetal-tp-releases-squashed

Conversation

@butler54
Copy link
Collaborator

@butler54 butler54 commented Mar 9, 2026

Summary

  • Adds a new baremetal clusterGroup for deploying CoCo on bare metal with Intel TDX or AMD SEV-SNP hardware
  • NFD auto-detects CPU TEE capabilities and labels nodes accordingly
  • RuntimeClasses for kata-tdx and kata-snp created automatically
  • MachineConfigs for kernel parameters (TDX) and vsock device access
  • Intel DCAP chart with PCCS and QGS services for TDX attestation
  • Storage support via HPP, LVMS, or external providers
  • PCCS secrets generation added to gen-secrets.sh
  • Platform override files for BareMetal and None platforms
  • Documentation for Dell TDX configuration, NFD notes, and bare metal PCR reference values

Test plan

  • Deploy baremetal clusterGroup on Intel TDX hardware
  • Deploy baremetal clusterGroup on AMD SEV-SNP hardware
  • Verify NFD correctly labels nodes with TEE capabilities
  • Verify kata-tdx/kata-snp RuntimeClasses are created
  • Verify PCCS and QGS services deploy on Intel nodes
  • Verify existing Azure deployments (simple, trusted-hub, spoke) are unaffected

🤖 Generated with Claude Code

@butler54 butler54 requested a review from a team March 9, 2026 06:30
@butler54 @claude
feat: add bare metal support for Intel TDX and AMD SEV-SNP
bad2552 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@butler54 butler54 force-pushed the baremetal-tp-releases-squashed branch from b4eaf36 to bad2552 Compare March 10, 2026 02:22
bpradipt
bpradipt reviewed Mar 10, 2026
View reviewed changes
ansible/detect-runtime-class.yaml
- amd.feature.node.kubernetes.io/snp=true
register: snp_nodes

- name: Set runtime handler for Intel TDX
Copy link
Collaborator

@bpradipt bpradipt Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't this conflict with the OSC operator runtimeclass creation?

bpradipt
bpradipt reviewed Mar 10, 2026
View reviewed changes
charts/all/baremetal/bm-kernel-params.yaml
@@ -0,0 +1,2 @@
[hypervisor.qemu]
kernel_params="agent.aa_kbc_params=cc_kbc::http://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
Copy link
Collaborator

@bpradipt bpradipt Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can avoid this and provide all config via initdata or via pod annotations. Otherwise there could be inconsistencies between config via cmd line and initdata creating hard to debug issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bpradipt bpradipt bpradipt left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@butler54 @bpradipt