ibmcloud: Fixes and improvements to ROKS demo instructions
1. Changed the instructions to use latest ghcr.io podvm image.

2. Fixed Makefile to download correct OS version of cmctl.

3. Other small corrections and improvements to the doc.

Signed-off-by: Frank Budinsky <[email protected]>
frankbu authored and stevenhorsman committed Jan 17, 2025
1 parent 165e989 commit 648bda3
Showing 2 changed files with 20 additions and 10 deletions.
27 changes: 18 additions & 9 deletions src/cloud-api-adaptor/ibmcloud/ROKS_SETUP.md
Expand Up @@ -77,7 +77,7 @@ By default, your Red Hat OpenShift cluster will not work with the peer pod compo
ibmcloud is sg-rulec "$CLUSTER_SG" inbound udp --port-min 4789 --port-max 4789 --remote "$KATA_SG"
```

1. Allow `cloud-api-adapter` to update pod finalizers
1. Allow `cloud-api-adaptor` to update pod finalizers

```bash
kubectl apply -n default -f - <<EOF
Expand Down Expand Up @@ -108,36 +108,41 @@ By default, your Red Hat OpenShift cluster will not work with the peer pod compo
EOF
```
1. Label worker nodes for `cloud-api-adapter`
1. Label worker nodes for `cloud-api-adaptor`
```bash
kubectl label nodes $(kubectl get nodes -o jsonpath={.items..metadata.name}) node.kubernetes.io/worker=
```
1. Give `cc-operator` and `cloud-api-adapter` priviledged OpenShift SCC permission
1. Give `cc-operator` and `cloud-api-adaptor` priviledged OpenShift SCC permission
```bash
oc create namespace confidential-containers-system
oc project confidential-containers-system
oc adm policy add-scc-to-user privileged -z cc-operator-controller-manager
oc adm policy add-scc-to-user privileged -z cloud-api-adaptor
oc project default
```
## Upload a PeerPod VM Custom Image
A peer pod VM image needs to be created as a VPC custom image in IBM Cloud in order to create the peer pod instances
from. You can do this by following the [image instructions in README.md](./README.md#peer-pod-vm-image), or run the following command to use a prebuilt demo image.
Run the following command from the root directory of the `cloud-api-adapter` repository:
> [!WARNING]
> If you have a previously-downloaded image but have since refreshed the cloud-api-adaptor repo, you should re-import the image to make sure you are using an image that is compatible with the latest code.
Run the following command from the root directory of the `cloud-api-adaptor` repository:
```bash
src/cloud-api-adaptor/ibmcloud/image/import.sh quay.io/confidential-containers/podvm-generic-ubuntu-amd64:v0.11.0 "$REGION" --platform linux/amd64
src/cloud-api-adaptor/ibmcloud/image/import.sh ghcr.io/confidential-containers/podvm-generic-ubuntu-amd64:latest "$REGION" --platform linux/amd64
```
This script will end with the line: `Image <image-name> with id <image-id> is available`. Make note of the `image-id`, which will be
needed below.
Note: If the import.sh script fails and the CLI has not been configured with the COS instance before, you will need to include the `--instance` argument. Refer to [IMPORT_PODVM_TO_VPC.md](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/ibmcloud/IMPORT_PODVM_TO_VPC.md#running) for details.
> [!NOTE]
> If the import.sh script fails and the CLI has not been configured with the COS instance before, you will need to include the `--instance` argument. Refer to [IMPORT_PODVM_TO_VPC.md](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/ibmcloud/IMPORT_PODVM_TO_VPC.md#running) for details.
## Deploy the PeerPod Webhook
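Review bot: `:latest` on the new `import.sh` line is a mutable tag, where the line it replaces pinned `v0.11.0`, so the pod VM image a reader imports is no longer reproducible and can drift from the code they have checked out (the added WARNING block concedes as much). Pin the demo to a release tag or an image digest that matches the repository revision, or document how to choose the matching tag. Separately, the retitled step "Give `cc-operator` and `cloud-api-adaptor` priviledged OpenShift SCC permission" still misspells `privileged`; the line is already being touched, so fix it here.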
Expand All @@ -148,15 +153,15 @@ Follow the [webhook instructions in README.md](./README.md#deploy-peerpod-webhoo
The `caa-provisioner-cli` command can be use to simplify deployment of the operator and the cloud-api-adaptor resources on to any cluster. See the [test/tools/README.md](../test/tools/README.md) for full instructions. To create an ibmcloud-ready version of the provisioner CLI, run the following make command:
```bash
# Starting from directory src/cloud-api-adaptor of the cloud-api-adapter repository
# Starting from directory src/cloud-api-adaptor of the cloud-api-adaptor repository
pushd test/tools
make BUILTIN_CLOUD_PROVIDERS="ibmcloud" all
popd
```
This will create `caa-provisioner-cli` in the `src/cloud-api-adaptor/test/tools` directory. To use the command you will need to set up a `.properties` file containing the relevant ibmcloud information to enable your cluster to create and use peer-pods.
Set the SSH_KEY_ID and PODVM_IMAGE_ID environment variables and use the following command to generate the `.properties` file (Note that the IBMCLOUD_API_KEY, VPC_ID, and SUBNET_ID environment variables have already been set in [Set up an OpenShift Kubernetes cluster for PeerPod VMs
Set the SSH_KEY_ID and PODVM_IMAGE_ID environment variables to your values (Note that the IBMCLOUD_API_KEY, VPC_ID, and SUBNET_ID environment variables should already have been set in [Set up an OpenShift Kubernetes cluster for PeerPod VMs
](#set-up-an-openshift-kubernetes-cluster-for-peerpod-vms)):
```bash
Expand All @@ -165,7 +170,11 @@ export PODVM_IMAGE_ID= # the image id of the peerpod vm uploaded to ibmcloud
#export IBMCLOUD_API_KEY= # your ibmcloud apikey
#export VPC_ID=<your vpc id> # vpc that the cluster is in
#export SUBNET_ID=<your subnet id> # subnet to use (must have a public gateway attached)
```
Then run the following command to generate the `.properties` file:
```bash
cat <<EOF > ~/peerpods-cluster.properties
APIKEY="$IBMCLOUD_API_KEY"
SSH_KEY_ID="$SSH_KEY_ID"
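Review bot: `cat <<EOF > ~/peerpods-cluster.properties` writes `APIKEY="$IBMCLOUD_API_KEY"` to disk in plaintext with whatever permissions the shell's default umask gives, and the doc does not mention it now that this block is its own step. Add `umask 077` before the `cat`, or `chmod 600 ~/peerpods-cluster.properties` after it, and say in the preceding sentence that the generated file contains the API key.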
Expand Down Expand Up @@ -195,7 +204,7 @@ pushd test/tools
popd
```
Run the following command to confirm that the operator and cloud-api-adapter have been deployed:
Run the following command to confirm that the operator and cloud-api-adaptor have been deployed:
```bash
kubectl get pods -n confidential-containers-system
3 changes: 2 additions & 1 deletion src/webhook/Makefile
@@ -1,4 +1,5 @@
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
OS ?= $(shell uname | tr '[:upper:]' '[:lower:]')

# Image URL to use all building/pushing image targets
IMG ?= quay.io/confidential-containers/peer-pods-webhook:latest
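Review bot: `ARCH` on the line above the new `OS` variable only rewrites `x86_64` to `amd64`, so a host where `uname -m` prints `aarch64` passes that string unchanged into the `cmctl_${OS}_${ARCH}` download URL used later in this Makefile. If the goal of adding `OS` is to support hosts other than linux/amd64, map `aarch64` to `arm64` as well (assuming the cmctl asset names use `arm64`), and add a one-line comment listing the OS values the target expects.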
Expand Down Expand Up @@ -124,7 +125,7 @@ kind-deploy: docker-build kind-load deploy ## deploy the webhook in the local ki

.PHONY: deploy-cert-manager
deploy-cert-manager: ## Deploy cert-manager for webhook.
curl -fsSL -o cmctl https://github.com/cert-manager/cmctl/releases/latest/download/cmctl_linux_${ARCH}
curl -fsSL -o cmctl https://github.com/cert-manager/cmctl/releases/latest/download/cmctl_${OS}_${ARCH}
chmod +x cmctl
# Deploy cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.15.3/cert-manager.yaml
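Review bot: The `curl` line in `deploy-cert-manager` still pulls `cmctl` from `releases/latest` and makes it executable with no integrity check, while the cert-manager manifest two lines below is pinned to `v1.15.3`. Pin `cmctl` to a specific release and verify the download against a known checksum before `chmod +x`, so the tool version is reproducible and a tampered or mismatched binary fails the target instead of running.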