Releases: validatedpatterns/coco-pattern
Releases · validatedpatterns/coco-pattern
Release list
v6.0.0 — Milestone 1: Pattern Modernization & Reliability
v6.0.0 — Milestone 1: Pattern Modernization & Reliability
Breaking Changes
- Default topology renamed:
simple→azure(clusterGroupName: azurein values-global.yaml). Existingsimpledeployments must update theirvalues-global.yaml. - ESO migration:
golang-external-secretsreplaced by Red Hatopenshift-external-secrets(OCP 4.20+). Old ESO namespace/chart refs are removed. - Custom imperative container removed: All imperative jobs now use the framework default container. References to
ghcr.io/butler54/imperative-containerare gone. - Chart version bumps: trustee-chart 0.8., sandboxed-containers 0.2., sandboxed-policies 0.2.*
New Features
- Authenticated registry support: CoCo pods pull from
registry.redhat.iovia ACM-distributed pull secret and KBS credential - Hardware profile gating:
global.hardware.profilecontrols which operators are active (intel-tdx, amd-snp, *-gpu variants) - ArgoCD sync-wave ordering: Infrastructure (wave 0) → MCO-triggering operators (wave 10) → vault-dependent apps (wave 20) → workloads (wave 30), with a vault-unseal sync hook at wave 5
- Manual subscription sync-wave: sandbox/trustee subscriptions at wave 10 to prevent SA/auto-approve deadlock
- Workload charts: hello-openshift (3 variants), kbs-access-curl (CDH pattern), kbs-access-sealed (sealed secret), gpu-workload — all using Red Hat httpd-24
- Container signing infrastructure: sigstore/GPG key management via
make cache-keys(enforcement blocked by upstream image-rs bug) - NVIDIA GPU support: GPU operator, IOMMU MachineConfig, CC GPU verification workload
- Firmware reference values: Automated collection via veritas container for bare metal attestation
- E2E testing skills: 4 composable verification skills with false-positive detection (cluster-verify, pattern-deploy-verify, coco-workload-verify, secrets-verify)
Bug Fixes
- Fix Kyverno race condition: sync-waves ensure initdata injection before workload pods start
- Fix imperative SA config: use admin SA for CronJobs requiring cluster-wide permissions
- Fix hello-openshift port mismatch: all deployments consistently use httpd-24 on port 8080
- Remove embedded Red Hat signing keys from source (download from official URLs instead)
Phases Completed
- Framework & Chart Updates
- Eliminate Custom Container
- Authenticated Registry
- Values File Simplification
- Test Workload Replacement
- Container Signing Policy (infrastructure ready, enforcement blocked upstream)
- E2E Testing Skills
- ArgoCD Sync Hooks Sequencing
🤖 Generated with Claude Code
v5.6.1
v5.6.0
5.6.0 (2026-06-01)
Features
- update trustee-chart to v0.7.* across all profiles (#93) (bfc6374), closes validatedpatterns/trustee-chart#32