openshift · gkurz · Oct 29, 2025 · Oct 28, 2025 · Oct 9, 2025
diff --git a/scripts/install-helpers/baremetal-coco/install.sh b/scripts/install-helpers/baremetal-coco/install.sh
@@ -359,6 +359,19 @@ function deploy_intel_dcap() {
     export PCCS_NODE
     export CLUSTER_HTTPS_PROXY
     envsubst <pccs.yaml.in >pccs.yaml
+
+    oc create secret generic pccs-secrets \
+      --namespace intel-dcap \
+      --from-literal=PCCS_API_KEY="$PCCS_API_KEY" \
+      --from-literal=PCCS_USER_TOKEN_HASH="$PCCS_USER_TOKEN_HASH" \
+      --from-literal=PCCS_ADMIN_TOKEN_HASH="$PCCS_ADMIN_TOKEN_HASH" \
+      --from-literal=PCCS_DB_NAME="$PCCS_DB_NAME" \
+      --from-literal=PCCS_DB_USERNAME="$PCCS_DB_USERNAME" \
+      --from-literal=PCCS_DB_PASSWORD="$PCCS_DB_PASSWORD" \
+      --dry-run=client -o yaml | oc apply -f -
+
+    echo "Secrets for PCCS applied."
+
     oc apply -f pccs.yaml || return 1
     wait_for_deployment pccs intel-dcap || return 1
 
@@ -732,6 +745,7 @@ function uninstall_intel_dcap() {
     oc delete -f qgs.yaml || return 1
     oc delete -f registration-ds.yaml || return 1
     oc delete -f pccs.yaml || return 1
+    oc delete secret pccs-secrets -n intel-dcap || return 1
     oc delete -f ns.yaml || return 1
     popd || return 1
 

diff --git a/scripts/install-helpers/baremetal-coco/intel-dcap/pccs.yaml.in b/scripts/install-helpers/baremetal-coco/intel-dcap/pccs.yaml.in
@@ -1,46 +1,4 @@
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: pccs-config
-  namespace: intel-dcap
-data:
-  default.json: |
-    {
-      "HTTPS_PORT" : 8042,
-      "hosts" : "0.0.0.0",
-      "uri": "https://api.trustedservices.intel.com/sgx/certification/v4/",
-      "ApiKey" : "${PCCS_API_KEY}",
-      "proxy" : "${CLUSTER_HTTPS_PROXY}",
-      "RefreshSchedule": "0 0 1 * * *",
-      "UserTokenHash" : "${PCCS_USER_TOKEN_HASH}",
-      "AdminTokenHash" : "${PCCS_ADMIN_TOKEN_HASH}",
-      "CachingFillMode" : "LAZY",
-      "OPENSSL_FIPS_MODE" : false,
-      "LogLevel" : "info",
-      "DB_CONFIG" : "sqlite",
-      "sqlite" : {
-        "database" : "${PCCS_DB_NAME}",
-        "username" : "${PCCS_DB_USERNAME}",
-        "password" : "${PCCS_DB_PASSWORD}",
-        "options" : {
-          "host": "localhost",
-          "dialect": "sqlite",
-          "pool": {
-            "max": 5,
-            "min": 0,
-            "acquire": 30000,
-            "idle": 10000
-          },
-          "define": {
-            "freezeTableName": true
-          },
-          "logging" : true,
-          "storage": "/var/cache/pccs/pckcache.db"
-        }
-      }
-    }
----
-apiVersion: v1
 kind: Secret
 metadata:
   name: pccs-tls
@@ -59,10 +17,10 @@ spec:
   selector:
     trustedservices.intel.com/cache: pccs
   ports:
-  - name: pccs
-    protocol: TCP
-    port: 8042
-    targetPort: pccs-port
+    - name: pccs
+      protocol: TCP
+      port: 8042
+      targetPort: pccs-port
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -81,35 +39,42 @@ spec:
         trustedservices.intel.com/cache: pccs
     spec:
       tolerations:
-      - effect: NoSchedule
-        key: node-role.kubernetes.io/master
-        operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
       nodeSelector:
         kubernetes.io/hostname: ${PCCS_NODE}
       initContainers:
-       - name: init-seclabel
-         image: registry.access.redhat.com/ubi9/ubi:latest
-         command: ["sh", "-c", "chcon -Rt container_file_t /var/cache/pccs"]
-         volumeMounts:
-         - name: host-database
-           mountPath: /var/cache/pccs
-         securityContext:
-           runAsUser: 0
-           runAsGroup: 0
-           privileged: true  # Required for chcon to work on host files
+        - name: init-seclabel
+          image: registry.access.redhat.com/ubi9/ubi:latest
+          command: [ "sh", "-c", "chcon -Rt container_file_t /var/cache/pccs" ]
+          volumeMounts:
+            - name: host-database
+              mountPath: /var/cache/pccs
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            privileged: true  # Required for chcon to work on host files
       containers:
         - name: pccs
-          image: quay.io/openshift_sandboxed_containers/dcap/pccs:0.2.0
+          image: quay.io/openshift_sandboxed_containers/dcap/pccs:0.2.4
+          envFrom:
+            - secretRef:
+                name: pccs-secrets
+          env:
+            - name: "PCCS_LOG_LEVEL"
+              value: "info"
+            - name: "CLUSTER_HTTPS_PROXY"
+              value: "${CLUSTER_HTTPS_PROXY}"
+            - name: "PCCS_FILL_MODE"
+              value: "LAZY"
           ports:
             - containerPort: 8042
               name: pccs-port
           volumeMounts:
             - name: pccs-tls
               mountPath: /opt/intel/pccs/ssl_key
               readOnly: true
-            - name: pccs-config
-              mountPath: /opt/intel/pccs/config
-              readOnly: true
             - name: host-database
               mountPath: /var/cache/pccs/
           securityContext:
@@ -118,9 +83,6 @@ spec:
         - name: pccs-tls
           secret:
             secretName: pccs-tls
-        - name: pccs-config
-          configMap:
-            name: pccs-config
         - name: host-database
           hostPath:
             path: /var/cache/pccs/