Merge pull request #446 from beraldoleal/release-1.7-v2

Sync release-1.7 with devel

Author: beraldoleal

PROJECT

@@ -13,7 +13,7 @@ repo: github.com/openshift/sandboxed-containers-operator
 resources:
 - group: confidentialcontainers
   kind: PeerPodConfig
-  path: github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1
+  path: github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/api/v1alpha1
   version: v1alpha1
 - controller: true
   domain: kataconfiguration.openshift.io
@@ -30,7 +30,7 @@ resources:
   controller: true
   domain: confidentialcontainers.org
   kind: PeerPod
-  path: github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl/api/v1alpha1
+  path: github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl/api/v1alpha1
   version: v1alpha1
 - controller: true
   group: core

config/peerpods/credentials-requests/credentials_request_aws.yaml

@@ -10,8 +10,31 @@ spec:
   providerSpec:
     apiVersion: cloudcredential.openshift.io/v1
     kind: AWSProviderSpec
-    statementEntries: # limit permissions
+    statementEntries:
     - effect: Allow
-      action:
-        - "*"
       resource: "*"
+      action:
+        - "ec2:*"
+        # By default we allow all ec2 actions to prevent dysfunctioning for untested configurations.
+        # The following actions were extracted from AWS CloudTrail Event History,
+        # filtered based on access key, for peer-pod execution with default configuration.
+        # use it to restrict the requested permissions.
+        #- ec2:AuthorizeSecurityGroupIngress
+        #- ec2:CreateDefaultVpc
+        #- ec2:CreateImage
+        #- ec2:CreateKeyPair
+        #- ec2:CreateTags
+        #- ec2:CreateSecurityGroup
+        #- ec2:DeleteKeyPair
+        #- ec2:DeleteSecurityGroup
+        #- ec2:DescribeImages
+        #- ec2:DescribeInstances
+        #- ec2:DescribeInstanceTypes
+        #- ec2:DescribeRegions
+        #- ec2:DescribeSecurityGroups
+        #- ec2:DescribeSubnets
+        #- ec2:DescribeVolumes
+        #- ec2:DescribeVpcs
+        #- ec2:RunInstances
+        #- ec2:StopInstances
+        #- ec2:TerminateInstances

config/peerpods/credentials-requests/credentials_request_azure.yaml

@@ -10,5 +10,7 @@ spec:
   providerSpec:
     apiVersion: cloudcredential.openshift.io/v1
     kind: AzureProviderSpec
-    roleBindings: # limit
-      - role: Contributor
+    roleBindings:
+      - role: Reader
+      - role: Virtual Machine Contributor
+      - role: Network Contributor

config/peerpods/peerpodssecret.yaml

@@ -10,4 +10,10 @@ stringData:
   #LIBVIRT_NET: "default
   #LIBVIRT_POOL: "default"
   #REDHAT_OFFLINE_TOKEN: "" #Required to download rhel base image : Download token from https://access.redhat.com/management/api
-  
+  #HOST_KEY_CERTS: "" #Download the certificate from https://www.ibm.com/support/resourcelink/api/content/public/host-key-documents.html and make sure the certficate lines are aligned
+  # Example:
+  # HOST_KEY_CERTS: |
+  #   -----BEGIN CERTIFICATE-----
+  #   xxx
+  #   xxx
+  #   -----END CERTIFICATE-----

config/peerpods/podvm/lib.sh

@@ -208,20 +208,36 @@ function prepare_source_code() {
     # links must be relative
     if [[ "${AGENT_POLICY}" ]]; then
         echo "Custom agent policy is being set through the AGENT_POLICY value"
-        echo ${AGENT_POLICY} | base64 -d > "${podvm_dir}"/files/etc/kata-opa/custom.rego
-        if [[ $? == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
-            ln -sf custom.rego  "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+        echo "${AGENT_POLICY}" | base64 -d >"${podvm_dir}"/files/etc/kata-opa/custom.rego
+        return_code=$?
+        if [[ "$return_code" == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
+            ln -sf custom.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
         else
             error_exit "Invalid AGENT_POLICY value set, expected base64 encoded valid agent policy, got: \"${AGENT_POLICY}\""
-	fi
+        fi
     elif [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
         echo "Setting custom agent policy to CoCo's recommended policy"
         sed 's/default ReadStreamRequest := true/default ReadStreamRequest := false/;
             s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
-            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
+            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego >"${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
         ln -sf coco-default-policy.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
     fi
     echo "~~~ Current Agent Policy ~~~" && cat "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+
+    # Fix disk mounts for CoCo
+    if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
+        create_overlay_mount_unit
+    fi
+
+    # Validate and copy HKD for IBM Z Secure Enablement 
+    if [[ "$SE_BOOT" == "true" ]]; then
+        if [[ -z "$HOST_KEY_CERTS" ]]; then
+            error_exit "Error: HKD is not present."
+        else
+            echo "$HOST_KEY_CERTS" >> "${podvm_dir}/files/HKD.crt"
+        fi
+    fi
+
 }
 
 # Download and extract pause container image
@@ -267,6 +283,36 @@ function download_and_extract_pause_image() {
 
 }
 
+# Function to create overlay mount unit in the podvm files
+# this ensures rw (overlay) layer for the container images are in memory (encrypted)
+function create_overlay_mount_unit() {
+    # The actual mount point is /run/kata-containers/image/overlay
+    local unit_name="run-kata\\x2dcontainers-image-overlay.mount"
+    local unit_path="${podvm_dir}/files/etc/systemd/system/${unit_name}"
+
+    cat <<EOF >"${unit_path}"
+[Unit]
+Description=Mount unit for /run/kata-containers/image/overlay
+Before=kata-agent.service
+
+[Mount]
+What=tmpfs
+Where=/run/kata-containers/image/overlay
+Type=tmpfs
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    echo "Mount unit created at ${unit_name}"
+
+    # Enable the mount unit by creating a symlink
+    # This syntax works to create the symlink to the unit file in ${podvm_dir}/files/etc/systemd/system
+    ln -sf ../"${unit_name}" "${podvm_dir}/files/etc/systemd/system/multi-user.target.wants/${unit_name}" ||
+        error_exit "Failed to enable the overlay mount unit"
+
+}
+
 # Global variables
 
 # Set global variable for the source code directory

config/peerpods/podvm/libvirt-podvm-image-cm.yaml

@@ -21,4 +21,8 @@ data:
   # Libvirt specific
   ORG_ID: ""
   ACTIVATION_KEY: ""
-  BASE_OS_VERSION: "9.2"
+  BASE_OS_VERSION: "9.4"
+
+  # To Enable SE for IBM Z
+  SE_BOOT: "true"
+  

config/peerpods/podvm/libvirt-podvm-image-handler.sh

@@ -8,7 +8,6 @@
 # Create image (-c)
 # Delete image (-C)
 
-set -x
 # include common functions from lib.sh
 # shellcheck source=/dev/null
 # The directory is where libvirt-podvm-image-handler.sh is located
@@ -73,6 +72,15 @@ function create_libvirt_image() {
 # Function to dowload the rhel base image
 
 function download_rhel_kvm_guest_qcow2() {
+    #Validate RHEL version for IBM Z Secure Enablement
+    if [ "$SE_BOOT" == "true" ]; then
+        version=$(echo $BASE_OS_VERSION | awk -F "." '{ print $1 }')
+        release=$(echo $BASE_OS_VERSION | awk -F "." '{ print $2 }')
+        if [[ "$version" -lt 9 || ("$version" -eq 9 && "$release" -lt 4) ]]; then
+            error_exit "Libvirt Secure Execution supports RHEL OS version 9.4 or above"
+        fi
+    fi
+
     ARCH=$(uname -m)
     export ARCH
 

config/peerpods/podvm/osc-podvm-create-job.yaml

@@ -57,11 +57,10 @@ spec:
             - name: payload
               mountPath: /payload
             - name: regauth
-              mountPath: /tmp/regauth  
+              mountPath: /tmp/regauth
             - name: ssh-key-secret
               mountPath: "/root/.ssh/"
               readOnly: true
-              optional: true             
       volumes:
         - name: payload
           emptyDir: {}
@@ -75,4 +74,5 @@ spec:
             - key: id_rsa
               path: "id_rsa"
             defaultMode: 0400
+            optional: true
       restartPolicy: Never

config/peerpods/podvm/osc-podvm-delete-job.yaml

@@ -49,7 +49,6 @@ spec:
             - name: ssh-key-secret
               mountPath: "/root/.ssh/"
               readOnly: true
-              optional: true
       volumes:
         - name: ssh-key-secret
           secret:
@@ -58,5 +57,6 @@ spec:
             - key: id_rsa
               path: "id_rsa"
             defaultMode: 0400
+            optional: true
 
       restartPolicy: Never

controllers/openshift_controller.go

@@ -24,7 +24,7 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1"
+	"github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/api/v1alpha1"
 
 	appsv1 "k8s.io/api/apps/v1"
 

go.mod

@@ -3,11 +3,11 @@ module github.com/openshift/sandboxed-containers-operator
 go 1.21
 
 require (
-	github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl v0.8.0-alpha.1
-	github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl v0.8.0-alpha.1
+	github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl v0.9.0
+	github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl v0.9.0
 	github.com/coreos/ignition/v2 v2.9.0
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-logr/logr v1.2.4
+	github.com/go-logr/logr v1.4.1
 	github.com/onsi/ginkgo/v2 v2.9.5
 	github.com/onsi/gomega v1.27.7
 	github.com/openshift/api v0.0.0-20231204192004-bfea29e5e6c4
@@ -23,18 +23,16 @@ require (
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
-	github.com/IBM-Cloud/power-go-client v1.2.3 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/IBM/go-sdk-core/v5 v5.13.1 // indirect
-	github.com/IBM/platform-services-go-sdk v0.36.0 // indirect
 	github.com/IBM/vpc-go-sdk v0.35.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/avast/retry-go/v4 v4.3.3 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/avast/retry-go/v4 v4.5.1 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.21.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.15.11 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.6 // indirect
@@ -46,113 +44,94 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.7 // indirect
-	github.com/aws/smithy-go v1.14.2 // indirect
+	github.com/aws/smithy-go v1.17.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/confidential-containers/cloud-api-adaptor v0.8.1-0.20231116150709-232acecae0ca // indirect
-	github.com/containerd/containerd v1.6.8 // indirect
-	github.com/containerd/ttrpc v1.2.2 // indirect
-	github.com/containernetworking/plugins v1.1.1 // indirect
-	github.com/containers/podman/v4 v4.2.0 // indirect
-	github.com/coreos/go-iptables v0.6.0 // indirect
+	github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers v0.9.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/coreos/vcontext v0.0.0-20201120045928-b0e13dab675c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/zapr v1.2.4 // indirect
-	github.com/go-openapi/analysis v0.21.2 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
+	github.com/go-openapi/errors v0.20.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.1 // indirect
-	github.com/go-openapi/runtime v0.23.0 // indirect
-	github.com/go-openapi/spec v0.20.4 // indirect
-	github.com/go-openapi/strfmt v0.21.3 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/go-openapi/strfmt v0.21.7 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.11.2 // indirect
+	github.com/go-playground/validator/v10 v10.13.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobuffalo/flect v0.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231109143605-6c2a2a14fe78 // indirect
-	github.com/kdomanski/iso9660 v0.3.5 // indirect
+	github.com/kdomanski/iso9660 v0.4.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/vincent-petithory/dataurl v0.0.0-20191104211930-d1553a71de50 // indirect
-	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
-	github.com/vmware/govmomi v0.30.0 // indirect
-	go.mongodb.org/mongo-driver v1.11.2 // indirect
+	github.com/vmware/govmomi v0.33.1 // indirect
+	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
-	google.golang.org/grpc v1.58.3 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.28.3 // indirect
 	k8s.io/component-base v0.28.3 // indirect
-	k8s.io/cri-api v0.23.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
-	libvirt.org/go/libvirt v1.8002.0 // indirect
-	libvirt.org/go/libvirtxml v1.9004.0 // indirect
+	libvirt.org/go/libvirt v1.9008.0 // indirect
+	libvirt.org/go/libvirtxml v1.9007.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 

go.sum

@@ -21,8 +21,8 @@ import (
 	"flag"
 	"os"
 
-	peerpodcontrollers "github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl/controllers"
-	peerpodconfigcontrollers "github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/controllers"
+	peerpodcontrollers "github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl/controllers"
+	peerpodconfigcontrollers "github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/controllers"
 	configv1 "github.com/openshift/api/config/v1"
 	secv1 "github.com/openshift/api/security/v1"
 	mcfgapi "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io"
@@ -48,8 +48,8 @@ import (
 	_ "sigs.k8s.io/controller-tools/pkg/genall/help/pretty"
 	_ "sigs.k8s.io/controller-tools/pkg/loader"
 
-	peerpod "github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl/api/v1alpha1"
-	peerpodconfig "github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1"
+	peerpod "github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl/api/v1alpha1"
+	peerpodconfig "github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/api/v1alpha1"
 	ccov1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 
 	kataconfigurationv1 "github.com/openshift/sandboxed-containers-operator/api/v1"