docs: Updated installation using helm charts

Signed-off-by: Pawel Proskurnicki <pawel.proskurnicki@intel.com>

Author: pawelpros

assets/scss/_styles_project.scss

@@ -1 +1 @@
-@import 'td/code-dark'
+@import 'td/code-dark';

…/en/docs/getting-started/installation.md …s/getting-started/installation/_index.mdcontent/en/docs/getting-started/installation.md renamed to content/en/docs/getting-started/installation/_index.md content/en/docs/getting-started/installation.md renamed to content/en/docs/getting-started/installation/_index.md

@@ -1,23 +1,36 @@
 ---
-title: Installation 
+title: Installation
 description: Installing Confidential Containers with Helm charts
-weight: 20
+weight: 11
 categories:
-- getting-started 
+  - getting-started
 tags:
-- helm
-- installation
+  - helm
+  - installation
 ---
+
 {{% alert title="Note" color="primary" %}}
 Make sure you have completed the pre-requisites before installing Confidential Containers.
 {{% /alert %}}
 
-### Install CoCo with Helm
+## Install CoCo with Helm
 
-Install the CoCo runtime using the Helm chart, substituting `<VERSION>` with the desired
-[release version](https://github.com/confidential-containers/charts/releases):
+Install the CoCo runtime using the Helm chart from the Confidential Containers charts
+repository.
 
+{{< tabpane text=true right=true >}}
+{{% tab header="Latest release" lang="bash" %}}
+Install the latest released version:
+```bash
+helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
+  --namespace coco-system \
+  --create-namespace
 ```
+{{% /tab %}}
+{{% tab header="Pinned version" lang="bash" %}}
+Substitute `<VERSION>` with the desired [release version](https://github.com/confidential-containers/charts/releases):
+
+```bash
 helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
   --version <VERSION> \
   --namespace coco-system \
@@ -26,16 +39,18 @@ helm install coco oci://ghcr.io/confidential-containers/charts/confidential-cont
 
 For example, to install version v0.18.0:
 
-```
+```bash
 helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
-  --version v0.18.0 \
+  --version 0.18.0 \
   --namespace coco-system \
   --create-namespace
 ```
+{{% /tab %}}
+{{< /tabpane >}}
 
 Wait until each pod has the STATUS of Running.
 
-```
+```bash
 kubectl get pods -n coco-system --watch
 ```
 
@@ -45,14 +60,14 @@ see the [charts repository documentation](https://github.com/confidential-contai
 ### Verify Installation
 
 See if the expected runtime classes were created.
-```
+```bash
 kubectl get runtimeclass
 ```
 
 The available runtimeclasses depend on the architecture:
 
 {{< tabpane text=true right=true >}}
- {{% tab header="x86_64" lang="bash" %}}
+{{% tab header="x86_64" lang="bash" %}}
 | runtimeclass | Description |
 | ------------ | ----------- |
 | `kata-qemu-coco-dev` | Development/testing runtime |
@@ -61,18 +76,26 @@ The available runtimeclasses depend on the architecture:
 | `kata-qemu-tdx` | Intel TDX |
 | `kata-qemu-nvidia-gpu-snp` | NVIDIA GPU with AMD SEV-SNP protection |
 | `kata-qemu-nvidia-gpu-tdx` | NVIDIA GPU with Intel TDX protection |
-  {{% /tab %}}
-  {{% tab header="s390x" lang="bash" %}}
+{{% /tab %}}
+{{% tab header="s390x" lang="bash" %}}
 | runtimeclass | Description |
 | ------------ | ----------- |
 | `kata-qemu-coco-dev` | Development/testing runtime |
 | `kata-qemu-coco-dev-runtime-rs` | Development/testing runtime (Rust-based) |
 | `kata-qemu-se` | IBM Secure Execution |
 | `kata-qemu-se-runtime-rs` | IBM Secure Execution (Rust-based) |
-  {{% /tab %}}
-  {{% tab header="peer-pods" lang="bash" %}}
+{{% /tab %}}
+{{% tab header="peer-pods" lang="bash" %}}
 | runtimeclass | Description |
 | ------------ | ----------- |
 | `kata-remote` | Peer-pods |
-  {{% /tab %}}
+{{% /tab %}}
 {{< /tabpane >}}
+
+### Uninstall
+
+To uninstall Confidential Containers and delete the `coco-system` namespace, run:
+```bash
+helm uninstall coco --namespace coco-system
+kubectl delete namespace coco-system
+```

content/en/docs/getting-started/installation/advanced_configuration.md

@@ -0,0 +1,138 @@
+---
+title: Customization
+description: Customize the Helm chart deployment of Confidential Containers
+weight: 1
+categories:
+- installation
+- helm
+---
+The Helm chart can be customized by passing additional parameters to the `helm install` command.
+
+## Important Notes
+
+1. **Node Selectors:** When setting node selectors with dots in the key, escape them: `node-role\.kubernetes\.io/worker`
+2. **Namespace:** All examples use `coco-system` namespace. Adjust as needed for your environment
+3. **Architecture:** The default architecture is x86_64. Other architectures must be explicitly specified
+4. **Comma Escaping:** When using `--set` with values containing commas, escape them with `\,`
+
+## Customizing deployment
+
+You can combine architecture values files (with `-f`) and/or with `--set` flags for customizations.
+
+
+### Using `--set` flags
+
+To customize the installation using `--set` flags, run one of the following commands based on your architecture:
+
+```bash
+# For x86_64
+
+helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
+  --set kata-as-coco-runtime.debug=true \
+  --namespace coco-system \
+  --create-namespace
+
+# For s390x
+
+helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
+  -f https://raw.githubusercontent.com/confidential-containers/charts/main/values/kata-s390x.yaml \
+  --set kata-as-coco-runtime.debug=true \
+  --namespace coco-system \
+  --create-namespace
+```
+
+Parameters that are commonly customized (use `--set` flags):
+
+| Parameter                               | Description                                             | Default  |
+|-----------------------------------------|---------------------------------------------------------|----------|
+| `kata-as-coco-runtime.imagePullPolicy`  | Image pull policy                                       | `Always` |
+| `kata-as-coco-runtime.imagePullSecrets` | Image pull secrets for private registry                 | `[]`     |
+| `kata-as-coco-runtime.k8sDistribution`  | Kubernetes distribution (k8s, k3s, rke2, k0s, microk8s) | `k8s`    |
+| `kata-as-coco-runtime.nodeSelector`     | Node selector for deployment                            | `{}`     |
+| `kata-as-coco-runtime.debug`            | Enable debug logging                                    | `false`  |
+
+#### Structured Configuration (Kata Containers)
+
+The chart uses Kata Containers' structured configuration format for TEE shims. Parameters set by architecture-specific
+kata runtime values files:
+
+| Parameter                                                          | Description                                                                             | Set by values/kata-*.yaml |
+|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------|---------------------------|
+| `architecture`                                                     | Architecture label for NOTES                                                            | `x86_64` or `s390x`       |
+| `kata-as-coco-runtime.snapshotter.setup`                           | Array of snapshotters to set up (e.g., `["nydus"]`)                                     | Architecture-specific     |
+| `kata-as-coco-runtime.shims.<shim-name>.enabled`                   | Enable/disable specific shim (e.g., `qemu-snp`, `qemu-tdx`, `qemu-se`, `qemu-coco-dev`) | Architecture-specific     |
+| `kata-as-coco-runtime.shims.<shim-name>.supportedArches`           | List of architectures supported by the shim                                             | Architecture-specific     |
+| `kata-as-coco-runtime.shims.<shim-name>.containerd.snapshotter`    | Snapshotter to use for containerd (e.g., `nydus`, `""` for none)                        | Architecture-specific     |
+| `kata-as-coco-runtime.shims.<shim-name>.containerd.forceGuestPull` | Enable experimental force guest pull                                                    | `false`                   |
+| `kata-as-coco-runtime.shims.<shim-name>.crio.guestPull`            | Enable guest pull for CRI-O                                                             | Architecture-specific     |
+| `kata-as-coco-runtime.shims.<shim-name>.agent.httpsProxy`          | HTTPS proxy for guest agent                                                             | `""`                      |
+| `kata-as-coco-runtime.shims.<shim-name>.agent.noProxy`             | No proxy settings for guest agent                                                       | `""`                      |
+| `kata-as-coco-runtime.runtimeClasses.enabled`                      | Create runtimeclass resources                                                           | `true`                    |
+| `kata-as-coco-runtime.runtimeClasses.createDefault`                | Create default k8s runtimeclass                                                         | `false`                   |
+| `kata-as-coco-runtime.runtimeClasses.defaultName`                  | Name for default runtimeclass                                                           | `"kata"`                  |
+| `kata-as-coco-runtime.defaultShim.<arch>`                          | Default shim per architecture (e.g., `amd64: qemu-snp`)                                 | Architecture-specific     |
+
+#### Additional Parameters (kata-deploy options)
+
+These inherit from kata-deploy defaults but can be overridden:
+
+| Parameter                                     | Description                       | Default                               |
+|-----------------------------------------------|-----------------------------------|---------------------------------------|
+| `kata-as-coco-runtime.image.reference`        | Kata deploy image                 | `quay.io/kata-containers/kata-deploy` |
+| `kata-as-coco-runtime.image.tag`              | Kata deploy image tag             | Chart's application version           |
+| `kata-as-coco-runtime.env.installationPrefix` | Installation path prefix          | `""` (uses kata-deploy defaults)      |
+| `kata-as-coco-runtime.env.multiInstallSuffix` | Suffix for multiple installations | `""`                                  |
+
+See [quickstart](https://github.com/confidential-containers/charts/blob/main/QUICKSTART.md) for complete customization examples and usage.
+ 
+### Using file based values
+
+Prepare `my-values.yaml` file in one of the following ways:
+
+- Using latest default values downloaded from the chart:
+
+  ```bash
+  helm show values oci://ghcr.io/confidential-containers/charts/confidential-containers > my-values.yaml
+  ```
+
+- Using newly created file `my-values.yaml` with your customizations, e.g., for s390x with debug and node selector:
+
+  ```yaml
+  architecture: s390x
+  
+  kata-as-coco-runtime:
+    env:
+      debug: "true"
+      shims: "qemu-coco-dev qemu-se"
+      snapshotterHandlerMapping: "qemu-coco-dev:nydus,qemu-se:nydus"
+      agentHttpsProxy: "http://proxy.example.com:8080"
+    nodeSelector:
+      node-role.kubernetes.io/worker: ""
+  ```
+
+  List of custom values examples can be found in the [examples-custom-values](https://github.com/confidential-containers/charts/blob/main/examples-custom-values.yaml).
+
+Install chart using your custom values file:
+
+```bash
+helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
+  -f my-values.yaml \
+  --namespace coco-system \
+  --create-namespace
+```
+
+#### Multiple combined customization options
+
+Customizations using `--set` flags can be combined with file based values using `-f`.
+
+See below example which will provide s390x architecture, enable debug logging, and set a node selector for worker nodes.
+
+```bash
+helm install coco oci://ghcr.io/confidential-containers/charts/confidential-containers \
+  -f https://raw.githubusercontent.com/confidential-containers/charts/main/values/kata-s390x.yaml \
+  --set kata-as-coco-runtime.env.debug=true \
+  --set kata-as-coco-runtime.nodeSelector."node-role\.kubernetes\.io/worker"="" \
+  --set kata-as-coco-runtime.k8sDistribution=k3s \
+  --namespace coco-system \
+  --create-namespace
+```

content/en/docs/getting-started/prerequisites/software.md

@@ -12,7 +12,7 @@ Confidential Containers requires Kubernetes.
 A cluster must be installed before installing the Helm charts.
 Many different clusters can be used but they should meet the following requirements.
 - The minimum Kubernetes version is 1.24
-- Cluster must use `containerd`. Note: `cri-o` is not tested with the Helm charts for baremetal deployments.
+- Cluster must use `containerd` in version 1.7+ or newer. Note: `cri-o` is not tested with the Helm charts for baremetal deployments.
 - At least one node has the label `node.kubernetes.io/worker`.
 - SELinux is not enabled.
 - Helm 3.8+ is installed.

content/en/docs/getting-started/workload.md

@@ -12,8 +12,8 @@ Once you've used the Helm charts to install Confidential Containers, you can run
 First, we will use the `kata-qemu-coco-dev` runtime class which uses CoCo without hardware support.
 Initially we will try this with an unencrypted container image.
 
-In this example, we will be using the bitnami/nginx image as described in the following yaml:
-```
+In this example, we will be using the nginx image as described in the following yaml:
+```yaml
 apiVersion: v1
 kind: Pod
 metadata:
@@ -24,8 +24,8 @@ metadata:
     io.containerd.cri.runtime-handler: kata-qemu-coco-dev
 spec:
   containers:
-  - image: bitnami/nginx:1.22.0
-    name: nginx
+  - name: nginx
+    image: nginx:1.29.4
   dnsPolicy: ClusterFirst
   runtimeClassName: kata-qemu-coco-dev
 ```
@@ -36,16 +36,16 @@ the only requirement for the pod YAML.
 Create a pod YAML file as previously described (we named it `nginx.yaml`) .
 
 Create the workload:
-```
+```bash
 kubectl apply -f nginx.yaml
 ```
 Output:
-```
+```bash
 pod/nginx created
 ```
 
 Ensure the pod was created successfully (in running state):
-```
+```bash
 kubectl get pods
 ```
 Output:

styles/config/vocabularies/coco/accept.txt

@@ -170,3 +170,4 @@ SBOM[s]
 TDX
 SNP
 Tekton
+snapshotter[s]