feat: initial drop

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

.github/workflows/conventional-pr.yml

@@ -0,0 +1,26 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+    branches:
+      - 'main'
+      - 'develop'
+jobs:
+  lint:
+    if: ${{ github.head_ref != 'develop' }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: npm install @commitlint/cli @commitlint/config-conventional
+
+    - name: Validate PR title
+      run: |
+        PR_TITLE=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH")
+        echo "$PR_TITLE" | npx commitlint --config commitlint.config.js

Chart.yaml

@@ -1,6 +1,9 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
 keywords:
 - pattern
-name: vp-template
+- trustee
+- confidential-computing
+- confidential-containers
+name: trustee
 version: 0.0.1

README.md

@@ -1,10 +1,14 @@
-# vp-template
+# trustee
 
 ![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+A helm chart to deploy trustee into the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other charts.
+
+What is needed in addition to the chart to make this work?
+1. The [gen-certificate](https://github.com/validatedpatterns/coco-pattern/blob/main/ansible/gen-certificate.yaml) ansible job.
+2. A subscription to Red Hat Build of Trustee
+3. Creating (at least) a container security policy [as describe here](https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_red_hat_build_of_trustee/deploying-trustee_azure-trustee#creating-image-verification-policy_azure-trustee)
 
-This chart is used to serve as the template for Validated Patterns Charts
 
 ### Notable changes
 

commitlint.config.js

@@ -0,0 +1 @@
+module.exports = { extends: ['@commitlint/config-conventional'] }

templates/.keep

@@ -0,0 +1,25 @@
+{{- if ne .Values.global.secretStore.backend "none" }}
+{{- range .Values.kbs.secretResources }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata: 
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: {{ .name }}-eso
+  namespace: trustee-operator-system
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ $.Values.secretStore.name }}
+    kind: {{ $.Values.secretStore.kind }}
+  target:
+    name: {{ .name }}
+    template:
+      type: Opaque
+  dataFrom:
+  - extract:
+      key: {{ .key }}
+{{- end }}
+{{- end }}
+

templates/dynamic-eso.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kbs-config
+  namespace: trustee-operator-system
+data:
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = false
+    private_key = "/etc/https-key/tls.key"
+    certificate = "/etc/https-cert/tls.crt"
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/publicKey"
+
+    [attestation_token]
+    insecure_key = true
+    attestation_token_type = "CoCo"
+
+    [attestation_service]
+    type = "coco_as_builtin"
+    work_dir = "/opt/confidential-containers/attestation-service"
+    policy_engine = "opa"
+
+      [attestation_service.attestation_token_broker]
+      type = "Ear"
+      policy_dir = "/opt/confidential-containers/attestation-service/policies"
+
+      [attestation_service.attestation_token_config]
+      duration_min = 5
+
+      [attestation_service.rvps_config]
+      type = "BuiltIn"
+
+        [attestation_service.rvps_config.storage]
+        type = "LocalJson"
+        file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"

templates/kbs-config-map.yaml

@@ -0,0 +1,23 @@
+{{- if ne .Values.global.secretStore.backend "none" }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: kbs-auth-public-key-eso
+  namespace: trustee-operator-system
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.secretStore.name }}
+    kind: {{ .Values.secretStore.kind }}
+  data:
+  target:
+    name: kbs-auth-public-key
+    template:
+      type: Opaque
+  dataFrom:
+  - extract:
+      key: {{ .Values.kbs.publicKey }}
+{{- end }}

templates/kbs-operator-keys.yaml

@@ -0,0 +1,16 @@
+# Single cluster deploy don't use the route yet.
+--- 
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: kbs
+  namespace: trustee-operator-system
+spec:
+  port:
+    targetPort: 8080
+  to:
+    kind: Service
+    name: kbs-service
+    weight: 100
+  tls:
+    termination: passthrough

templates/kbs-route.yaml

@@ -0,0 +1,37 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig
+  namespace: trustee-operator-system
+spec:
+  kbsConfigMapName: kbs-config
+  kbsAuthSecretName: kbs-auth-public-key
+  kbsDeploymentType: AllInOneDeployment
+  kbsRvpsRefValuesConfigMapName: rvps-reference-values
+  kbsSecretResources: 
+    {{- range .Values.kbs.secretResources }}
+    - "{{ .name }}"
+    {{- end }}
+    - "security-policy"
+  kbsHttpsKeySecretName: kbs-https-key
+  kbsHttpsCertSecretName: kbs-https-certificate
+  kbsResourcePolicyConfigMapName: resource-policy
+
+  # TDX specific configuration (optional)
+  # tdxConfigSpec:
+  #   kbsTdxConfigMapName: tdx-config
+
+  # IBM SE specific configuration (optional)
+  # ibmSEConfigSpec:
+  #   certStorePvc: <persistent-volume-claim>
+
+  # Override attestation policy (optional)
+  # kbsAttestationPolicyConfigMapName: attestation-policy 
+
+  # Inject environment variables (optional)
+  # Enable DEBUG logging in trustee pods
+  KbsEnvVars: 
+    RUST_LOG: debug
+
+  # service type (optional, it defaults to ClusterIP)
+  kbsServiceType: ClusterIP