From 1e9d944c2fa40a2c67ad24dce656e166ea8cd0ee Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Tue, 26 May 2026 19:47:43 +0900
Subject: [PATCH] feat: consolidate trustee and kyverno overrides via extraValueFiles

Remove duplicated inline overrides across profiles by consolidating common configuration into shared override files loaded via extraValueFiles.

Changes:
- Fix overrides/values-trustee.yaml: remove FIXME global.coco.secured, add kbs.admin.format and kbs.https.enabled
- Create overrides/values-kyverno.yaml with securityContext nulls and CRD/report disables for OpenShift compatibility
- Wire both override files via extraValueFiles in values-simple.yaml, values-baremetal.yaml, values-baremetal-gpu.yaml, values-trusted-hub.yaml
- Remove inline duplicates (admin.format, secured, https, secretResources, all kyverno securityContext/CRD overrides)
- Keep profile-specific inline overrides: tdx, collateralService, gpu.enabled, backgroundController.resources

Reduces ~25 lines of duplication per profile while maintaining profile-specific customization.
---
 overrides/values-kyverno.yaml | 27 +++++++++++++++++++++++
 overrides/values-trustee.yaml | 21 +++++++++---------
 values-baremetal-gpu.yaml | 40 ++++-------------------------------
 values-baremetal.yaml | 40 ++++-------------------------------
 values-simple.yaml | 30 ++++----------------------
 values-trusted-hub.yaml | 7 ++----
 6 files changed, 51 insertions(+), 114 deletions(-)
 create mode 100644 overrides/values-kyverno.yaml

diff --git a/overrides/values-kyverno.yaml b/overrides/values-kyverno.yaml
new file mode 100644
index 00000000..1adf4423
--- /dev/null
+++ b/overrides/values-kyverno.yaml
@@ -0,0 +1,27 @@
+# Shared Kyverno chart overrides loaded via extraValueFiles.
+# OpenShift security context compatibility: null all securityContext fields.
+# Disable wgpolicyk8s CRDs and reports controller (not needed for coco-pattern).
+# Profile-specific overrides (backgroundController.resources) stay inline in values-.yaml.
+admissionController:
+  container:
+    securityContext: null
+  initContainer:
+    securityContext: null
+backgroundController:
+  securityContext: null
+cleanupController:
+  securityContext: null
+reportsController:
+  securityContext: null
+  enabled: false
+crds:
+  migration:
+    securityContext: null
+  groups:
+    wgpolicyk8s:
+      policyreports: false
+      clusterpolicyreports: false
+webhooksCleanup:
+  securityContext: null
+test:
+  securityContext: null
diff --git a/overrides/values-trustee.yaml b/overrides/values-trustee.yaml
index 03dd120a..2c110c4e 100644
--- a/overrides/values-trustee.yaml
+++ b/overrides/values-trustee.yaml
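Review bot: The fourth header line ends in `values-.yaml`, which reads as a lost placeholder (presumably the per-profile file name, e.g. `values-<profile>.yaml`); the same fragment appears in the values-trustee.yaml header. The header should also say why the fields are `null` rather than `{}`: in a Helm values file a null value deletes the key from the chart defaults, so the rendered pods carry no securityContext at all and get whatever the OpenShift SCC admission assigns — e.g. `# null (not {}) deletes the chart's default securityContext so the pod receives the SCC-assigned runAsUser/seccompProfile.` Whether every Kyverno workload is then admitted under the intended SCC is not visible from the diff and is worth checking on a rendered cluster.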
@@ -1,14 +1,13 @@
-# Override the default values for the trustee chart
-# This lists the secret resources that are uploaded to your chosen ESO backend (today by default, Vault).
-# it does not contain the secrets themselves
+# Shared trustee chart overrides loaded via extraValueFiles.
+# Common to all profiles: admin format, HTTPS config, secret resources.
+# Profile-specific overrides (tdx, collateralService, gpu, baremetal) stay inline in values-.yaml.
 kbs:
+  admin:
+    format: "v1.1"
+  https:
+    enabled: false
   secretResources:
-    - name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH
-      key: "secret/data/hub/kbsres1" # this is the path to the secret in vault.
+    - name: "kbsres1"
+      key: "secret/data/hub/kbsres1"
     - name: "passphrase"
-      key: "secret/data/hub/passphrase"
-# Override the default values for the coco pattern this is because when testing against a branch strange stuff happens
-# FIXME: Don't commit this to main
-global:
-  coco:
-    secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.
\ No newline at end of file
+      key: "secret/data/hub/passphrase"
\ No newline at end of file
diff --git a/values-baremetal-gpu.yaml b/values-baremetal-gpu.yaml
index 7253b777..35772fd5 100644
--- a/values-baremetal-gpu.yaml
+++ b/values-baremetal-gpu.yaml
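Review bot: `global.coco.secured` is dropped rather than consolidated: the old side set it to true here, and the hunks in values-baremetal-gpu.yaml, values-baremetal.yaml and values-trusted-hub.yaml remove their inline `global.coco.secured: "true"` as well, so after this commit nothing in those profiles sets it and the chart default applies — and the deleted comment says false means an insecure cluster. Either carry `global: coco: secured: true` in this shared file (without the FIXME) or state explicitly in the commit message that relying on the chart default is intended. The deleted comments explaining the two secretResources fields were useful; keep a short version, e.g. `# name: the k8s Secret presented to trustee via the CDH; key: its path in Vault (no secret values live here)`. The new side also still ends without a trailing newline.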
@@ -118,25 +118,13 @@ clusterGroup:
       project: trustee
       chart: trustee
       chartVersion: 0.3.*
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
       overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
-        - name: kbs.https.enabled
-          value: "false"
-        - name: kbs.secretResources[0].name
-          value: kbsres1
-        - name: kbs.secretResources[0].key
-          value: secret/data/hub/kbsres1
         - name: kbs.tdx.enabled
           value: "true"
         - name: kbs.tdx.collateralService
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-        - name: kbs.secretResources[1].name
-          value: passphrase
-        - name: kbs.secretResources[1].key
-          value: secret/data/hub/passphrase
         - name: kbs.gpu.enabled
           value: "true"
@@ -235,29 +223,9 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
       overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
         - name: backgroundController.resources.limits.memory
           value: "512Mi"
         - name: backgroundController.resources.requests.memory
diff --git a/values-baremetal.yaml b/values-baremetal.yaml
index 9a10ef38..b78e614f 100644
--- a/values-baremetal.yaml
+++ b/values-baremetal.yaml
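Review bot: In the second hunk `extraValueFiles` is inserted directly after the `- ServerSideApply=true` entry, and the `limit: 20` context shows that list sits inside `syncPolicy`; the indentation is not recoverable from this view, so confirm the new key is at the application level beside `overrides` (as in the first hunk of this file) and not nested under `syncPolicy`, where it would most likely be ignored and the chart's default securityContext values would apply unchanged. The same placement is used in the Kyverno hunks of values-baremetal.yaml and values-simple.yaml. Since the inline `overrides` that remain are Helm parameters, they keep taking precedence over the shared file, so the tdx/gpu/resources settings are unaffected by the consolidation.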
@@ -108,25 +108,13 @@ clusterGroup:
       project: trustee
       chart: trustee
       chartVersion: 0.3.*
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
       overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
-        - name: kbs.https.enabled
-          value: "false"
-        - name: kbs.secretResources[0].name
-          value: kbsres1
-        - name: kbs.secretResources[0].key
-          value: secret/data/hub/kbsres1
         - name: kbs.tdx.enabled
           value: "true"
         - name: kbs.tdx.collateralService
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-        - name: kbs.secretResources[1].name
-          value: passphrase
-        - name: kbs.secretResources[1].key
-          value: secret/data/hub/passphrase
     storage:
       name: storage
@@ -208,29 +196,9 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
       overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
         - name: backgroundController.resources.limits.memory
           value: "512Mi"
         - name: backgroundController.resources.requests.memory
diff --git a/values-simple.yaml b/values-simple.yaml
index f4235303..85fbaee8 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -80,9 +80,8 @@ clusterGroup:
       project: trustee
       chart: trustee
       chartVersion: 0.3.*
-      overrides:
-        - name: kbs.admin.format
-          value: "v1.1"
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
     sandbox:
       name: sandbox
       namespace: openshift-sandboxed-containers-operator #upstream config
@@ -130,29 +129,8 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
-      overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
     coco-kyverno-policies:
       name: coco-kyverno-policies
diff --git a/values-trusted-hub.yaml b/values-trusted-hub.yaml
index 0806bd77..436de0df 100644
--- a/values-trusted-hub.yaml
+++ b/values-trusted-hub.yaml
@@ -69,11 +69,8 @@ clusterGroup:
       repoURL: https://github.com/butler54/trustee-chart.git
       path: .
       chartVersion: feature/trustee-1.1-compat
-      overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
     sandbox-policies:
       name: sandbox-policies
       namespace: openshift-sandboxed-containers-operator #upstream config
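Review bot: Loading values-trustee.yaml into values-simple.yaml (first hunk) and values-trusted-hub.yaml (last hunk) is more than de-duplication: on the old side those two profiles set only `kbs.admin.format` (trusted-hub also `global.coco.secured`), and they now additionally receive `kbs.https.enabled: false` and the two `kbs.secretResources` entries pointing at `secret/data/hub/...` from the shared file. If the simple profile does not deploy the ESO/Vault backend those paths refer to, or trusted-hub was relying on the chart's HTTPS default, this is a behaviour change that the commit message does not mention; either keep those two keys profile-specific or document the intended effect. The trusted-hub application also pins a fork branch (`chartVersion: feature/trustee-1.1-compat`), so the shared file's keys should be checked against that branch's values schema, not only against `0.3.*`.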