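--- a/overrides/values-kyverno.yaml
+++ b/overrides/values-kyverno.yaml
@@ -0,0 +1,27 @@
+# Shared Kyverno chart overrides loaded via extraValueFiles.
+# OpenShift security context compatibility: null all securityContext fields.
+# Disable wgpolicyk8s CRDs and reports controller (not needed for coco-pattern).
+# Profile-specific overrides (backgroundController.resources) stay inline in values-<profile>.yaml.
+admissionController:
+container:
+securityContext: null
+initContainer:
+securityContext: null
+backgroundController:
+securityContext: null
+cleanupController:
+securityContext: null
+reportsController:
+securityContext: null
+enabled: false
+crds:
+migration:
+securityContext: null
+groups:
+wgpolicyk8s:
+policyreports: false
+clusterpolicyreports: false
+webhooksCleanup:
+securityContext: null
+test:
+securityContext: null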
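Review bot: Setting every securityContext to null (lines 31–51) discards the chart's own pod hardening and leaves runAsUser, seccomp and capability drops to whatever SCC the Kyverno namespace is admitted under; the header calls this "compatibility" but does not state that dependency. Suggest extending the header: `# securityContext is nulled so OpenShift's default restricted-v2 SCC injects the UID/seccomp/capability settings; do not bind the kyverno namespace to a more permissive SCC.` Disabling the wgpolicyk8s CRDs and the reports controller (lines 40, 46–47) also removes the PolicyReport output, so Audit-mode results will not be recorded anywhere — worth a second comment that violations are then only observable as webhook denials (Enforce) or in admission-controller logs.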
21 changes: 10 additions & 11 deletions overrides/values-trustee.yaml
@@ -1,14 +1,13 @@
# Override the default values for the trustee chart
# This lists the secret resources that are uploaded to your chosen ESO backend (today by default, Vault).
# it does not contain the secrets themselves
# Shared trustee chart overrides loaded via extraValueFiles.
# Common to all profiles: admin format, HTTPS config, secret resources.
# Profile-specific overrides (tdx, collateralService, gpu, baremetal) stay inline in values-<profile>.yaml.
kbs:
admin:
format: "v1.1"
https:
enabled: false
secretResources:
- name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH
key: "secret/data/hub/kbsres1" # this is the path to the secret in vault.
- name: "kbsres1"
key: "secret/data/hub/kbsres1"
- name: "passphrase"
key: "secret/data/hub/passphrase"
# Override the default values for the coco pattern this is because when testing against a branch strange stuff happens
# FIXME: Don't commit this to main
global:
coco:
secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.
key: "secret/data/hub/passphrase"
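Review bot: `global.coco.secured` is no longer set anywhere for the trustee chart: this shared file drops it with the removed `global:` block (lines 75–77), and the inline `global.coco.secured: "true"` overrides are also deleted from values-baremetal-gpu.yaml (lines 88–89), values-baremetal.yaml (151–152) and values-trusted-hub.yaml (259–260) with no replacement. Unless the chart defaults it to true, those profiles silently fall into the insecure mode the old comment described; add `global:` / `  coco:` / `    secured: true` to this file, or record the chart default in the header. `kbs.https.enabled: false` (line 65) is now common to every profile and deserves a one-line comment on why a plaintext KBS endpoint is acceptable here. The dropped inline explanations from lines 67–68 (`name` is the k8s Secret exposed through the CDH, `key` is the Vault path) were the only documentation of secretResources; restore them as comments above line 66.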
40 changes: 4 additions & 36 deletions values-baremetal-gpu.yaml
Expand Up @@ -118,25 +118,13 @@ clusterGroup:
project: trustee
chart: trustee
chartVersion: 0.3.*
extraValueFiles:
- '/overrides/values-trustee.yaml'
overrides:
- name: global.coco.secured
value: "true"
- name: kbs.admin.format
value: "v1.1"
- name: kbs.https.enabled
value: "false"
- name: kbs.secretResources[0].name
value: kbsres1
- name: kbs.secretResources[0].key
value: secret/data/hub/kbsres1
- name: kbs.tdx.enabled
value: "true"
- name: kbs.tdx.collateralService
value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
- name: kbs.secretResources[1].name
value: passphrase
- name: kbs.secretResources[1].key
value: secret/data/hub/passphrase
- name: kbs.gpu.enabled
value: "true"

Expand Down Expand Up @@ -235,29 +223,9 @@ clusterGroup:
limit: 20
syncOptions:
- ServerSideApply=true
extraValueFiles:
- '/overrides/values-kyverno.yaml'
overrides:
- name: admissionController.container.securityContext
value: "null"
- name: admissionController.initContainer.securityContext
value: "null"
- name: backgroundController.securityContext
value: "null"
- name: cleanupController.securityContext
value: "null"
- name: reportsController.securityContext
value: "null"
- name: crds.migration.securityContext
value: "null"
- name: webhooksCleanup.securityContext
value: "null"
- name: test.securityContext
value: "null"
- name: crds.groups.wgpolicyk8s.policyreports
value: "false"
- name: crds.groups.wgpolicyk8s.clusterpolicyreports
value: "false"
- name: reportsController.enabled
value: "false"
- name: backgroundController.resources.limits.memory
value: "512Mi"
- name: backgroundController.resources.requests.memory
40 changes: 4 additions & 36 deletions values-baremetal.yaml
Expand Up @@ -108,25 +108,13 @@ clusterGroup:
project: trustee
chart: trustee
chartVersion: 0.3.*
extraValueFiles:
- '/overrides/values-trustee.yaml'
overrides:
- name: global.coco.secured
value: "true"
- name: kbs.admin.format
value: "v1.1"
- name: kbs.https.enabled
value: "false"
- name: kbs.secretResources[0].name
value: kbsres1
- name: kbs.secretResources[0].key
value: secret/data/hub/kbsres1
- name: kbs.tdx.enabled
value: "true"
- name: kbs.tdx.collateralService
value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
- name: kbs.secretResources[1].name
value: passphrase
- name: kbs.secretResources[1].key
value: secret/data/hub/passphrase

storage:
name: storage
Expand Down Expand Up @@ -208,29 +196,9 @@ clusterGroup:
limit: 20
syncOptions:
- ServerSideApply=true
extraValueFiles:
- '/overrides/values-kyverno.yaml'
overrides:
- name: admissionController.container.securityContext
value: "null"
- name: admissionController.initContainer.securityContext
value: "null"
- name: backgroundController.securityContext
value: "null"
- name: cleanupController.securityContext
value: "null"
- name: reportsController.securityContext
value: "null"
- name: crds.migration.securityContext
value: "null"
- name: webhooksCleanup.securityContext
value: "null"
- name: test.securityContext
value: "null"
- name: crds.groups.wgpolicyk8s.policyreports
value: "false"
- name: crds.groups.wgpolicyk8s.clusterpolicyreports
value: "false"
- name: reportsController.enabled
value: "false"
- name: backgroundController.resources.limits.memory
value: "512Mi"
- name: backgroundController.resources.requests.memory
30 changes: 4 additions & 26 deletions values-simple.yaml
Expand Up @@ -80,9 +80,8 @@ clusterGroup:
project: trustee
chart: trustee
chartVersion: 0.3.*
overrides:
- name: kbs.admin.format
value: "v1.1"
extraValueFiles:
- '/overrides/values-trustee.yaml'
sandbox:
name: sandbox
namespace: openshift-sandboxed-containers-operator #upstream config
Expand Down Expand Up @@ -130,29 +129,8 @@ clusterGroup:
limit: 20
syncOptions:
- ServerSideApply=true
overrides:
- name: admissionController.container.securityContext
value: "null"
- name: admissionController.initContainer.securityContext
value: "null"
- name: backgroundController.securityContext
value: "null"
- name: cleanupController.securityContext
value: "null"
- name: reportsController.securityContext
value: "null"
- name: crds.migration.securityContext
value: "null"
- name: webhooksCleanup.securityContext
value: "null"
- name: test.securityContext
value: "null"
- name: crds.groups.wgpolicyk8s.policyreports
value: "false"
- name: crds.groups.wgpolicyk8s.clusterpolicyreports
value: "false"
- name: reportsController.enabled
value: "false"
extraValueFiles:
- '/overrides/values-kyverno.yaml'

coco-kyverno-policies:
name: coco-kyverno-policies
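Review bot: values-simple.yaml previously set only `kbs.admin.format` (lines 211–213); through the shared file it now also receives `kbs.https.enabled: false` and two Vault-backed secretResources (`secret/data/hub/kbsres1`, `secret/data/hub/passphrase`) that this profile never declared. If the simple profile does not deploy the ESO/Vault backend those paths point at, the KBS will be configured with secrets that never materialise — confirm, and add a comment above line 214 naming which shared values this profile relies on, e.g. `# shared file adds admin.format, https.enabled=false and the hub secretResources`.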
7 changes: 2 additions & 5 deletions values-trusted-hub.yaml
Expand Up @@ -69,11 +69,8 @@ clusterGroup:
repoURL: https://github.com/butler54/trustee-chart.git
path: .
chartVersion: feature/trustee-1.1-compat
overrides:
- name: global.coco.secured
value: "true"
- name: kbs.admin.format
value: "v1.1"
extraValueFiles:
- '/overrides/values-trustee.yaml'
sandbox-policies:
name: sandbox-policies
namespace: openshift-sandboxed-containers-operator #upstream config
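Review bot: values-trusted-hub.yaml now inherits `kbs.https.enabled: false` and the two Vault secretResources from the shared file, neither of which this profile set before (its old overrides at lines 259–262 covered only `global.coco.secured` and `kbs.admin.format`); for the hub — presumably the KBS the other profiles attest against — a plaintext endpoint should be a deliberate, documented choice rather than an inherited default. Either keep an inline override `- name: kbs.https.enabled` / `value: "true"` here, or add a comment above line 263 recording why it is acceptable. Unchanged but visible in the hunk: line 257 pins the chart to a mutable branch (`feature/trustee-1.1-compat`) on a personal fork, so what gets deployed is not reproducible; a tag or commit SHA would fix that.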