feat: initial drop (#5)

* feat: initial drop

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* fix: include default vars in values.yaml

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* fix: missing prettier file

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* chore: add auotdocs

Signed-off-by: Chris Butler <chris.butler@redhat.com>

---------

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

.github/workflows/conventional-pr.yml

@@ -0,0 +1,26 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+    branches:
+      - 'main'
+      - 'develop'
+jobs:
+  lint:
+    if: ${{ github.head_ref != 'develop' }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: npm install @commitlint/cli @commitlint/config-conventional
+
+    - name: Validate PR title
+      run: |
+        PR_TITLE=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH")
+        echo "$PR_TITLE" | npx commitlint --config commitlint.config.js

.prettierrc

@@ -0,0 +1,4 @@
+{
+  "singleQuote": true,
+  "semi": false
+}

Chart.yaml

@@ -1,6 +1,9 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
 keywords:
 - pattern
-name: vp-template
+- trustee
+- confidential-computing
+- confidential-containers
+name: trustee
 version: 0.0.1

README.md

@@ -1,12 +1,23 @@
-# vp-template
+# trustee
 
 ![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
 
 This chart is used to serve as the template for Validated Patterns Charts
 
 ### Notable changes
 
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.secretStore.backend | string | `""` |  |
+| kbs.publicKey | string | `"secret/data/hub/kbsPublicKey"` |  |
+| kbs.secretResources | list | `[]` |  |
+| kbs.securityPolicy | string | `"secret/data/hub/securityPolicyConfig"` |  |
+| secretStore.kind | string | `""` |  |
+| secretStore.name | string | `""` |  |
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

commitlint.config.js

@@ -0,0 +1 @@
+module.exports = { extends: ['@commitlint/config-conventional'] }

templates/.keep

@@ -0,0 +1,25 @@
+{{- if ne .Values.global.secretStore.backend "none" }}
+{{- range .Values.kbs.secretResources }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata: 
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: {{ .name }}-eso
+  namespace: trustee-operator-system
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ $.Values.secretStore.name }}
+    kind: {{ $.Values.secretStore.kind }}
+  target:
+    name: {{ .name }}
+    template:
+      type: Opaque
+  dataFrom:
+  - extract:
+      key: {{ .key }}
+{{- end }}
+{{- end }}
+

templates/dynamic-eso.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kbs-config
+  namespace: trustee-operator-system
+data:
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = false
+    private_key = "/etc/https-key/tls.key"
+    certificate = "/etc/https-cert/tls.crt"
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/publicKey"
+
+    [attestation_token]
+    insecure_key = true
+    attestation_token_type = "CoCo"
+
+    [attestation_service]
+    type = "coco_as_builtin"
+    work_dir = "/opt/confidential-containers/attestation-service"
+    policy_engine = "opa"
+
+      [attestation_service.attestation_token_broker]
+      type = "Ear"
+      policy_dir = "/opt/confidential-containers/attestation-service/policies"
+
+      [attestation_service.attestation_token_config]
+      duration_min = 5
+
+      [attestation_service.rvps_config]
+      type = "BuiltIn"
+
+        [attestation_service.rvps_config.storage]
+        type = "LocalJson"
+        file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"

templates/kbs-config-map.yaml

@@ -0,0 +1,23 @@
+{{- if ne .Values.global.secretStore.backend "none" }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: kbs-auth-public-key-eso
+  namespace: trustee-operator-system
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.secretStore.name }}
+    kind: {{ .Values.secretStore.kind }}
+  data:
+  target:
+    name: kbs-auth-public-key
+    template:
+      type: Opaque
+  dataFrom:
+  - extract:
+      key: {{ .Values.kbs.publicKey }}
+{{- end }}

templates/kbs-operator-keys.yaml

@@ -0,0 +1,16 @@
+# Single cluster deploy don't use the route yet.
+--- 
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: kbs
+  namespace: trustee-operator-system
+spec:
+  port:
+    targetPort: 8080
+  to:
+    kind: Service
+    name: kbs-service
+    weight: 100
+  tls:
+    termination: passthrough