feat: enable firmware reference values in bare metal profiles (#90)

butler54 · claude · web-flow · commit 5fb705ec0b30 · 2026-05-29T08:52:57.000+09:00
* feat: enable firmware reference values in bare metal profiles Wire firmware reference value enforcement into bare metal profiles by enabling kbs.baremetal.enabled and updating to trustee-chart v0.5.*. **Changes:** - values-baremetal.yaml: - Add kbs.baremetal.enabled: "true" override - Update trustee chartVersion: 0.4.* → 0.5.* - values-baremetal-gpu.yaml: - Add kbs.baremetal.enabled: "true" override - Update trustee chartVersion: 0.4.* → 0.5.* **Effect:** When deploying bare metal profiles, trustee-chart will now: 1. Create firmware-refvals-eso ExternalSecret (PR 2B) 2. Sync firmware reference values from Vault to cluster 3. Add firmware values to RVPS ConfigMap (PR 2B) 4. Enforce firmware measurements in attestation policy (PR 2C) **Prerequisites:** - Firmware values must be collected via veritas (PR 2A workflow) - Values must be pushed to Vault: `make push-firmware-refvals REFVALS_FILE=./refvals.json` - trustee-chart v0.5.0 must be released (includes PRs 2B, 2C) **Backwards compatibility:** If firmware values not pushed to Vault, attestation policy falls back to init_data-only verification (no breaking change). Part of Wave 2 (firmware hardening). Final PR to wire all pieces together. * feat: update bare metal profiles to trustee-chart v0.6.* Update chartVersion from 0.5.* to 0.6.* to align with trustee-chart PR #30 which introduces BREAKING CHANGE: firmware reference values consumed as single JSON blob instead of multi-key secret. Both profiles already have kbs.baremetal.enabled: "true" set, enabling firmware reference value enforcement when values are present in Vault. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/values-baremetal-gpu.yaml b/values-baremetal-gpu.yaml
@@ -117,7 +117,7 @@ clusterGroup:
       namespace: trustee-operator-system
       project: trustee
       chart: trustee
-      chartVersion: 0.4.*
+      chartVersion: 0.6.*
       extraValueFiles:
         - '/overrides/values-trustee.yaml'
       overrides:
@@ -127,6 +127,8 @@ clusterGroup:
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
         - name: kbs.gpu.enabled
           value: "true"
+        - name: kbs.baremetal.enabled
+          value: "true"
 
     storage:
       name: storage
diff --git a/values-baremetal.yaml b/values-baremetal.yaml
@@ -107,14 +107,16 @@ clusterGroup:
       namespace: trustee-operator-system
       project: trustee
       chart: trustee
-      chartVersion: 0.4.*
+      chartVersion: 0.6.*
       extraValueFiles:
         - '/overrides/values-trustee.yaml'
       overrides:
         - name: kbs.tdx.enabled
           value: "true"
         - name: kbs.tdx.collateralService
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
+        - name: kbs.baremetal.enabled
+          value: "true"
 
     storage:
       name: storage
