
Commit 975b1cc

Merge branch 'main' into chore/update-pattern-infrastructure
2 parents b18ba56 + 4419a55 commit 975b1cc

6 files changed

Lines changed: 79 additions & 116 deletions


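--- a/overrides/values-kyverno.yaml
+++ b/overrides/values-kyverno.yaml
@@ -0,0 +1,27 @@
+# Shared Kyverno chart overrides loaded via extraValueFiles.
+# OpenShift security context compatibility: null all securityContext fields.
+# Disable wgpolicyk8s CRDs and reports controller (not needed for coco-pattern).
+# Profile-specific overrides (backgroundController.resources) stay inline in values-<profile>.yaml.
+admissionController:
+container:
+securityContext: null
+initContainer:
+securityContext: null
+backgroundController:
+securityContext: null
+cleanupController:
+securityContext: null
+reportsController:
+securityContext: null
+enabled: false
+crds:
+migration:
+securityContext: null
+groups:
+wgpolicyk8s:
+policyreports: false
+clusterpolicyreports: false
+webhooksCleanup:
+securityContext: null
+test:
+securityContext: null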
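Review bot: Setting every `securityContext: null` (admissionController through test) discards whatever hardening defaults the Kyverno chart ships for those pods and leaves the effective settings entirely to the OpenShift SCC that admits them, and the header comment does not say which SCC that is. Since Kyverno is the admission-policy enforcer in this pattern, I would record the expectation next to the override, e.g. `# Pods are expected to be admitted under restricted-v2 (confirm); verify runAsNonRoot, dropped capabilities and seccomp on the rendered Deployments.` If only specific fields conflict with the SCC, nulling just those would keep the rest of the chart's defaults. Separately, with `reportsController.enabled: false` and both wgpolicyk8s CRDs off, audit-mode policy results are presumably not recorded as PolicyReports, so the header should say where violations are expected to surface instead.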

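--- a/overrides/values-trustee.yaml
+++ b/overrides/values-trustee.yaml
@@ -1,14 +1,15 @@
-# Override the default values for the trustee chart
-# This lists the secret resources that are uploaded to your chosen ESO backend (today by default, Vault).
-# it does not contain the secrets themselves
+# Shared trustee chart overrides loaded via extraValueFiles.
+# Common to all profiles: admin format, HTTPS config, secret resources.
+# Profile-specific overrides (tdx, collateralService, gpu, baremetal) stay inline in values-<profile>.yaml.
 kbs:
+admin:
+format: "v1.1"
+https:
+enabled: false
 secretResources:
-- name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH
-key: "secret/data/hub/kbsres1" # this is the path to the secret in vault.
+- name: "kbsres1"
+key: "secret/data/hub/kbsres1"
 - name: "passphrase"
 key: "secret/data/hub/passphrase"
-# Override the default values for the coco pattern this is because when testing against a branch strange stuff happens
-# FIXME: Don't commit this to main
-global:
-coco:
-secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.
+extraSecrets:
+- mySecret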
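Review bot: After this change nothing visible on the page sets `global.coco.secured`: the `secured: true` block is deleted here and the matching `global.coco.secured` override is also removed from values-baremetal-gpu.yaml, values-baremetal.yaml and values-trusted-hub.yaml, so those profiles fall back to whatever the chart defaults to. If the key still exists in the 0.4 chart, keep it in this shared file (`global:` / `coco:` / `secured: true`); if it was retired, say so in the header comment so the removal reads as deliberate. The new `extraSecrets: - mySecret` looks like a placeholder name and should either reference a real secret or carry a comment explaining it. The removed inline comments on `name` and `key` (Kubernetes secret name versus Vault path) were useful and could be kept as a two-line comment above `secretResources:`.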

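--- a/values-baremetal-gpu.yaml
+++ b/values-baremetal-gpu.yaml
@@ -117,26 +117,14 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.3.*
+chartVersion: 0.4.*
+extraValueFiles:
+- '/overrides/values-trustee.yaml'
 overrides:
-- name: global.coco.secured
-value: "true"
-- name: kbs.admin.format
-value: "v1.1"
-- name: kbs.https.enabled
-value: "false"
-- name: kbs.secretResources[0].name
-value: kbsres1
-- name: kbs.secretResources[0].key
-value: secret/data/hub/kbsres1
 - name: kbs.tdx.enabled
 value: "true"
 - name: kbs.tdx.collateralService
 value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-- name: kbs.secretResources[1].name
-value: passphrase
-- name: kbs.secretResources[1].key
-value: secret/data/hub/passphrase
 - name: kbs.gpu.enabled
 value: "true"
 
@@ -235,29 +223,17 @@ clusterGroup:
 limit: 20
 syncOptions:
 - ServerSideApply=true
+- RespectIgnoreDifferences=true
+ignoreDifferences:
+- group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+name: policies.kyverno.io
+jsonPointers:
+- /metadata/labels
+- /metadata/annotations
+extraValueFiles:
+- '/overrides/values-kyverno.yaml'
 overrides:
-- name: admissionController.container.securityContext
-value: "null"
-- name: admissionController.initContainer.securityContext
-value: "null"
-- name: backgroundController.securityContext
-value: "null"
-- name: cleanupController.securityContext
-value: "null"
-- name: reportsController.securityContext
-value: "null"
-- name: crds.migration.securityContext
-value: "null"
-- name: webhooksCleanup.securityContext
-value: "null"
-- name: test.securityContext
-value: "null"
-- name: crds.groups.wgpolicyk8s.policyreports
-value: "false"
-- name: crds.groups.wgpolicyk8s.clusterpolicyreports
-value: "false"
-- name: reportsController.enabled
-value: "false"
 - name: backgroundController.resources.limits.memory
 value: "512Mi"
 - name: backgroundController.resources.requests.memory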
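Review bot: `chartVersion: 0.4.*` in the trustee application keeps a floating range across the minor bump, so any later 0.4.x publish is presumably deployed on the next sync without a change in this repository; the same line is added in values-baremetal.yaml and values-simple.yaml. For the chart that deploys the key broker, an exact pin such as `chartVersion: <exact 0.4.x release>`, updated by pull request, gives a reviewable record of what was running. The `ignoreDifferences` entry in the second hunk is narrowly scoped to the labels and annotations of `policies.kyverno.io`; a one-line comment naming what mutates that CRD's metadata would help the next reader judge whether the exemption is still needed.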

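--- a/values-baremetal.yaml
+++ b/values-baremetal.yaml
@@ -107,26 +107,14 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.3.*
+chartVersion: 0.4.*
+extraValueFiles:
+- '/overrides/values-trustee.yaml'
 overrides:
-- name: global.coco.secured
-value: "true"
-- name: kbs.admin.format
-value: "v1.1"
-- name: kbs.https.enabled
-value: "false"
-- name: kbs.secretResources[0].name
-value: kbsres1
-- name: kbs.secretResources[0].key
-value: secret/data/hub/kbsres1
 - name: kbs.tdx.enabled
 value: "true"
 - name: kbs.tdx.collateralService
 value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-- name: kbs.secretResources[1].name
-value: passphrase
-- name: kbs.secretResources[1].key
-value: secret/data/hub/passphrase
 
 storage:
 name: storage
@@ -208,29 +196,17 @@ clusterGroup:
 limit: 20
 syncOptions:
 - ServerSideApply=true
+- RespectIgnoreDifferences=true
+ignoreDifferences:
+- group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+name: policies.kyverno.io
+jsonPointers:
+- /metadata/labels
+- /metadata/annotations
+extraValueFiles:
+- '/overrides/values-kyverno.yaml'
 overrides:
-- name: admissionController.container.securityContext
-value: "null"
-- name: admissionController.initContainer.securityContext
-value: "null"
-- name: backgroundController.securityContext
-value: "null"
-- name: cleanupController.securityContext
-value: "null"
-- name: reportsController.securityContext
-value: "null"
-- name: crds.migration.securityContext
-value: "null"
-- name: webhooksCleanup.securityContext
-value: "null"
-- name: test.securityContext
-value: "null"
-- name: crds.groups.wgpolicyk8s.policyreports
-value: "false"
-- name: crds.groups.wgpolicyk8s.clusterpolicyreports
-value: "false"
-- name: reportsController.enabled
-value: "false"
 - name: backgroundController.resources.limits.memory
 value: "512Mi"
 - name: backgroundController.resources.requests.memory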

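--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -79,10 +79,9 @@ clusterGroup:
 namespace: trustee-operator-system #upstream config
 project: trustee
 chart: trustee
-chartVersion: 0.3.*
-overrides:
-- name: kbs.admin.format
-value: "v1.1"
+chartVersion: 0.4.*
+extraValueFiles:
+- '/overrides/values-trustee.yaml'
 sandbox:
 name: sandbox
 namespace: openshift-sandboxed-containers-operator #upstream config
@@ -130,29 +129,16 @@ clusterGroup:
 limit: 20
 syncOptions:
 - ServerSideApply=true
-overrides:
-- name: admissionController.container.securityContext
-value: "null"
-- name: admissionController.initContainer.securityContext
-value: "null"
-- name: backgroundController.securityContext
-value: "null"
-- name: cleanupController.securityContext
-value: "null"
-- name: reportsController.securityContext
-value: "null"
-- name: crds.migration.securityContext
-value: "null"
-- name: webhooksCleanup.securityContext
-value: "null"
-- name: test.securityContext
-value: "null"
-- name: crds.groups.wgpolicyk8s.policyreports
-value: "false"
-- name: crds.groups.wgpolicyk8s.clusterpolicyreports
-value: "false"
-- name: reportsController.enabled
-value: "false"
+- RespectIgnoreDifferences=true
+ignoreDifferences:
+- group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+name: policies.kyverno.io
+jsonPointers:
+- /metadata/labels
+- /metadata/annotations
+extraValueFiles:
+- '/overrides/values-kyverno.yaml'
 
 coco-kyverno-policies:
 name: coco-kyverno-policies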
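Review bot: Loading `/overrides/values-trustee.yaml` in the trustee application changes more than the one value it replaces: this profile previously set only `kbs.admin.format`, and it now also inherits `kbs.https.enabled: false`, both `secretResources` entries and `extraSecrets` from the shared file, unless the chart already defaulted to the same values. values-trusted-hub.yaml picks up the same additions. If a plain-HTTP KBS listener is intended for every profile, a comment on the `https:` block in the shared file stating where TLS is terminated would make that explicit; otherwise `kbs.https.enabled` belongs in the per-profile `overrides:` of the profiles that need it.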

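--- a/values-trusted-hub.yaml
+++ b/values-trusted-hub.yaml
@@ -69,11 +69,8 @@ clusterGroup:
 repoURL: https://github.com/butler54/trustee-chart.git
 path: .
 chartVersion: feature/trustee-1.1-compat
-overrides:
-- name: global.coco.secured
-value: "true"
-- name: kbs.admin.format
-value: "v1.1"
+extraValueFiles:
+- '/overrides/values-trustee.yaml'
 sandbox-policies:
 name: sandbox-policies
 namespace: openshift-sandboxed-containers-operator #upstream config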
