feat: update values files to use released charts

Update global, simple, spoke, and trusted-hub values files to
align with released chart versions and configuration.

Co-authored-by: Beraldo Leal <bleal@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

values-global.yaml

@@ -11,6 +11,12 @@ global:
   # This defines whether or not to use upstream resources for CoCo.
   # Defines whether or not the hub cluster can be used for confidential containers
   coco:
+    securityPolicyFlavour: "insecure" # insecure, signed or reject is expected.
+    secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.
+    # Enable SSH key injection into podvm for debugging. Do not enable in production.
+    # Also requires: COCO_ENABLE_SSH_DEBUG=true ./scripts/gen-secrets.sh
+    # and uncommenting the sshKey block in values-secret.yaml.template.
+    enableSSHDebug: false
     azure:
       defaultVMFlavour: "Standard_DC2as_v5"
       VMFlavours: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"
@@ -24,6 +30,7 @@ main:
     clusterGroupChartVersion: 0.9.*
 
 # Common secret store configuration used across multiple charts
+# Warning do not rely on this. it does not consistently apply.
 secretStore:
   name: vault-backend
   kind: ClusterSecretStore

values-simple.yaml

@@ -3,6 +3,8 @@
 clusterGroup:
   name: simple
   isHubCluster: true
+  # Override health check for Subscriptions to treat UpgradePending as healthy
+  # Only applies to pinned CSV subscriptions (sandbox and trustee)
   namespaces:
   - open-cluster-management
   - vault
@@ -12,7 +14,6 @@ clusterGroup:
   - hello-openshift
   - cert-manager-operator
   - cert-manager
-  - letsencrypt
   - kbs-access
   - encrypted-storage
   subscriptions:
@@ -26,14 +27,14 @@ clusterGroup:
       source: redhat-operators
       channel: stable
       installPlanApproval: Manual 
-      csv: sandboxed-containers-operator.v1.10.1
+      csv: sandboxed-containers-operator.v1.11.0
     trustee:
       name: trustee-operator
       namespace: trustee-operator-system
       source: redhat-operators
       channel: stable
       installPlanApproval: Manual
-      csv: trustee-operator.v0.4.1
+      csv: trustee-operator.v1.0.0
     cert-manager:
       name: openshift-cert-manager-operator
       namespace: cert-manager-operator
@@ -72,39 +73,28 @@ clusterGroup:
       project: golang-external-secrets
       chart: golang-external-secrets
       chartVersion: 0.1.*
-
     trustee:
       name: trustee
       namespace: trustee-operator-system #upstream config
       project: trustee
       chart: trustee
-      chartVersion: 0.1.*
-      # Use the override file to specify the list of secrets accessible to trustee from the ESO backend (today by default, Vault).
-      extraValueFiles:
-        - '$patternref/overrides/values-trustee.yaml'
+      chartVersion: 0.2.*     
     sandbox:
       name: sandbox
       namespace: openshift-sandboxed-containers-operator #upstream config
       project: sandbox
       chart: sandboxed-containers
-      chartVersion: 0.0.*
+      chartVersion: 0.2.*
     sandbox-policies:
       name: sandbox-policies
       namespace: openshift-sandboxed-containers-operator #upstream config
       chart: sandboxed-policies
-      chartVersion: 0.0.*
-
-    # Letsencrypt is not required anymore for trustee.
-    # It's only here if you need it for your needs.
-    letsencrypt:
-      name: letsencrypt
-      namespace: letsencrypt
-      project: hub
-      path: charts/all/letsencrypt
-      # Default to 'safe' for ARO
+      chartVersion: 0.1.*
       overrides:
-      - name: letsencrypt.enabled
-        value: false
+        - name: global.coco.azure.tags
+          value: "key1=value1,key2=value2"
+        - name: global.coco.azure.rootVolumeSize
+          value: "20"
     hello-openshift:
       name: hello-openshift
       namespace: hello-openshift
@@ -117,14 +107,14 @@ clusterGroup:
       project: workloads
       path: charts/coco-supported/kbs-access
 
-
   imperative:
     # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
     # The default schedule is every 10 minutes: imperative.schedule
     # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
     # imagePullPolicy is set to always: imperative.imagePullPolicy
     # For additional overrides that apply to the jobs, please refer to
     # https://validatedpatterns.io/imperative-actions/#additional-job-customizations
+    image: ghcr.io/butler54/imperative-container:latest
     jobs:
     - name: install-deps
       playbook: ansible/install-deps.yaml

values-spoke.yaml

@@ -17,7 +17,7 @@ clusterGroup:
       source: redhat-operators
       channel: stable
       installPlanApproval: Manual 
-      csv: sandboxed-containers-operator.v1.10.1
+      csv: sandboxed-containers-operator.v1.11.0
     cert-manager:
       name: openshift-cert-manager-operator
       namespace: cert-manager-operator
@@ -49,7 +49,14 @@ clusterGroup:
       namespace: openshift-sandboxed-containers-operator #upstream config
       project: sandbox
       chart: sandboxed-containers
-      chartVersion: 0.0.*
+      chartVersion: 0.2.*
+      overrides:
+        - name: global.secretStore.backend
+          value: vault
+        - name: secretStore.name
+          value: vault-backend
+        - name: secretStore.kind
+          value: ClusterSecretStore
 
     hello-openshift:
       name: hello-openshift
@@ -64,12 +71,7 @@ clusterGroup:
       path: charts/coco-supported/kbs-access
 
   imperative:
-    # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
-    # The default schedule is every 10 minutes: imperative.schedule
-    # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
-    # imagePullPolicy is set to always: imperative.imagePullPolicy
-    # For additional overrides that apply to the jobs, please refer to
-    # https://validatedpatterns.io/imperative-actions/#additional-job-customizations
+    image: ghcr.io/butler54/imperative-container:latest
     jobs:
     - name: install-deps
       playbook: ansible/install-deps.yaml

values-trusted-hub.yaml

@@ -22,7 +22,7 @@ clusterGroup:
       source: redhat-operators
       channel: stable
       installPlanApproval: Manual
-      csv: trustee-operator.v0.4.1
+      csv: trustee-operator.v1.0.0
     cert-manager:
       name: openshift-cert-manager-operator
       namespace: cert-manager-operator
@@ -67,30 +67,34 @@ clusterGroup:
       namespace: trustee-operator-system #upstream config
       project: trustee
       chart: trustee
-      chartVersion: 0.1.*
-      # Use the override file to specify the list of secrets accessible to trustee from the ESO backend (today by default, Vault).
-      extraValueFiles:
-        - '$patternref/overrides/values-trustee.yaml'
+      chartVersion: 0.2.*
+      overrides:
+        - name: global.coco.secured
+          value: "true"
     sandbox-policies:
       name: sandbox-policies
       namespace: openshift-sandboxed-containers-operator #upstream config
       chart: sandboxed-policies
-      chartVersion: 0.0.*
+      chartVersion: 0.1.*
+      overrides:
+        - name: global.coco.azure.tags
+          value: "key1=value1,key2=value2"
+        - name: global.coco.azure.rootVolumeSize
+          value: "20"
 
 
 
   imperative:
-    # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
-    # The default schedule is every 10 minutes: imperative.schedule
-    # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
-    # imagePullPolicy is set to always: imperative.imagePullPolicy
-    # For additional overrides that apply to the jobs, please refer to
-    # https://validatedpatterns.io/imperative-actions/#additional-job-customizations
+    image: ghcr.io/butler54/imperative-container:latest
     jobs:
     - name: install-deps
       playbook: ansible/install-deps.yaml
       verbosity: -vvv
       timeout: 3600
+    - name: configure-azure-dns
+      playbook: ansible/configure-issuer.yaml
+      verbosity: -vvv
+      timeout: 3600
     - name: init-data-gzipper
       playbook: ansible/init-data-gzipper.yaml
       verbosity: -vvv