feat: consolidate trustee and kyverno overrides via extraValueFiles (#85)

* feat: consolidate trustee and kyverno overrides via extraValueFiles

Remove duplicated inline overrides across profiles by consolidating
common configuration into shared override files loaded via extraValueFiles.

Changes:
- Fix overrides/values-trustee.yaml: remove FIXME global.coco.secured,
  add kbs.admin.format and kbs.https.enabled
- Create overrides/values-kyverno.yaml with securityContext nulls and
  CRD/report disables for OpenShift compatibility
- Wire both override files via extraValueFiles in values-simple.yaml,
  values-baremetal.yaml, values-baremetal-gpu.yaml, values-trusted-hub.yaml
- Remove inline duplicates (admin.format, secured, https, secretResources,
  all kyverno securityContext/CRD overrides)
- Keep profile-specific inline overrides: tdx, collateralService, gpu.enabled,
  backgroundController.resources

Reduces ~25 lines of duplication per profile while maintaining
profile-specific customization.

* feat: add extraSecrets support to trustee overrides

Enable custom secret mounting in KBS via extraSecrets array.
Loaded via extraValueFiles mechanism across all profiles.

* chore: bump trustee chart to v0.4.*

Update all profiles to use trustee-chart v0.4.0 which includes:
- SNP init_data fix (32-byte unpadded hash support)
- Worker pod count configuration
- Generalized resource policy iteration

Author: butler54

overrides/values-kyverno.yaml

@@ -0,0 +1,27 @@
+# Shared Kyverno chart overrides loaded via extraValueFiles.
+# OpenShift security context compatibility: null all securityContext fields.
+# Disable wgpolicyk8s CRDs and reports controller (not needed for coco-pattern).
+# Profile-specific overrides (backgroundController.resources) stay inline in values-<profile>.yaml.
+admissionController:
+  container:
+    securityContext: null
+  initContainer:
+    securityContext: null
+backgroundController:
+  securityContext: null
+cleanupController:
+  securityContext: null
+reportsController:
+  securityContext: null
+  enabled: false
+crds:
+  migration:
+    securityContext: null
+  groups:
+    wgpolicyk8s:
+      policyreports: false
+      clusterpolicyreports: false
+webhooksCleanup:
+  securityContext: null
+test:
+  securityContext: null

overrides/values-trustee.yaml

@@ -1,14 +1,15 @@
-# Override the default values for the trustee chart
-# This lists the secret resources that are uploaded to your chosen ESO backend (today by default, Vault).
-# it does not contain the secrets themselves
+# Shared trustee chart overrides loaded via extraValueFiles.
+# Common to all profiles: admin format, HTTPS config, secret resources.
+# Profile-specific overrides (tdx, collateralService, gpu, baremetal) stay inline in values-<profile>.yaml.
 kbs:
+  admin:
+    format: "v1.1"
+  https:
+    enabled: false
   secretResources:
-    - name: "kbsres1" # name is the name of the k8s secret that will be presented to trustee and accessible via the CDH
-      key: "secret/data/hub/kbsres1" # this is the path to the secret in vault. 
+    - name: "kbsres1"
+      key: "secret/data/hub/kbsres1"
     - name: "passphrase"
       key: "secret/data/hub/passphrase"
-# Override the default values for the coco pattern this is because when testing against a branch strange stuff happens
-# FIXME: Don't commit this to main
-global:
-  coco:
-    secured: true # true or false. If true, the cluster will be secured. If false, the cluster will be insecure.
+  extraSecrets:
+    - mySecret

values-baremetal-gpu.yaml

@@ -117,26 +117,14 @@ clusterGroup:
       namespace: trustee-operator-system
       project: trustee
       chart: trustee
-      chartVersion: 0.3.*
+      chartVersion: 0.4.*
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
       overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
-        - name: kbs.https.enabled
-          value: "false"
-        - name: kbs.secretResources[0].name
-          value: kbsres1
-        - name: kbs.secretResources[0].key
-          value: secret/data/hub/kbsres1
         - name: kbs.tdx.enabled
           value: "true"
         - name: kbs.tdx.collateralService
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-        - name: kbs.secretResources[1].name
-          value: passphrase
-        - name: kbs.secretResources[1].key
-          value: secret/data/hub/passphrase
         - name: kbs.gpu.enabled
           value: "true"
 
@@ -235,29 +223,9 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
       overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
         - name: backgroundController.resources.limits.memory
           value: "512Mi"
         - name: backgroundController.resources.requests.memory

values-baremetal.yaml

@@ -107,26 +107,14 @@ clusterGroup:
       namespace: trustee-operator-system
       project: trustee
       chart: trustee
-      chartVersion: 0.3.*
+      chartVersion: 0.4.*
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
       overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
-        - name: kbs.https.enabled
-          value: "false"
-        - name: kbs.secretResources[0].name
-          value: kbsres1
-        - name: kbs.secretResources[0].key
-          value: secret/data/hub/kbsres1
         - name: kbs.tdx.enabled
           value: "true"
         - name: kbs.tdx.collateralService
           value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
-        - name: kbs.secretResources[1].name
-          value: passphrase
-        - name: kbs.secretResources[1].key
-          value: secret/data/hub/passphrase
 
     storage:
       name: storage
@@ -208,29 +196,9 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
       overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
         - name: backgroundController.resources.limits.memory
           value: "512Mi"
         - name: backgroundController.resources.requests.memory

values-simple.yaml

@@ -79,10 +79,9 @@ clusterGroup:
       namespace: trustee-operator-system #upstream config
       project: trustee
       chart: trustee
-      chartVersion: 0.3.*
-      overrides:
-        - name: kbs.admin.format
-          value: "v1.1"
+      chartVersion: 0.4.*
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
     sandbox:
       name: sandbox
       namespace: openshift-sandboxed-containers-operator #upstream config
@@ -130,29 +129,8 @@ clusterGroup:
           limit: 20
         syncOptions:
           - ServerSideApply=true
-      overrides:
-        - name: admissionController.container.securityContext
-          value: "null"
-        - name: admissionController.initContainer.securityContext
-          value: "null"
-        - name: backgroundController.securityContext
-          value: "null"
-        - name: cleanupController.securityContext
-          value: "null"
-        - name: reportsController.securityContext
-          value: "null"
-        - name: crds.migration.securityContext
-          value: "null"
-        - name: webhooksCleanup.securityContext
-          value: "null"
-        - name: test.securityContext
-          value: "null"
-        - name: crds.groups.wgpolicyk8s.policyreports
-          value: "false"
-        - name: crds.groups.wgpolicyk8s.clusterpolicyreports
-          value: "false"
-        - name: reportsController.enabled
-          value: "false"
+      extraValueFiles:
+        - '/overrides/values-kyverno.yaml'
 
     coco-kyverno-policies:
       name: coco-kyverno-policies

values-trusted-hub.yaml

@@ -69,11 +69,8 @@ clusterGroup:
       repoURL: https://github.com/butler54/trustee-chart.git
       path: .
       chartVersion: feature/trustee-1.1-compat
-      overrides:
-        - name: global.coco.secured
-          value: "true"
-        - name: kbs.admin.format
-          value: "v1.1"
+      extraValueFiles:
+        - '/overrides/values-trustee.yaml'
     sandbox-policies:
       name: sandbox-policies
       namespace: openshift-sandboxed-containers-operator #upstream config