coco: update the values-secret template

beraldoleal · beraldoleal · commit 477901006d72 · 2026-03-12T09:28:53.000-04:00
Signed-off-by: Beraldo Leal &lt;bleal@redhat.com&gt;
diff --git a/values-secret.yaml.template b/values-secret.yaml.template
@@ -203,6 +203,132 @@ secrets:
   #    value: "your-registry-token"     # Replace with your token/password
   #    onMissingValue: error
 
+  # ===========================================================================
+  # COCO (CONFIDENTIAL CONTAINERS) SECRETS
+  # Uncomment the secrets below when deploying with CoCo support.
+  # Pre-deployment steps:
+  #   1. Run ./scripts/gen-secrets-coco.sh to generate KBS keypair
+  #   2. Run ./scripts/get-pcr.sh to retrieve PCR measurements
+  # ===========================================================================
+
+  # SSH keys for podvm debug access (optional).
+  # Note: dm-verity based podvm images do not support SSH key injection by design.
+  # This only works with non-dm-verity images built with SSH debug enabled.
+  #- name: sshKey
+  #  vaultPrefixes:
+  #  - global
+  #  fields:
+  #  - name: id_rsa.pub
+  #    path: ~/.config/validated-patterns/id_rsa.pub
+  #  - name: id_rsa
+  #    path: ~/.config/validated-patterns/id_rsa
+
+  # Container Image Signature Verification Policy
+  # Controls which container images are allowed to run in confidential containers.
+  # The policy is fetched by the TEE via initdata using image_security_policy_uri.
+  #
+  # Three policy variants are provided:
+  #   - insecure: Accept all images (for development/testing only)
+  #   - reject: Reject all images (useful for testing policy enforcement)
+  #   - signed: Only accept images signed with cosign (for production)
+  #
+  # Select policy in initdata:
+  #   image_security_policy_uri = 'kbs:///default/security-policy/insecure'
+  #
+  # TODO: Rename to 'container-image-policy' in trustee-chart to better reflect
+  # that this is about container image signature verification, not general security policy.
+  #- name: securityPolicyConfig
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  # Accept all images without verification (INSECURE - dev/testing only)
+  #  - name: insecure
+  #    value: |
+  #      {
+  #        "default": [{"type": "insecureAcceptAnything"}],
+  #        "transports": {}
+  #      }
+  #  # Reject all images (useful for testing policy enforcement)
+  #  - name: reject
+  #    value: |
+  #      {
+  #        "default": [{"type": "reject"}],
+  #        "transports": {}
+  #      }
+  #  # Only accept signed images (production)
+  #  # Edit the transports section to add your signed images.
+  #  # Each image needs a corresponding cosign public key in cosign-keys secret.
+  #  - name: signed
+  #    value: |
+  #      {
+  #        "default": [{"type": "reject"}],
+  #        "transports": {
+  #          "docker": {
+  #            "registry.example.com/my-image": [
+  #              {
+  #                "type": "sigstoreSigned",
+  #                "keyPath": "kbs:///default/cosign-keys/key-0"
+  #              }
+  #            ]
+  #          }
+  #        }
+  #      }
+
+  # PCR measurements for attestation.
+  # Required: run ./scripts/get-pcr.sh before deploying.
+  #- name: pcrStash
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: json
+  #    path: ~/.config/validated-patterns/trustee/measurements.json
+
+  # Attestation status resource accessible via KBS/CDH from inside the TEE.
+  # Workloads can fetch this to confirm they are running in an attested environment.
+  #- name: attestationStatus
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: status
+  #    value: 'attested'
+  #  - name: random
+  #    value: ''
+  #    onMissingValue: generate
+  #    vaultPolicy: validatedPatternDefaultPolicy
+
+  # Cosign public keys for image signature verification
+  # Required when using the "signed" policy above.
+  # Add your cosign public key files here.
+  # Generate a cosign key pair: cosign generate-key-pair
+  #- name: cosign-keys
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: key-0
+  #    path: ~/.config/validated-patterns/trustee/cosign-key-0.pub
+
+  # KBS authentication keys (Ed25519) for Trustee admin API
+  # Generate with:
+  #   mkdir -p ~/.config/validated-patterns/trustee
+  #   openssl genpkey -algorithm ed25519 > ~/.config/validated-patterns/trustee/kbsPrivateKey
+  #   openssl pkey -in ~/.config/validated-patterns/trustee/kbsPrivateKey -pubout -out ~/.config/validated-patterns/trustee/kbsPublicKey
+  #   chmod 600 ~/.config/validated-patterns/trustee/kbsPrivateKey
+  #- name: kbsPublicKey
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: publicKey
+  #    path: ~/.config/validated-patterns/trustee/kbsPublicKey
+
+  #- name: passphrase
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: passphrase
+  #    value: ''
+  #    onMissingValue: generate
+  #    vaultPolicy: validatedPatternDefaultPolicy
+
   # ===========================================================================
   # HUB-SPECIFIC SECRETS (hub/)
   # Secrets for hub cluster management (spoke kubeconfigs, etc.)
