
Commit 0adb849

feat: initial drop (#4)
* feat: initial drop
  Signed-off-by: Chris Butler <chris.butler@redhat.com>
* feat: initial drop
  Signed-off-by: Chris Butler <chris.butler@redhat.com>
---------
Signed-off-by: Chris Butler <chris.butler@redhat.com>
1 parent 87e6394 commit 0adb849

8 files changed

Lines changed: 96 additions & 6 deletions


Chart.yaml

Lines changed: 5 additions & 2 deletions
@@ -1,6 +1,9 @@
11
apiVersion: v2
2-
description: A Helm chart to serve as the Validated Patterns Template
2+
description: A Helm chart to provide an opinionated deployment of Sandboxed Containers in a validated pattern
33
keywords:
44
- pattern
5-
name: vp-template
5+
- sandboxed-containers
6+
- confidential-computing
7+
- confidential-containers
8+
name: sandboxed-containers
69
version: 0.0.1
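Review bot: `version: 0.0.1` on the last context line is unchanged even though the chart's `name`, `description` and `keywords` all change in this hunk; Helm's convention is to bump `version` whenever chart contents change, so consider bumping it so consumers can tell this drop apart from the `vp-template` chart it replaces.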

README.md

Lines changed: 21 additions & 3 deletions
@@ -1,12 +1,30 @@
1-
# vp-template
1+
# sandboxed-containers
22

33
![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
44

5-
A Helm chart to serve as the Validated Patterns Template
5+
A Helm chart to provide an opinionated deployment of Sandboxed Containers in a validated pattern
66

7-
This chart is used to serve as the template for Validated Patterns Charts
7+
This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
8+
9+
It is part of three charts that are intended to be used together:
10+
1. [trustee](https://github.com/validatedpatterns/trustee-chart) indended to deploy the Key Broker Service (KBS) and related infrastructure.
11+
1. This should be deployed on an ACM hub cluster
12+
2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) this chart, indended to be deployed on an ACM spoke cluster where there is access to confidential hardware
13+
3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart) this chart, indended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
14+
15+
Along side this is a small number of imperative jobs which can be seen in the coco pattern.
816

917
### Notable changes
1018

19+
## Values
20+
21+
| Key | Type | Default | Description |
22+
|-----|------|---------|-------------|
23+
| global.clusterPlatform | string | `""` | |
24+
| global.secretStore.backend | string | `""` | |
25+
| sandbox.sshKey | string | `"secret/data/global/sshKey"` | |
26+
| secretStore.kind | string | `""` | |
27+
| secretStore.name | string | `""` | |
28+
1129
----------------------------------------------
1230
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
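Review bot: every row of the new Values table (file lines 21-27) has an empty Description column. helm-docs fills that column from `# --` comments on the keys in values.yaml, so add those there and regenerate. The prose problems in this hunk (the `indended` typo on items 1-3, `polices` on item 3, `Along side`, and the `1.`/`1.`/`2.`/`3.` numbering) should be fixed in README.md.gotmpl rather than here, since the footer shows this file is autogenerated from it.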

README.md.gotmpl

Lines changed: 10 additions & 1 deletion
@@ -5,7 +5,16 @@
55

66
{{ template "chart.description" . }}
77

8-
This chart is used to serve as the template for Validated Patterns Charts
8+
This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
9+
10+
It is part of three charts that are intended to be used together:
11+
1. [trustee](https://github.com/validatedpatterns/trustee-chart) indended to deploy the Key Broker Service (KBS) and related infrastructure.
12+
1. This should be deployed on an ACM hub cluster
13+
2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) this chart, indended to be deployed on an ACM spoke cluster where there is access to confidential hardware
14+
3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart) this chart, indended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
15+
16+
Along side this is a small number of imperative jobs which can be seen in the coco pattern.
17+
918

1019
### Notable changes
1120

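Review bot: the numbered list is malformed and item 3 mislabels itself: after `1. [trustee] ...` the next line `1. This should be deployed on an ACM hub cluster` restarts the numbering instead of being an indented sub-point of the trustee item, and item 3 describes sandboxed-policies as `this chart` (copied from item 2) although this chart is sandboxed-containers. Suggested: indent the hub-cluster line under item 1, drop `this chart,` from item 3, and fix `indended` (three times), `polices` and `Along side` while here; regenerating with helm-docs will carry the corrections into README.md.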
templates/.keep

Whitespace-only changes.

templates/feature-gate.yaml

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
apiVersion: v1
2+
kind: ConfigMap
3+
metadata:
4+
annotations:
5+
argocd.argoproj.io/sync-wave: "1"
6+
name: osc-feature-gates
7+
namespace: openshift-sandboxed-containers-operator
8+
data:
9+
confidential: "true"
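Review bot: the ConfigMap hard-codes `confidential: "true"` and the `openshift-sandboxed-containers-operator` namespace, but nothing in this commit creates that namespace or exposes the feature gate through values.yaml. If the namespace is expected to come from the operator install elsewhere in the pattern, say so in a template comment; and consider driving the gate from a value (for example a `.Values.sandbox.confidential` key, which does not exist yet) so a non-confidential deployment can reuse the chart without editing templates.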

templates/kata-config.yaml

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
apiVersion: kataconfiguration.openshift.io/v1
2+
kind: KataConfig
3+
metadata:
4+
annotations:
5+
argocd.argoproj.io/sync-wave: "100"
6+
name: default-kata-config
7+
spec:
8+
enablePeerPods: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}true{{ else }}false{{ end }}
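Review bot: the `enablePeerPods` expression silently renders `false` when `.Values.global.clusterPlatform` is left at its values.yaml default of `""`, so a spoke whose values-global override is missing gets a KataConfig without peer pods instead of an error. Consider guarding with `{{ required "global.clusterPlatform must be set" .Values.global.clusterPlatform }}` before the comparison, and the shorter `{{ has .Values.global.clusterPlatform (list "Azure" "AWS") }}` for the boolean itself.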

templates/ssh-key-eso.yaml

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
{{- if and (ne .Values.global.secretStore.backend "none") (eq .Values.global.clusterPlatform "Azure") }}
2+
---
3+
apiVersion: "external-secrets.io/v1beta1"
4+
kind: ExternalSecret
5+
metadata:
6+
annotations:
7+
argocd.argoproj.io/sync-wave: "1"
8+
name: ssh-key-secret-eso
9+
namespace: openshift-sandboxed-containers-operator
10+
spec:
11+
refreshInterval: 15s
12+
secretStoreRef:
13+
name: {{ .Values.secretStore.name }}
14+
kind: {{ .Values.secretStore.kind }}
15+
target:
16+
name: ssh-key-secret
17+
template:
18+
type: Opaque
19+
dataFrom:
20+
- extract:
21+
key: {{ .Values.sandbox.sshKey }}
22+
{{- end }}
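Review bot: the guard on line 1 checks `ne .Values.global.secretStore.backend "none"`, which is also true for the default `""`, so with the defaults in values.yaml the ExternalSecret is still rendered on Azure with empty `secretStoreRef.name` and `kind` (lines 13-14) and will fail to apply. Tighten the condition to also require a non-empty backend, or use `required` on `secretStore.name` and `secretStore.kind`, and quote the templated scalars (`name: {{ .Values.secretStore.name | quote }}`) so they are always read as strings. Note too that the key is only rendered for Azure while kata-config.yaml enables peer pods for AWS as well; if that asymmetry is intentional, a template comment would help the next reader.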

values.yaml

Lines changed: 21 additions & 0 deletions
@@ -1 +1,22 @@
11
---
2+
# Chart-specific values
3+
# Common values are inherited from values-global.yaml
4+
5+
# Global values used by this chart (overridden by values-global.yaml)
6+
global:
7+
clusterPlatform: "" # Cluster platform: "Azure" or "AWS"
8+
secretStore:
9+
# Secret store backend, typically overridden by values-global.yaml
10+
backend: ""
11+
12+
# Secret store configuration (overridden by values-global.yaml)
13+
secretStore:
14+
name: ""
15+
kind: ""
16+
17+
# Sandbox-specific configuration
18+
sandbox:
19+
sshKey: secret/data/global/sshKey
20+
# These variables today limit to one cluster
21+
# revise using imperative framework to infer from cluster vars
22+
# Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml
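Review bot: the three comment lines at the end (file lines 20-22) follow `sshKey` with no key after them, so it is unclear which `These variables` they describe or which ones must be overridden; move them above the keys they apply to. While here, using helm-docs' `# -- description` form on each key would populate the currently empty Description column in the README's Values table, and `secret/data/global/sshKey` reads as a backend-specific path (Vault-style) that is worth stating in the comment, since `secretStore.backend` is otherwise left generic.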
