validatedpatterns · butler54 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,6 +1,9 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: A Helm chart to provide an opinionated deployment of Sandboxed Containers in a validated pattern
 keywords:
 - pattern
-name: vp-template
+- sandboxed-containers
+- confidential-computing
+- confidential-containers
+name: sandboxed-containers
 version: 0.0.1
diff --git a/README.md b/README.md
@@ -1,12 +1,30 @@
-# vp-template
+# sandboxed-containers
 
 ![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+A Helm chart to provide an opinionated deployment of Sandboxed Containers in a validated pattern
 
-This chart is used to serve as the template for Validated Patterns Charts
+This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
+
+It is part of three charts that are intended to be used together:
+1. [trustee](https://github.com/validatedpatterns/trustee-chart) indended to deploy the Key Broker Service (KBS) and related infrastructure.
+    1. This should be deployed on an ACM hub cluster
+2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) this chart, indended to be deployed on an ACM spoke cluster where there is access to confidential hardware
+3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart) this chart, indended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
+
+Along side this is a small number of imperative jobs which can be seen in the coco pattern.
 
 ### Notable changes
 
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.clusterPlatform | string | `""` |  |
+| global.secretStore.backend | string | `""` |  |
+| sandbox.sshKey | string | `"secret/data/global/sshKey"` |  |
+| secretStore.kind | string | `""` |  |
+| secretStore.name | string | `""` |  |
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -5,7 +5,16 @@
 
 {{ template "chart.description" . }}
 
-This chart is used to serve as the template for Validated Patterns Charts
+This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
+
+It is part of three charts that are intended to be used together:
+1. [trustee](https://github.com/validatedpatterns/trustee-chart) indended to deploy the Key Broker Service (KBS) and related infrastructure.
+    1. This should be deployed on an ACM hub cluster
+2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) this chart, indended to be deployed on an ACM spoke cluster where there is access to confidential hardware
+3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart) this chart, indended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
+
+Along side this is a small number of imperative jobs which can be seen in the coco pattern.
+
 
 ### Notable changes
 

diff --git a/templates/.keep b/templates/.keep
diff --git a/templates/feature-gate.yaml b/templates/feature-gate.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: osc-feature-gates
+  namespace: openshift-sandboxed-containers-operator
+data:
+  confidential: "true"
diff --git a/templates/kata-config.yaml b/templates/kata-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: kataconfiguration.openshift.io/v1
+kind: KataConfig
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+  name: default-kata-config
+spec:
+  enablePeerPods: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}true{{ else }}false{{ end }}
diff --git a/templates/ssh-key-eso.yaml b/templates/ssh-key-eso.yaml
@@ -0,0 +1,22 @@
+{{- if and (ne .Values.global.secretStore.backend "none") (eq .Values.global.clusterPlatform "Azure") }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  name: ssh-key-secret-eso
+  namespace: openshift-sandboxed-containers-operator
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.secretStore.name }}
+    kind: {{ .Values.secretStore.kind }}
+  target:
+    name: ssh-key-secret
+    template:
+      type: Opaque
+  dataFrom:
+  - extract:
+      key: {{ .Values.sandbox.sshKey }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -1 +1,22 @@
 ---
+# Chart-specific values
+# Common values are inherited from values-global.yaml
+
+# Global values used by this chart (overridden by values-global.yaml)
+global:
+  clusterPlatform: ""  # Cluster platform: "Azure" or "AWS"
+  secretStore:
+    # Secret store backend, typically overridden by values-global.yaml
+    backend: ""
+
+# Secret store configuration (overridden by values-global.yaml)
+secretStore:
+  name: ""
+  kind: ""
+
+# Sandbox-specific configuration
+sandbox:
+  sshKey: secret/data/global/sshKey
+  # These variables today limit to one cluster
+  # revise using imperative framework to infer from cluster vars
+  # Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml