---
# NOTE(review): this copy of the file arrived with its indentation stripped. The
# nesting below (gpu/tdx/baremetal/resourcePolicy under kbs, attestation at top
# level) was reconstructed from the key names and comments — confirm it against
# the chart templates before relying on it.

# Secret store configuration.
# The default configuration is Vault, exposed as a ClusterSecretStore.
secretStore:
  name: "vault-backend"
  kind: "ClusterSecretStore"

global:
  secretStore:
    # Secret store backend; typically overridden by values-global.yaml.
    backend: ""
  # Must be global because it needs to be propagated to the Ansible playbooks.
  # SHOULD be set in values-global.yaml.
  # The shipped defaults (securityPolicyFlavour "insecure", secured false)
  # describe an unsecured cluster; override both in values-global.yaml for any
  # deployment that is expected to enforce its security policy.
  coco:
    # Vault path of the security policy secret.
    securityPolicy: secret/data/hub/securityPolicyConfig
    # Expected values: insecure, signed or reject.
    securityPolicyFlavour: "insecure"
    # Vault path of the attestation status secret.
    attestationStatus: secret/data/hub/attestationStatus
    # true or false. If true, the cluster will be secured; if false, the
    # cluster will be insecure.
    secured: false

# KBS (Key Broker Service) configuration.
kbs:
  admin:
    # Admin config format: "v1.0" for Trustee 1.0 (auth_public_key),
    # "v1.1" for Trustee 1.1+ (type = "Simple" with [[admin.personas]]).
    format: "v1.0"
  # The security policy is an expected secret and is required to be pushed into
  # the KBS. Presumes the security policy flavour is "signed".
  cosignKeys: secret/data/hub/coSignKeys
  # Public key used to authenticate a user against the KBS management API.
  publicKey: secret/data/hub/kbsPublicKey
  # Dynamic secret resources list — add new secrets here.
  # Each entry generates an ExternalSecret and is added to kbsSecretResources.
  # Requires the name of the secret and a key to retrieve it using ESO,
  # typically from Vault. Everything listed here becomes a resource the KBS can
  # release, so only add secrets meant for attested workloads.
  secretResources:
    # Example entries:
    - name: "kbsres1"
      key: "secret/data/hub/kbsres1"
    - name: "passphrase"
      key: "secret/data/hub/passphrase"
  # Pre-existing secrets to add to kbsSecretResources without creating
  # ExternalSecrets. Use this for secrets that are created outside the
  # Vault/ESO flow (e.g. by imperative jobs, cert-manager, or other
  # controllers). Only the secret name is needed; the secret must already
  # exist in the trustee-operator-system namespace.
  extraSecrets: []
  # Number of HTTP worker threads for the KBS server.
  # If unset, the KBS binary defaults to one worker per logical CPU core,
  # which can cause "too many open files" crashes on high-core-count systems
  # where the container's nofile ulimit is lower than the worker count.
  # Set this to a reasonable value (e.g. 4-8) on systems with many cores.
  # workerCount: 4
  # NVIDIA GPU confidential computing configuration.
  gpu:
    enabled: false
  # Intel TDX (Trust Domain Extensions) configuration.
  tdx:
    # Enable TDX attestation support.
    enabled: false
    # PCCS collateral service URL for quote verification.
    # For Azure: use https://global.acccache.azure.net/sgx/certification/v4/
    # For bare metal/Intel: use https://api.trustedservices.intel.com/sgx/certification/v4/
    collateralService: "https://api.trustedservices.intel.com/sgx/certification/v4/"
  # Bare metal attestation configuration.
  # Enables firmware reference value collection and enforcement.
  baremetal:
    # Enable bare metal firmware reference values (Intel TDX / AMD SEV-SNP).
    # When enabled, creates an ExternalSecret to pull firmware measurements
    # from Vault. Requires firmware values pushed to
    # secret/data/hub/firmwareReferenceValues.
    # See docs/firmware-reference-values.md in coco-pattern for the
    # collection workflow.
    enabled: false
  # Resource policy configuration.
  resourcePolicy:
    # Enforce hardware trust claims in the resource policy.
    # When true: requires hardware claim >= 2 (affirming range).
    # When false: allows resource access even if the hardware claim fails,
    # so secrets can be released to workloads whose hardware trust was not
    # affirmed.
    # Note: for SNP, hardware enforcement requires TCB reference values
    # (tcb_bootloader, tcb_microcode, tcb_snp, tcb_tee) in RVPS.
    enforceHardware: true

# Attestation token certificate configuration.
# Used when secretStore.backend is "none" (cert-manager generates the certs).
attestation:
  commonName: "kbs-trustee-operator-system"
  organization: "Red Hat"