confidential-containers · beraldoleal · Jan 15, 2026 · Jan 15, 2026
@@ -88,6 +88,16 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	# Copy generated files to Helm chart and transform kustomize placeholders to Helm templates
+	@mkdir -p charts/trustee-operator/crds charts/trustee-operator/templates/rbac
+	@cp config/crd/bases/*.yaml charts/trustee-operator/crds/
+	@cp config/rbac/*.yaml charts/trustee-operator/templates/rbac/
+	@rm -f charts/trustee-operator/templates/rbac/kustomization.yaml
+	@sed -i '1s/^/# AUTO-GENERATED by controller-gen. DO NOT EDIT.\n/' charts/trustee-operator/templates/rbac/role.yaml
+	@for crd in charts/trustee-operator/crds/*.yaml; do sed -i '1s/^/# AUTO-GENERATED by controller-gen. DO NOT EDIT.\n/' $$crd; done
+	@sed -i 's/namespace: system/namespace: {{ .Values.namespace }}/g' charts/trustee-operator/templates/rbac/*.yaml
+	@sed -i 's/name: \([a-z-]*-role\|controller-manager\|.*-rolebinding\)/name: {{ .Values.namePrefix }}\1/g' charts/trustee-operator/templates/rbac/*.yaml
+	@sed -i 's/app.kubernetes.io\/managed-by: kustomize/app.kubernetes.io\/managed-by: {{ .Release.Service }}/g' charts/trustee-operator/templates/rbac/*.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: trustee-operator
+description: Operator to manage the lifecycle of Trustee (KBS)
+type: application
+version: 0.1.0
+appVersion: "v0.5.0"
+
+keywords:
+  - confidential-containers
+  - trustee
+  - kbs
+  - operator
+
+home: https://github.com/confidential-containers/trustee-operator
+
+sources:
+  - https://github.com/confidential-containers/trustee-operator
+
+maintainers:
+  - name: Confidential Containers Community
+    url: https://github.com/confidential-containers
@@ -0,0 +1,69 @@
+# Trustee Operator Helm Chart
+
+Helm chart for deploying the Trustee Operator, which manages the lifecycle of
+[Trustee](https://github.com/confidential-containers/trustee) components (KBS, AS, RVPS)
+in a Kubernetes cluster.
+
+## Prerequisites
+
+Before installing this chart, ensure you have:
+
+- **Helm** v3.x or later installed ([installation guide](https://helm.sh/docs/intro/install/))
+- **Kubernetes cluster** v1.24+ with appropriate access
+- **kubeconfig** configured to access your cluster
+
+## Quick Start
+
+### Install Operator Only
+
+Deploy the operator without creating a Trustee instance (you'll manage TrusteeConfig CRs manually):
+
+```bash
+helm install trustee-operator ./charts/trustee-operator \
+  --set trustee.enabled=false \
+  -n trustee-operator-system \
+  --create-namespace
+```
+
+### Install Operator + Trustee Instance
+
+Deploy the operator and automatically create a TrusteeConfig CR for a working Trustee deployment:
+
+```bash
+helm install trustee-operator ./charts/trustee-operator \
+  -n trustee-operator-system \
+  --create-namespace
+```
+
+This creates:
+- Trustee Operator deployment
+- All required RBAC (ClusterRoles, RoleBindings, ServiceAccount)
+- CRDs (KbsConfig, TrusteeConfig)
+- A TrusteeConfig CR named `trustee-sample` (configurable)
+
+### Install with Custom Configuration
+
+```bash
+helm install trustee-operator ./charts/trustee-operator \
+  --set trustee.profileType=Restrictive \
+  --set kbs.serviceType=NodePort \
+  --set kbs.https.enabled=true \
+  --set kbs.https.tlsSecretName=kbs-tls-cert \
+  -n trustee-operator-system \
+  --create-namespace
+```
+
+## Configuration
+
+All configuration options are defined in [`values.yaml`](./values.yaml) with detailed
+comments explaining each field.
+
+You can override any value by either:
+1. Using `--set key=value` flags
+2. Creating your own values file and passing it with `-f custom-values.yaml`
+
+## Uninstall
+
+```bash
+helm uninstall trustee-operator -n trustee-operator-system
+```
@@ -0,0 +1,184 @@
+# AUTO-GENERATED by controller-gen. DO NOT EDIT.
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: kbsconfigs.confidentialcontainers.org
+spec:
+  group: confidentialcontainers.org
+  names:
+    kind: KbsConfig
+    listKind: KbsConfigList
+    plural: kbsconfigs
+    singular: kbsconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: KbsConfig is the Schema for the kbsconfigs API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KbsConfigSpec defines the desired state of KbsConfig
+            properties:
+              KbsDeploymentSpec:
+                description: KbsDeploymentSpec is the struct for trustee deployment
+                  options
+                properties:
+                  replicas:
+                    description: |-
+                      Number of desired trustee pods. This is a pointer to distinguish between explicit
+                      zero and not specified. Defaults to 1.
+                    format: int32
+                    type: integer
+                type: object
+              KbsEnvVars:
+                additionalProperties:
+                  type: string
+                description: |-
+                  KbsEnvVars injects environment variables in the trustee pods
+                  For example, RUST_LOG=debug enables logging with DEBUG severity
+                type: object
+              ibmSEConfigSpec:
+                description: IbmSEConfigSpec is the struct that hosts the IBMSE specific
+                  configuration
+                properties:
+                  certStorePvc:
+                    description: certStorePvc is the name of the PeristentVolumeClaim
+                      where certificates/keys are mounted
+                    type: string
+                type: object
+              kbsAsConfigMapName:
+                description: |-
+                  KbsAsConfigMapName is the name of the configmap that contains the KBS AS configuration
+                  Required only when MicroservicesDeployment is set
+                type: string
+              kbsAttestationCertSecretName:
+                description: KbsAttestationCertSecretName is the name of the secret
+                  that contains the attestation token certificate
+                type: string
+              kbsAttestationKeySecretName:
+                description: KbsAttestationKeySecretName is the name of the secret
+                  that contains the attestation token private key
+                type: string
+              kbsAttestationPolicyConfigMapName:
+                description: KbsAttestationPolicyConfigMapName is the name of the
+                  configmap that contains the Attestation Policy
+                type: string
+              kbsAuthSecretName:
+                description: KbsAuthSecretName is the name of the secret that contains
+                  the KBS auth secret
+                type: string
+              kbsConfigMapName:
+                description: KbsConfigMapName is the name of the configmap that contains
+                  the KBS configuration
+                type: string
+              kbsDeploymentType:
+                description: |-
+                  KbsDeploymentType is the type of KBS deployment
+                  It can assume one of the following values:
+                     AllInOneDeployment: all the KBS components will be deployed in the same container
+                     MicroservicesDeployment: all the KBS components will be deployed in separate containers
+                  Default value is AllInOneDeployment
+                enum:
+                - AllInOneDeployment
+                - MicroservicesDeployment
+                type: string
+              kbsHttpsCertSecretName:
+                description: KbsHttpsCertSecretName is the name of the secret that
+                  contains the KBS https certificate
+                type: string
+              kbsHttpsKeySecretName:
+                description: KbsHttpsKeySecretName is the name of the secret that
+                  contains the KBS https private key
+                type: string
+              kbsLocalCertCacheSpec:
+                description: KbsLocalCertCacheSpec is the struct for mounting local
+                  certificates into trustee file system
+                properties:
+                  secrets:
+                    description: Secrets is a list of certificate cache entries, each
+                      containing a secret name and mount path
+                    items:
+                      description: KbsLocalCertCacheEntry defines a single certificate
+                        cache entry with secret and mount path
+                      properties:
+                        mountPath:
+                          description: |-
+                            MountPath is the destination path in the trustee file system
+                            The default path is "/etc/kbs/certs" if not specified by the user
+                          type: string
+                        secretName:
+                          description: SecretName is the name of the secret that maps
+                            to a local directory containing the certificates
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
+                type: object
+              kbsResourcePolicyConfigMapName:
+                description: KbsResourcePolicyConfigMapName is the name of the configmap
+                  that contains the Resource Policy
+                type: string
+              kbsRvpsConfigMapName:
+                description: |-
+                  KbsRvpsConfigMapName is the name of the configmap that contains the KBS RVPS configuration
+                  Required only when MicroservicesDeployment is set
+                type: string
+              kbsRvpsRefValuesConfigMapName:
+                description: kbsRvpsRefValuesConfigMapName is the name of the configmap
+                  that contains the RVPS reference values
+                type: string
+              kbsSecretResources:
+                description: KbsSecretResources is an array of secret names that contain
+                  the keys required by clients
+                items:
+                  type: string
+                type: array
+              kbsServiceType:
+                description: |-
+                  KbsServiceType is the type of service to create for KBS
+                  Default value is ClusterIP
+                type: string
+              tdxConfigSpec:
+                description: TdxConfigSpec is the struct that hosts the TDX specific
+                  configuration
+                properties:
+                  kbsTdxConfigMapName:
+                    description: kbsTdxConfigMapName is the name of the configmap
+                      containing sgx_default_qcnl.conf file
+                    type: string
+                type: object
+            type: object
+          status:
+            description: KbsConfigStatus defines the observed state of KbsConfig
+            properties:
+              isReady:
+                description: IsReady is true when the KBS configuration is ready
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}