fix: update with security policies

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

ansible/init-data-gzipper.yaml

@@ -7,6 +7,7 @@
     kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
     cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
     hub_domain: "{{ global.hubClusterDomain | default('none')  | lower}}"
+    security_policy_flavour: "{{ global.coco.securityPolicyFlavour | default('insecure') }}"
     template_src: "initdata-default.toml.tpl"
   tasks:
     - name: Create temporary working directory

ansible/initdata-default.toml.tpl

@@ -27,7 +27,7 @@ kbs_cert = """
 '''
 
 [image]
-image_security_policy_uri = 'kbs:///default/security-policy/osc
+image_security_policy_uri = 'kbs:///default/security-policy/{{ security_policy_flavour }}
 '''
 
 "policy.rego" = '''

values-global.yaml

@@ -11,6 +11,7 @@ global:
   # This defines whether or not to use upstream resources for CoCo.
   # Defines whether or not the hub cluster can be used for confidential containers
   coco:
+    securityPolicyFlavour: "insecure" # insecure, signed or reject is expected.
     azure:
       defaultVMFlavour: "Standard_DC2as_v5"
       VMFlavours: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"
@@ -24,6 +25,7 @@ main:
     clusterGroupChartVersion: 0.9.*
 
 # Common secret store configuration used across multiple charts
+# Warning do not rely on this. it does not consistently apply.
 secretStore:
   name: vault-backend
   kind: ClusterSecretStore

values-secret.yaml.template

@@ -8,19 +8,55 @@ version: "2.0"
 secrets:
 
 
-  - name: 'securityPolicyConfig'
+  - name: securityPolicyConfig
     vaultPrefixes:
     - hub
     fields:
-    - name: osc
+    # Accept all images without verification (INSECURE - dev/testing only)
+    - name: insecure
       value: |
         {
-         "default": [
-          {
-            "type": "insecureAcceptAnything"
-          }],
-         "transports": {}
+          "default": [{"type": "insecureAcceptAnything"}],
+          "transports": {}
         }
+    # Reject all images (useful for testing policy enforcement)
+    - name: reject
+      value: |
+        {
+          "default": [{"type": "reject"}],
+          "transports": {}
+        }
+    # Only accept signed images (production)
+    # Edit the transports section to add your signed images.
+    # Each image needs a corresponding cosign public key in cosign-keys secret.
+    # The keys much line up with the keys below
+    - name: signed
+      value: |
+        {
+          "default": [{"type": "reject"}],
+          "transports": {
+            "docker": {
+              "registry.example.com/my-image": [
+                {
+                  "type": "sigstoreSigned",
+                  "keyPath": "kbs:///default/cosign-keys/key-0"
+                }
+              ]
+            }
+          }
+        }
+  
+  # Cosign public keys for image signature verification
+  # Required when using the "signed" policy above.
+  # Add your cosign public key files here.
+  # Generate a cosign key pair: cosign generate-key-pair
+  #- name: cosign-keys
+  #  vaultPrefixes:
+  #  - hub
+  #  fields:
+  #  - name: key-0
+  #    path: ~/.coco-pattern/trustee/cosign-key-0.pub
+
 
   - name: attestationStatus
     vaultPrefixes:

values-simple.yaml

@@ -80,11 +80,12 @@ clusterGroup:
       repoURL: https://github.com/butler54/trustee-chart.git
       targetRevision: merge-certs
       path: ./
+      extraValueFiles:
+        - '$patternref/overrides/values-trustee.yaml'
       # chart: trustee
       # chartVersion: 0.1.*
       # Use the override file to specify the list of secrets accessible to trustee from the ESO backend (today by default, Vault).
-      extraValueFiles:
-        - '$patternref/overrides/values-trustee.yaml'
+
     # sandbox:
     #   name: sandbox
     #   namespace: openshift-sandboxed-containers-operator #upstream config