@@ -87,6 +87,124 @@ secrets:
8787 onMissingValue: generate
8888 vaultPolicy: alphaNumericPolicy
8989
90+ # CoCo (Confidential Containers) secrets
91+ - name: sshKey
92+ vaultPrefixes:
93+ - global
94+ fields:
95+ - name: id_rsa.pub
96+ path: ~/.config/validated-patterns/id_rsa.pub
97+ - name: id_rsa
98+ path: ~/.config/validated-patterns/id_rsa
99+
100+ # Container Image Signature Verification Policy
101+ # Controls which container images are allowed to run in confidential containers.
102+ # The policy is fetched by the TEE via initdata using image_security_policy_uri.
103+ #
104+ # Three policy variants are provided:
105+ # - insecure: Accept all images (for development/testing only)
106+ # - reject: Reject all images (useful for testing policy enforcement)
107+ # - signed: Only accept images signed with cosign (for production)
108+ #
109+ # Select policy in initdata:
110+ # image_security_policy_uri = 'kbs:///default/security-policy/insecure'
111+ #
112+ # TODO: Rename to 'container-image-policy' in trustee-chart to better reflect
113+ # that this is about container image signature verification, not general security policy.
114+ - name: securityPolicyConfig
115+ vaultPrefixes:
116+ - hub
117+ fields:
118+ # Accept all images without verification (INSECURE - dev/testing only)
119+ - name: insecure
120+ value: |
121+ {
122+ "default": [{"type": "insecureAcceptAnything"}],
123+ "transports": {}
124+ }
125+ # Reject all images (useful for testing policy enforcement)
126+ - name: reject
127+ value: |
128+ {
129+ "default": [{"type": "reject"}],
130+ "transports": {}
131+ }
132+ # Only accept signed images (production)
133+ # Edit the transports section to add your signed images.
134+ # Each image needs a corresponding cosign public key in cosign-keys secret.
135+ - name: signed
136+ value: |
137+ {
138+ "default": [{"type": "reject"}],
139+ "transports": {
140+ "docker": {
141+ "registry.example.com/my-image": [
142+ {
143+ "type": "sigstoreSigned",
144+ "keyPath": "kbs:///default/cosign-keys/key-0"
145+ }
146+ ]
147+ }
148+ }
149+ }
150+
151+ # Cosign public keys for image signature verification
152+ # Required when using the "signed" policy above.
153+ # Add your cosign public key files here.
154+ # Generate a cosign key pair: cosign generate-key-pair
155+ #- name: cosign-keys
156+ # vaultPrefixes:
157+ # - hub
158+ # fields:
159+ # - name: key-0
160+ # path: ~/.config/validated-patterns/trustee/cosign-key-0.pub
161+
162+ # KBS authentication keys (Ed25519) for Trustee admin API
163+ # Generate with:
164+ # mkdir -p ~/.config/validated-patterns/trustee
165+ # openssl genpkey -algorithm ed25519 > ~/.config/validated-patterns/trustee/kbsPrivateKey
166+ # openssl pkey -in ~/.config/validated-patterns/trustee/kbsPrivateKey -pubout -out ~/.config/validated-patterns/trustee/kbsPublicKey
167+ # chmod 600 ~/.config/validated-patterns/trustee/kbsPrivateKey
168+ - name: kbsPublicKey
169+ vaultPrefixes:
170+ - hub
171+ fields:
172+ - name: publicKey
173+ path: ~/.config/validated-patterns/trustee/kbsPublicKey
174+
175+ - name: kbsPrivateKey
176+ vaultPrefixes:
177+ - global
178+ fields:
179+ - name: privateKey
180+ path: ~/.config/validated-patterns/trustee/kbsPrivateKey
181+
182+ - name: kbsres1
183+ vaultPrefixes:
184+ - hub
185+ fields:
186+ - name: key1
187+ value: ''
188+ onMissingValue: generate
189+ vaultPolicy: validatedPatternDefaultPolicy
190+ - name: key2
191+ value: ''
192+ onMissingValue: generate
193+ vaultPolicy: validatedPatternDefaultPolicy
194+ - name: key3
195+ value: ''
196+ onMissingValue: generate
197+ vaultPolicy: validatedPatternDefaultPolicy
198+
199+ - name: passphrase
200+ vaultPrefixes:
201+ - hub
202+ fields:
203+ - name: passphrase
204+ value: ''
205+ onMissingValue: generate
206+ vaultPolicy: validatedPatternDefaultPolicy
207+
90208 # If you use clusterPools you will need to uncomment the following lines
91209 #- name: aws
92210 # fields:
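Review bot: The only worked example for `image_security_policy_uri` (the `kbs:///default/security-policy/insecure` line in the comment block above `securityPolicyConfig`) selects the variant that accepts every image, while the `signed` variant's `keyPath` points at `kbs:///default/cosign-keys/key-0` whose backing `cosign-keys` secret is shipped commented out, so a reader who copies the example gets no verification and one who switches to `signed` gets a dangling key reference. I would make the example point at the production variant, `image_security_policy_uri = 'kbs:///default/security-policy/signed'`, and add above the `signed` field `# Requires the cosign-keys secret below to be uncommented and registry.example.com/my-image replaced with your image reference`. Separately, the `id_rsa` private key in `sshKey` and `kbsPrivateKey` are placed under the `global` prefix while their public halves sit under `hub`; if `global` denotes a wider vault scope than `hub`, a one-line comment explaining why the private material needs the broader scope would help the next maintainer. The `secrets:` list this hunk extends begins before the hunk.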