feat: initial drop (#2)

* feat: initial drop

Signed-off-by: Chris Butler <[email protected]>

* chore: actually add the files

Signed-off-by: Chris Butler <[email protected]>

* fix: restrict access rights further

Signed-off-by: Chris Butler <[email protected]>

* fix: linting issues

Signed-off-by: Chris Butler <[email protected]>

* fix: revert superlinter for now to simpler workflow

Signed-off-by: Chris Butler <[email protected]>

---------

Signed-off-by: Chris Butler <[email protected]>

Author: butler54

.github/workflows/conventional-pr.yml

@@ -0,0 +1,31 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+    branches:
+      - 'main'
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    if: ${{ github.head_ref != 'develop' }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Install dependencies
+      run: npm install @commitlint/cli @commitlint/config-conventional
+
+    - name: Validate PR title
+      run: |
+        PR_TITLE=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH")
+        echo "$PR_TITLE" | npx commitlint --config commitlint.config.js

.github/workflows/superlinter.yml

@@ -1,16 +1,39 @@
 ---
-name: Super linter
-
-on:
-  pull_request:
-    branches: [main]
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    uses: validatedpatterns/github-actions-library/.github/workflows/superlinter.yml@v1
-    with:
-      sl_env: |
-        VALIDATE_BIOME_FORMAT=false
+  name: Super linter
+  
+  on: [push, pull_request]
+  permissions: read-all
+  
+  jobs:
+    build:
+      # Name the Job
+      name: Super linter
+      # Set the agent to run on
+      runs-on: ubuntu-latest
+  
+      steps:
+        - name: Checkout Code
+          uses: actions/checkout@v5
+          with:
+            # Full git history is needed to get a proper list of changed files within `super-linter`
+            fetch-depth: 0
+  
+        ################################
+        # Run Linter against code base #
+        ################################
+        - name: Lint Code Base
+          uses: super-linter/super-linter/slim@v7
+          env:
+            VALIDATE_ALL_CODEBASE: true
+            DEFAULT_BRANCH: main
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            # These are the validation we disable atm
+            # Temporarily
+            VALIDATE_CHECKOV: false
+            VALIDATE_JSON_PRETTIER: false
+            VALIDATE_KUBERNETES_KUBECONFORM: false
+            VALIDATE_MARKDOWN: false
+            VALIDATE_MARKDOWN_PRETTIER: false
+            VALIDATE_YAML: false
+            VALIDATE_YAML_PRETTIER: false
+  

.prettierrc

@@ -0,0 +1,4 @@
+{
+  "singleQuote": true,
+  "semi": false
+}

Chart.yaml

@@ -1,6 +1,9 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: A Helm chart to build and push polcies to support sandboxed containers into the spoke cluster of a validated pattern.
 keywords:
   - pattern
-name: vp-template
+  - sandboxed-containers
+  - confidential-computing
+  - confidential-containers
+name: sandboxed-policies
 version: 0.0.1

README.md

@@ -1,13 +1,29 @@
-# vp-template
+# sandboxed-policies
 
 ![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+A Helm chart to build and push polcies to support sandboxed containers into the spoke cluster of a validated pattern.
 
-This chart is used to serve as the template for Validated Patterns Charts
+This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
+
+It is part of three charts that are intended to be used together:
+
+1. [trustee](https://github.com/validatedpatterns/trustee-chart) intended to deploy the Key Broker Service (KBS) and related infrastructure to the ub cluster.
+2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) intended to be deployed on an ACM spoke cluster where there is access to confidential hardware
+3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart), this chart, intended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
+
+A small number of imperative jobs are also part of the coco pattern which are used to push the polices to the spoke cluster.
 
 ## Notable changes
 
+## Values
+
+| Key                                | Type   | Default                                                                      | Description |
+| ---------------------------------- | ------ | ---------------------------------------------------------------------------- | ----------- |
+| global.clusterPlatform             | string | `""`                                                                         |             |
+| global.coco.azure.VMFlavours       | string | `"Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"` |             |
+| global.coco.azure.defaultVMFlavour | string | `"Standard_DC2as_v5"`                                                        |             |
+
 ---
 
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

README.md.gotmpl

@@ -5,7 +5,15 @@
 
 {{ template "chart.description" . }}
 
-This chart is used to serve as the template for Validated Patterns Charts
+This chart is intended for use with the [coco-pattern](https://github.com/validatedpatterns/coco-pattern) and other validated patterns.
+
+It is part of three charts that are intended to be used together:
+
+1. [trustee](https://github.com/validatedpatterns/trustee-chart) intended to deploy the Key Broker Service (KBS) and related infrastructure to the ub cluster.
+2. [sandboxed-containers](https://github.com/validatedpatterns/sandboxed-containers-chart) intended to be deployed on an ACM spoke cluster where there is access to confidential hardware
+3. [sandboxed-policies](https://github.com/validatedpatterns/sandboxed-policies-chart), this chart, intended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.
+
+A small number of imperative jobs are also part of the coco pattern which are used to push the polices to the spoke cluster.
 
 ## Notable changes
 

commitlint.config.js

@@ -0,0 +1 @@
+module.exports = { extends: ['@commitlint/config-conventional'] }

templates/.keep

@@ -0,0 +1,68 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: hub-to-spoke-initdata-policy
+  namespace: imperative
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: hub-to-spoke-initdata-cp
+        namespace: imperative
+      spec:
+        remediationAction: enforce
+        severity: medium
+        namespaceSelector:
+          include:
+            - imperative
+        object-templates:
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            kind: ConfigMap
+            metadata:
+              name: initdata
+              namespace: imperative
+            data:
+              INITDATA: '{{ `{{hub fromConfigMap "imperative" "initdata" "INITDATA" hub}}` }}'
+
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: hub-to-spoke-initdata-placement-binding
+  namespace: imperative
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: hub-to-spoke-initdata-placement-rule
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: hub-to-spoke-initdata-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: hub-to-spoke-initdata-placement-rule
+  namespace: imperative
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      # Only apply to spoke clusters (exclude local-cluster which is typically the hub)
+      - key: name
+        operator: NotIn
+        values: ["local-cluster"]

templates/hub-to-spoke-initdata-policy.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: peerpods-cm-policy
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: peerpods-cm-cp
+      spec:
+        remediationAction: enforce
+        severity: medium
+        object-templates:
+
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            kind: ConfigMap
+            metadata:
+              name: peer-pods-cm
+              namespace: openshift-sandboxed-containers-operator
+            data:
+              CLOUD_PROVIDER: "azure"
+              VXLAN_PORT: "9000"
+              AZURE_IMAGE_ID: '{{ `{{if (lookup "v1" "ConfigMap" "openshift-sandboxed-containers-operator" "peer-pods-cm").metadata.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "peer-pods-cm" "AZURE_IMAGE_ID" }}{{ else }}{{ end }}` }}'
+              AZURE_INSTANCE_SIZE: "{{ .Values.global.coco.azure.defaultVMFlavour }}" 
+              AZURE_INSTANCE_SIZES: "{{ .Values.global.coco.azure.VMFlavours }}" 
+              AZURE_RESOURCE_GROUP: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}'
+              AZURE_REGION: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).location }}` }}'
+              AZURE_SUBNET_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}/providers/Microsoft.Network/virtualNetworks/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetName }}` }}/subnets/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subnetName }}` }}'
+              AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}'
+              DISABLECVM: "false"
+              PROXY_TIMEOUT: "5m"
+              INITDATA: '{{ `{{ fromConfigMap "imperative" "initdata" "INITDATA" }}` }}'
+
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: peerpods-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: peerpods-placement-rule
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: peerpods-cm-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: peerpods-placement-rule
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchLabels:
+      cloud: Azure
+---