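---
# A more formal description of this format can be found here:
# https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils#values-secret-file-format
version: "2.0"

# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are
# automatically generated inside the vault this should not really matter)
secrets:
  # ===================================================================
  # Core KBS Secrets (Always Required)
  # ===================================================================

  # KBS public key - used by workloads to verify KBS identity
  - name: kbsPublicKey
    vaultPrefixes:
      - hub
    fields:
      - name: publicKey
        path: ~/.coco-pattern/kbsPublicKey

  # KBS private key - used by KBS to sign responses
  # Generated by gen-secrets.sh alongside kbsPublicKey
  # NOTE(review): stored under the `global` prefix while the public key above
  # is under `hub`; confirm that the wider prefix is intended for the signing key.
  - name: kbsPrivateKey
    vaultPrefixes:
      - global
    fields:
      - name: privateKey
        path: ~/.coco-pattern/kbsPrivateKey

  # Auto-generated test secrets provided by KBS
  # (empty value + onMissingValue: generate => the vault generates the value)
  - name: kbsres1
    vaultPrefixes:
      - hub
    fields:
      - name: key1
        value: ''
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: key2
        value: ''
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: key3
        value: ''
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # Auto-generated passphrase (example secret)
  - name: passphrase
    vaultPrefixes:
      - hub
    fields:
      - name: passphrase
        value: ''
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # Attestation status tracking
  - name: attestationStatus
    vaultPrefixes:
      - hub
    fields:
      - name: status
        value: 'attested'
      - name: random
        value: ''
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # ===================================================================
  # Security Policies & Attestation
  # ===================================================================

  # Image security policies (insecure, reject, signed)
  # Controls which container images are allowed to run in confidential pods.
  # Each field below is a complete containers-policy JSON document.
  - name: securityPolicyConfig
    vaultPrefixes:
      - hub
    fields:
      # Accept all images without verification (INSECURE - dev/testing only)
      - name: insecure
        value: |
          {
            "default": [{"type": "insecureAcceptAnything"}],
            "transports": {}
          }
      # Reject all images (useful for testing policy enforcement)
      - name: reject
        value: |
          {
            "default": [{"type": "reject"}],
            "transports": {}
          }
      # Only accept signed images (production)
      # Edit the transports section to add your signed images.
      # Each image needs a corresponding cosign public key in the cosign-keys secret.
      # The "keyPath" must line up with the field names of the cosign-keys secret
      # below: kbs:///default/cosign-keys/key-0 refers to its "key-0" field.
      - name: signed
        value: |
          {
            "default": [{"type": "reject"}],
            "transports": {
              "docker": {
                "registry.example.com/my-image": [
                  {
                    "type": "sigstoreSigned",
                    "keyPath": "kbs:///default/cosign-keys/key-0"
                  }
                ]
              }
            }
          }

  # Cosign public keys for image signature verification
  # Required when using the "signed" policy above.
  # Add your cosign public key files here.
  # Generate a cosign key pair: cosign generate-key-pair
  # - name: cosign-keys
  #   vaultPrefixes:
  #     - hub
  #   fields:
  #     - name: key-0
  #       path: ~/.coco-pattern/cosign-key-0.pub

  # PCR measurements for attestation.
  # Azure: run ./scripts/get-pcr.sh to extract from peer-pod image
  # Bare metal: manually collect from running confidential VM
  # See docs/pcr-reference-values-bare-metal.md for collection procedure
  - name: pcrStash
    vaultPrefixes:
      - hub
    fields:
      - name: json
        path: ~/.coco-pattern/measurements.json

  # ===================================================================
  # Optional - SSH Debug Access
  # ===================================================================

  # SSH keys for podvm debug access (optional).
  # To enable: set global.coco.enableSSHDebug=true in values-global.yaml,
  # run COCO_ENABLE_SSH_DEBUG=true ./scripts/gen-secrets.sh,
  # then uncomment the block below.
  # - name: sshKey
  #   vaultPrefixes:
  #     - global
  #   fields:
  #     - name: id_rsa.pub
  #       path: ~/.coco-pattern/id_rsa.pub
  #     - name: id_rsa
  #       path: ~/.coco-pattern/id_rsa

  # ===================================================================
  # Optional - Bare Metal Intel TDX
  # ===================================================================

  # PCCS secrets for bare metal Intel TDX deployments.
  # Uncomment these sections for bare metal deployments.
  # Run ./scripts/gen-secrets.sh first to generate tokens and certificates.
  # You must provide your Intel PCS API key in the api_key field
  # (keep it quoted; it is a string, not a number).
  # Get an API key from: https://api.portal.trustedservices.intel.com/
  # - name: pccs
  #   vaultPrefixes:
  #     - hub
  #   fields:
  #     - name: api_key
  #       value: '<your-intel-pcs-api-key>'
  #     - name: user_token_hash
  #       path: ~/.coco-pattern/pccs_user_token_hash
  #     - name: user_token
  #       path: ~/.coco-pattern/pccs_user_token
  #     - name: admin_token_hash
  #       path: ~/.coco-pattern/pccs_admin_token_hash
  #     - name: admin_token
  #       path: ~/.coco-pattern/pccs_admin_token
  #     - name: db_username
  #       value: ''
  #       onMissingValue: generate
  #       vaultPolicy: validatedPatternDefaultPolicy
  #     - name: db_password
  #       value: ''
  #       onMissingValue: generate
  #       vaultPolicy: validatedPatternDefaultPolicy
  # - name: pccs-tls
  #   vaultPrefixes:
  #     - hub
  #   fields:
  #     - name: private_key
  #       path: ~/.coco-pattern/pccs_private.pem
  #     - name: certificate
  #       path: ~/.coco-pattern/pccs_certificate.pem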