trustee

A Helm chart to provide an opinionated deployment of Trustee in a validated pattern

This chart is intended for use with the coco-pattern and other validated patterns.

It is part of three charts that are intended to be used together:

trustee indended to deploy the Key Broker Service (KBS) and related infrastructure (this chart))
1. This should be deployed on an ACM hub cluster
sandboxed-containers intended to be deployed on an ACM spoke cluster where there is access to confidential hardware
sandboxed-policies intended to be deployed on an ACM hub cluster which pushes polices to the spoke cluster.

In order to use this chart, you will need to:

Have a security policy created and available. This is a container security policy that will be used to verify the inside a kata vm.
1. See here for more information: https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.10/html/deploying_red_hat_build_of_trustee/deploying-trustee_azure-trustee#creating-image-verification-policy_azure-trustee
Have a public key created and available. This is a public key that will be used to authenticate the KBS management API.
Have a list of secret resources to be added to the KBS as a list of name, key pairs where key is the path to the secret in the secret store. These will be used to authenticate the KBS management API.

Values

Key	Type	Default
attestation.commonName	string	`"kbs-trustee-operator-system"`
attestation.organization	string	`"Red Hat"`
global.coco.attestationStatus	string	`"secret/data/hub/attestationStatus"`
global.coco.secured	bool	`false`
global.coco.securityPolicy	string	`"secret/data/hub/securityPolicyConfig"`
global.coco.securityPolicyFlavour	string	`"insecure"`
global.secretStore.backend	string	`""`
kbs.cosignKeys	string	`"secret/data/hub/coSignKeys"`
kbs.extraSecrets	list	`[]`
kbs.publicKey	string	`"secret/data/hub/kbsPublicKey"`
kbs.secretResources[0].key	string	`"secret/data/hub/kbsres1"`
kbs.secretResources[0].name	string	`"kbsres1"`
kbs.secretResources[1].key	string	`"secret/data/hub/passphrase"`
kbs.secretResources[1].name	string	`"passphrase"`
kbs.tdx.collateralService	string	`"https://api.trustedservices.intel.com/sgx/certification/v4/"`
kbs.tdx.enabled	bool	`false`
secretStore.kind	string	`"ClusterSecretStore"`
secretStore.name	string	`"vault-backend"`

Autogenerated from chart metadata using helm-docs v1.14.2

Name		Name	Last commit message	Last commit date
Latest commit History 16 Commits
.github		.github
templates		templates
.gitignore		.gitignore
.prettierrc		.prettierrc
.releaserc.yaml		.releaserc.yaml
Chart.yaml		Chart.yaml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
README.md.gotmpl		README.md.gotmpl
commitlint.config.js		commitlint.config.js
package-lock.json		package-lock.json
package.json		package.json
values.yaml		values.yaml