Skip to content

feat: update operator CSV pins and trustee chartVersion for OSC 1.13 / Trustee 1.2#100

Open
butler54 wants to merge 4 commits into
validatedpatterns:mainfrom
butler54:dev/osc-1.13-upgrade
Open

feat: update operator CSV pins and trustee chartVersion for OSC 1.13 / Trustee 1.2#100
butler54 wants to merge 4 commits into
validatedpatterns:mainfrom
butler54:dev/osc-1.13-upgrade

Conversation

@butler54

Copy link
Copy Markdown
Collaborator

Summary

Update coco-pattern topology values files to reference Trustee 1.2.0 / OSC 1.13.0 operators and trustee-chart v0.9.x.

Operator Subscription CSV Pins

  • trustee-operator: v1.1.0 → v1.2.0 (all topology files)
  • sandboxed-containers-operator: v1.12.0 → v1.13.0 (all topology files)

Trustee Chart Version

  • chartVersion: 0.8.* → 0.9.* (baremetal, azure, trusted-hub)
  • targetRevision: dev/osc-1.13-upgrade added to baremetal trustee app for branch-based testing

Files Changed

  • values-baremetal.yaml
  • values-azure.yaml
  • values-trusted-hub.yaml

What's NOT Changed (by design)

  • sandboxed-containers-chart chartVersion stays at 0.2.* (D-10: zero changes needed)
  • sandboxed-policies-chart chartVersion stays at 0.2.* (D-11: zero changes needed)
  • Workload charts unchanged (D-12: CDH URI format is version-independent)
  • Initdata templates confirmed version-insensitive (D-08 audit complete)

Companion PR

Test plan

  • Deploy on fresh OCP cluster with OSC 1.13 / Trustee 1.2 operators (Phase 15)
  • Verify ArgoCD resolves trustee-chart from dev/osc-1.13-upgrade branch
  • Verify operator subscriptions install correct CSV versions

@butler54
butler54 requested a review from a team July 16, 2026 23:06
…C 1.13 / Trustee 1.2

- Bump sandboxed-containers-operator CSV from v1.12.0 to v1.13.0 (baremetal, azure)
- Bump trustee-operator CSV from v1.1.0 to v1.2.0 (baremetal, azure, trusted-hub)
- Update trustee chartVersion from 0.8.* to 0.9.* across all topologies
- Add targetRevision: dev/osc-1.13-upgrade to baremetal trustee application for testing
- Preserve sandbox/policies chartVersion at 0.2.* (D-10, D-11)
- Preserve workload chart paths unchanged (D-12)
butler54 added a commit to butler54/trustee-chart that referenced this pull request Jul 16, 2026
…tee 1.1 compat (validatedpatterns#35)

* fix: use external-secrets.io/v1 API for Red Hat ESO compatibility

* fix: add admin.type=DenyAll for Trustee 1.1 KBS compatibility

* feat: add credential to extraSecrets for authenticated registry support

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add ACM policy for pull secret credential — replaces ansible imperative job

Implements declarative pull secret propagation via ACM ConfigurationPolicy.
Uses fromSecret to copy .dockerconfigjson from openshift-config/pull-secret
to trustee-operator-system/credential with key regcred.

- Gated on global.coco.secured (only active when attestation enabled)
- Sync-wave 5 (after vault, before RVPS)
- Continuously reconciled by ACM - no cron job needed
- Replaces imperative ansible playbook approach

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add ACM policy for pull-secret distribution

Replace ExternalSecrets approach with ACM ConfigurationPolicy that:
- Copies openshift-config/pull-secret
- Transforms .dockerconfigjson key to regcred
- Places in trustee-operator-system/credential secret
- Available to KBS as kbs:///default/credential/regcred

Sync wave 5 ensures this runs before trustee deployment (wave 7).

Resolves Phase 5-6 registry authentication requirement.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: remove duplicate pull-secret-policy.yaml

The pull-secret-credential-policy.yaml file already contains the
ACM Policy, PlacementRule, and PlacementBinding for distributing
pull-secret credentials. The old pull-secret-policy.yaml was causing
duplicate resource warnings in ArgoCD.

This fixes the trustee app OutOfSync status.

* feat(phase6): add Red Hat GPG public key for signature verification

* feat: add Red Hat sigstore public key secret

Add sigstore-keys secret with Red Hat release key 3 for
sigstore signature verification.

This enables sigstoreSigned policy type which stores signatures
as OCI artifacts in the registry (unlike GPG lookaside).

Secret will be mounted to KBS repository via KbsConfig.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: bump version to 0.8.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: support for ESO

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* ci: ignore attestation-policy.yaml in jscpd duplicate detection

TDX and SEV-SNP attestation policy blocks share intentional structural
similarity. This is not accidental duplication — the policies have
different field values but the same YAML shape.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove embedded Red Hat GPG and sigstore key secrets

These templates create Kubernetes Secrets with hardcoded Red Hat public
keys, but nothing consumes them — they are not in kbsSecretResources
and no active security policy references them.

Keys should be fetched from official Red Hat URLs at install time
(via Makefile targets in coco-pattern), not embedded in source.

See: validatedpatterns/coco-pattern#100

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: fix actions/checkout version comment to match SHA

zizmor ref-version-mismatch: SHA de0fac2e maps to v6.0.2, not v6.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Signed-off-by: Chris Butler <chris.butler@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@butler54
butler54 force-pushed the dev/osc-1.13-upgrade branch from f8e13d7 to 4acb3d2 Compare July 16, 2026 23:09
butler54 and others added 3 commits July 16, 2026 23:43
Trustee 1.2 uses authorization_mode = "DenyAll" — no admin
API access exists. Remove the now-unused:
- kbsPublicKey and kbsPrivateKey from values-secret template
- ed25519 keypair generation from gen-secrets.sh

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ion (D-01)

- Remove kbs.tdx.collateralService override pointing to local PCCS
- Chart default (api.trustedservices.intel.com) takes effect per D-01
Trustee chart 0.9.0 not yet published to charts.validatedpatterns.io
(latest is 0.8.0). Switch from chart/chartVersion to repoURL/path
pointing at butler54/trustee-chart dev/osc-1.13-upgrade branch,
same pattern used during Milestone 1 testing (f228913).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant