coco-pattern/values-secret.yaml.template at main · validatedpatterns/coco-pattern · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# A more formal description of this format can be found here:
# https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils#values-secret-file-format

version: "2.0"
# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are
# automatically generated inside the vault this should not really matter)

secrets:


  # SSH keys for podvm debug access (optional).
  # To enable: set global.coco.enableSSHDebug=true in values-global.yaml,
  # run COCO_ENABLE_SSH_DEBUG=true ./scripts/gen-secrets.sh,
  # then uncomment the block below.
  #- name: sshKey
  #  vaultPrefixes:
  #  - global
  #  fields:
  #  - name: id_rsa.pub
  #    path: ~/.coco-pattern/id_rsa.pub
  #  - name: id_rsa
  #    path: ~/.coco-pattern/id_rsa

  - name: securityPolicyConfig
    vaultPrefixes:
    - hub
    fields:
    # Accept all images without verification (INSECURE - dev/testing only)
    - name: insecure
      value: |
        {
          "default": [{"type": "insecureAcceptAnything"}],
          "transports": {}
        }
    # Reject all images (useful for testing policy enforcement)
    - name: reject
      value: |
        {
          "default": [{"type": "reject"}],
          "transports": {}
        }
    # Only accept signed images (production)
    # Edit the transports section to add your signed images.
    # Each image needs a corresponding cosign public key in cosign-keys secret.
    # The keys much line up with the keys below
    - name: signed
      value: |
        {
          "default": [{"type": "reject"}],
          "transports": {
            "docker": {
              "registry.example.com/my-image": [
                {
                  "type": "sigstoreSigned",
                  "keyPath": "kbs:///default/cosign-keys/key-0"
                }
              ]
            }
          }
        }

  # Cosign public keys for image signature verification
  # Required when using the "signed" policy above.
  # Add your cosign public key files here.
  # Generate a cosign key pair: cosign generate-key-pair
  #- name: cosign-keys
  #  vaultPrefixes:
  #  - hub
  #  fields:
  #  - name: key-0
  #    path: ~/.coco-pattern/cosign-key-0.pub


  # PCR measurements for attestation.
  # Required: run ./scripts/get-pcr.sh before deploying.
  - name: pcrStash
    vaultPrefixes:
    - hub
    fields:
    - name: json
      path: ~/.coco-pattern/measurements.json


  - name: attestationStatus
    vaultPrefixes:
    - hub
    fields:
    - name: status
      value: 'attested'
    - name: random
      value: ''
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy

  - name: kbsPublicKey
    vaultPrefixes:
    - hub
    fields:
    - name: publicKey
      path: ~/.coco-pattern/kbsPublicKey


  - name: kbsres1
    vaultPrefixes:
    - hub
    fields:
    - name: key1
      value: ''
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy
    - name: key2
      value: ''
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy
    - name: key3
      value: ''
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy

  - name: passphrase
    vaultPrefixes:
    - hub
    fields:
    - name: passphrase
      value: ''
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy