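# A more formal description of this format can be found here:
# https://github.com/validatedpatterns/rhvp.cluster_utils/tree/main/roles/vault_utils#values-secret-file-format

version: "2.0"
# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are
# automatically generated inside the vault this should not really matter)

# Vault Secret Organization:
# --------------------------
# Secrets are organized for least-privilege access:
#
# Application Secrets (fine-grained isolation):
#   apps/qtodo/         - QTodo application secrets (app-level isolation)
#   apps/<myapp>/       - Add your app here for isolated secrets
#
# Infrastructure Secrets (hub/infra/*):
#   hub/infra/keycloak/ - Keycloak infrastructure secrets
#   hub/infra/rhtpa/    - RHTPA infrastructure secrets
#   hub/infra/quay/     - Built-in Quay registry credentials (auto-generated)
#   hub/infra/registry/ - BYO container registry credentials (user-provided)
#   hub/infra/users/    - User credentials managed by IdP
#
# Framework Secrets:
#   global/             - VP framework default (config-demo, etc.)
#
# Each path has a corresponding Vault policy granting access ONLY to its
# specific path (e.g., apps-qtodo-secret grants read to secret/data/apps/qtodo/*).

# Password-generation policies (Vault password-policy syntax), referenced by
# name from the `vaultPolicy` key of a field below. Only alphaNumericPolicy is
# referenced by the active secrets in this file; basicPolicy and advancedPolicy
# are available for fields you add yourself.
vaultPolicies:
  basicPolicy: |
    length=10
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
  advancedPolicy: |
    length=20
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
    rule "charset" { charset = "!@#^&*" min-chars = 1 }
  alphaNumericPolicy: |
    length=32
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }

secrets:
  # ===========================================================================
  # GLOBAL SECRETS (global/)
  # VP framework default path for demo/test secrets
  # ===========================================================================
  - name: config-demo
    vaultPrefixes:
      - global
    fields:
      - name: secret
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # ===========================================================================
  # QTODO APPLICATION SECRETS (apps/qtodo/)
  # Secrets specific to the QTodo application - isolated at app level
  # Policy: apps-qtodo-secret (read access to apps/qtodo/*)
  # ===========================================================================
  - name: qtodo-db
    vaultPrefixes:
      - apps/qtodo
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: db-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # qtodo-oidc-client secret is no longer needed — qtodo now authenticates
  # to Keycloak using SPIFFE JWT SVID (federated client assertion)
  #- name: qtodo-oidc-client
  #  vaultPrefixes:
  #    - apps/qtodo
  #  fields:
  #    - name: client-secret
  #      onMissingValue: generate
  #      vaultPolicy: alphaNumericPolicy

  - name: qtodo-truststore
    vaultPrefixes:
      - apps/qtodo
    fields:
      - name: truststore-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy

  # ===========================================================================
  # ACS SECRETS (hub/infra/acs/)
  # acs-central is active by default; acs-init-bundle below stays commented
  # and is only needed for multi-cluster setups (see note there).
  # ===========================================================================
  - name: acs-central
    vaultPrefixes:
      - hub/infra/acs
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # NOTE: Init bundle is NOT needed for same-cluster deployments.
  # The RHACS operator auto-generates authentication when Central and
  # SecuredCluster are on the same cluster. Only uncomment for multi-cluster
  # scenarios where you need to connect remote secured clusters.
  #- name: acs-init-bundle
  #  vaultPrefixes:
  #    - hub/infra/acs
  #  fields:
  #    - name: init-bundle
  #      onMissingValue: ignore  # Must be generated manually via roxctl

  # ===========================================================================
  # KEYCLOAK INFRASTRUCTURE SECRETS (hub/infra/keycloak/)
  # Secrets for Keycloak infrastructure deployment
  # Policy: hub-infra-keycloak-secret (read access to hub/infra/keycloak/*)
  # ===========================================================================
  - name: keycloak
    vaultPrefixes:
      - hub/infra/keycloak
    fields:
      - name: admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: db-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # ===========================================================================
  # RHTPA INFRASTRUCTURE SECRETS (hub/infra/rhtpa/)
  # Secrets for Red Hat Trusted Profile Analyzer infrastructure
  # Policy: hub-infra-rhtpa-secret (read access to hub/infra/rhtpa/*)
  # ===========================================================================
  - name: rhtpa-db
    vaultPrefixes:
      - hub/infra/rhtpa
    fields:
      - name: db-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy
  - name: rhtpa-oidc-cli
    vaultPrefixes:
      - hub/infra/rhtpa
    fields:
      - name: client-secret
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy

  # ===========================================================================
  # USER CREDENTIALS (hub/infra/users/)
  # User passwords managed by Keycloak for application access
  # Policy: hub-infra-users-secret (Keycloak needs to provision these)
  # ===========================================================================
  - name: keycloak-users
    vaultPrefixes:
      - hub/infra/users
    fields:
      - name: qtodo-admin-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: qtodo-user1-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: rhtas-user-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy
      - name: rhtpa-user-password
        onMissingValue: generate
        vaultPolicy: alphaNumericPolicy

  # ===========================================================================
  # BUILT-IN QUAY REGISTRY SECRETS (hub/infra/quay/)
  # Auto-generated credentials for built-in Quay registry
  # Used by: Quay user provisioner job, supply-chain pipeline (when quay.enabled=true)
  # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/quay/*)
  # ===========================================================================
  - name: quay-users
    vaultPrefixes:
      - hub/infra/quay
    fields:
      - name: quay-user-password
        onMissingValue: generate
        vaultPolicy: validatedPatternDefaultPolicy

  # ===========================================================================
  # BYO REGISTRY SECRETS (hub/infra/registry/)
  # Only needed for Option 2 (BYO/external registry, e.g. quay.io, ghcr.io).
  # NOT needed for Option 1 (built-in Quay uses quay-users secret) or
  # Option 3 (embedded OpenShift registry with token refresher writes to Vault
  # automatically -- see docs/supply-chain.md).
  # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled
  # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*)
  #
  # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry
  # token/password in your local ~/values-secret-layered-zero-trust.yaml.
  #
  # NOTE: `onMissingValue: error` only fires when no value is supplied at all.
  # The placeholder string IS a value, so if it is left unedited the literal
  # "REPLACE_WITH_REGISTRY_TOKEN" would be loaded into Vault as the registry
  # credential. Double-check the value in your local file before loading.
  # ===========================================================================
  #- name: registry-user
  #  vaultPrefixes:
  #    - hub/infra/registry
  #  fields:
  #    - name: registry-password
  #      value: "REPLACE_WITH_REGISTRY_TOKEN"
  #      onMissingValue: error

  # ===========================================================================
  # COCO (CONFIDENTIAL CONTAINERS) SECRETS
  # Uncomment the secrets below when deploying with CoCo support.
  # Pre-deployment steps:
  #   1. Run ./scripts/gen-secrets-coco.sh to generate KBS keypair
  #   2. Run ./scripts/get-pcr.sh to retrieve PCR measurements
  # ===========================================================================

  # SSH keys for podvm debug access (optional).
  # Note: dm-verity based podvm images do not support SSH key injection by design.
  # This only works with non-dm-verity images built with SSH debug enabled.
  #- name: sshKey
  #  vaultPrefixes:
  #    - global
  #  fields:
  #    - name: id_rsa.pub
  #      path: ~/.config/validated-patterns/id_rsa.pub
  #    - name: id_rsa
  #      path: ~/.config/validated-patterns/id_rsa

  # Container Image Signature Verification Policy
  # Controls which container images are allowed to run in confidential containers.
  # The policy is fetched by the TEE via initdata using image_security_policy_uri.
  #
  # Three policy variants are provided:
  #   - insecure: Accept all images (for development/testing only)
  #   - reject:   Reject all images (useful for testing policy enforcement)
  #   - signed:   Only accept images signed with cosign (for production)
  #
  # Select policy in initdata:
  #   image_security_policy_uri = 'kbs:///default/security-policy/insecure'
  #
  # TODO: Rename to 'container-image-policy' in trustee-chart to better reflect
  # that this is about container image signature verification, not general security policy.
  #- name: securityPolicyConfig
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    # Accept all images without verification (INSECURE - dev/testing only)
  #    - name: insecure
  #      value: |
  #        {
  #          "default": [{"type": "insecureAcceptAnything"}],
  #          "transports": {}
  #        }
  #    # Reject all images (useful for testing policy enforcement)
  #    - name: reject
  #      value: |
  #        {
  #          "default": [{"type": "reject"}],
  #          "transports": {}
  #        }
  #    # Only accept signed images (production)
  #    # Edit the transports section to add your signed images.
  #    # Each image needs a corresponding cosign public key in cosign-keys secret.
  #    - name: signed
  #      value: |
  #        {
  #          "default": [{"type": "reject"}],
  #          "transports": {
  #            "docker": {
  #              "registry.example.com/my-image": [
  #                {
  #                  "type": "sigstoreSigned",
  #                  "keyPath": "kbs:///default/cosign-keys/key-0"
  #                }
  #              ]
  #            }
  #          }
  #        }

  # PCR measurements for attestation.
  # Required: run ./scripts/get-pcr.sh before deploying.
  #- name: pcrStash
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: json
  #      path: ~/.config/validated-patterns/trustee/measurements.json

  # Attestation status resource accessible via KBS/CDH from inside the TEE.
  # Workloads can fetch this to confirm they are running in an attested environment.
  #- name: attestationStatus
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: status
  #      value: 'attested'
  #    - name: random
  #      value: ''
  #      onMissingValue: generate
  #      vaultPolicy: validatedPatternDefaultPolicy

  # Cosign public keys for image signature verification
  # Required when using the "signed" policy above.
  # Add your cosign public key files here.
  # Generate a cosign key pair: cosign generate-key-pair
  #- name: cosign-keys
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: key-0
  #      path: ~/.config/validated-patterns/trustee/cosign-key-0.pub

  # KBS authentication keys (Ed25519) for Trustee admin API
  # Generate with (run under a restrictive umask, e.g. `umask 077`, so the
  # private key is never created readable by other users before the chmod):
  #   mkdir -p ~/.config/validated-patterns/trustee
  #   openssl genpkey -algorithm ed25519 > ~/.config/validated-patterns/trustee/kbsPrivateKey
  #   openssl pkey -in ~/.config/validated-patterns/trustee/kbsPrivateKey -pubout -out ~/.config/validated-patterns/trustee/kbsPublicKey
  #   chmod 600 ~/.config/validated-patterns/trustee/kbsPrivateKey
  # Only the public key is loaded into Vault; the private key stays local.
  #- name: kbsPublicKey
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: publicKey
  #      path: ~/.config/validated-patterns/trustee/kbsPublicKey
  #- name: passphrase
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: passphrase
  #      value: ''
  #      onMissingValue: generate
  #      vaultPolicy: validatedPatternDefaultPolicy

  # ===========================================================================
  # HUB-SPECIFIC SECRETS (hub/)
  # Secrets for hub cluster management (spoke kubeconfigs, etc.)
  # Policy: hub-secret (built-in VP policy)
  # ===========================================================================
  # If you use clusterPools you will need to uncomment the following lines
  #- name: aws
  #  fields:
  #    - name: aws_access_key_id
  #      ini_file: ~/.aws/credentials
  #      ini_section: default
  #      ini_key: aws_access_key_id
  #    - name: aws_secret_access_key
  #      ini_file: ~/.aws/credentials
  #      ini_key: aws_secret_access_key
  #- name: publickey
  #  fields:
  #    - name: content
  #      path: ~/.ssh/id_rsa.pub
  #- name: privatekey
  #  fields:
  #    - name: content
  #      path: ~/.ssh/id_rsa
  #- name: openshiftPullSecret
  #  fields:
  #    - name: content
  #      path: ~/.pullsecret.json

  # If you are going to import spoke clusters, add here their kubeconfig entries
  #- name: kubeconfig-spoke-1
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: content
  #      path: ~/.kube/kubeconfig-ztvp-spoke
  #- name: kubeconfig-spoke-2
  #  vaultPrefixes:
  #    - hub
  #  fields:
  #    - name: content
  #      path: ~/.kube/kubeconfig-ztvp-spoke-2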