validatedpatterns
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 2 deletions b/‎.gitignore‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎ansible/initdata-default.toml.tpl‎
Lines changed: 41 additions & 0 deletions b/‎ansible/initdata-default.toml.tpl‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎charts/all/letsencrypt/values.yaml‎
Lines changed: 5 additions & 3 deletions b/‎charts/all/letsencrypt/values.yaml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎charts/coco-supported/hello-openshift/templates/_helpers.tpl‎
Lines changed: 63 additions & 0 deletions b/‎charts/coco-supported/hello-openshift/templates/_helpers.tpl‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/coco-supported/hello-openshift/templates/secure-pod.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/coco-supported/hello-openshift/templates/secure-pod.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/coco-supported/hello-openshift/templates/standard-pod.yaml‎
Lines changed: 0 additions & 1 deletion b/‎charts/coco-supported/hello-openshift/templates/standard-pod.yaml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎charts/coco-supported/hello-openshift/values.yaml‎
Lines changed: 5 additions & 2 deletions b/‎charts/coco-supported/hello-openshift/values.yaml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎charts/coco-supported/kbs-access/values.yaml‎
Lines changed: 5 additions & 1 deletion b/‎charts/coco-supported/kbs-access/values.yaml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎charts/coco-supported/sandbox/templates/kata-config.yaml‎
Lines changed: 1 addition & 3 deletions b/‎charts/coco-supported/sandbox/templates/kata-config.yaml‎
Lines changed: 1 addition & 3 deletions
@@ -16,7 +16,8 @@ install-config.yaml
 azure-env.sh
 .openshift*
 .DS_Store
-openshift-install
+openshift-install*
 node_modules
 .envrc
-.ansible/
+.ansible/
+__pycache__/
@@ -25,3 +25,44 @@ kbs_cert = """
 {{ trustee_cert }}
 """
 '''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+'''
@@ -3,6 +3,8 @@
 global:
   ## -- String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework
   localClusterDomain: "apps.example.com"
+  ## -- String defining the cluster platform: "Azure" or "AWS" (overridden by values-global.yaml)
+  clusterPlatform: ""
 
 
 # -- This section contains all the parameters for the letsencrypt chart in
@@ -55,7 +57,7 @@ letsencrypt:
   azure:
     secretStoreKey: 'secret/data/global/azure'
 
-
+# Secret store configuration (overridden by values-global.yaml)
 secretStore:
-  name: vault-backend
-  kind: ClusterSecretStore
+  name: ""
+  kind: ""
@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hello-openshift.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hello-openshift.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hello-openshift.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hello-openshift.labels" -}}
+helm.sh/chart: {{ include "hello-openshift.chart" . }}
+{{ include "hello-openshift.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hello-openshift.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hello-openshift.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Determine runtime class name based on cluster platform
+Returns "kata-remote" for Azure/AWS, "kata-cc" for other platforms
+*/}}
+{{- define "hello-openshift.runtimeClassName" -}}
+{{- if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") -}}
+kata-remote
+{{- else -}}
+kata-cc
+{{- end -}}
+{{- end }}
@@ -7,7 +7,7 @@ metadata:
   annotations:
     io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}'
 spec:
-  runtimeClassName: kata-remote
+  runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift
 
@@ -7,7 +7,7 @@ metadata:
   annotations:
     peerpods: "true"
 spec:
-  runtimeClassName: kata-remote
+  runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift
 
@@ -5,7 +5,6 @@ metadata:
   labels:
     app: standard
 spec:
-  runtimeClassName: {{ .Values.global.runtimeClass }}
   containers:
     - name: hello-openshift
       image: quay.io/openshift/origin-hello-openshift
 
@@ -1,3 +1,6 @@
+# Chart-specific values
+# Common values are inherited from values-global.yaml
+
+# Global values used by this chart (overridden by values-global.yaml)
 global:
-  coco:
-    runtimeClassName: kata-remote
+  clusterPlatform: ""  # Cluster platform: "Azure" or "AWS" - determines runtime class
@@ -1,3 +1,7 @@
+# Chart-specific values
+# Common values are inherited from values-global.yaml
+
+# Global values used by this chart (overridden by values-global.yaml)
 global:
   coco:
-    runtimeClassName: kata-remote
+    runtimeClassName: ""  # Runtime class for confidential containers
@@ -1,10 +1,8 @@
-{{ if .Values.sandbox.deploy }}
 apiVersion: kataconfiguration.openshift.io/v1
 kind: KataConfig
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "100"
   name: default-kata-config
 spec:
-  enablePeerPods: true
-{{ end }}
+  enablePeerPods: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}true{{ else }}false{{ end }}