feat(bp-sigstore): umbrella chart for security layer

Catalyst Blueprint umbrella chart for sigstore — security/policy layer. Pinned upstream + appVersion verified against the helm index on 2026-04-30. ServiceMonitor disabled per BLUEPRINT-AUTHORING.md §11.2. Solo-Sovereign defaults; per-Sovereign overlays bump to HA later. Part of security-stack umbrellas batch 3.
2026-04-30 06:04:36 +02:00 · 2026-04-30 06:04:36 +02:00 · 097f598ae9
commit 097f598ae9
parent b707ec5bdd
4 changed files with 111 additions and 0 deletions
--- a/platform/sigstore/blueprint.yaml
+++ b/platform/sigstore/blueprint.yaml
@ -0,0 +1,13 @@
+apiVersion: catalyst.openova.io/v1
+kind: Blueprint
+metadata:
+  name: sigstore
+  labels:
+    catalyst.openova.io/section: pts-3-3-security-and-policy
+spec:
+  version: 1.0.0
+  card:
+    title: Sigstore Policy Controller
+    family: guardian
+    description: Admission controller for signed-image enforcement (Sigstore/Cosign). Verifies signatures + attestations on container images before admission. Pairs with bp-harbor/bp-cosign for the supply-chain trust path.
+    docs: https://docs.sigstore.dev/policy-controller/overview/
--- a/platform/sigstore/chart/.helmignore
+++ b/platform/sigstore/chart/.helmignore
@ -0,0 +1 @@
+*.yaml.bak
--- a/platform/sigstore/chart/Chart.yaml
+++ b/platform/sigstore/chart/Chart.yaml
@ -0,0 +1,29 @@
+apiVersion: v2
+name: bp-sigstore
+description: |
+  Catalyst Blueprint umbrella chart for Sigstore Policy Controller.
+  Depends on the upstream `policy-controller` chart (sigstore/helm-charts)
+  as a Helm subchart so `helm dependency build` pulls the upstream payload
+  into this artifact. Catalyst-curated values flow into the upstream
+  subchart under the `policy-controller:` key in values.yaml.
+
+  Policy Controller is the supply-chain admission gate — verifies Cosign
+  signatures, in-toto attestations, and SBOMs on container images at
+  admission time. Pairs with bp-harbor (registry) and the Catalyst
+  build-pipeline that publishes signed bp-* OCI artifacts to GHCR.
+type: application
+version: 1.0.0
+appVersion: "0.13.1"
+keywords: [catalyst, blueprint, sigstore, cosign, supply-chain, admission, security]
+maintainers:
+  - name: OpenOva Catalyst
+    email: catalyst@openova.io
+
+# Pinned to sigstore/policy-controller 0.10.6 (appVersion 0.13.1) —
+# current stable on 2026-04-29. Per docs/INVIOLABLE-PRINCIPLES.md #4
+# (never hardcode) the version is operator-bumpable via PR + Blueprint
+# release.
+dependencies:
+  - name: policy-controller
+    version: "0.10.6"
+    repository: "https://sigstore.github.io/helm-charts"
--- a/platform/sigstore/chart/values.yaml
+++ b/platform/sigstore/chart/values.yaml
@ -0,0 +1,68 @@
+# Catalyst Blueprint umbrella metadata — the upstream chart is resolved as
+# a Helm subchart via Chart.yaml `dependencies:`. Catalyst-curated values
+# under the `policy-controller:` key flow into the upstream subchart unchanged.
+#
+# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
+# meaningful value is configurable; cluster overlays in clusters/<sovereign>/
+# may override any of these without rebuilding the Blueprint OCI artifact.
+
+catalystBlueprint:
+  upstream:
+    chart: policy-controller
+    version: "0.10.6"
+    repo: "https://sigstore.github.io/helm-charts"
+
+# ─── Upstream chart values (subchart key: policy-controller) ─────────────
+policy-controller:
+  # CRDs — installed by the umbrella so HelmRelease ordering works.
+  installCRDs: true
+
+  loglevel: info
+
+  # Webhook namespace selector — solo-Sovereign default is opt-in via
+  # `policy.sigstore.dev/include: "true"` namespace label. Per-Sovereign
+  # overlays MAY widen to all `bp-*` namespaces by patching the webhook
+  # ObjectSelector once the supply-chain rollout is complete.
+  webhook:
+    name: webhook
+    replicaCount: 1
+    # Pin upstream image — DO NOT use floating tags per
+    # docs/INVIOLABLE-PRINCIPLES.md.
+    image:
+      repository: ghcr.io/sigstore/policy-controller/policy-controller
+      version: "sha256:0bcd60beb93f4427c29cf3a669743caf58490e98ded4380c33c09f092734a6ab"
+      pullPolicy: IfNotPresent
+    # failurePolicy=Ignore on solo-Sovereign so a single-pod webhook
+    # restart doesn't block all admission. Per-Sovereign overlays MAY flip
+    # to Fail once 3-replica HA is in place.
+    failurePolicy: Ignore
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 256Mi
+    serviceAccount:
+      create: true
+    # The policy controller needs to reach Fulcio/Rekor/TUF for verification.
+    # Per-Sovereign overlays SET trust-root configuration via ClusterImagePolicy.
+    env: {}
+    envFrom: {}
+
+  # ServiceMonitor — DEFAULT FALSE per docs/BLUEPRINT-AUTHORING.md §11.2.
+  serviceMonitor:
+    enabled: false
+
+# ─── Catalyst overlay values (consumed by templates/ in this chart) ──────
+# Reserved for Catalyst-side overlays (NetworkPolicy, default
+# ClusterImagePolicy that requires signatures on `ghcr.io/openova-io/*`)
+# added in a follow-up PR once bp-sigstore is consumed in
+# clusters/_template/.
+sigstoreOverlay:
+  networkPolicy:
+    enabled: false
+  # Default ClusterImagePolicy — empty; per-Sovereign overlays SET to require
+  # signatures on `ghcr.io/openova-io/*` images and other supply-chain trust
+  # roots once bp-harbor + Cosign signing pipeline are wired.
+  defaultClusterImagePolicy: ""