From 097f598ae9c95078a4a02793461b2ff22b99b01f Mon Sep 17 00:00:00 2001
From: hatiyildiz
Date: Thu, 30 Apr 2026 06:04:36 +0200
Subject: [PATCH] feat(bp-sigstore): umbrella chart for security layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Catalyst Blueprint umbrella chart for sigstore — security/policy layer. Pinned upstream + appVersion verified against the helm index on 2026-04-30. ServiceMonitor disabled per BLUEPRINT-AUTHORING.md §11.2. Solo-Sovereign defaults; per-Sovereign overlays bump to HA later. Part of security-stack umbrellas batch 3.
---
 platform/sigstore/blueprint.yaml | 13 ++++++
 platform/sigstore/chart/.helmignore | 1 +
 platform/sigstore/chart/Chart.yaml | 29 ++++++++++++
 platform/sigstore/chart/values.yaml | 68 +++++++++++++++++++++++++++++
 4 files changed, 111 insertions(+)
 create mode 100644 platform/sigstore/blueprint.yaml
 create mode 100644 platform/sigstore/chart/.helmignore
 create mode 100644 platform/sigstore/chart/Chart.yaml
 create mode 100644 platform/sigstore/chart/values.yaml

diff --git a/platform/sigstore/blueprint.yaml b/platform/sigstore/blueprint.yaml
new file mode 100644
index 00000000..6c1f041d
--- /dev/null
+++ b/platform/sigstore/blueprint.yaml
@@ -0,0 +1,13 @@
+apiVersion: catalyst.openova.io/v1
+kind: Blueprint
+metadata:
+  name: sigstore
+  labels:
+    catalyst.openova.io/section: pts-3-3-security-and-policy
+spec:
+  version: 1.0.0
+  card:
+    title: Sigstore Policy Controller
+    family: guardian
+    description: Admission controller for signed-image enforcement (Sigstore/Cosign). Verifies signatures + attestations on container images before admission. Pairs with bp-harbor/bp-cosign for the supply-chain trust path.
+    docs: https://docs.sigstore.dev/policy-controller/overview/
diff --git a/platform/sigstore/chart/.helmignore b/platform/sigstore/chart/.helmignore
new file mode 100644
index 00000000..1c3f3902
--- /dev/null
+++ b/platform/sigstore/chart/.helmignore
@@ -0,0 +1 @@
+*.yaml.bak
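Review bot: The `description:` under `card:` in blueprint.yaml is a single ~200-character plain scalar; a folded block scalar yields the same string and reads and diffs better: `description: >-` followed by the same text wrapped at about 80 columns and indented one level deeper than the key. The text also names `bp-cosign` as a peer blueprint, while Chart.yaml and values.yaml in this same commit refer only to bp-harbor and the Cosign signing pipeline — worth confirming that a bp-cosign Blueprint actually exists before it is advertised on an operator-facing card.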
diff --git a/platform/sigstore/chart/Chart.yaml b/platform/sigstore/chart/Chart.yaml
new file mode 100644
index 00000000..e90127cf
--- /dev/null
+++ b/platform/sigstore/chart/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: bp-sigstore
+description: |
+  Catalyst Blueprint umbrella chart for Sigstore Policy Controller.
+  Depends on the upstream `policy-controller` chart (sigstore/helm-charts)
+  as a Helm subchart so `helm dependency build` pulls the upstream payload
+  into this artifact. Catalyst-curated values flow into the upstream
+  subchart under the `policy-controller:` key in values.yaml.
+
+  Policy Controller is the supply-chain admission gate — verifies Cosign
+  signatures, in-toto attestations, and SBOMs on container images at
+  admission time. Pairs with bp-harbor (registry) and the Catalyst
+  build-pipeline that publishes signed bp-* OCI artifacts to GHCR.
+type: application
+version: 1.0.0
+appVersion: "0.13.1"
+keywords: [catalyst, blueprint, sigstore, cosign, supply-chain, admission, security]
+maintainers:
+  - name: OpenOva Catalyst
+    email: catalyst@openova.io
+
+# Pinned to sigstore/policy-controller 0.10.6 (appVersion 0.13.1) —
+# current stable on 2026-04-29. Per docs/INVIOLABLE-PRINCIPLES.md #4
+# (never hardcode) the version is operator-bumpable via PR + Blueprint
+# release.
+dependencies:
+  - name: policy-controller
+    version: "0.10.6"
+    repository: "https://sigstore.github.io/helm-charts"
diff --git a/platform/sigstore/chart/values.yaml b/platform/sigstore/chart/values.yaml
new file mode 100644
index 00000000..be475771
--- /dev/null
+++ b/platform/sigstore/chart/values.yaml
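Review bot: The `dependencies:` entry pins the upstream chart by version string only, and the diffstat shows no `Chart.lock` committed next to it; without a lock file `helm dependency build` falls back to the behaviour of `helm dependency update` and resolves the subchart from the remote index at build time, so the description's promise that the build "pulls the upstream payload into this artifact" is reproducible only as far as that index is trusted at each build. Committing the generated `Chart.lock`, which records the resolved chart digest, would make the pin verifiable — unless the Catalyst build pipeline produces it elsewhere, in which case a comment saying so under `dependencies:` would help. Minor: the comment dates the pin as "current stable on 2026-04-29" while the commit message says the index was checked on 2026-04-30; pick one. `description: |` also keeps a trailing newline in the rendered chart metadata, where `|-` is the usual choice.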
@@ -0,0 +1,68 @@
+# Catalyst Blueprint umbrella metadata — the upstream chart is resolved as
+# a Helm subchart via Chart.yaml `dependencies:`. Catalyst-curated values
+# under the `policy-controller:` key flow into the upstream subchart unchanged.
+#
+# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
+# meaningful value is configurable; cluster overlays in clusters//
+# may override any of these without rebuilding the Blueprint OCI artifact.
+
+catalystBlueprint:
+  upstream:
+    chart: policy-controller
+    version: "0.10.6"
+    repo: "https://sigstore.github.io/helm-charts"
+
+# ─── Upstream chart values (subchart key: policy-controller) ─────────────
+policy-controller:
+  # CRDs — installed by the umbrella so HelmRelease ordering works.
+  installCRDs: true
+
+  loglevel: info
+
+  # Webhook namespace selector — solo-Sovereign default is opt-in via
+  # `policy.sigstore.dev/include: "true"` namespace label. Per-Sovereign
+  # overlays MAY widen to all `bp-*` namespaces by patching the webhook
+  # ObjectSelector once the supply-chain rollout is complete.
+  webhook:
+    name: webhook
+    replicaCount: 1
+    # Pin upstream image — DO NOT use floating tags per
+    # docs/INVIOLABLE-PRINCIPLES.md.
+    image:
+      repository: ghcr.io/sigstore/policy-controller/policy-controller
+      version: "sha256:0bcd60beb93f4427c29cf3a669743caf58490e98ded4380c33c09f092734a6ab"
+      pullPolicy: IfNotPresent
+    # failurePolicy=Ignore on solo-Sovereign so a single-pod webhook
+    # restart doesn't block all admission. Per-Sovereign overlays MAY flip
+    # to Fail once 3-replica HA is in place.
+    failurePolicy: Ignore
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 256Mi
+    serviceAccount:
+      create: true
+    # The policy controller needs to reach Fulcio/Rekor/TUF for verification.
+    # Per-Sovereign overlays SET trust-root configuration via ClusterImagePolicy.
+    env: {}
+    envFrom: {}
+
+  # ServiceMonitor — DEFAULT FALSE per docs/BLUEPRINT-AUTHORING.md §11.2.
+  serviceMonitor:
+    enabled: false
+
+# ─── Catalyst overlay values (consumed by templates/ in this chart) ──────
+# Reserved for Catalyst-side overlays (NetworkPolicy, default
+# ClusterImagePolicy that requires signatures on `ghcr.io/openova-io/*`)
+# added in a follow-up PR once bp-sigstore is consumed in
+# clusters/_template/.
+sigstoreOverlay:
+  networkPolicy:
+    enabled: false
+  # Default ClusterImagePolicy — empty; per-Sovereign overlays SET to require
+  # signatures on `ghcr.io/openova-io/*` images and other supply-chain trust
+  # roots once bp-harbor + Cosign signing pipeline are wired.
+  defaultClusterImagePolicy: ""
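Review bot: The defaults in values.yaml are non-enforcing as shipped: `failurePolicy: Ignore` makes the webhook fail open whenever the single replica (`replicaCount: 1`) is unavailable, and `defaultClusterImagePolicy: ""` means no ClusterImagePolicy exists to verify anything until a per-Sovereign overlay sets one, so an operator who deploys bp-sigstore unchanged gets an admission gate that verifies no images. Each trade-off is commented where it sits, but nothing states the combined effect where an operator first looks; I would add above `catalystBlueprint:` the comment `# NOTE: solo-Sovereign defaults are NOT enforcing — failurePolicy=Ignore and no default ClusterImagePolicy; signed-image enforcement only exists once the per-Sovereign overlay sets both.` `catalystBlueprint.upstream.version` and `repo` duplicate the pin in Chart.yaml `dependencies:` with nothing tying the two together, so a bump to one file can silently drift from the other; at minimum a comment such as `# MUST match Chart.yaml dependencies[].version` on the `version:` line makes the coupling visible. The comment text `clusters//` looks like a placeholder whose angle brackets were lost in rendering — worth confirming against the source file.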