From 4295a9c13e96fa915859343b2b1f945bdfac1e04 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Thu, 28 May 2026 20:30:20 +0900 Subject: [PATCH] feat: change firmware reference values to single JSON blob format Change firmware-reference-values secret consumption from multi-key format (each measurement as a separate base64-encoded JSON array) to single JSON blob format (one 'json' key containing the full structure). This aligns firmware reference values with the pcrStash pattern and enables integration with values-secret.yaml.template path-based secret management. Before: - Vault/K8s secret has keys: mr_td, rtmr_1, rtmr_2, snp_launch_measurement, xfam - Each key individually base64-decoded and parsed After: - Vault/K8s secret has one key: json - Single base64-decode + JSON parse, then access fields directly - Fields are already arrays (no inner fromJson needed) BREAKING CHANGE: Existing deployments must update secret structure from multi-key to single-key format. See coco-pattern firmware collection script for updated workflow.
---
 templates/rvps-values-policies.yaml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/templates/rvps-values-policies.yaml b/templates/rvps-values-policies.yaml
index db67af7..5b97de0 100644
--- a/templates/rvps-values-policies.yaml
+++ b/templates/rvps-values-policies.yaml
@@ -46,26 +46,21 @@ spec:
 {{`{{- end -}}`}}
 {{`{{- $firmwareStash := (lookup "v1" "Secret" "trustee-operator-system" "firmware-reference-values") -}}`}}
 {{`{{- if $firmwareStash -}}`}}
- {{`{{- $firmwareData := $firmwareStash.data -}}`}}
+ {{`{{- $firmwareData := $firmwareStash.data.json | base64dec | fromJson -}}`}}
 {{`{{- if $firmwareData.mr_td -}}`}}
- {{`{{- $mrTdValues := ($firmwareData.mr_td | base64dec | fromJson) -}}`}}
- {{`{{- $referenceValues = append $referenceValues (dict "name" "mr_td" "expiration" "2027-12-12T00:00:00Z" "value" $mrTdValues) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "mr_td" "expiration" "2027-12-12T00:00:00Z" "value" $firmwareData.mr_td) -}}`}}
 {{`{{- end -}}`}}
 {{`{{- if $firmwareData.rtmr_1 -}}`}}
- {{`{{- $rtmr1Values := ($firmwareData.rtmr_1 | base64dec | fromJson) -}}`}}
- {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_1" "expiration" "2027-12-12T00:00:00Z" "value" $rtmr1Values) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_1" "expiration" "2027-12-12T00:00:00Z" "value" $firmwareData.rtmr_1) -}}`}}
 {{`{{- end -}}`}}
 {{`{{- if $firmwareData.rtmr_2 -}}`}}
- {{`{{- $rtmr2Values := ($firmwareData.rtmr_2 | base64dec | fromJson) -}}`}}
- {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_2" "expiration" "2027-12-12T00:00:00Z" "value" $rtmr2Values) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_2" "expiration" "2027-12-12T00:00:00Z" "value" $firmwareData.rtmr_2) -}}`}}
 {{`{{- end -}}`}}
 {{`{{- if $firmwareData.snp_launch_measurement -}}`}}
- {{`{{- $snpLaunchValues := ($firmwareData.snp_launch_measurement | base64dec | fromJson) -}}`}}
- {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_launch_measurement" "expiration" "2027-12-12T00:00:00Z" "value" $snpLaunchValues) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_launch_measurement" "expiration" "2027-12-12T00:00:00Z" "value" $firmwareData.snp_launch_measurement) -}}`}}
 {{`{{- end -}}`}}
 {{`{{- if $firmwareData.xfam -}}`}}
- {{`{{- $xfamValues := ($firmwareData.xfam | base64dec | fromJson) -}}`}}
- {{`{{- $referenceValues = append $referenceValues (dict "name" "xfam" "expiration" "2027-12-12T00:00:00Z" "value" $xfamValues) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "xfam" "expiration" "2027-12-12T00:00:00Z" "value" $firmwareData.xfam) -}}`}}
 {{`{{- end -}}`}}
 {{`{{- end -}}`}}
 - complianceType: mustonlyhave
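Review bot: The new `$firmwareData := $firmwareStash.data.json | base64dec | fromJson` line swallows decode failures: `fromJson` yields an empty value on malformed input, so a single bad blob silently makes every `if $firmwareData.<field>` false and no firmware reference value is appended, whereas the old per-key layout lost at most one measurement. Because these are the attestation reference values, an empty set should fail loudly rather than quietly; `{{- $firmwareData := $firmwareStash.data.json | base64dec | mustFromJson -}}` (where the policy template engine exposes that Sprig function) aborts the render instead. A secret still in the old multi-key layout has no `json` key, so `base64dec` likely receives a nil value and the render fails with a generic type error rather than one naming the cause; a `hasKey $firmwareStash.data "json"` check ahead of the decode would make the BREAKING CHANGE path explicit. The enclosing object-templates block and the `$referenceValues` initialization begin before this hunk.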