`gen-feature-variants.py` generates `values-hub.yaml` variants by composing
declarative feature fragments. Features live as small YAML files under
`scripts/features/`, and dependencies between them are resolved automatically.
- Python 3.9+
- `ruamel.yaml` library
Install into a virtual environment:

```bash
cd layered-zero-trust
python3 -m venv .venv
source .venv/bin/activate
pip install -r scripts/requirements.txt
```

Or install into your user site-packages:

```bash
pip install --user -r scripts/requirements.txt
```

Or run it from a container:

```bash
podman run --rm -it \
  -v "$(pwd):/work:Z" -w /work \
  python:3.12-slim \
  bash -c "pip install -r scripts/requirements.txt && \
  python3 scripts/gen-feature-variants.py --list-features"
```

```bash
# List available features and registry options
python3 scripts/gen-feature-variants.py --list-features

# Enable a single feature (dependencies are resolved automatically)
python3 scripts/gen-feature-variants.py --features rhtpa

# Enable multiple features
python3 scripts/gen-feature-variants.py --features rhtpa,rhtas

# Enable Tekton Chains (auto-resolves: pipelines -> rhtas -> tekton-chains)
python3 scripts/gen-feature-variants.py --features tekton-chains

# Full supply chain: pick a registry option (1, 2, or 3)
python3 scripts/gen-feature-variants.py --features supply-chain --registry-option 1

# Generate all three supply-chain registry variants at once
python3 scripts/gen-feature-variants.py --features supply-chain --registry-option all

# Supply chain with protected (private) Git repository support
python3 scripts/gen-feature-variants.py \
  --features supply-chain,protected-repos \
  --registry-option 2 \
  --git-repo https://github.com/your-org/qtodo.git

# Custom base file and output directory
python3 scripts/gen-feature-variants.py \
  --features rhtpa --base values-hub.yaml --outdir /tmp
```

Generated files are written to `/tmp` by default (override with `--outdir`).
The output directory is created automatically if it does not exist.
| Option | Description | Notes |
|---|---|---|
| 1 | Built-in Quay registry | Deploys Quay inside the cluster |
| 2 | BYO / external registry | Uses an external registry (e.g. quay.io) |
| 3 | Embedded OpenShift image registry | Uses the built-in OpenShift image registry |
Note: The registry option fragments use generic `org/image-name` placeholders in the `repository` field. When a feature defines `org` and `image_name` (the `supply-chain` feature sets them to `ztvp` and `qtodo`), the generator replaces both placeholders automatically, so the output already contains `ztvp/qtodo`. If you use a custom feature without these fields, replace the placeholders manually before applying the generated file.
When the `protected-repos` feature is enabled, the `--git-repo` argument is
required. It specifies the private Git repository URL that the Tekton
pipeline will clone. The generator auto-detects the authentication mode
(HTTPS or SSH) from the URL scheme and sets `git.credentials.authType` and
`git.credentials.host` accordingly:

```bash
# HTTPS (basic-auth with username + PAT)
python3 scripts/gen-feature-variants.py \
  --features supply-chain,protected-repos \
  --registry-option 1 \
  --git-repo https://github.com/your-org/qtodo.git

# SSH (key-based auth)
python3 scripts/gen-feature-variants.py \
  --features supply-chain,protected-repos \
  --registry-option 1 \
  --git-repo git@github.com:your-org/qtodo.git
```

For an HTTPS URL the generated `values-hub.yaml` will include:

```yaml
- name: git.credentials.authType
  value: "https"
- name: git.credentials.host
  value: "https://github.com"
```

For an SSH URL:

```yaml
- name: git.credentials.authType
  value: "ssh"
- name: git.credentials.host
  value: "github.com"
```

See Protected Repositories for the full setup (Vault credentials, ExternalSecret, workspace selection).
- The script reads the base `values-hub.yaml`.
- For each requested feature it loads the matching fragment from `scripts/features/<feature>.yaml` and merges it into the base tree. `clusterGroup` sections use type-aware merge strategies:
  - namespaces: appended only if not already present
  - subscriptions / applications: add-if-absent
  - merge_into_applications: deep-merge into existing application configs (e.g. adding Vault JWT roles or chart overrides)
- Comments inside `clusterGroup.namespaces`, `clusterGroup.subscriptions`, and `clusterGroup.applications` are stripped from the generated output to avoid confusion from commented-out blocks mixing with merged content. All other comments (top-level headers, `spire`, `sharedValueFiles`, `imperative`, etc.) are preserved as-is.
- Basic validation checks for duplicates before writing the result.
- Create `scripts/features/<name>.yaml` mirroring the `values-hub.yaml` structure (namespaces, subscriptions, applications).
- Register it in `scripts/features/features.yaml` with a description and any `depends_on` entries.
- If the feature needs to modify an existing application (e.g. add a Vault JWT role), use the `merge_into_applications` key under `clusterGroup`.
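The merge rules described above and the registry/fragment layout a new feature follows, as an added illustration that is not the project's script: a constructed `features.yaml`-style registry, constructed fragments, a `depends_on` resolver that also rejects cycles, and the type-aware `clusterGroup` merge. Plain dicts stand in for the ruamel.yaml trees (so comment stripping is not modelled), and the feature names and dependency chain are sample data, not the real registry.

```python
# Added illustration (not the project's script) of the composition rules above, on plain dicts; all data constructed.
FEATURES = {"pipelines": {"depends_on": []}, "rhtas": {"depends_on": ["pipelines"]},
            "tekton-chains": {"depends_on": ["rhtas"]}}  # sample features.yaml registry
FRAGMENTS = {  # sample scripts/features/<feature>.yaml contents
    "pipelines": {"clusterGroup": {"namespaces": ["openshift-pipelines"],
        "subscriptions": {"pipelines": {"name": "openshift-pipelines-operator-rh"}}}},
    "rhtas": {"clusterGroup": {"namespaces": ["trusted-artifact-signer"],
        "applications": {"rhtas": {"name": "rhtas", "chart": "rhtas"}}}},
    "tekton-chains": {"clusterGroup": {"namespaces": ["openshift-pipelines"],  # duplicate
        "merge_into_applications": {"rhtas": {"overrides": [{"name": "chains", "value": "true"}]}}}},
}

def resolve_features(requested, registry=FEATURES):
    """Expand requested features with their depends_on chains, dependencies first."""
    order = []
    def visit(name, stack):
        if name in stack:
            raise ValueError(f"dependency cycle at {name}")
        for dep in registry[name].get("depends_on", []):  # KeyError: unknown feature
            visit(dep, stack + (name,))
        if name not in order:
            order.append(name)
    for name in requested:
        visit(name, ())
    return order

def deep_merge(dst, src):  # recursive dict merge; fragment wins for scalars and lists
    for key, val in src.items():
        if isinstance(val, dict) and isinstance(dst.get(key), dict):
            deep_merge(dst[key], val)
        else:
            dst[key] = val

def merge_fragment(base, fragment):
    cg, frag = base.setdefault("clusterGroup", {}), fragment.get("clusterGroup", {})
    for ns in frag.get("namespaces", []):  # namespaces: append only if absent
        if ns not in cg.setdefault("namespaces", []):
            cg["namespaces"].append(ns)
    for section in ("subscriptions", "applications"):  # add-if-absent by key
        for key, val in frag.get(section, {}).items():
            cg.setdefault(section, {}).setdefault(key, val)
    for app, extra in frag.get("merge_into_applications", {}).items():
        if app not in cg.get("applications", {}):  # can only patch an existing application
            raise KeyError(f"merge_into_applications: no application {app!r}")
        deep_merge(cg["applications"][app], extra)

def generate(base, requested):  # resolve dependencies, then merge fragments in order
    for name in resolve_features(requested):
        merge_fragment(base, FRAGMENTS[name])
    return base
```

Because dependencies are merged first, the `tekton-chains` patch to the `rhtas` application finds its target already present; a fragment that patches an application no earlier fragment or the base defines is rejected instead of silently creating a partial entry.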