* feat: BYO container registry support
Restructure registry configuration to support three deployment states:
- Fresh install: No registry configured (both disabled by default)
- Built-in Quay: quay.enabled=true uses hub/infra/quay/ vault path
- External/BYO: externalRegistry.enabled=true uses hub/infra/registry/ path
Changes:
- Add externalRegistry.enabled flag to supply-chain and qtodo charts
- Separate vault paths for built-in Quay vs external registry
- Templates conditionally select vault path based on enabled flags
- Update supply-chain.md with BYO registry setup instructions
- Add helm template method and oc monitoring commands to supply-chain.md
- Follow VP best practice: external registry secrets in local ~/values-secret.yaml
To enable supply-chain:
1. Uncomment openshift-pipelines namespace and subscription
2. Uncomment supply-chain vault role (JWT auth)
3. Configure registry (BYO or built-in Quay) in application overrides
   - For BYO registry:
     - Set externalRegistry.enabled=true and configure registry settings
     - Add registry credentials to ~/values-secret.yaml
   - For built-in Quay:
     - Enable openshift-storage namespace
     - Enable ODF, NooBaa MCG
     - Enable Quay operator subscription, quay-registry application
4. RHTAS (signing): Enable rhtas-operator subscription and trusted-artifact-signer namespace
5. RHTPA (SBOM): Enable rhtpa-operator subscription, ODF, NooBaa, and trusted-profile-analyzer
Signed-off-by: Min Zhang <minzhang@redhat.com>
* feat: unified registry configuration with multi-registry support
Refactor supply-chain and qtodo charts to use a single, option-agnostic
registry configuration instead of separate per-registry blocks.
Registry options (configure one in values-hub.yaml):
- Option 1: Built-in Quay Registry
- Option 2: BYO/External Registry (quay.io, ghcr.io, etc.)
- Option 3: Embedded OCP Image Registry
Key changes:
Supply-chain chart:
* Unified registry.* parameters (domain, org, user, vaultPath, passwordVaultKey)
* Use tpl function to resolve template expressions in registry.domain values
passed as --set parameters from the validated patterns framework
* Embedded OCP registry automation (registry.embeddedOCP.ensureImageNamespaceRBAC):
  - Auto-create image namespace matching registry.org
  - Grant pipeline SA system:image-builder via RoleBinding
  - Enable default route on OCP image registry via Kubernetes API
    (curl-based Job using ServiceAccount token, no oc CLI dependency)
* ArgoCD hook annotations on the route-enabler Job (Sync + HookSucceeded)
* Rename qtodo-registry-pass to qtodo-quay-pass for clarity
Qtodo chart:
* Unified app.images.main.registry.* parameters
* Use tpl function in registry-external-secret.yaml for domain resolution
ztvp-certificates chart:
* Node-level image pull trust for kubelet (imagePullTrust.*)
* Create ConfigMap with ingress CA per registry hostname in openshift-config
* Patch image.config.openshift.io/cluster additionalTrustedCA
* RBAC for patching image.config.openshift.io resources
Documentation:
* Comprehensive supply-chain.md with configuration steps for all three
registry options, vault paths, and example overrides
* Updated values-secret.yaml.template with registry credential examples
Signed-off-by: Min Zhang <minzhang@redhat.com>
* feat: add script to generate registry option test variants
Add scripts/gen-byo-container-registry-variants.py that reads the base
values-hub.yaml (all supply-chain components commented out) and produces
up to 3 variants with the chosen registry option enabled:
Option 1: Built-in Quay Registry
Option 2: BYO / External Registry
Option 3: Embedded OCP Image Registry
Each variant also enables the common supply-chain stack (OpenShift
Pipelines, ODF, NooBaa, RHTAS, RHTPA, and their namespaces,
subscriptions, vault roles).
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix(acs-central): handle CA trust race on fresh cluster deployment
On a fresh bare-metal cluster the proxy trustedCA injection may not
have propagated to Central's mounted CA bundle by the time the
create-auth-provider Job runs. Central caches its TLS trust pool at
startup, so all Job retries fail with "x509: certificate signed by
unknown authority" when Central tries to validate the Keycloak OIDC
discovery endpoint.
- Add retry loop in create-auth-provider Job that detects the specific
TLS CA error, restarts Central to reload the CA bundle, then retries
(up to 3 times)
- Add apps/deployments get+patch to the service account Role so the
Job can run "oc rollout restart"
- Refactor script: extract wait_for_central() and escape_sed() helpers
Signed-off-by: Min Zhang <minzhang@redhat.com>
* refactor: centralize registry config in global.registry and derive qtodo image in chart
Move shared registry credentials (domain, org, user, vaultPath, passwordVaultKey)
into a single global.registry block in values-hub.yaml. Supply-chain and qtodo
charts fall back to global.registry.* when local registry values are empty.
Derive the qtodo container image from global.registry.domain/org when registry
is enabled, avoiding Validated Patterns --set overrides (Helm templates are not
available there).
- Add global.registry defaults to supply-chain and qtodo chart values
- Update templates to use | default .Values.global.registry.*
- Simplify values-hub.yaml application overrides for option-specific flags
- Rewrite gen-byo-container-registry-variants.py for the structure
- Update docs/supply-chain.md for global.registry architecture
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: align vault-utils JWT placeholders and ACS init RBAC
Sync common/scripts/vault-utils.sh (Helm global.pattern substitution for
Ansible) and charts/acs-central cluster-init Role (list/watch deployments)
from embedded-ocp-registry for parity across registry option branches.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* feat(supply-chain): embedded OCP registry token refresh and Vault JWT
Add CronJob and sync-hook seed Job for pipeline SA token refresh to Vault
(SPIFFE JWT). Extend supply-chain values, docs/supply-chain.md, and
values-hub for embedded OCP (merged with fresh-install baseline).
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix(gen-variants): fix subject regex and imagePullTrust matching
Two bugs in gen-byo-container-registry-variants.py:
1. The supply-chain JWT role subject regex used ns/pipeline which no
longer matches after the namespace was changed to
{{ $.Values.global.pattern }}-hub. Changed to sa/pipeline which
matches both old and new formats.
2. enable_image_pull_trust looked for the stale <registry-hostname>
placeholder. Changed to match by position (value line after the
imagePullTrust.registries line) so it works regardless of the
default value in the base file.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* docs: clarify registry secret is only needed for BYO registry
- Comment out registry-user in values-secret.yaml.template (was active
by default but unnecessary for minimal deployments)
- Update supply-chain.md step 2 to clarify that only Option 2 (BYO
registry) needs the manual registry-user secret
- Option 1 (Quay) uses auto-generated quay-users secret
- Option 3 (embedded OCP) token refresher writes to Vault automatically
Signed-off-by: Min Zhang <minzhang@redhat.com>
* refactor: address PR #99 review feedback
- Rename org -> repository throughout (global.registry and supply-chain)
- Rename embeddedOCP -> embeddedOpenShift in supply-chain templates and docs
- Scope registry image rewrite via useRegistry flag in qtodo.image helper
- Guard imagePullSecrets on vaultPath being set (not just registry.enabled)
- Add Vault auth retry loop to refresh_registry_token.sh for seed Job timing
- Extract image namespace from first path component of repository (splitList)
- Update docs/supply-chain.md with new parameter names and examples
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: address PR review feedback (naming, sync-wave, docs)
- Rename OCP_DOMAIN to OPENSHIFT_DOMAIN in vault-utils.sh
- Use repository: ztvp/qtodo for all 3 registry options in values-hub.yaml
- Add sync-wave "15" to qtodo-registry-auth ExternalSecret so it runs
after the registry-token-refresher-seed Job at wave 10, preventing a
deadlock where the ExternalSecret blocks Argo from reaching the seed
- Update SYNC-WAVE-INVENTORY.md with full supply-chain chart internals
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: rename OCP to OpenShift in gen-byo-container-registry-variants.py
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: apply remaining OCP to OpenShift renames in values-hub.yaml
- Rename org -> repository: ztvp/qtodo for Options 1 and 3
- Rename Embedded OCP -> Embedded OpenShift throughout
- Rename embeddedOCP -> embeddedOpenShift in supply-chain overrides
- Update domain/org -> domain/repository in comments
Signed-off-by: Min Zhang <minzhang@redhat.com>
* feat: seed image job, pipeline auto-trigger, PVC health check, and oc mirror fix
Bootstrapping: registry seed image Job (qtodo chart)
- New registry-seed-job.yaml: mirrors upstream qtodo image into the
configured registry (embedded OpenShift, built-in Quay, or BYO) so
the deployment can pull before the supply-chain pipeline runs.
- Adds seedImage config block to qtodo/values.yaml (disabled by default).
- Handles all three registry types: SA token auth for embedded OpenShift,
dockerconfigjson secret for Quay/BYO, with registry-reachability retry.
- Uses -a flag for oc image mirror auth (not skopeo --dest-creds flags).
- Sync hook with HookSucceeded delete policy; runs at wave 0+5 (before
the qtodo deployment at wave 51).
Pipeline auto-trigger: PostSync Job wrapper (supply-chain chart)
- pipelinerun-qtodo.yaml now creates a PostSync Job that imperatively
runs `oc create` to launch the PipelineRun. This works around the
upstream clustergroup chart's resourceExclusions for tekton.dev
PipelineRun/TaskRun, which silently blocks direct PipelineRun hooks.
- Dedicated pipelinerun-launcher ServiceAccount + Role + RoleBinding
with minimal RBAC (create pipelineruns, get secret/PVC).
Post-pipeline qtodo refresh (supply-chain chart)
- New restart-qtodo Tekton Task + RBAC (pipeline-qtodo-restarter
Role/RoleBinding in qtodo namespace).
- Added `finally` section to pipeline-qtodo.yaml that runs restart-qtodo
after successful image verification, forcing the qtodo deployment to
pull the newly built and signed image.
ArgoCD PVC health check (values-hub.yaml)
- Added custom resourceHealthCheck for PersistentVolumeClaim: treats
Pending as Healthy. WaitForFirstConsumer PVCs stay Pending until a pod
mounts them, which causes ArgoCD to report the app as Progressing
indefinitely and prevents PostSync hooks from firing. This is a common
pattern for gp3-csi (AWS), lvms-vg1 (bare metal), etc.
- Preserves existing KeycloakRealmImport health check.
Generator script updates
- gen-byo-container-registry-variants.py: uncomments pipelinerun.enabled
and app.seedImage.enabled flags when generating supply-chain variants.
Other
- registry-external-secret.yaml: added sync-wave 36 annotation.
- values-hub.yaml: clean base with new flags commented out; RHTAS pinned
to stable-v1.3.
- SYNC-WAVE-INVENTORY.md: updated qtodo and supply-chain sections.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: make registry-seed-image job best-effort to prevent ArgoCD retry loops
A Sync hook failure triggers ArgoCD retry loops for the entire sync
operation (up to 20 retries with timeouts), blocking all higher sync
waves and creating an unrecoverable deadlock.
Wrap the seed logic in a function guarded by an unconditional exit 0
so the hook always succeeds regardless of registry availability:
- No auth secret (built-in Quay first install): skip gracefully
- Registry unreachable: warn and exit 0
- Mirror failure: warn and exit 0
Also tune Job parameters:
- backoffLimit: 0 (K8s retries unnecessary since job always exits 0)
- activeDeadlineSeconds: 600 (hard safety net)
- Registry poll MAX_WAIT: 480s (enough for embedded registry startup)
- hook-delete-policy: BeforeHookCreation,HookSucceeded
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: add registry readiness check to pipeline launcher job
On fresh install the PostSync hook can fire before the built-in Quay
registry is fully ready, causing the pipeline to fail when pushing
images. Add a readiness poll loop that waits up to 480s for the
registry /v2/ endpoint to respond before creating the PipelineRun.
Also increase activeDeadlineSeconds from 120 to 600 to accommodate
the wait. Works for all registry types (built-in Quay, embedded
OpenShift, BYO) since it uses global.registry.domain.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: quote boolean override values as strings in values-hub.yaml
The clustergroup chart requires all override values to be strings.
Bare YAML booleans (true/false) cause Helm template error:
"wrong type for value; expected string; got bool"
Quote compliance.storage.enabled, app.oidc.enabled, and
app.spire.enabled values.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* docs: update supply-chain.md with new automation features
Add documentation for:
- First-install image availability (registry-seed-image best-effort job)
- ArgoCD PVC health check for WaitForFirstConsumer storage classes
- Automatic pipeline trigger via PostSync hook Job with registry
readiness check
- restart-qtodo finally task that restarts the deployment after a
successful pipeline run
- Updated Helm template section to reflect Job wrapper change
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: use placeholder repository path for BYO registry option
Change BYO registry repository from ztvp/qtodo to your-org/qtodo.
quay.io uses org/repo format and users must replace this with their
own org. Options 1 and 3 (internal registries) keep ztvp/qtodo
since they control the namespace.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: address PR review feedback
- PVC health check: use generic "PVC is pending" message instead of
assuming WaitForFirstConsumer binding mode
- Disable auto pipeline trigger (pipelinerun.enabled) and seed image
mirroring (app.seedImage.enabled) by default; keep templates gated
behind flags for future enablement
- Guard restart-qtodo task against missing Deployment
- Remove auto-trigger and seed image sections from supply-chain docs
- Remove pipelinerun/seedImage uncomment logic from gen-byo script
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: pin clustergroup chart to 0.9.47
Signed-off-by: Min Zhang <minzhang@redhat.com>
---------
Signed-off-by: Min Zhang <minzhang@redhat.com>
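A pre-sync check that catches the "wrong type for value; expected string; got bool" failure described in the "quote boolean override values" commit above. This is an added example, not a script from the pattern repository: it assumes the clustergroup chart layout (clusterGroup.applications.<app>.overrides as a list of name/value pairs) and operates on a constructed dict shaped like a PyYAML-parsed values-hub.yaml, where a bare `true` becomes a Python bool and a quoted `"true"` stays a str.

```python
"""Lint clustergroup application overrides for non-string values."""
from copy import deepcopy
from typing import Any

# Constructed sample mirroring values-hub.yaml after YAML parsing (assumed
# layout). The three override names are the ones the commit quotes.
SAMPLE_VALUES: dict[str, Any] = {
    "clusterGroup": {
        "applications": {
            "qtodo": {
                "name": "qtodo",
                "overrides": [
                    {"name": "app.oidc.enabled", "value": True},     # bare bool -> error
                    {"name": "app.spire.enabled", "value": "true"},  # quoted -> ok
                ],
            },
            "compliance": {
                "name": "compliance",
                "overrides": [
                    {"name": "compliance.storage.enabled", "value": False},
                ],
            },
        }
    }
}


def find_non_string_overrides(values: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (app/override-name, python-type) for every override whose
    value is not a str; bare YAML booleans are the usual offender."""
    findings: list[tuple[str, str]] = []
    apps = (values.get("clusterGroup") or {}).get("applications") or {}
    for app_key, app in apps.items():
        for override in (app or {}).get("overrides") or []:
            value = override.get("value")
            if not isinstance(value, str):
                findings.append((f"{app_key}/{override.get('name')}", type(value).__name__))
    return findings


def quote_boolean_overrides(values: dict[str, Any]) -> dict[str, Any]:
    """Return a copy where bool override values become the strings
    'true'/'false', i.e. what quoting them in values-hub.yaml yields."""
    fixed = deepcopy(values)
    apps = (fixed.get("clusterGroup") or {}).get("applications") or {}
    for app in apps.values():
        for override in (app or {}).get("overrides") or []:
            if isinstance(override.get("value"), bool):
                override["value"] = "true" if override["value"] else "false"
    return fixed
```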