feat: add feature-aware values-hub.yaml generator (#119)

* feat: add feature-aware values-hub.yaml generator

Add a declarative, composable YAML generator using ruamel.yaml
for producing values-hub.yaml overrides per deployment scenario.

Features are defined as small YAML fragment files under
scripts/features/ with automatic dependency resolution.
Supported scenarios: rhtpa, quay, rhtas, pipelines, storage,
and full supply-chain (with registry option 1/2/3).

Usage:
  python3 scripts/gen-feature-variants.py --features rhtpa
  python3 scripts/gen-feature-variants.py --features supply-chain --registry-option all
Signed-off-by: Min Zhang <minzhang@redhat.com>

* fix: address review feedback for gen-feature-variants

- Rename _merge_into to merge_into_applications for clarity
  on which section it targets (review: Manuel)
- Strip comments from clusterGroup.namespaces/subscriptions/
  applications in generated output to avoid confusing placement
  of commented-out blocks near merged content; preserve all
  other comments (top-level headers, spire, sharedValueFiles,
  imperative, etc.)
- Add gen-feature-variants.md with environment setup and usage

Signed-off-by: Min Zhang <minzhang@redhat.com>

* fix: align gen-feature-variants with PR #99 review refactor

Update feature YAML files and gen-feature-variants script/docs for:
- org -> repository (e.g. "ztvp/qtodo")
- embeddedOCP -> embeddedOpenShift
- Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml

Signed-off-by: Min Zhang <minzhang@redhat.com>

* chore: add __pycache__ and *.pyc to .gitignore

Signed-off-by: Min Zhang <minzhang@redhat.com>

* fix: rename embedded-ocp to embedded-openshift in output filenames

Signed-off-by: Min Zhang <minzhang@redhat.com>

* fix: sync supply-chain feature with PR review feedback

- Add empty supply-chain and qtodo override placeholders in
  features/supply-chain.yaml for future enablement
- Pin RHTAS operator channel to stable-v1.3

Signed-off-by: Min Zhang <minzhang@redhat.com>

* chore: remove legacy gen-byo-container-registry-variants.py

The new gen-feature-variants.py covers all registry options
declaratively; no need to maintain two generators.

Signed-off-by: Min Zhang <minzhang@redhat.com>

* Override value job.image in quay-registry application

---------

Signed-off-by: Min Zhang <minzhang@redhat.com>
Co-authored-by: Manuel Lorenzo <mlorenzofr@gmail.com>

Author: minmzzhang

.gitignore

@@ -14,6 +14,10 @@ super-linter-output
 # GitHub Actions leftovers
 github_conf
 
+# Python bytecode cache
+__pycache__/
+*.pyc
+
 # Editor and IDE specific files
 .cursorrules
 .cursor/

scripts/features/features.yaml

@@ -0,0 +1,43 @@
+# Feature registry for gen-feature-variants.py
+# Each feature maps to a YAML fragment file in this directory.
+# Dependencies are resolved automatically (topological order).
+features:
+  storage:
+    description: "ODF object storage + NooBaa MCG (S3 backend)"
+    depends_on: []
+
+  quay:
+    description: "Red Hat Quay container registry"
+    depends_on: [storage]
+
+  rhtas:
+    description: "Red Hat Trusted Artifact Signer (SPIFFE + Email)"
+    depends_on: []
+
+  rhtpa:
+    description: "Red Hat Trusted Profile Analyzer"
+    depends_on: [storage]
+
+  pipelines:
+    description: "OpenShift Pipelines"
+    depends_on: []
+
+  supply-chain:
+    description: "Full secure supply chain pipeline"
+    depends_on: [pipelines, rhtas, rhtpa, storage]
+    registry_option_required: true
+    org: ztvp
+    image_name: qtodo
+
+# Registry options (only used with supply-chain feature)
+# Each maps to a file under registry/ subdirectory.
+registry_options:
+  1:
+    label: "built-in-quay-registry"
+    file: "registry/option-1-quay.yaml"
+  2:
+    label: "byo-external-registry"
+    file: "registry/option-2-byo.yaml"
+  3:
+    label: "embedded-openshift-registry"
+    file: "registry/option-3-embedded-openshift.yaml"

scripts/features/pipelines.yaml

@@ -0,0 +1,10 @@
+# OpenShift Pipelines (Tekton)
+# Required for the secure supply chain pipeline flow
+clusterGroup:
+  namespaces:
+    - openshift-pipelines
+
+  subscriptions:
+    openshift-pipelines:
+      name: openshift-pipelines-operator-rh
+      namespace: openshift-operators

scripts/features/quay.yaml

@@ -0,0 +1,27 @@
+# Red Hat Quay container registry
+# Depends on: storage (ODF + NooBaa MCG for backend)
+clusterGroup:
+  namespaces:
+    - quay-enterprise:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    quay-operator:
+      name: quay-operator
+      namespace: openshift-operators
+      channel: stable-3.15
+      annotations:
+        argocd.argoproj.io/sync-wave: "28"
+
+  applications:
+    quay-registry:
+      name: quay-registry
+      namespace: quay-enterprise
+      project: hub
+      chart: quay
+      chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"

scripts/features/registry/option-1-quay.yaml

@@ -0,0 +1,61 @@
+# OPTION 1: Built-in Quay Registry
+# Enables global.registry pointing to the pattern's own Quay instance.
+# Includes Quay namespace, subscription, and application (only needed for option 1).
+# Adds quay.enabled and registry.tlsVerify overrides to supply-chain app.
+# Adds imagePullTrust to ztvp-certificates for node-level kubelet trust.
+global:
+  registry:
+    enabled: true
+    domain: "quay-registry-quay-quay-enterprise.apps.{{ .Values.global.clusterDomain }}"
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: quay-user
+    vaultPath: "secret/data/hub/infra/quay/quay-users"
+    passwordVaultKey: "quay-user-password"
+
+clusterGroup:
+  namespaces:
+    - quay-enterprise:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    quay-operator:
+      name: quay-operator
+      namespace: openshift-operators
+      channel: stable-3.15
+      annotations:
+        argocd.argoproj.io/sync-wave: "28"
+
+  applications:
+    quay-registry:
+      name: quay-registry
+      namespace: quay-enterprise
+      project: hub
+      chart: quay
+      chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"
+      overrides:
+        - name: job.image
+          value: "registry.redhat.io/openshift4/ose-cli:latest"
+
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: quay.enabled
+          value: "true"
+        - name: registry.tlsVerify
+          value: "false"
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"
+    ztvp-certificates:
+      overrides:
+        - name: imagePullTrust.enabled
+          value: "true"
+        - name: imagePullTrust.registries[0]
+          value: "quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}"

scripts/features/registry/option-2-byo.yaml

@@ -0,0 +1,23 @@
+# OPTION 2: BYO/External Registry (quay.io, ghcr.io, etc.)
+# Enables global.registry pointing to an external registry.
+# No imagePullTrust needed (external registries use public CAs).
+# After generating, update domain/repository/user below and set the password
+# in ~/values-secret.yaml (see docs/supply-chain.md for details).
+global:
+  registry:
+    enabled: true
+    domain: quay.io
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: your-username
+    vaultPath: "secret/data/hub/infra/registry/registry-user"
+    passwordVaultKey: "registry-password"
+
+clusterGroup:
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"

scripts/features/registry/option-3-embedded-openshift.yaml

@@ -0,0 +1,32 @@
+# OPTION 3: Embedded OpenShift Image Registry
+# Enables global.registry pointing to the built-in OpenShift image registry.
+# Adds embeddedOpenShift overrides to supply-chain app.
+# Adds imagePullTrust to ztvp-certificates for node-level kubelet trust.
+global:
+  registry:
+    enabled: true
+    domain: "default-route-openshift-image-registry.apps.{{ .Values.global.clusterDomain }}"
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: _token
+    vaultPath: "secret/data/hub/infra/registry/registry-user"
+    passwordVaultKey: "registry-password"
+
+clusterGroup:
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: registry.embeddedOpenShift.ensureImageNamespaceRBAC
+          value: "true"
+        - name: registry.embeddedOpenShift.tokenRefresher.enabled
+          value: "true"
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"
+    ztvp-certificates:
+      overrides:
+        - name: imagePullTrust.enabled
+          value: "true"
+        - name: imagePullTrust.registries[0]
+          value: "default-route-openshift-image-registry.apps.{{ $.Values.global.clusterDomain }}"

scripts/features/rhtas.yaml

@@ -0,0 +1,38 @@
+# Red Hat Trusted Artifact Signer (RHTAS) with SPIFFE + Email issuers
+# Depends on: Vault, SPIRE, Keycloak (all in base config)
+clusterGroup:
+  namespaces:
+    - trusted-artifact-signer:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    rhtas-operator:
+      name: rhtas-operator
+      namespace: openshift-operators
+      channel: stable-v1.3
+      annotations:
+        argocd.argoproj.io/sync-wave: "29"
+      catalogSource: redhat-operators
+
+  applications:
+    trusted-artifact-signer:
+      name: trusted-artifact-signer
+      namespace: trusted-artifact-signer
+      project: hub
+      path: charts/rhtas-operator
+      annotations:
+        argocd.argoproj.io/sync-wave: "46"
+      overrides:
+        - name: rhtas.zeroTrust.spire.enabled
+          value: "true"
+        - name: rhtas.zeroTrust.spire.trustDomain
+          value: "apps.{{ $.Values.global.clusterDomain }}"
+        - name: rhtas.zeroTrust.spire.issuer
+          value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}"
+        - name: rhtas.zeroTrust.email.enabled
+          value: "true"
+        - name: rhtas.zeroTrust.email.issuer
+          value: "https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp"

scripts/features/rhtpa.yaml

@@ -0,0 +1,47 @@
+# Red Hat Trusted Profile Analyzer (RHTPA) with SPIFFE Integration
+# Depends on: storage (NooBaa MCG), Vault, SPIRE, Keycloak
+clusterGroup:
+  namespaces:
+    - rhtpa-operator:
+        operatorGroup: true
+        targetNamespace: rhtpa-operator
+        annotations:
+          argocd.argoproj.io/sync-wave: "26"
+    - trusted-profile-analyzer:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    rhtpa-operator:
+      name: rhtpa-operator
+      namespace: rhtpa-operator
+      channel: stable-v1.1
+      catalogSource: redhat-operators
+      annotations:
+        argocd.argoproj.io/sync-wave: "27"
+
+  applications:
+    trusted-profile-analyzer:
+      name: trusted-profile-analyzer
+      namespace: trusted-profile-analyzer
+      project: hub
+      path: charts/rhtpa-operator
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"
+      ignoreDifferences:
+        - group: batch
+          kind: Job
+          jsonPointers:
+            - /status
+
+  merge_into_applications:
+    vault:
+      jwt:
+        roles:
+          - name: rhtpa
+            audience: rhtpa
+            subject: "spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa"
+            policies:
+              - hub-infra-rhtpa-jwt-secret

scripts/features/storage.yaml

@@ -0,0 +1,27 @@
+# ODF + NooBaa MCG: shared object storage backend
+# Required for RHTPA and Quay (provides S3-compatible storage via NooBaa MCG)
+clusterGroup:
+  namespaces:
+    - openshift-storage:
+        operatorGroup: true
+        targetNamespace: openshift-storage
+        annotations:
+          openshift.io/cluster-monitoring: "true"
+          argocd.argoproj.io/sync-wave: "26"
+
+  subscriptions:
+    odf:
+      name: odf-operator
+      namespace: openshift-storage
+      channel: stable-4.20
+      annotations:
+        argocd.argoproj.io/sync-wave: "27"
+
+  applications:
+    noobaa-mcg:
+      name: noobaa-mcg
+      namespace: openshift-storage
+      project: hub
+      path: charts/noobaa-mcg
+      annotations:
+        argocd.argoproj.io/sync-wave: "36"