feat: add feature-aware values-hub.yaml generator

.gitignore

@@ -14,6 +14,10 @@ super-linter-output
 # GitHub Actions leftovers
 github_conf
 
+# Python bytecode cache
+__pycache__/
+*.pyc
+
 # Editor and IDE specific files
 .cursorrules
 .cursor/

scripts/features/features.yaml

@@ -0,0 +1,43 @@
+# Feature registry for gen-feature-variants.py
+# Each feature maps to a YAML fragment file in this directory.
+# Dependencies are resolved automatically (topological order).
+features:
+  storage:
+    description: "ODF object storage + NooBaa MCG (S3 backend)"
+    depends_on: []
+
+  quay:
+    description: "Red Hat Quay container registry"
+    depends_on: [storage]
+
+  rhtas:
+    description: "Red Hat Trusted Artifact Signer (SPIFFE + Email)"
+    depends_on: []
+
+  rhtpa:
+    description: "Red Hat Trusted Profile Analyzer"
+    depends_on: [storage]
+
+  pipelines:
+    description: "OpenShift Pipelines"
+    depends_on: []
+
+  supply-chain:
+    description: "Full secure supply chain pipeline"
+    depends_on: [pipelines, rhtas, rhtpa, storage]
+    registry_option_required: true
+    org: ztvp
+    image_name: qtodo
+
+# Registry options (only used with supply-chain feature)
+# Each maps to a file under registry/ subdirectory.
+registry_options:
+  1:
+    label: "built-in-quay-registry"
+    file: "registry/option-1-quay.yaml"
+  2:
+    label: "byo-external-registry"
+    file: "registry/option-2-byo.yaml"
+  3:
+    label: "embedded-openshift-registry"
+    file: "registry/option-3-embedded-openshift.yaml"

scripts/features/pipelines.yaml

@@ -0,0 +1,10 @@
+# OpenShift Pipelines (Tekton)
+# Required for the secure supply chain pipeline flow
+clusterGroup:
+  namespaces:
+    - openshift-pipelines
+
+  subscriptions:
+    openshift-pipelines:
+      name: openshift-pipelines-operator-rh
+      namespace: openshift-operators

scripts/features/quay.yaml

@@ -0,0 +1,27 @@
+# Red Hat Quay container registry
+# Depends on: storage (ODF + NooBaa MCG for backend)
+clusterGroup:
+  namespaces:
+    - quay-enterprise:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    quay-operator:
+      name: quay-operator
+      namespace: openshift-operators
+      channel: stable-3.15
+      annotations:
+        argocd.argoproj.io/sync-wave: "28"
+
+  applications:
+    quay-registry:
+      name: quay-registry
+      namespace: quay-enterprise
+      project: hub
+      chart: quay
+      chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"

scripts/features/registry/option-1-quay.yaml

@@ -0,0 +1,58 @@
+# OPTION 1: Built-in Quay Registry
+# Enables global.registry pointing to the pattern's own Quay instance.
+# Includes Quay namespace, subscription, and application (only needed for option 1).
+# Adds quay.enabled and registry.tlsVerify overrides to supply-chain app.
+# Adds imagePullTrust to ztvp-certificates for node-level kubelet trust.
+global:
+  registry:
+    enabled: true
+    domain: "quay-registry-quay-quay-enterprise.apps.{{ .Values.global.clusterDomain }}"
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: quay-user
+    vaultPath: "secret/data/hub/infra/quay/quay-users"
+    passwordVaultKey: "quay-user-password"
+
+clusterGroup:
+  namespaces:
+    - quay-enterprise:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    quay-operator:
+      name: quay-operator
+      namespace: openshift-operators
+      channel: stable-3.15
+      annotations:
+        argocd.argoproj.io/sync-wave: "28"
+
+  applications:
+    quay-registry:
+      name: quay-registry
+      namespace: quay-enterprise
+      project: hub
+      chart: quay
+      chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"
+
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: quay.enabled
+          value: "true"
+        - name: registry.tlsVerify
+          value: "false"
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"
+    ztvp-certificates:
+      overrides:
+        - name: imagePullTrust.enabled
+          value: "true"
+        - name: imagePullTrust.registries[0]
+          value: "quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}"

scripts/features/registry/option-2-byo.yaml

@@ -0,0 +1,23 @@
+# OPTION 2: BYO/External Registry (quay.io, ghcr.io, etc.)
+# Enables global.registry pointing to an external registry.
+# No imagePullTrust needed (external registries use public CAs).
+# After generating, update domain/repository/user below and set the password
+# in ~/values-secret.yaml (see docs/supply-chain.md for details).
+global:
+  registry:
+    enabled: true
+    domain: quay.io
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: your-username
+    vaultPath: "secret/data/hub/infra/registry/registry-user"
+    passwordVaultKey: "registry-password"
+
+clusterGroup:
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"

scripts/features/registry/option-3-embedded-openshift.yaml

@@ -0,0 +1,32 @@
+# OPTION 3: Embedded OpenShift Image Registry
+# Enables global.registry pointing to the built-in OpenShift image registry.
+# Adds embeddedOpenShift overrides to supply-chain app.
+# Adds imagePullTrust to ztvp-certificates for node-level kubelet trust.
+global:
+  registry:
+    enabled: true
+    domain: "default-route-openshift-image-registry.apps.{{ .Values.global.clusterDomain }}"
+    # Placeholders auto-replaced by the generator (supply-chain defines org=ztvp, image_name=qtodo)
+    repository: org/image-name
+    user: _token
+    vaultPath: "secret/data/hub/infra/registry/registry-user"
+    passwordVaultKey: "registry-password"
+
+clusterGroup:
+  merge_into_applications:
+    supply-chain:
+      overrides:
+        - name: registry.embeddedOpenShift.ensureImageNamespaceRBAC
+          value: "true"
+        - name: registry.embeddedOpenShift.tokenRefresher.enabled
+          value: "true"
+        - name: rhtas.enabled
+          value: "true"
+        - name: rhtpa.enabled
+          value: "true"
+    ztvp-certificates:
+      overrides:
+        - name: imagePullTrust.enabled
+          value: "true"
+        - name: imagePullTrust.registries[0]
+          value: "default-route-openshift-image-registry.apps.{{ $.Values.global.clusterDomain }}"

scripts/features/rhtas.yaml

@@ -0,0 +1,38 @@
+# Red Hat Trusted Artifact Signer (RHTAS) with SPIFFE + Email issuers
+# Depends on: Vault, SPIRE, Keycloak (all in base config)
+clusterGroup:
+  namespaces:
+    - trusted-artifact-signer:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    rhtas-operator:
+      name: rhtas-operator
+      namespace: openshift-operators
+      channel: stable
+      annotations:
+        argocd.argoproj.io/sync-wave: "29"
+      catalogSource: redhat-operators
+
+  applications:
+    trusted-artifact-signer:
+      name: trusted-artifact-signer
+      namespace: trusted-artifact-signer
+      project: hub
+      path: charts/rhtas-operator
+      annotations:
+        argocd.argoproj.io/sync-wave: "46"
+      overrides:
+        - name: rhtas.zeroTrust.spire.enabled
+          value: "true"
+        - name: rhtas.zeroTrust.spire.trustDomain
+          value: "apps.{{ $.Values.global.clusterDomain }}"
+        - name: rhtas.zeroTrust.spire.issuer
+          value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}"
+        - name: rhtas.zeroTrust.email.enabled
+          value: "true"
+        - name: rhtas.zeroTrust.email.issuer
+          value: "https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp"

scripts/features/rhtpa.yaml

@@ -0,0 +1,47 @@
+# Red Hat Trusted Profile Analyzer (RHTPA) with SPIFFE Integration
+# Depends on: storage (NooBaa MCG), Vault, SPIRE, Keycloak
+clusterGroup:
+  namespaces:
+    - rhtpa-operator:
+        operatorGroup: true
+        targetNamespace: rhtpa-operator
+        annotations:
+          argocd.argoproj.io/sync-wave: "26"
+    - trusted-profile-analyzer:
+        annotations:
+          argocd.argoproj.io/sync-wave: "32"
+        labels:
+          openshift.io/cluster-monitoring: "true"
+
+  subscriptions:
+    rhtpa-operator:
+      name: rhtpa-operator
+      namespace: rhtpa-operator
+      channel: stable-v1.1
+      catalogSource: redhat-operators
+      annotations:
+        argocd.argoproj.io/sync-wave: "27"
+
+  applications:
+    trusted-profile-analyzer:
+      name: trusted-profile-analyzer
+      namespace: trusted-profile-analyzer
+      project: hub
+      path: charts/rhtpa-operator
+      annotations:
+        argocd.argoproj.io/sync-wave: "41"
+      ignoreDifferences:
+        - group: batch
+          kind: Job
+          jsonPointers:
+            - /status
+
+  merge_into_applications:
+    vault:
+      jwt:
+        roles:
+          - name: rhtpa
+            audience: rhtpa
+            subject: "spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa"
+            policies:
+              - hub-infra-rhtpa-jwt-secret

scripts/features/storage.yaml

@@ -0,0 +1,27 @@
+# ODF + NooBaa MCG: shared object storage backend
+# Required for RHTPA and Quay (provides S3-compatible storage via NooBaa MCG)
+clusterGroup:
+  namespaces:
+    - openshift-storage:
+        operatorGroup: true
+        targetNamespace: openshift-storage
+        annotations:
+          openshift.io/cluster-monitoring: "true"
+          argocd.argoproj.io/sync-wave: "26"
+
+  subscriptions:
+    odf:
+      name: odf-operator
+      namespace: openshift-storage
+      channel: stable-4.20
+      annotations:
+        argocd.argoproj.io/sync-wave: "27"
+
+  applications:
+    noobaa-mcg:
+      name: noobaa-mcg
+      namespace: openshift-storage
+      project: hub
+      path: charts/noobaa-mcg
+      annotations:
+        argocd.argoproj.io/sync-wave: "36"

scripts/features/supply-chain.yaml

@@ -0,0 +1,25 @@
+# Secure Supply Chain application + vault role
+# Depends on: pipelines, rhtas, rhtpa, storage (all resolved automatically)
+# Requires --registry-option to select the registry backend.
+clusterGroup:
+  applications:
+    supply-chain:
+      name: supply-chain
+      project: hub
+      path: charts/supply-chain
+      annotations:
+        argocd.argoproj.io/sync-wave: "48"
+      ignoreDifferences:
+        - kind: ServiceAccount
+          jqPathExpressions:
+            - ".imagePullSecrets[]|select(.name | contains(\"-dockercfg-\"))"
+
+  merge_into_applications:
+    vault:
+      jwt:
+        roles:
+          - name: supply-chain
+            audience: supply-chain
+            subject: "spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/{{ $.Values.global.pattern }}-hub/sa/pipeline"
+            policies:
+              - hub-supply-chain-jwt-secret