
RHTAS with Azure Entra ID: supply-chain integration and documentation #121

Draft
mlorenzofr wants to merge 5 commits into validatedpatterns:main from mlorenzofr:sc-rhtas-entraid

Conversation


@mlorenzofr mlorenzofr commented Apr 15, 2026

This work lets the supply chain use RHTAS with Azure Entra ID (instead of only SPIRE/SPIFFE), and documents how to register the app and configure pattern values on Azure and in ZTVP.

Changes

Prepare supply chain to integrate RHTAS with Entra ID

  • Supply chain values:
    • Introduced rhtas.spire and rhtas.oidc (client ID, issuer, identity, optional Kubernetes secret / Vault paths).
    • RHTPA settings were reshaped under rhtpa.url and rhtpa.oidc.*.
    • qtodo now uses qtodo.image.name / qtodo.image.version (digest-friendly).
  • _helpers.tpl: Centralized helpers for registry URL, RHTAS OIDC issuer/identity (ZTWIM vs Entra), RHTPA URLs, and shared Sigstore task parameters and environment variables.
  • rhtas.sh:
    • cosign sign / sign-blob optionally receive --oidc-client-id and --oidc-client-secret-file when set.
    • Added logging and checks.
  • Pipeline and verify-image tasks:
    • Default params and Sigstore env wiring use the new includes.
    • SPIRE CSI volume and SPIFFE_ENDPOINT_SOCKET are only mounted/injected when rhtas.spire.enabled is true.

Add RHTAS setup to Azure Entra ID documentation

  • docs/entraid.md: New RHTAS subsection with Azure CLI steps and ZTVP values-hub.yaml overrides for trusted-artifact-signer and supply-chain when using Entra ID instead of Spire.

Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
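As an added illustration of the rhtas.sh behaviour described in the PR (this is example code, not the PR's own script), the snippet below assembles the optional `--oidc-client-id` / `--oidc-client-secret-file` flags for `cosign sign` only when both values are set, refuses a half-configured pair, and requires the client secret to come from a readable file rather than the command line. Function names, parameter order and the sample image reference are assumptions; the two cosign flags are the real ones the PR names.

```shell
#!/bin/sh
# Added example, not the PR's rhtas.sh. Function and variable names are assumed.
# When neither value is set, the SPIRE/SPIFFE (ambient identity) path is used and
# cosign gets no extra flags; when both are set, the Entra ID flags are emitted.

# Print "--oidc-client-id=..." and "--oidc-client-secret-file=..." one per line.
cosign_oidc_args() {
  client_id="${1:-}"
  secret_file="${2:-}"

  # Neither set: keyless signing with the ambient identity, nothing to add.
  if [ -z "$client_id" ] && [ -z "$secret_file" ]; then
    return 0
  fi

  # Only one of the two set is a misconfiguration, not a silent fallback.
  if [ -z "$client_id" ] || [ -z "$secret_file" ]; then
    echo "rhtas: OIDC client id and client secret file must be set together" >&2
    return 1
  fi

  # The secret is read from a file (mounted Kubernetes secret or Vault-synced
  # path) so its value never appears in process listings or logs.
  if [ ! -r "$secret_file" ]; then
    echo "rhtas: OIDC client secret file not readable: $secret_file" >&2
    return 1
  fi

  printf '%s\n' "--oidc-client-id=$client_id" "--oidc-client-secret-file=$secret_file"
}

# Build the full command line for logging or a dry run. Only the client id and
# the secret file *path* are logged; the secret value itself stays on disk.
cosign_sign_cmdline() {
  image="$1"
  extra=$(cosign_oidc_args "${2:-}" "${3:-}") || return 1
  # $extra is intentionally unquoted so each flag becomes its own argument.
  # shellcheck disable=SC2086
  set -- cosign sign --yes $extra "$image"
  echo "$*"
}
```

Calling `cosign_sign_cmdline quay.io/example/app@sha256:abc` yields the plain keyless command, while adding a client id and a readable secret file path appends the two Entra ID flags; a missing or unreadable secret file fails before cosign is ever invoked, which is the check a pipeline task should log rather than discover as an opaque cosign error.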