feat: BYO container registry support#99
Open
minmzzhang wants to merge 15 commits intovalidatedpatterns:mainfrom
Open
feat: BYO container registry support#99minmzzhang wants to merge 15 commits intovalidatedpatterns:mainfrom
minmzzhang wants to merge 15 commits intovalidatedpatterns:mainfrom
Conversation
Restructure registry configuration to support three deployment states:
- Fresh install: No registry configured (both disabled by default)
- Built-in Quay: quay.enabled=true uses hub/infra/quay/ vault path
- External/BYO: externalRegistry.enabled=true uses hub/infra/registry/ path
Changes:
- Add externalRegistry.enabled flag to supply-chain and qtodo charts
- Separate vault paths for built-in Quay vs external registry
- Templates conditionally select vault path based on enabled flags
- Update supply-chain.md with BYO registry setup instructions
- Add helm template method and oc monitoring commands to supply-chain.md
- Follow VP best practice: external registry secrets in local ~/values-secret.yaml
To enable supply-chain:
1. Uncomment openshift-pipelines namespace and subscription
2. Uncomment supply-chain vault role (JWT auth)
3. Configure registry (BYO or built-in Quay) in application overrides
- For BYO registry:
- Set externalRegistry.enabled=true and configure registry settings
- Add registry credentials to ~/values-secret.yaml
- For built-in Quay:
- Enable openshift-storage namespace
- Enable ODF, NooBaa MCG
- Enable Quay operator subscription, quay-registry application
4. RHTAS (signing): Enable rhtas-operator subscription and trusted-artifact-signer namespace
5. RHTPA (SBOM): Enable rhtpa-operator subscription, ODF, NooBaa, and trusted-profile-analyzer
Signed-off-by: Min Zhang <minzhang@redhat.com>
Collaborator
Author
|
This is the same PR of #98, which got accidentally closed. |
Refactor supply-chain and qtodo charts to use a single, option-agnostic
registry configuration instead of separate per-registry blocks.
Registry options (configure one in values-hub.yaml):
- Option 1: Built-in Quay Registry
- Option 2: BYO/External Registry (quay.io, ghcr.io, etc.)
- Option 3: Embedded OCP Image Registry
Key changes:
Supply-chain chart:
* Unified registry.* parameters (domain, org, user, vaultPath, passwordVaultKey)
* Use tpl function to resolve template expressions in registry.domain values
passed as --set parameters from the validated patterns framework
* Embedded OCP registry automation (registry.embeddedOCP.ensureImageNamespaceRBAC):
- Auto-create image namespace matching registry.org
- Grant pipeline SA system:image-builder via RoleBinding
- Enable default route on OCP image registry via Kubernetes API
(curl-based Job using ServiceAccount token, no oc CLI dependency)
* ArgoCD hook annotations on the route-enabler Job (Sync + HookSucceeded)
* Rename qtodo-registry-pass to qtodo-quay-pass for clarity
Qtodo chart:
* Unified app.images.main.registry.* parameters
* Use tpl function in registry-external-secret.yaml for domain resolution
ztvp-certificates chart:
* Node-level image pull trust for kubelet (imagePullTrust.*)
* Create ConfigMap with ingress CA per registry hostname in openshift-config
* Patch image.config.openshift.io/cluster additionalTrustedCA
* RBAC for patching image.config.openshift.io resources
Documentation: * Comprehensive supply-chain.md with configuration steps for all three
registry options, vault paths, and example overrides
* Updated values-secret.yaml.template with registry credential examples
Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
byo-container-registry-fresh-install
branch
from
19faccc to
b1203c1
Compare
minmzzhang
requested review from
mlorenzofr and
sabre1041
and removed request for
sabre1041
…try-fresh-install Signed-off-by: Min Zhang <minzhang@redhat.com> # Conflicts: # charts/ztvp-certificates/files/extract-certificates.sh.tpl # values-hub.yaml
…try-fresh-install Resolve conflict in values-hub.yaml: keep multi-option registry configuration from BYO branch and add sync-wave annotation (argocd.argoproj.io/sync-wave: "48") from PR validatedpatterns#109. Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
byo-container-registry-fresh-install
branch
10 times, most recently
from
78bb62c to
4c89939
Compare
Add scripts/gen-byo-container-registry-variants.py that reads the base values-hub.yaml (all supply-chain components commented out) and produces up to 3 variants with the chosen registry option enabled: Option 1: Built-in Quay Registry Option 2: BYO / External Registry Option 3: Embedded OCP Image Registry Each variant also enables the common supply-chain stack (OpenShift Pipelines, ODF, NooBaa, RHTAS, RHTPA, and their namespaces, subscriptions, vault roles). Signed-off-by: Min Zhang <minzhang@redhat.com>
On a fresh bare-metal cluster the proxy trustedCA injection may not have propagated to Central's mounted CA bundle by the time the create-auth-provider Job runs. Central caches its TLS trust pool at startup, so all Job retries fail with "x509: certificate signed by unknown authority" when Central tries to validate the Keycloak OIDC discovery endpoint. - Add retry loop in create-auth-provider Job that detects the specific TLS CA error, restarts Central to reload the CA bundle, then retries (up to 3 times) - Add apps/deployments get+patch to the service account Role so the Job can run "oc rollout restart" - Refactor script: extract wait_for_central() and escape_sed() helpers Signed-off-by: Min Zhang <minzhang@redhat.com>
…odo image in chart Move shared registry credentials (domain, org, user, vaultPath, passwordVaultKey) into a single global.registry block in values-hub.yaml. Supply-chain and qtodo charts fall back to global.registry.* when local registry values are empty. Derive the qtodo container image from global.registry.domain/org when registry is enabled, avoiding Validated Patterns --set overrides (Helm templates are not available there). - Add global.registry defaults to supply-chain and qtodo chart values - Update templates to use | default .Values.global.registry.* - Simplify values-hub.yaml application overrides for option-specific flags - Rewrite gen-byo-container-registry-variants.py for the structure - Update docs/supply-chain.md for global.registry architecture Signed-off-by: Min Zhang <minzhang@redhat.com>
Sync common/scripts/vault-utils.sh (Helm global.pattern substitution for Ansible) and charts/acs-central cluster-init Role (list/watch deployments) from embedded-ocp-registry for parity across registry option branches. Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
byo-container-registry-fresh-install
branch
from
f6d956b to
f716fcd
Compare
Add CronJob and sync-hook seed Job for pipeline SA token refresh to Vault (SPIFFE JWT). Extend supply-chain values, docs/supply-chain.md, and values-hub for embedded OCP (merged with fresh-install baseline). Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
byo-container-registry-fresh-install
branch
from
f716fcd to
78229ad
Compare
Two bugs in gen-byo-container-registry-variants.py:
1. The supply-chain JWT role subject regex used ns/pipeline which no
longer matches after the namespace was changed to
{{ $.Values.global.pattern }}-hub. Changed to sa/pipeline which
matches both old and new formats.
2. enable_image_pull_trust looked for the stale <registry-hostname>
placeholder. Changed to match by position (value line after the
imagePullTrust.registries line) so it works regardless of the
default value in the base file.
Signed-off-by: Min Zhang <minzhang@redhat.com>
- Comment out registry-user in values-secret.yaml.template (was active by default but unnecessary for minimal deployments) - Update supply-chain.md step 2 to clarify that only Option 2 (BYO registry) needs the manual registry-user secret - Option 1 (Quay) uses auto-generated quay-users secret - Option 3 (embedded OCP) token refresher writes to Vault automatically Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
byo-container-registry-fresh-install
branch
from
6455f14 to
808914a
Compare
sabre1041
requested changes
Apr 12, 2026
Collaborator
sabre1041
left a comment
sabre1041
left a comment
There was a problem hiding this comment.
Hi @minmzzhang
This is really good work! I did confirm that each of the 3 of the options were successful. I added a number of comments inline. However, there were a few areas that I'd like there t be further refinement:
- Rename references of
OCPtoOpenShiftas OCP is a particular subscription type - qtodo image: Review how to define and manage the reference to the qtodo image. Currently, the use can define the domain and namespace. However when the image is stored in a external registry, there is no guarantee that the name of the image will be
qtodo - When using the internal OpenShift registry, what can be done to improve the handling of the token associated with the ServiceAccount token? The primary concern is that the
CronJobthat populates the token in Vault only runs (by default) every 6 hours. As a result, a secret may not be populated in Vault for a maximum six hours. I had to manually start theCronJobto utilize the pipeline.
minmzzhang
added a commit
to minmzzhang/layered-zero-trust
that referenced
this pull request
Apr 13, 2026
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
added a commit
to minmzzhang/layered-zero-trust
that referenced
this pull request
Apr 14, 2026
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
- Rename org -> repository throughout (global.registry and supply-chain) - Rename embeddedOCP -> embeddedOpenShift in supply-chain templates and docs - Scope registry image rewrite via useRegistry flag in qtodo.image helper - Guard imagePullSecrets on vaultPath being set (not just registry.enabled) - Add Vault auth retry loop to refresh_registry_token.sh for seed Job timing - Extract image namespace from first path component of repository (splitList) - Update docs/supply-chain.md with new parameter names and examples Signed-off-by: Min Zhang <minzhang@redhat.com>
Collaborator
Author
For the token refresh, upon fresh install, the seed job (registry-token-refresher-seed) runs as an ArgoCD Sync hook on every sync to populate the token immediately. The 6 hours CronJob schedule was to handle the ongoing refresh given the 48 hours token lifetime configured by |
minmzzhang
added a commit
to minmzzhang/layered-zero-trust
that referenced
this pull request
Apr 14, 2026
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
added a commit
to minmzzhang/layered-zero-trust
that referenced
this pull request
Apr 14, 2026
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
added a commit
to minmzzhang/layered-zero-trust
that referenced
this pull request
Apr 14, 2026
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
sabre1041
requested changes
Apr 16, 2026
Collaborator
sabre1041
left a comment
sabre1041
left a comment
There was a problem hiding this comment.
Additional comments based on testing
| namespace: {{ .Values.global.namespace }} | ||
| annotations: | ||
| # Run after wave 0 (ConfigMaps, RBAC, ztvp ns) and wave 1 (enable-registry-default-route hook). | ||
| argocd.argoproj.io/sync-wave: "10" |
Collaborator
There was a problem hiding this comment.
Is it a concern that this uses a sync wave of 10? Since there are ExternalSecrets at a lower sync wave (qtodo-registry-auth at sync wave 0), this job is never triggered
Collaborator
Author
There was a problem hiding this comment.
updated the sync-wave order in supply-chain
- Rename OCP_DOMAIN to OPENSHIFT_DOMAIN in vault-utils.sh - Use repository: ztvp/qtodo for all 3 registry options in values-hub.yaml - Add sync-wave "15" to qtodo-registry-auth ExternalSecret so it runs after the registry-token-refresher-seed Job at wave 10, preventing a deadlock where the ExternalSecret blocks Argo from reaching the seed - Update SYNC-WAVE-INVENTORY.md with full supply-chain chart internals Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Min Zhang <minzhang@redhat.com>
- Rename org -> repository: ztvp/qtodo for Options 1 and 3 - Rename Embedded OCP -> Embedded OpenShift throughout - Rename embeddedOCP -> embeddedOpenShift in supply-chain overrides - Update domain/org -> domain/repository in comments Signed-off-by: Min Zhang <minzhang@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add support for Bring-Your-Own (BYO) container registry alongside the
existing built-in Quay and embedded OCP image registry options. A single
global.registryblock invalues-hub.yamlcentralizes registrycredentials, and charts fall back to global defaults when local values
are empty.
Registry options (configure one in
values-hub.yaml)Key changes
global.registry architecture
domain,org,user,vaultPath,passwordVaultKeyinglobal.registry; per-app overrides only set option-specific flagsglobal.registry.domain/orginsidethe chart (no VP
--setoverrides needed)Supply-chain chart
registry.*parameters withtpldomain resolutionsystem:image-builderRoleBinding, route-enabler Job (noocCLI)(SPIFFE JWT) on embedded OCP
Qtodo chart
app.images.main.registry.*withtpldomain resolutionztvp-certificates chart
imagePullTrust.*)openshift-configimage.config.openshift.io/clusteradditionalTrustedCA + RBACACS Central (bug fix)
x509 errors, restarts Central to reload CA bundle (up to 3 retries)
apps/deploymentsget+patch to SA Role for rollout restartvault-utils / ACS init RBAC
vault-utils.shHelmglobal.patternsubstitution for Ansiblelist/watchdeployments to ACS Central cluster-init RoleTest tooling
scripts/gen-byo-container-registry-variants.py: generatevalues-hub.yamlvariants for each registry option with fullsupply-chain stack enabled
Documentation
docs/supply-chain.mdwith steps for all three optionsvalues-secret.yaml.template: registry-user commented out by default(only needed for Option 2 BYO)
Secrets model
quay-userssecretregistry-userin~/values-secret-*.yamlSigned-off-by: Min Zhang minzhang@redhat.com