feat: BYO container registry support

Restructure registry configuration to support three deployment states:
- Fresh install: No registry configured (both disabled by default)
- Built-in Quay: quay.enabled=true uses hub/infra/quay/ vault path
- External/BYO: externalRegistry.enabled=true uses hub/infra/registry/ path

Changes:
- Add externalRegistry.enabled flag to supply-chain and qtodo charts
- Separate vault paths for built-in Quay vs external registry
- Templates conditionally select vault path based on enabled flags
- Update supply-chain.md with BYO registry setup instructions
- Add helm template method and oc monitoring commands to supply-chain.md
- Follow VP best practice: external registry secrets in local ~/values-secret.yaml

To enable supply-chain:
1. Uncomment openshift-pipelines namespace and subscription
2. Uncomment supply-chain vault role (JWT auth)
3. Configure registry (BYO or built-in Quay) in application overrides
   - For BYO registry:
     - Set externalRegistry.enabled=true and configure registry settings
     - Add registry credentials to ~/values-secret.yaml
   - For built-in Quay:
     - Enable openshift-storage namespace
     - Enable ODF, NooBaa MCG
     - Enable Quay operator subscription, quay-registry application
4. RHTAS (signing): Enable rhtas-operator subscription and trusted-artifact-signer namespace
5. RHTPA (SBOM): Enable rhtpa-operator subscription, ODF, NooBaa, and trusted-profile-analyzer

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

charts/qtodo/templates/registry-external-secret.yaml

@@ -18,14 +18,19 @@ spec:
         .dockerconfigjson: |
           {
             "auths": {
-              "{{ .Values.app.images.main.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}": {
+              "{{ required "app.images.main.registry.domain is required when registry.auth is enabled" .Values.app.images.main.registry.domain }}": {
                 "auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.app.images.main.registry.user }}{{ `" .password | b64enc }}` }}"
               }
             }
           }
   data:
   - secretKey: password
     remoteRef:
-      key: {{ .Values.app.images.main.registry.vaultPath }}
-      property: {{ .Values.app.images.main.registry.passwordVaultKey }}
+      {{- if .Values.app.images.main.registry.builtinQuay.enabled }}
+      key: {{ .Values.app.images.main.registry.builtinQuay.vaultPath }}
+      property: {{ .Values.app.images.main.registry.builtinQuay.passwordVaultKey }}
+      {{- else if .Values.app.images.main.registry.externalRegistry.enabled }}
+      key: {{ .Values.app.images.main.registry.externalRegistry.vaultPath }}
+      property: {{ .Values.app.images.main.registry.externalRegistry.passwordVaultKey }}
+      {{- end }}
 {{- end }}

charts/qtodo/values.yaml

@@ -15,13 +15,26 @@ app:
       # Modified to Always to force a pull so we can test changes to the container image without requiring manual deletion of images or restarts of argo
       pullPolicy: Always
       registry:
+        # auth: controls whether to create registry auth secret
+        # Set to true when using private registry (built-in Quay or external)
         auth: false
         secretName: qtodo-registry-auth
-        user: quay-user
-        # domain: quay-registry-quay-quay-enterprise.apps.example.com
-        # Registry credentials - stored in quay path
-        vaultPath: secret/data/hub/infra/quay/quay-users
-        passwordVaultKey: quay-user-password
+        user: registry-user
+        # domain: registry.example.com  # REQUIRED when auth is enabled
+
+        # Built-in Quay registry (optional)
+        # When enabled, uses auto-generated credentials from Vault
+        builtinQuay:
+          enabled: false
+          vaultPath: secret/data/hub/infra/quay/quay-users
+          passwordVaultKey: quay-user-password
+
+        # External/BYO registry (optional)
+        # When enabled, uses user-provided credentials from Vault
+        externalRegistry:
+          enabled: false
+          vaultPath: secret/data/hub/infra/registry/registry-user
+          passwordVaultKey: registry-password
     spiffeHelper:
       name: registry.redhat.io/zero-trust-workload-identity-manager/spiffe-helper-rhel9
       version: v0.10.0

charts/supply-chain/templates/pipeline-qtodo.yaml

@@ -1,3 +1,12 @@
+{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
+{{- $registryDomain := "" -}}
+{{- if .Values.registry.domain -}}
+  {{- $registryDomain = .Values.registry.domain -}}
+{{- else if .Values.quay.enabled -}}
+  {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
+{{- else -}}
+  {{- fail "registry.domain is required for external registry" -}}
+{{- end -}}
 ---
 apiVersion: tekton.dev/v1beta1
 kind: Pipeline
@@ -25,7 +34,7 @@ spec:
     - name: image-target
       type: string
       description: qtodo image push destination (e.g. quay.io/ztvp/qtodo:latest)
-      default: {{ .Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
+      default: {{ $registryDomain }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
     - name: image-tls-verify
       type: string
       description: Whether to verify TLS when pushing to the OCI registry

charts/supply-chain/templates/pipelinerun-qtodo.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.pipelinerun.enabled }}
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: qtodo-supply-chain-
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  pipelineRef:
+    name: qtodo-supply-chain
+  workspaces:
+    - name: qtodo-source
+      persistentVolumeClaim:
+        claimName: qtodo-workspace-source
+    - name: registry-auth-config
+      secret:
+        secretName: {{ .Values.registry.authSecretName }}
+{{- end }}

…mplates/secrets/qtodo-registry-pass.yaml …n/templates/secrets/qtodo-quay-pass.yamlcharts/supply-chain/templates/secrets/qtodo-registry-pass.yaml renamed to charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml charts/supply-chain/templates/secrets/qtodo-registry-pass.yaml renamed to charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml

@@ -1,3 +1,10 @@
+{{/*
+  Quay User Provisioner Secret
+  Purpose: Provides password for the Quay user provisioner job to create/update users in built-in Quay
+  Used by: quay-user-job.yaml (CronJob that provisions Quay users)
+  Only created when: quay.enabled=true (built-in Quay registry)
+  Not used for: BYO/external registry (use qtodo-registry-auth.yaml instead)
+*/}}
 {{- if eq .Values.quay.enabled true }}
 ---
 apiVersion: "external-secrets.io/v1beta1"
@@ -19,6 +26,6 @@ spec:
   data:
   - secretKey: password
     remoteRef:
-      key: {{ .Values.registry.vaultPath }}
-      property: {{ .Values.registry.passwordVaultKey }}
+      key: {{ .Values.quay.vaultPath }}
+      property: {{ .Values.quay.passwordVaultKey }}
 {{- end }}

charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml

@@ -1,3 +1,25 @@
+{{/*
+  Pipeline Registry Auth Secret
+  Purpose: Provides dockerconfigjson for pipeline to push/pull images
+  Used by: Tekton pipeline tasks (build-image, sign-image, verify-image)
+  Created when: quay.enabled=true OR externalRegistry.enabled=true
+  Vault path: Automatically selects based on which registry is enabled
+    - Built-in Quay: quay.vaultPath (auto-generated credentials)
+    - BYO Registry: externalRegistry.vaultPath (user-provided credentials)
+  Registry domain:
+    - Built-in Quay: auto-constructed as quay-registry-quay-quay-enterprise.<hubClusterDomain>
+    - BYO Registry: must be explicitly set via registry.domain
+*/}}
+{{- if or .Values.quay.enabled .Values.externalRegistry.enabled }}
+{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
+{{- $registryDomain := "" -}}
+{{- if .Values.registry.domain -}}
+  {{- $registryDomain = .Values.registry.domain -}}
+{{- else if .Values.quay.enabled -}}
+  {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
+{{- else -}}
+  {{- fail "registry.domain is required for external registry" -}}
+{{- end -}}
 ---
 apiVersion: "external-secrets.io/v1beta1"
 kind: ExternalSecret
@@ -17,13 +39,19 @@ spec:
         .dockerconfigjson: |
           {
             "auths": {
-              "{{ .Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}": {
+              "{{ $registryDomain }}": {
                 "auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.registry.user }}{{ `" .password | b64enc }}` }}"
               }
             }
           }
   data:
   - secretKey: password
     remoteRef:
-      key: {{ .Values.registry.vaultPath }}
-      property: {{ .Values.registry.passwordVaultKey }}
+      {{- if .Values.quay.enabled }}
+      key: {{ .Values.quay.vaultPath }}
+      property: {{ .Values.quay.passwordVaultKey }}
+      {{- else if .Values.externalRegistry.enabled }}
+      key: {{ .Values.externalRegistry.vaultPath }}
+      property: {{ .Values.externalRegistry.passwordVaultKey }}
+      {{- end }}
+{{- end }}

charts/supply-chain/values.yaml

@@ -26,26 +26,50 @@ qtodo:
   buildCmd: "./mvnw -s settings.xml package -DskipTests -Dquarkus.package.jar.type=uber-jar"
   containerfile: "./Containerfile"
 
-# quay registry configuration
-# used to create a new user in quay. Generic registry configuration is below.
+# ===========================================================================
+# BUILT-IN QUAY REGISTRY (optional)
+# When enabled, deploys internal Quay registry with auto-generated credentials
+# ===========================================================================
 quay:
   enabled: true
   email: "quay-user@example.com"
+  # Vault path for auto-generated Quay credentials
+  vaultPath: "secret/data/hub/infra/quay/quay-users"
+  passwordVaultKey: "quay-user-password"
+  # User provisioner job settings
   job:
     image: registry.access.redhat.com/ubi9/ubi:9.7-1764794285
     schedule: "*/5 * * * *"
 
-# container registry configuration
+# ===========================================================================
+# EXTERNAL/BYO REGISTRY (optional)
+# User-provided credentials for external registry (quay.io, ghcr.io, etc.)
+# Enable this when using an external registry instead of built-in Quay
+# ===========================================================================
+externalRegistry:
+  enabled: false
+  # Vault path for user-provided credentials
+  vaultPath: "secret/data/hub/infra/registry/registry-user"
+  passwordVaultKey: "registry-password"
+
+# ===========================================================================
+# COMMON REGISTRY SETTINGS (shared by both built-in Quay and external registry)
+# ===========================================================================
 registry:
-  # Commented to generate it dynamically
-  # domain: "quay-registry-quay-quay-enterprise.hub.example.com"
+  # For built-in Quay: domain is auto-constructed from hubClusterDomain
+  # For external registry: REQUIRED - set explicitly (e.g., quay.io, ghcr.io)
+  # domain: "registry.example.com"
   org: "ztvp"
   repo: "qtodo"
   tlsVerify: "true"
-  user: "quay-user"
-  passwordVaultKey: "quay-user-password"
-  # Infrastructure secrets - stored in quay path
-  vaultPath: "secret/data/hub/infra/quay/quay-users"
+  user: "registry-user"
+  # Secret name for registry auth (dockerconfigjson)
+  authSecretName: "qtodo-registry-auth"
+
+# pipeline run configuration
+pipelinerun:
+  # Set to true to automatically trigger a pipeline run on ArgoCD sync
+  enabled: false
 
 # spire configuration
 spire: