diff --git a/charts/qtodo/templates/registry-external-secret.yaml b/charts/qtodo/templates/registry-external-secret.yaml
index 8646909d..6b6979c9 100644
--- a/charts/qtodo/templates/registry-external-secret.yaml
+++ b/charts/qtodo/templates/registry-external-secret.yaml
@@ -18,7 +18,7 @@ spec:
.dockerconfigjson: |
{
"auths": {
- "{{ .Values.app.images.main.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}": {
+ "{{ required "app.images.main.registry.domain is required when registry.auth is enabled" .Values.app.images.main.registry.domain }}": {
"auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.app.images.main.registry.user }}{{ `" .password | b64enc }}` }}"
}
}
@@ -26,6 +26,11 @@ spec:
data:
- secretKey: password
remoteRef:
- key: {{ .Values.app.images.main.registry.vaultPath }}
- property: {{ .Values.app.images.main.registry.passwordVaultKey }}
+ {{- if .Values.app.images.main.registry.builtinQuay.enabled }}
+ key: {{ .Values.app.images.main.registry.builtinQuay.vaultPath }}
+ property: {{ .Values.app.images.main.registry.builtinQuay.passwordVaultKey }}
+ {{- else if .Values.app.images.main.registry.externalRegistry.enabled }}
+ key: {{ .Values.app.images.main.registry.externalRegistry.vaultPath }}
+ property: {{ .Values.app.images.main.registry.externalRegistry.passwordVaultKey }}
+ {{- end }}
{{- end }}
\ No newline at end of file
diff --git a/charts/qtodo/values.yaml b/charts/qtodo/values.yaml
index d5fd70c8..52b13d33 100644
--- a/charts/qtodo/values.yaml
+++ b/charts/qtodo/values.yaml
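Review bot: The `{{- if ...builtinQuay.enabled }}` / `{{- else if ...externalRegistry.enabled }}` chain under `remoteRef:` has no terminal branch, so with both flags false (the defaults in charts/qtodo/values.yaml on this page) and the enclosing guard on — presumably `registry.auth`; its opening `if` is outside the hunk — the ExternalSecret renders a `remoteRef:` with no `key`/`property` and the problem only surfaces at apply time, while with both flags true builtinQuay silently wins. The `required` added to the domain line in the previous hunk already fails the render early for the domain, so do the same here: `{{- else }}` / `{{- fail "registry.auth is enabled but neither builtinQuay nor externalRegistry is enabled" }}` before the inner `{{- end }}`. The copy of this chain in charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml sits behind an outer `or` guard, so there only the both-enabled precedence needs stating.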
@@ -15,13 +15,26 @@ app:
# Modified to Always to force a pull so we can test changes to the container image without requiring manual deletion of images or restarts of argo
pullPolicy: Always
registry:
+ # auth: controls whether to create registry auth secret
+ # Set to true when using private registry (built-in Quay or external)
auth: false
secretName: qtodo-registry-auth
- user: quay-user
- # domain: quay-registry-quay-quay-enterprise.apps.example.com
- # Registry credentials - stored in quay path
- vaultPath: secret/data/hub/infra/quay/quay-users
- passwordVaultKey: quay-user-password
+ user: registry-user
+ # domain: registry.example.com # REQUIRED when auth is enabled
+
+ # Built-in Quay registry (optional)
+ # When enabled, uses auto-generated credentials from Vault
+ builtinQuay:
+ enabled: false
+ vaultPath: secret/data/hub/infra/quay/quay-users
+ passwordVaultKey: quay-user-password
+
+ # External/BYO registry (optional)
+ # When enabled, uses user-provided credentials from Vault
+ externalRegistry:
+ enabled: false
+ vaultPath: secret/data/hub/infra/registry/registry-user
+ passwordVaultKey: registry-password
spiffeHelper:
name: registry.redhat.io/zero-trust-workload-identity-manager/spiffe-helper-rhel9
version: v0.10.0
diff --git a/charts/supply-chain/templates/pipeline-qtodo.yaml b/charts/supply-chain/templates/pipeline-qtodo.yaml
index 13ae2c8c..39fe8494 100644
--- a/charts/supply-chain/templates/pipeline-qtodo.yaml
+++ b/charts/supply-chain/templates/pipeline-qtodo.yaml
@@ -1,3 +1,12 @@
+{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
+{{- $registryDomain := "" -}}
+{{- if .Values.registry.domain -}}
+ {{- $registryDomain = .Values.registry.domain -}}
+{{- else if .Values.quay.enabled -}}
+ {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
+{{- else -}}
+ {{- fail "registry.domain is required for external registry" -}}
+{{- end -}}
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
@@ -25,7 +34,7 @@ spec:
- name: image-target
type: string
description: qtodo image push destination (e.g. quay.io/ztvp/qtodo:latest)
- default: {{ .Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
+ default: {{ $registryDomain }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
- name: image-tls-verify
type: string
description: Whether to verify TLS when pushing to the OCI registry
diff --git a/charts/supply-chain/templates/pipelinerun-qtodo.yaml b/charts/supply-chain/templates/pipelinerun-qtodo.yaml
new file mode 100644
index 00000000..820c8da4
--- /dev/null
+++ b/charts/supply-chain/templates/pipelinerun-qtodo.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.pipelinerun.enabled }}
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: qtodo-supply-chain-
+ namespace: {{ .Values.global.namespace }}
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+ pipelineRef:
+ name: qtodo-supply-chain
+ workspaces:
+ - name: qtodo-source
+ persistentVolumeClaim:
+ claimName: qtodo-workspace-source
+ - name: registry-auth-config
+ secret:
+ secretName: {{ .Values.registry.authSecretName }}
+{{- end }}
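Review bot: The `$registryDomain` resolution added at the top of this template is repeated verbatim in charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml in this same commit, so the two copies can drift; already the `fail` text says `registry.domain is required for external registry` although the branch is also reached when both `quay.enabled` and `externalRegistry.enabled` are false, which docs/supply-chain.md on this page calls the fresh-install default, and because this Pipeline template is rendered unconditionally that state cannot render at all. Move the block into one named template (e.g. `{{- define "supply-chain.registryDomain" -}}` … `{{- end -}}` in the chart's helpers file) and use `{{- $registryDomain := include "supply-chain.registryDomain" . -}}` in both files, with the failure message naming both flags. The `default:` line in the second hunk then needs no further change.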
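Review bot: The `registry-auth-config` workspace is bound to `{{ .Values.registry.authSecretName }}`, yet the ExternalSecret that produces that Secret (qtodo-registry-auth.yaml on this page) is now emitted only when `quay.enabled` or `externalRegistry.enabled` is true, while this PipelineRun is gated on `pipelinerun.enabled` alone. With the run enabled and both registry flags off, the PostSync hook is still created and fails at workspace binding instead of at render time. Gate it on the same condition, `{{- if and .Values.pipelinerun.enabled (or .Values.quay.enabled .Values.externalRegistry.enabled) }}`, or `fail` with a message naming the missing registry configuration, and note the dependency in the comment next to `pipelinerun.enabled` in values.yaml.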
diff --git a/charts/supply-chain/templates/rbac/registry-image-namespace.yaml b/charts/supply-chain/templates/rbac/registry-image-namespace.yaml
new file mode 100644
index 00000000..35f3ab76
--- /dev/null
+++ b/charts/supply-chain/templates/rbac/registry-image-namespace.yaml
@@ -0,0 +1,28 @@
+{{- if and (index .Values.registry "embeddedOCP") (index .Values.registry.embeddedOCP "ensureImageNamespaceRBAC") }}
+# When using the embedded OCP image registry, the pipeline pushes to a namespace
+# that matches registry.org (e.g. ztvp). This ensures that namespace exists and
+# the pipeline SA has system:image-builder so the push succeeds (transparent to the user).
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.registry.org }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pipeline-image-builder
+ namespace: {{ .Values.registry.org }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-builder
+subjects:
+ - kind: ServiceAccount
+ name: pipeline
+ namespace: {{ .Values.global.namespace }}
+{{- end }}
diff --git a/charts/supply-chain/templates/secrets/qtodo-registry-pass.yaml b/charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml
similarity index 55%
rename from charts/supply-chain/templates/secrets/qtodo-registry-pass.yaml
rename to charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml
index 65406f8d..d66f6507 100644
--- a/charts/supply-chain/templates/secrets/qtodo-registry-pass.yaml
+++ b/charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml
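Review bot: The `Namespace` for `{{ .Values.registry.org }}` is emitted as an ordinary Argo-managed resource, so Argo CD takes ownership of it; if the flag is later set back to `false`, or the app is deleted with pruning on, the namespace goes with it together with every imagestream and image the pipeline pushed there, and a namespace that already exists for other workloads would be adopted the same way. Add `argocd.argoproj.io/sync-options: Prune=false` next to the existing `sync-wave` annotation on the Namespace so that only the RoleBinding is ever torn down, and say so in the header comment. The RoleBinding itself is appropriately narrow: `system:image-builder` in a single namespace for the single `pipeline` ServiceAccount.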
@@ -1,3 +1,10 @@
+{{/*
+ Quay User Provisioner Secret
+ Purpose: Provides password for the Quay user provisioner job to create/update users in built-in Quay
+ Used by: quay-user-job.yaml (CronJob that provisions Quay users)
+ Only created when: quay.enabled=true (built-in Quay registry)
+ Not used for: BYO/external registry (use qtodo-registry-auth.yaml instead)
+*/}}
{{- if eq .Values.quay.enabled true }}
---
apiVersion: "external-secrets.io/v1beta1"
@@ -19,6 +26,6 @@ spec:
data:
- secretKey: password
remoteRef:
- key: {{ .Values.registry.vaultPath }}
- property: {{ .Values.registry.passwordVaultKey }}
+ key: {{ .Values.quay.vaultPath }}
+ property: {{ .Values.quay.passwordVaultKey }}
{{- end }}
\ No newline at end of file
diff --git a/charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml b/charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml
index 416e8020..eb889c9f 100644
--- a/charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml
+++ b/charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml
@@ -1,3 +1,25 @@
+{{/*
+ Pipeline Registry Auth Secret
+ Purpose: Provides dockerconfigjson for pipeline to push/pull images
+ Used by: Tekton pipeline tasks (build-image, sign-image, verify-image)
+ Created when: quay.enabled=true OR externalRegistry.enabled=true
+ Vault path: Automatically selects based on which registry is enabled
+ - Built-in Quay: quay.vaultPath (auto-generated credentials)
+ - BYO Registry: externalRegistry.vaultPath (user-provided credentials)
+ Registry domain:
+ - Built-in Quay: auto-constructed as quay-registry-quay-quay-enterprise.
+ - BYO Registry: must be explicitly set via registry.domain
+*/}}
+{{- if or .Values.quay.enabled .Values.externalRegistry.enabled }}
+{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
+{{- $registryDomain := "" -}}
+{{- if .Values.registry.domain -}}
+ {{- $registryDomain = .Values.registry.domain -}}
+{{- else if .Values.quay.enabled -}}
+ {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
+{{- else -}}
+ {{- fail "registry.domain is required for external registry" -}}
+{{- end -}}
---
apiVersion: "external-secrets.io/v1beta1"
kind: ExternalSecret
@@ -17,7 +39,7 @@ spec:
.dockerconfigjson: |
{
"auths": {
- "{{ .Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}": {
+ "{{ $registryDomain }}": {
"auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.registry.user }}{{ `" .password | b64enc }}` }}"
}
}
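Review bot: The new `{{- if or .Values.quay.enabled .Values.externalRegistry.enabled }}` guard admits both flags being true, and the `remoteRef` selection in the next hunk of this file then silently takes the Quay vault path while the header comment only states the OR. With the commented Option 1 / Option 2 blocks in values-hub.yaml it is easy to leave both on, which yields a dockerconfigjson whose domain comes from `registry.domain` but whose password comes from `quay.vaultPath`, so pushes fail with an auth error that points at the wrong credential. Reject the combination at render time, `{{- if and .Values.quay.enabled .Values.externalRegistry.enabled }}{{- fail "quay.enabled and externalRegistry.enabled are mutually exclusive" }}{{- end }}` right after the guard, and add the rule to the header comment.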
@@ -25,5 +47,11 @@ spec:
data:
- secretKey: password
remoteRef:
- key: {{ .Values.registry.vaultPath }}
- property: {{ .Values.registry.passwordVaultKey }}
\ No newline at end of file
+ {{- if .Values.quay.enabled }}
+ key: {{ .Values.quay.vaultPath }}
+ property: {{ .Values.quay.passwordVaultKey }}
+ {{- else if .Values.externalRegistry.enabled }}
+ key: {{ .Values.externalRegistry.vaultPath }}
+ property: {{ .Values.externalRegistry.passwordVaultKey }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/supply-chain/values.yaml b/charts/supply-chain/values.yaml
index 4a54d048..aed322b4 100644
--- a/charts/supply-chain/values.yaml
+++ b/charts/supply-chain/values.yaml
@@ -26,26 +26,55 @@ qtodo: buildCmd: "./mvnw -s settings.xml package -DskipTests -Dquarkus.package.jar.type=uber-jar" containerfile: "./Containerfile" -# quay registry configuration -# used to create a new user in quay. Generic registry configuration is below. +# =========================================================================== +# BUILT-IN QUAY REGISTRY (optional) +# When enabled, deploys internal Quay registry with auto-generated credentials +# =========================================================================== quay: enabled: true email: "quay-user@example.com" + # Vault path for auto-generated Quay credentials + vaultPath: "secret/data/hub/infra/quay/quay-users" + passwordVaultKey: "quay-user-password" + # User provisioner job settings job: image: registry.access.redhat.com/ubi9/ubi:9.7-1764794285 schedule: "*/5 * * * *" -# container registry configuration +# =========================================================================== +# EXTERNAL/BYO REGISTRY (optional) +# User-provided credentials for external registry (quay.io, ghcr.io, etc.) 
+# Enable this when using an external registry instead of built-in Quay +# =========================================================================== +externalRegistry: + enabled: false + # Vault path for user-provided credentials + vaultPath: "secret/data/hub/infra/registry/registry-user" + passwordVaultKey: "registry-password" + +# =========================================================================== +# COMMON REGISTRY SETTINGS (shared by both built-in Quay and external registry) +# =========================================================================== registry: - # Commented to generate it dynamically - # domain: "quay-registry-quay-quay-enterprise.hub.example.com" + # For built-in Quay: domain is auto-constructed from hubClusterDomain + # For external registry: REQUIRED - set explicitly (e.g., quay.io, ghcr.io) + # domain: "registry.example.com" org: "ztvp" repo: "qtodo" tlsVerify: "true" - user: "quay-user" - passwordVaultKey: "quay-user-password" - # Infrastructure secrets - stored in quay path - vaultPath: "secret/data/hub/infra/quay/quay-users" + user: "registry-user" + # Secret name for registry auth (dockerconfigjson) + authSecretName: "qtodo-registry-auth" + # Embedded OCP registry only: create image namespace (registry.org) and grant + # pipeline SA system:image-builder so the pipeline can push. Set to true only when + # using the in-cluster OpenShift image registry; leave false for quay.io or other external registries. + embeddedOCP: + ensureImageNamespaceRBAC: false + +# pipeline run configuration +pipelinerun: + # Set to true to automatically trigger a pipeline run on ArgoCD sync + enabled: false # spire configuration spire: diff --git a/docs/supply-chain.md b/docs/supply-chain.md index d2459fad..55cb4d9e 100644 --- a/docs/supply-chain.md +++ b/docs/supply-chain.md 
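Review bot: `quay.enabled: true` stays the default here while docs/supply-chain.md in this same commit says "Both disabled (default): No registry auth secret created (fresh install state)"; the two disagree, and since pipeline-qtodo.yaml now `fail`s whenever neither registry is enabled and no `registry.domain` is set, the documented default would not render at all. Either set `enabled: false` here and gate the pipeline template on a registry being enabled, or correct the doc sentence. The `user:` default also moved from `quay-user` to `registry-user` while the commented Option 1 block in values-hub.yaml still sets `registry.user: quay-user` for built-in Quay; a comment on `user:` stating which username the built-in-Quay path expects (presumably the one the provisioner job creates) would keep that pair from drifting.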
@@ -20,6 +20,99 @@ In our demo, we will use a number of additional ZTVP components. These component * [Multicloud Object Gateway](https://docs.redhat.com/en/documentation/red_hat_openshift_container_storage/4.8/html/managing_hybrid_and_multicloud_resources/index) is a data service for OpenShift that provides an S3-compatible object storage. In our case, this component is necessary to provide a storage system to Quay. * [Red Hat OpenShift Pipelines](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20) is a cloud-native CI/CD solution built on the Tekton framework. We will use this product to automate our secure supply chain process, but you could use your own CI/CD solution if one exists. +## Bring Your Own (BYO) Container Registry + +By default, ZTVP deploys a built-in Red Hat Quay registry. However, you can use your own container registry (e.g., quay.io, Docker Hub, GitHub Container Registry, or a private registry) instead. + +### Configuration Steps + +1. **Disable built-in Quay registry** (optional - if not using Quay): Comment out the Quay-related applications in `values-hub.yaml`: `quay-enterprise` namespace, `quay-operator` subscription, and `quay-registry` application. + +2. **Configure registry credentials in Vault**: Per VP rule, add your registry credentials to `~/values-secrets.yaml` (or `~/values-secret.yaml` / `~/values-secret-layered-zero-trust.yaml` per VP lookup order): + + ```bash + # Copy template to local file if not already done + cp values-secret.yaml.template ~/values-secrets.yaml + ``` + + Add the registry-user secret (same format for **BYO external registry** and **embedded OCP registry**): + + ```yaml + - name: registry-user + vaultPrefixes: + - hub/infra/registry + fields: + - name: registry-password + value: "REPLACE_WITH_REGISTRY_TOKEN" + onMissingValue: error + ``` + + Replace `REPLACE_WITH_REGISTRY_TOKEN` with: + * **Embedded OCP registry:** output of `oc whoami -t` (after `oc login`). 
+ * **External registry (BYO):** your registry token or password (e.g. quay.io, ghcr.io). + + > **Note**: Never commit `~/values-secrets.yaml` (or your local values-secret file) to git. This file contains sensitive credentials and should remain local. + +3. **Set registry configuration in values-hub.yaml**: For the supply-chain application, add these overrides: + + ```yaml + overrides: + # Disable built-in Quay + - name: quay.enabled + value: "false" + # Enable external registry + - name: externalRegistry.enabled + value: "true" + # External registry settings + - name: registry.domain + value: "your-registry.example.com" + - name: registry.user + value: "your-username" + - name: registry.org + value: "your-org" + ``` + +4. **Configure qtodo for custom registry** (if pulling from custom registry): + + ```yaml + overrides: + - name: app.images.main.registry.auth + value: true + - name: app.images.main.registry.domain + value: "your-registry.example.com" + - name: app.images.main.registry.user + value: "your-username" + ``` + +### Required Configuration + +| Parameter | Description | Example | +| --------- | ----------- | ------- | +| `registry.domain` | Registry hostname (required for BYO only) | `quay.io`, `ghcr.io`, `registry.example.com` | +| `registry.org` | Organization/namespace | `my-org` | +| `registry.repo` | Repository name | `qtodo` | +| `registry.user` | Registry username | `my-robot-account` | +| `quay.enabled` | Set to `false` for BYO registry | `false` | + +> **Note**: For built-in Quay registry, `registry.domain` is automatically constructed as `quay-registry-quay-quay-enterprise.` and does not need to be specified. For BYO/external registries, `registry.domain` is **required**. 
+ +### Vault Paths + +Registry credentials are stored at different paths based on registry type: + +| Registry Type | Vault Path | Password Key | +| --------------- | ---------------------------------------------- | -------------------- | +| Built-in Quay | `secret/data/hub/infra/quay/quay-users` | `quay-user-password` | +| BYO Registry | `secret/data/hub/infra/registry/registry-user` | `registry-password` | + +The chart automatically selects the correct vault path based on the enabled flags: + +* `quay.enabled=true`: Uses built-in Quay vault path +* `externalRegistry.enabled=true`: Uses external registry vault path +* Both disabled (default): No registry auth secret created (fresh install state) + +The Vault policy `hub-supply-chain-jwt-secret` grants read access to both paths for the pipeline service account. + ## Automatic approach To automate the application building and certifying process, we will use _Red Hat OpenShift Pipelines_. 
@@ -78,12 +171,55 @@ Using the previously created definition, start a new execution of the pipeline u oc create -f qtodo-pipeline.yaml ``` +#### Using Helm Template + +You can also trigger a pipeline run using the Helm template included in the chart. + +**For Built-in Quay Registry:** + +```shell +helm template supply-chain charts/supply-chain \ + --set pipelinerun.enabled=true \ + --set quay.enabled=true \ + --set global.namespace=layered-zero-trust-hub \ + --set global.hubClusterDomain=apps.example.com \ + --show-only templates/pipelinerun-qtodo.yaml | oc create -f - +``` + +> **Note**: For built-in Quay, `registry.domain` is auto-constructed from `global.hubClusterDomain`. + +**For BYO/External Registry:** + +```shell +helm template supply-chain charts/supply-chain \ + --set pipelinerun.enabled=true \ + --set externalRegistry.enabled=true \ + --set global.namespace=layered-zero-trust-hub \ + --set registry.domain=quay.io \ + --show-only templates/pipelinerun-qtodo.yaml | oc create -f - +``` + +This renders the PipelineRun template with the correct PVC and secret workspace bindings, then creates it in the cluster. + You can review the current pipeline logs using the [Tekton CLI](https://tekton.dev/docs/cli/). ```shell tkn pipeline logs -n layered-zero-trust-hub -L -f ``` +Or use `oc` commands to monitor progress: + +```shell +# List pipeline runs +oc get pipelinerun -n layered-zero-trust-hub + +# Check task status for a specific run +oc get taskruns -n layered-zero-trust-hub -l tekton.dev/pipelineRun= + +# View logs for a specific task +oc logs -n layered-zero-trust-hub -l tekton.dev/pipelineRun=,tekton.dev/pipelineTask= +``` + ### Pipeline tasks The pipeline we have prepared has the following steps: diff --git a/values-hub.yaml b/values-hub.yaml index b8da45d9..c5b506d4 100644 --- a/values-hub.yaml +++ b/values-hub.yaml 
@@ -286,6 +286,9 @@ clusterGroup:
path "secret/data/hub/infra/quay/*" {
capabilities = ["read"]
}
+ path "secret/data/hub/infra/registry/*" {
+ capabilities = ["read"]
+ }
path "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli" {
capabilities = ["read"]
}
@@ -434,8 +437,7 @@ clusterGroup:
project: hub
path: charts/qtodo
ignoreDifferences:
- - group: ""
- kind: ServiceAccount
+ - kind: ServiceAccount
jqPathExpressions:
- .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
overrides:
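Review bot: The added rule grants read on the whole `secret/data/hub/infra/registry/*` prefix, whereas the only secret this commit places there is `hub/infra/registry/registry-user` (values-secret.yaml.template on this page) and the adjacent rhtpa rule already shows the narrower single-secret form. Tighten it to `path "secret/data/hub/infra/registry/registry-user" {` so the pipeline identity (this policy is presumably `hub-supply-chain-jwt-secret`, as docs/supply-chain.md states) cannot read other BYO credentials later added under the prefix. If several entries under that prefix are intended, a comment on the rule saying so would make the wildcard deliberate.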
@@ -463,26 +465,61 @@ clusterGroup:
# value: quay-user-password
# Secure Supply Chain - Uncomment to enable
# supply-chain:
- # name: supply-chain
- # project: hub
- # path: charts/supply-chain
- # ignoreDifferences:
- # - group: ""
- # kind: ServiceAccount
- # jqPathExpressions:
- # - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
- # overrides:
- # # Don't forget to uncomment the RHTAS and RHTPA components in this same file
- # - name: rhtas.enabled
- # value: true
- # - name: rhtpa.enabled
- # value: true
- # - name: registry.tlsVerify
- # value: "false"
- # - name: registry.user
- # value: quay-admin
- # - name: registry.passwordVaultKey
- # value: quay-admin-password
+ # name: supply-chain
+ # project: hub
+ # path: charts/supply-chain
+ # ignoreDifferences:
+ # - kind: ServiceAccount
+ # jqPathExpressions:
+ # - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
+ # overrides:
+ # # ============================================================
+ # # OPTION 1: Built-in Quay Registry
+ # # Requires: quay-enterprise namespace, quay-operator, quay-registry app
+ # # Note: registry.domain is auto-constructed from hubClusterDomain
+ # # ============================================================
+ # # - name: quay.enabled
+ # # value: "true"
+ # # - name: externalRegistry.enabled
+ # # value: "false"
+ # # - name: registry.tlsVerify
+ # # value: "false"
+ # # - name: registry.user
+ # # value: quay-user
+ # # ============================================================
+ # # OPTION 2: BYO/External Registry
+ # # Requires: registry credentials in ~/values-secret.yaml
+ # # Note: registry.domain is REQUIRED for external registry
+ # # ============================================================
+ # # - name: quay.enabled
+ # # value: "false"
+ # # - name: externalRegistry.enabled
+ # # value: "true"
+ # # - name: registry.domain
+ # # value: quay.io
+ # # - name: registry.org
+ # # value: your-org
+ # # - name: registry.user
+ # # value: your-username
+ # # ============================================================
+ # # OPTION 3: Embedded OCP Registry (comment out Option 1, 2; uncomment below)
+ # # ============================================================
+ # # - name: registry.domain
+ # # value: default-route-openshift-image-registry.apps.
+ # # - name: registry.org
+ # # value: ztvp
+ # # - name: registry.user
+ # # value: admin
+ # # Embedded OCP registry only: create image namespace and grant pipeline push (transparent)
+ # # - name: registry.embeddedOCP.ensureImageNamespaceRBAC
+ # # value: "true"
+ # # ============================================================
+ # # Enable RHTAS signing
+ # # - name: rhtas.enabled
+ # # value: "true"
+ # # Enable RHTPA SBOM upload
+ # # - name: rhtpa.enabled
+ # # value: "true"
argoCD:
resourceHealthChecks:
- check: |
diff --git a/values-secret.yaml.template b/values-secret.yaml.template
index e1f48ac9..16cbc205 100644
--- a/values-secret.yaml.template
+++ b/values-secret.yaml.template
@@ -16,7 +16,8 @@ version: "2.0"
# Infrastructure Secrets (hub/infra/*):
# hub/infra/keycloak/ - Keycloak infrastructure secrets
# hub/infra/rhtpa/ - RHTPA infrastructure secrets
-# hub/infra/quay/ - Quay registry credentials
+# hub/infra/quay/ - Built-in Quay registry credentials (auto-generated)
+# hub/infra/registry/ - BYO container registry credentials (user-provided)
# hub/infra/users/ - User credentials managed by IdP
#
# Framework Secrets:
@@ -150,34 +151,38 @@ secrets: vaultPolicy: alphaNumericPolicy # =========================================================================== - # QUAY INFRASTRUCTURE SECRETS (hub/infra/quay/) - # Registry credentials for Quay - # Policy: hub-infra-quay-secret (read access to hub/infra/quay/*) + # BUILT-IN QUAY REGISTRY SECRETS (hub/infra/quay/) + # Auto-generated credentials for built-in Quay registry + # Used by: Quay user provisioner job, supply-chain pipeline (when quay.enabled=true) + # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/quay/*) # =========================================================================== - name: quay-users vaultPrefixes: - hub/infra/quay fields: - - name: quay-admin-password - onMissingValue: generate - vaultPolicy: validatedPatternDefaultPolicy - name: quay-user-password onMissingValue: generate vaultPolicy: validatedPatternDefaultPolicy - # External Registry Credentials (e.g., Quay.io, Docker Hub, GHCR) - # Reserved for future use with container signing workflows - # Uncomment and provide your credentials when needed - #- name: external-registry - # vaultPrefixes: - # - hub/infra - # fields: - # - name: username - # value: "your-registry-username" # Replace with your username - # onMissingValue: error - # - name: password - # value: "your-registry-token" # Replace with your token/password - # onMissingValue: error + # =========================================================================== + # BYO / EMBEDDED OCP REGISTRY SECRETS (hub/infra/registry/) + # User-provided credentials for external or embedded OCP registry. + # Used by: supply-chain pipeline (push), qtodo (pull) when externalRegistry.enabled=true + # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*) + # + # VP rule: add this (with your token) to ~/values-secrets.yaml (or + # ~/values-secret.yaml / ~/values-secret-layered-zero-trust.yaml per VP lookup). 
+ # Replace REPLACE_WITH_REGISTRY_TOKEN in your local file: + # - Embedded OCP registry: use output of oc whoami -t + # - External registry (BYO): use your registry token/password + # =========================================================================== + - name: registry-user + vaultPrefixes: + - hub/infra/registry + fields: + - name: registry-password + value: "REPLACE_WITH_REGISTRY_TOKEN" + onMissingValue: error # =========================================================================== # HUB-SPECIFIC SECRETS (hub/)
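Review bot: The `registry-user` entry ships with `value: "REPLACE_WITH_REGISTRY_TOKEN"` next to `onMissingValue: error`, so the error path never fires because a value is always present, and a user who follows the `cp values-secret.yaml.template ~/values-secrets.yaml` step in docs/supply-chain.md without editing it loads the literal placeholder into Vault as the registry password, discovering it only when the pipeline's push is rejected. Drop the `value:` line and leave `- name: registry-password` / `onMissingValue: error`, so that — assuming `onMissingValue: error` aborts when no value is supplied, as its name suggests — secret loading stops until the token is provided, and keep the "Replace REPLACE_WITH_REGISTRY_TOKEN" instructions as a comment. The docs snippet repeats the same placeholder form and should match whatever shape the template settles on.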