feat: unified registry configuration with multi-registry support

Refactor supply-chain and qtodo charts to use a single, option-agnostic
registry configuration instead of separate per-registry blocks.

Registry options (configure one in values-hub.yaml):
  - Option 1: Built-in Quay Registry
  - Option 2: BYO/External Registry (quay.io, ghcr.io, etc.)
  - Option 3: Embedded OCP Image Registry

Key changes:

Supply-chain chart:
  * Unified registry.* parameters (domain, org, user, vaultPath, passwordVaultKey)
  * Use tpl function to resolve template expressions in registry.domain values
    passed as --set parameters from the validated patterns framework
  * Embedded OCP registry automation (registry.embeddedOCP.ensureImageNamespaceRBAC):
    - Auto-create image namespace matching registry.org
    - Grant pipeline SA system:image-builder via RoleBinding
    - Enable default route on OCP image registry via Kubernetes API
      (curl-based Job using ServiceAccount token, no oc CLI dependency)
  * ArgoCD hook annotations on the route-enabler Job (Sync + HookSucceeded)
  * Rename qtodo-registry-pass to qtodo-quay-pass for clarity

Qtodo chart:
  * Unified app.images.main.registry.* parameters
  * Use tpl function in registry-external-secret.yaml for domain resolution

ztvp-certificates chart:
  * Node-level image pull trust for kubelet (imagePullTrust.*)
  * Create ConfigMap with ingress CA per registry hostname in openshift-config
  * Patch image.config.openshift.io/cluster additionalTrustedCA
  * RBAC for patching image.config.openshift.io resources

Documentation: * Comprehensive supply-chain.md with configuration steps for all three
    registry options, vault paths, and example overrides
  * Updated values-secret.yaml.template with registry credential examples

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

.gitignore

@@ -15,5 +15,6 @@ super-linter-output
 github_conf
 
 # Editor and IDE specific files
+.cursor/
 .cursorrules
 .vscode/

charts/qtodo/templates/registry-external-secret.yaml

@@ -18,19 +18,14 @@ spec:
         .dockerconfigjson: |
           {
             "auths": {
-              "{{ required "app.images.main.registry.domain is required when registry.auth is enabled" .Values.app.images.main.registry.domain }}": {
+              "{{ tpl (required "app.images.main.registry.domain is required when registry.auth is enabled" .Values.app.images.main.registry.domain) $ }}": {
                 "auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.app.images.main.registry.user }}{{ `" .password | b64enc }}` }}"
               }
             }
           }
   data:
   - secretKey: password
     remoteRef:
-      {{- if .Values.app.images.main.registry.builtinQuay.enabled }}
-      key: {{ .Values.app.images.main.registry.builtinQuay.vaultPath }}
-      property: {{ .Values.app.images.main.registry.builtinQuay.passwordVaultKey }}
-      {{- else if .Values.app.images.main.registry.externalRegistry.enabled }}
-      key: {{ .Values.app.images.main.registry.externalRegistry.vaultPath }}
-      property: {{ .Values.app.images.main.registry.externalRegistry.passwordVaultKey }}
-      {{- end }}
-{{- end }}
+      key: {{ required "app.images.main.registry.vaultPath is required when registry.auth is enabled" .Values.app.images.main.registry.vaultPath }}
+      property: {{ required "app.images.main.registry.passwordVaultKey is required when registry.auth is enabled" .Values.app.images.main.registry.passwordVaultKey }}
+{{- end }}

charts/qtodo/values.yaml

@@ -15,26 +15,14 @@ app:
       # Modified to Always to force a pull so we can test changes to the container image without requiring manual deletion of images or restarts of argo
       pullPolicy: Always
       registry:
-        # auth: controls whether to create registry auth secret
-        # Set to true when using private registry (built-in Quay or external)
+        # Set to true to create registry auth secret for image pulls
         auth: false
         secretName: qtodo-registry-auth
         user: registry-user
         # domain: registry.example.com  # REQUIRED when auth is enabled
-
-        # Built-in Quay registry (optional)
-        # When enabled, uses auto-generated credentials from Vault
-        builtinQuay:
-          enabled: false
-          vaultPath: secret/data/hub/infra/quay/quay-users
-          passwordVaultKey: quay-user-password
-
-        # External/BYO registry (optional)
-        # When enabled, uses user-provided credentials from Vault
-        externalRegistry:
-          enabled: false
-          vaultPath: secret/data/hub/infra/registry/registry-user
-          passwordVaultKey: registry-password
+        # Vault path and key for registry password (set for your scenario)
+        vaultPath: ""
+        passwordVaultKey: ""
     spiffeHelper:
       name: registry.redhat.io/zero-trust-workload-identity-manager/spiffe-helper-rhel9
       version: v0.10.0

charts/supply-chain/templates/pipeline-qtodo.yaml

@@ -1,12 +1,3 @@
-{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
-{{- $registryDomain := "" -}}
-{{- if .Values.registry.domain -}}
-  {{- $registryDomain = .Values.registry.domain -}}
-{{- else if .Values.quay.enabled -}}
-  {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
-{{- else -}}
-  {{- fail "registry.domain is required for external registry" -}}
-{{- end -}}
 ---
 apiVersion: tekton.dev/v1beta1
 kind: Pipeline
@@ -34,7 +25,7 @@ spec:
     - name: image-target
       type: string
       description: qtodo image push destination (e.g. quay.io/ztvp/qtodo:latest)
-      default: {{ $registryDomain }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
+      default: {{ tpl (required "registry.domain is required" .Values.registry.domain) $ }}/{{ .Values.registry.org }}/{{ .Values.registry.repo }}:{{ .Values.qtodo.tag }}
     - name: image-tls-verify
       type: string
       description: Whether to verify TLS when pushing to the OCI registry

charts/supply-chain/templates/quay/quay-user-job.yaml

@@ -19,7 +19,7 @@ spec:
               command: ["python3", "/app/create_user.py"]
               env:
                 - name: QUAY_HOST
-                  value: {{ .Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}
+                  value: {{ tpl (.Values.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain)) $ }}
                 - name: QUAY_ADMIN_USER
                   value: {{ .Values.registry.user }}
                 - name: QUAY_ADMIN_PASSWORD

charts/supply-chain/templates/rbac/registry-image-namespace.yaml

@@ -25,4 +25,95 @@ subjects:
   - kind: ServiceAccount
     name: pipeline
     namespace: {{ .Values.global.namespace }}
+---
+# Enable the default route on the embedded OCP image registry so that
+# the pipeline can push and external clients can pull images via the route.
+# Uses a Job because the imageregistry config is a cluster-singleton managed
+# by the image-registry operator; declarative ownership would conflict.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: registry-route-enabler
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.global.namespace }}-registry-route-enabler
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+rules:
+- apiGroups: ["imageregistry.operator.openshift.io"]
+  resources: ["configs"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.global.namespace }}-registry-route-enabler
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.global.namespace }}-registry-route-enabler
+subjects:
+- kind: ServiceAccount
+  name: registry-route-enabler
+  namespace: {{ .Values.global.namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: enable-registry-default-route
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      serviceAccountName: registry-route-enabler
+      restartPolicy: Never
+      containers:
+      - name: enable-route
+        image: registry.access.redhat.com/ubi9/ubi:9.7-1764794285
+        command:
+        - /bin/sh
+        - -ce
+        - |
+          APISERVER="https://kubernetes.default.svc"
+          TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+          CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          RESOURCE_URL="${APISERVER}/apis/imageregistry.operator.openshift.io/v1/configs/cluster"
+          AUTH_HEADER="Authorization: Bearer ${TOKEN}"
+
+          echo "Checking current defaultRoute status..."
+          BODY=$(curl -sS --cacert "${CACERT}" -H "${AUTH_HEADER}" "${RESOURCE_URL}")
+          rc=$?; if [ $rc -ne 0 ]; then echo "ERROR: GET failed (curl rc=${rc})"; exit 1; fi
+
+          # Parse defaultRoute from JSON without jq/grep dependency
+          case "${BODY}" in
+            *'"defaultRoute":true'*) echo "Default route already enabled, nothing to do."; exit 0 ;;
+          esac
+
+          echo "Enabling default route on embedded OCP image registry..."
+          RESP=$(curl -sS -w "\n%{http_code}" --cacert "${CACERT}" \
+            -H "${AUTH_HEADER}" \
+            -H "Content-Type: application/merge-patch+json" \
+            -X PATCH -d '{"spec":{"defaultRoute":true}}' \
+            "${RESOURCE_URL}")
+          HTTP_CODE=$(echo "${RESP}" | tail -1)
+
+          if [ "${HTTP_CODE}" -ge 200 ] 2>/dev/null && [ "${HTTP_CODE}" -lt 300 ] 2>/dev/null; then
+            echo "Default route enabled successfully (HTTP ${HTTP_CODE})."
+          else
+            echo "ERROR: PATCH failed (HTTP ${HTTP_CODE})."
+            echo "${RESP}" | head -5
+            exit 1
+          fi
 {{- end }}

charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml

@@ -3,7 +3,7 @@
   Purpose: Provides password for the Quay user provisioner job to create/update users in built-in Quay
   Used by: quay-user-job.yaml (CronJob that provisions Quay users)
   Only created when: quay.enabled=true (built-in Quay registry)
-  Not used for: BYO/external registry (use qtodo-registry-auth.yaml instead)
+  Uses unified registry.vaultPath and registry.passwordVaultKey
 */}}
 {{- if eq .Values.quay.enabled true }}
 ---
@@ -26,6 +26,6 @@ spec:
   data:
   - secretKey: password
     remoteRef:
-      key: {{ .Values.quay.vaultPath }}
-      property: {{ .Values.quay.passwordVaultKey }}
-{{- end }}
+      key: {{ .Values.registry.vaultPath }}
+      property: {{ .Values.registry.passwordVaultKey }}
+{{- end }}

charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml

@@ -2,56 +2,38 @@
   Pipeline Registry Auth Secret
   Purpose: Provides dockerconfigjson for pipeline to push/pull images
   Used by: Tekton pipeline tasks (build-image, sign-image, verify-image)
-  Created when: quay.enabled=true OR externalRegistry.enabled=true
-  Vault path: Automatically selects based on which registry is enabled
-    - Built-in Quay: quay.vaultPath (auto-generated credentials)
-    - BYO Registry: externalRegistry.vaultPath (user-provided credentials)
-  Registry domain:
-    - Built-in Quay: auto-constructed as quay-registry-quay-quay-enterprise.<hubClusterDomain>
-    - BYO Registry: must be explicitly set via registry.domain
+  Created when: registry.enabled=true
+  Registry-agnostic: works for built-in Quay, BYO (quay.io, ghcr.io), or embedded OCP.
+  Set registry.domain, registry.vaultPath, and registry.passwordVaultKey for your scenario.
 */}}
-{{- if or .Values.quay.enabled .Values.externalRegistry.enabled }}
-{{- /* Determine registry domain: auto-construct for built-in Quay, require for external */ -}}
-{{- $registryDomain := "" -}}
-{{- if .Values.registry.domain -}}
-  {{- $registryDomain = .Values.registry.domain -}}
-{{- else if .Values.quay.enabled -}}
-  {{- $registryDomain = printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain -}}
-{{- else -}}
-  {{- fail "registry.domain is required for external registry" -}}
-{{- end -}}
+{{- if .Values.registry.enabled }}
 ---
 apiVersion: "external-secrets.io/v1beta1"
 kind: ExternalSecret
 metadata:
-  name: qtodo-registry-auth
+  name: {{ .Values.registry.authSecretName }}
   namespace: {{ .Release.Namespace | default .Values.global.namespace }}
 spec:
   refreshInterval: 15s
   secretStoreRef:
     name: {{ .Values.global.secretStore.name }}
     kind: {{ .Values.global.secretStore.kind }}
   target:
-    name: qtodo-registry-auth
+    name: {{ .Values.registry.authSecretName }}
     template:
       type: kubernetes.io/dockerconfigjson
       data:
         .dockerconfigjson: |
           {
             "auths": {
-              "{{ $registryDomain }}": {
+              "{{ tpl (required "registry.domain is required when registry.enabled=true" .Values.registry.domain) $ }}": {
                 "auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.registry.user }}{{ `" .password | b64enc }}` }}"
               }
             }
           }
   data:
   - secretKey: password
     remoteRef:
-      {{- if .Values.quay.enabled }}
-      key: {{ .Values.quay.vaultPath }}
-      property: {{ .Values.quay.passwordVaultKey }}
-      {{- else if .Values.externalRegistry.enabled }}
-      key: {{ .Values.externalRegistry.vaultPath }}
-      property: {{ .Values.externalRegistry.passwordVaultKey }}
-      {{- end }}
-{{- end }}
+      key: {{ required "registry.vaultPath is required when registry.enabled=true" .Values.registry.vaultPath }}
+      property: {{ required "registry.passwordVaultKey is required when registry.enabled=true" .Values.registry.passwordVaultKey }}
+{{- end }}

charts/supply-chain/values.yaml

@@ -27,47 +27,59 @@ qtodo:
   containerfile: "./Containerfile"
 
 # ===========================================================================
-# BUILT-IN QUAY REGISTRY (optional)
-# When enabled, deploys internal Quay registry with auto-generated credentials
+# QUAY USER PROVISIONER (only for built-in Quay registry)
+# When enabled, runs a CronJob that provisions users in the built-in Quay instance.
+# This is Quay-specific and not needed for BYO or embedded OCP registries.
 # ===========================================================================
 quay:
-  enabled: true
+  enabled: false
   email: "quay-user@example.com"
-  # Vault path for auto-generated Quay credentials
-  vaultPath: "secret/data/hub/infra/quay/quay-users"
-  passwordVaultKey: "quay-user-password"
-  # User provisioner job settings
   job:
     image: registry.access.redhat.com/ubi9/ubi:9.7-1764794285
     schedule: "*/5 * * * *"
 
 # ===========================================================================
-# EXTERNAL/BYO REGISTRY (optional)
-# User-provided credentials for external registry (quay.io, ghcr.io, etc.)
-# Enable this when using an external registry instead of built-in Quay
-# ===========================================================================
-externalRegistry:
-  enabled: false
-  # Vault path for user-provided credentials
-  vaultPath: "secret/data/hub/infra/registry/registry-user"
-  passwordVaultKey: "registry-password"
-
-# ===========================================================================
-# COMMON REGISTRY SETTINGS (shared by both built-in Quay and external registry)
+# REGISTRY CONFIGURATION (option-agnostic)
+# Works for all registry types: built-in Quay, BYO (quay.io, ghcr.io, etc.),
+# or embedded OCP image registry. Set the values for your scenario.
+#
+# Scenario-specific values (set in values-hub.yaml overrides):
+#   Built-in Quay:
+#     domain: quay-registry-quay-quay-enterprise.apps.<clusterDomain>
+#     vaultPath: secret/data/hub/infra/quay/quay-users
+#     passwordVaultKey: quay-user-password
+#   BYO (quay.io, ghcr.io, etc.):
+#     domain: quay.io (or your registry hostname)
+#     vaultPath: secret/data/hub/infra/registry/registry-user
+#     passwordVaultKey: registry-password
+#   Embedded OCP:
+#     domain: default-route-openshift-image-registry.apps.<clusterDomain>
+#     vaultPath: secret/data/hub/infra/registry/registry-user
+#     passwordVaultKey: registry-password
+#     embeddedOCP.ensureImageNamespaceRBAC: true
 # ===========================================================================
 registry:
-  # For built-in Quay: domain is auto-constructed from hubClusterDomain
-  # For external registry: REQUIRED - set explicitly (e.g., quay.io, ghcr.io)
-  # domain: "registry.example.com"
+  # Set to true to create the registry auth secret (dockerconfigjson)
+  enabled: false
+  # Registry hostname (REQUIRED when enabled)
+  domain: ""
+  # Organization/namespace within the registry
   org: "ztvp"
+  # Repository name
   repo: "qtodo"
+  # Whether to verify TLS when pushing to the registry
   tlsVerify: "true"
+  # Registry username
   user: "registry-user"
+  # Vault path to the secret containing the registry password
+  vaultPath: ""
+  # Key within the Vault secret that holds the password
+  passwordVaultKey: ""
   # Secret name for registry auth (dockerconfigjson)
   authSecretName: "qtodo-registry-auth"
   # Embedded OCP registry only: create image namespace (registry.org) and grant
   # pipeline SA system:image-builder so the pipeline can push. Set to true only when
-  # using the in-cluster OpenShift image registry; leave false for quay.io or other external registries.
+  # using the in-cluster OpenShift image registry; leave false for other registries.
   embeddedOCP:
     ensureImageNamespaceRBAC: false