feat: BYO container registry support#99
Restructure registry configuration to support three deployment states:
- Fresh install: No registry configured (both disabled by default)
- Built-in Quay: quay.enabled=true uses hub/infra/quay/ vault path
- External/BYO: externalRegistry.enabled=true uses hub/infra/registry/ path
Changes:
- Add externalRegistry.enabled flag to supply-chain and qtodo charts
- Separate vault paths for built-in Quay vs external registry
- Templates conditionally select vault path based on enabled flags
- Update supply-chain.md with BYO registry setup instructions
- Add helm template method and oc monitoring commands to supply-chain.md
- Follow VP best practice: external registry secrets in local ~/values-secret.yaml
To enable supply-chain:
1. Uncomment openshift-pipelines namespace and subscription
2. Uncomment supply-chain vault role (JWT auth)
3. Configure registry (BYO or built-in Quay) in application overrides
- For BYO registry:
- Set externalRegistry.enabled=true and configure registry settings
- Add registry credentials to ~/values-secret.yaml
- For built-in Quay:
- Enable openshift-storage namespace
- Enable ODF, NooBaa MCG
- Enable Quay operator subscription, quay-registry application
4. RHTAS (signing): Enable rhtas-operator subscription and trusted-artifact-signer namespace
5. RHTPA (SBOM): Enable rhtpa-operator subscription, ODF, NooBaa, and trusted-profile-analyzer
Signed-off-by: Min Zhang <minzhang@redhat.com>
This is the same PR as #98, which got accidentally closed.
Refactor supply-chain and qtodo charts to use a single, option-agnostic
registry configuration instead of separate per-registry blocks.
Registry options (configure one in values-hub.yaml):
- Option 1: Built-in Quay Registry
- Option 2: BYO/External Registry (quay.io, ghcr.io, etc.)
- Option 3: Embedded OCP Image Registry
Key changes:
Supply-chain chart:
* Unified registry.* parameters (domain, org, user, vaultPath, passwordVaultKey)
* Use tpl function to resolve template expressions in registry.domain values
passed as --set parameters from the validated patterns framework
* Embedded OCP registry automation (registry.embeddedOCP.ensureImageNamespaceRBAC):
- Auto-create image namespace matching registry.org
- Grant pipeline SA system:image-builder via RoleBinding
- Enable default route on OCP image registry via Kubernetes API
(curl-based Job using ServiceAccount token, no oc CLI dependency)
* ArgoCD hook annotations on the route-enabler Job (Sync + HookSucceeded)
* Rename qtodo-registry-pass to qtodo-quay-pass for clarity
Qtodo chart:
* Unified app.images.main.registry.* parameters
* Use tpl function in registry-external-secret.yaml for domain resolution
ztvp-certificates chart:
* Node-level image pull trust for kubelet (imagePullTrust.*)
* Create ConfigMap with ingress CA per registry hostname in openshift-config
* Patch image.config.openshift.io/cluster additionalTrustedCA
* RBAC for patching image.config.openshift.io resources
Documentation:
* Comprehensive supply-chain.md with configuration steps for all three registry options, vault paths, and example overrides
* Updated values-secret.yaml.template with registry credential examples
Signed-off-by: Min Zhang <minzhang@redhat.com>
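The route-enabler Job described in this commit talks to the API server directly with the Job's ServiceAccount token instead of shelling out to oc. Below is an added example of that approach; it is not the supply-chain chart's own Job script. The resource path and merge-patch body are the real OpenShift API (configs.imageregistry.operator.openshift.io/cluster, spec.defaultRoute); the k8s_api helper, the RUN_ROUTE_ENABLER switch and the in-cluster SA mount path are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the chart's route-enabler Job): enable the OpenShift
# image registry's default route by PATCHing
# configs.imageregistry.operator.openshift.io/cluster through the API server,
# authenticated with the Job's projected ServiceAccount token.
# Assumptions: in-cluster execution (kubernetes.default.svc reachable,
# /var/run/secrets/kubernetes.io/serviceaccount mounted) and a Role on the
# Job's SA granting get+patch on configs.imageregistry.operator.openshift.io.
set -eu

API_SERVER="${API_SERVER:-https://kubernetes.default.svc}"
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
CONFIG_PATH="/apis/imageregistry.operator.openshift.io/v1/configs/cluster"
PATCH_BODY='{"spec":{"defaultRoute":true}}'

# k8s_api METHOD [BODY]: one API call. The API server is verified against the
# cluster CA from the SA mount rather than skipped with -k. Hypothetical name.
k8s_api() {
  local method=$1 body=${2:-} token
  token=$(cat "$SA_DIR/token")
  if [ -n "$body" ]; then
    curl -sSf --cacert "$SA_DIR/ca.crt" \
      -H "Authorization: Bearer $token" \
      -H "Content-Type: application/merge-patch+json" \
      -X "$method" --data "$body" "$API_SERVER$CONFIG_PATH"
  else
    curl -sSf --cacert "$SA_DIR/ca.crt" \
      -H "Authorization: Bearer $token" \
      -X "$method" "$API_SERVER$CONFIG_PATH"
  fi
}

# default_route_enabled JSON: 0 if spec.defaultRoute is already true.
# A minimal Job image has no jq, so whitespace is stripped and the key is
# matched literally; defaultRoute only occurs under .spec in this resource.
default_route_enabled() {
  printf '%s' "$1" | tr -d ' \t\n' | grep -q '"defaultRoute":true'
}

# ensure_default_route: idempotent. Read, PATCH only when needed, then re-read
# and verify, so a 200 from the PATCH is not mistaken for the route being on.
ensure_default_route() {
  local current
  current=$(k8s_api GET)
  if default_route_enabled "$current"; then
    echo "image registry default route already enabled"
    return 0
  fi
  k8s_api PATCH "$PATCH_BODY" >/dev/null
  current=$(k8s_api GET)
  if default_route_enabled "$current"; then
    echo "image registry default route enabled"
    return 0
  fi
  echo "PATCH accepted but spec.defaultRoute is still not true" >&2
  return 1
}

# Entrypoint for the Job container; off by default so the functions can be
# sourced and exercised without touching a cluster.
if [ "${RUN_ROUTE_ENABLER:-0}" = "1" ]; then
  ensure_default_route
fi
```

The Role bound to the Job's ServiceAccount can be narrowed further than "get/patch on configs.imageregistry.operator.openshift.io" by adding resourceNames: ["cluster"], since both verbs support resource-name scoping; the Job then cannot read or modify any other object of that kind.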
…try-fresh-install Signed-off-by: Min Zhang <minzhang@redhat.com> # Conflicts: # charts/ztvp-certificates/files/extract-certificates.sh.tpl # values-hub.yaml
…try-fresh-install Resolve conflict in values-hub.yaml: keep multi-option registry configuration from BYO branch and add sync-wave annotation (argocd.argoproj.io/sync-wave: "48") from PR validatedpatterns#109. Signed-off-by: Min Zhang <minzhang@redhat.com>
Add scripts/gen-byo-container-registry-variants.py that reads the base values-hub.yaml (all supply-chain components commented out) and produces up to 3 variants with the chosen registry option enabled: Option 1: Built-in Quay Registry Option 2: BYO / External Registry Option 3: Embedded OCP Image Registry Each variant also enables the common supply-chain stack (OpenShift Pipelines, ODF, NooBaa, RHTAS, RHTPA, and their namespaces, subscriptions, vault roles). Signed-off-by: Min Zhang <minzhang@redhat.com>
On a fresh bare-metal cluster the proxy trustedCA injection may not have propagated to Central's mounted CA bundle by the time the create-auth-provider Job runs. Central caches its TLS trust pool at startup, so all Job retries fail with "x509: certificate signed by unknown authority" when Central tries to validate the Keycloak OIDC discovery endpoint.
- Add retry loop in create-auth-provider Job that detects the specific TLS CA error, restarts Central to reload the CA bundle, then retries (up to 3 times)
- Add apps/deployments get+patch to the service account Role so the Job can run "oc rollout restart"
- Refactor script: extract wait_for_central() and escape_sed() helpers
Signed-off-by: Min Zhang <minzhang@redhat.com>
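The retry described in this commit, written out as a standalone script. This is an added example, not the pattern's own create-auth-provider Job script: the run_create_auth_provider and restart_central hook names, the /scripts/create-auth-provider.sh path and the stackrox namespace default are this example's assumptions. The point it makes is that only the specific x509 trust error should trigger a Central restart; any other failure (bad credentials, a misconfigured realm) is returned immediately instead of being masked by three pointless restarts.

```bash
#!/usr/bin/env bash
# Added example (not the pattern's create-auth-provider script): retry an
# operation that fails only because Central started with a stale CA bundle,
# restart Central between attempts so it reloads the bundle, and stop after a
# bounded number of rounds. Any other error fails fast.
# Assumptions: oc is logged in with rights to patch deployments in $ACS_NS;
# run_create_auth_provider and restart_central are hook names of this example.
set -eu

ACS_NS="${ACS_NS:-stackrox}"
MAX_CA_RETRIES="${MAX_CA_RETRIES:-3}"
CA_ERROR='x509: certificate signed by unknown authority'

# The operation being retried. Default: run the script that creates the
# Keycloak auth provider in Central (path is an assumption of this example).
run_create_auth_provider() {
  "${CREATE_AUTH_PROVIDER:-/scripts/create-auth-provider.sh}"
}

# Rolling restart so Central re-reads the mounted CA bundle at startup.
# Needs get+patch on apps/deployments; rollout status also needs list/watch.
restart_central() {
  oc -n "$ACS_NS" rollout restart deployment/central
  oc -n "$ACS_NS" rollout status deployment/central --timeout=300s
}

# is_ca_error FILE: 0 if the captured output contains the specific TLS trust
# error. Fixed-string match, so nothing in the message is treated as a regex.
is_ca_error() {
  grep -qF "$CA_ERROR" "$1"
}

# create_with_ca_retry: 0 on success, 2 when the CA error persists after
# MAX_CA_RETRIES attempts, 1 for any other failure. Output is captured to a
# file rather than $(...) so the hooks do not run in a subshell.
create_with_ca_retry() {
  local attempt=1 out
  out=$(mktemp)
  while :; do
    if run_create_auth_provider >"$out" 2>&1; then
      echo "auth provider created on attempt $attempt"
      rm -f "$out"
      return 0
    fi
    if ! is_ca_error "$out"; then
      cat "$out" >&2
      rm -f "$out"
      return 1
    fi
    if [ "$attempt" -ge "$MAX_CA_RETRIES" ]; then
      echo "CA error persists after $attempt attempts; giving up" >&2
      rm -f "$out"
      return 2
    fi
    echo "attempt $attempt: Central rejected Keycloak's CA; restarting Central" >&2
    restart_central
    attempt=$((attempt + 1))
  done
}

# Entrypoint for the Job container; off by default so the functions can be
# sourced and exercised without a cluster.
if [ "${RUN_CREATE_AUTH_PROVIDER:-0}" = "1" ]; then
  create_with_ca_retry
fi
```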
…odo image in chart
Move shared registry credentials (domain, org, user, vaultPath, passwordVaultKey) into a single global.registry block in values-hub.yaml. Supply-chain and qtodo charts fall back to global.registry.* when local registry values are empty. Derive the qtodo container image from global.registry.domain/org when registry is enabled, avoiding Validated Patterns --set overrides (Helm templates are not available there).
- Add global.registry defaults to supply-chain and qtodo chart values
- Update templates to use | default .Values.global.registry.*
- Simplify values-hub.yaml application overrides for option-specific flags
- Rewrite gen-byo-container-registry-variants.py for the structure
- Update docs/supply-chain.md for global.registry architecture
Signed-off-by: Min Zhang <minzhang@redhat.com>
Sync common/scripts/vault-utils.sh (Helm global.pattern substitution for Ansible) and charts/acs-central cluster-init Role (list/watch deployments) from embedded-ocp-registry for parity across registry option branches. Signed-off-by: Min Zhang <minzhang@redhat.com>
Add CronJob and sync-hook seed Job for pipeline SA token refresh to Vault (SPIFFE JWT). Extend supply-chain values, docs/supply-chain.md, and values-hub for embedded OCP (merged with fresh-install baseline). Signed-off-by: Min Zhang <minzhang@redhat.com>
Two bugs in gen-byo-container-registry-variants.py:
1. The supply-chain JWT role subject regex used ns/pipeline which no
longer matches after the namespace was changed to
{{ $.Values.global.pattern }}-hub. Changed to sa/pipeline which
matches both old and new formats.
2. enable_image_pull_trust looked for the stale <registry-hostname>
placeholder. Changed to match by position (value line after the
imagePullTrust.registries line) so it works regardless of the
default value in the base file.
Signed-off-by: Min Zhang <minzhang@redhat.com>
- Comment out registry-user in values-secret.yaml.template (was active by default but unnecessary for minimal deployments)
- Update supply-chain.md step 2 to clarify that only Option 2 (BYO registry) needs the manual registry-user secret
  - Option 1 (Quay) uses auto-generated quay-users secret
  - Option 3 (embedded OCP) token refresher writes to Vault automatically
Signed-off-by: Min Zhang <minzhang@redhat.com>
…efactor Update feature YAML files and gen-feature-variants script/docs for: - org -> repository (e.g. "ztvp/qtodo") - embeddedOCP -> embeddedOpenShift - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml Signed-off-by: Min Zhang <minzhang@redhat.com>
- Rename org -> repository throughout (global.registry and supply-chain)
- Rename embeddedOCP -> embeddedOpenShift in supply-chain templates and docs
- Scope registry image rewrite via useRegistry flag in qtodo.image helper
- Guard imagePullSecrets on vaultPath being set (not just registry.enabled)
- Add Vault auth retry loop to refresh_registry_token.sh for seed Job timing
- Extract image namespace from first path component of repository (splitList)
- Update docs/supply-chain.md with new parameter names and examples
Signed-off-by: Min Zhang <minzhang@redhat.com>
For the token refresh, upon fresh install, the seed job (registry-token-refresher-seed) runs as an ArgoCD Sync hook on every sync to populate the token immediately. The 6-hour CronJob schedule was to handle the ongoing refresh given the 48-hour token lifetime configured by
sabre1041
left a comment
Additional comments based on testing
  namespace: {{ .Values.global.namespace }}
  annotations:
    # Run after wave 0 (ConfigMaps, RBAC, ztvp ns) and wave 1 (enable-registry-default-route hook).
    argocd.argoproj.io/sync-wave: "10"
Is it a concern that this uses a sync wave of 10? Since there are ExternalSecrets at a lower sync wave (qtodo-registry-auth at sync wave 0), this job is never triggered
updated the sync-wave order in supply-chain
- Rename OCP_DOMAIN to OPENSHIFT_DOMAIN in vault-utils.sh
- Use repository: ztvp/qtodo for all 3 registry options in values-hub.yaml
- Add sync-wave "15" to qtodo-registry-auth ExternalSecret so it runs after the registry-token-refresher-seed Job at wave 10, preventing a deadlock where the ExternalSecret blocks Argo from reaching the seed
- Update SYNC-WAVE-INVENTORY.md with full supply-chain chart internals
Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Min Zhang <minzhang@redhat.com>
- Rename org -> repository: ztvp/qtodo for Options 1 and 3 - Rename Embedded OCP -> Embedded OpenShift throughout - Rename embeddedOCP -> embeddedOpenShift in supply-chain overrides - Update domain/org -> domain/repository in comments Signed-off-by: Min Zhang <minzhang@redhat.com>
… mirror fix
Bootstrapping: registry seed image Job (qtodo chart)
- New registry-seed-job.yaml: mirrors upstream qtodo image into the configured registry (embedded OpenShift, built-in Quay, or BYO) so the deployment can pull before the supply-chain pipeline runs.
- Adds seedImage config block to qtodo/values.yaml (disabled by default).
- Handles all three registry types: SA token auth for embedded OpenShift, dockerconfigjson secret for Quay/BYO, with registry-reachability retry.
- Uses -a flag for oc image mirror auth (not skopeo --dest-creds flags).
- Sync hook with HookSucceeded delete policy; runs at wave 0+5 (before the qtodo deployment at wave 51).
Pipeline auto-trigger: PostSync Job wrapper (supply-chain chart)
- pipelinerun-qtodo.yaml now creates a PostSync Job that imperatively runs `oc create` to launch the PipelineRun. This works around the upstream clustergroup chart's resourceExclusions for tekton.dev PipelineRun/TaskRun, which silently blocks direct PipelineRun hooks.
- Dedicated pipelinerun-launcher ServiceAccount + Role + RoleBinding with minimal RBAC (create pipelineruns, get secret/PVC).
Post-pipeline qtodo refresh (supply-chain chart)
- New restart-qtodo Tekton Task + RBAC (pipeline-qtodo-restarter Role/RoleBinding in qtodo namespace).
- Added `finally` section to pipeline-qtodo.yaml that runs restart-qtodo after successful image verification, forcing the qtodo deployment to pull the newly built and signed image.
ArgoCD PVC health check (values-hub.yaml)
- Added custom resourceHealthCheck for PersistentVolumeClaim: treats Pending as Healthy. WaitForFirstConsumer PVCs stay Pending until a pod mounts them, which causes ArgoCD to report the app as Progressing indefinitely and prevents PostSync hooks from firing. This is a common pattern for gp3-csi (AWS), lvms-vg1 (bare metal), etc.
- Preserves existing KeycloakRealmImport health check.
Generator script updates
- gen-byo-container-registry-variants.py: uncomments pipelinerun.enabled and app.seedImage.enabled flags when generating supply-chain variants.
Other
- registry-external-secret.yaml: added sync-wave 36 annotation.
- values-hub.yaml: clean base with new flags commented out; RHTAS pinned to stable-v1.3.
- SYNC-WAVE-INVENTORY.md: updated qtodo and supply-chain sections.
Signed-off-by: Min Zhang <minzhang@redhat.com>
… loops
A Sync hook failure triggers ArgoCD retry loops for the entire sync operation (up to 20 retries with timeouts), blocking all higher sync waves and creating an unrecoverable deadlock. Wrap the seed logic in a function guarded by an unconditional exit 0 so the hook always succeeds regardless of registry availability:
- No auth secret (built-in Quay first install): skip gracefully
- Registry unreachable: warn and exit 0
- Mirror failure: warn and exit 0
Also tune Job parameters:
- backoffLimit: 0 (K8s retries unnecessary since job always exits 0)
- activeDeadlineSeconds: 600 (hard safety net)
- Registry poll MAX_WAIT: 480s (enough for embedded registry startup)
- hook-delete-policy: BeforeHookCreation,HookSucceeded
Signed-off-by: Min Zhang <minzhang@redhat.com>
On fresh install the PostSync hook can fire before the built-in Quay registry is fully ready, causing the pipeline to fail when pushing images. Add a readiness poll loop that waits up to 480s for the registry /v2/ endpoint to respond before creating the PipelineRun. Also increase activeDeadlineSeconds from 120 to 600 to accommodate the wait. Works for all registry types (built-in Quay, embedded OpenShift, BYO) since it uses global.registry.domain. Signed-off-by: Min Zhang <minzhang@redhat.com>
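The two hook commits above (the best-effort seed hook that must always exit 0, and the readiness poll against the registry's /v2/ endpoint) share the same building blocks. Below is an added example of both, not the chart's own hook scripts. One detail the commit messages do not spell out: a registry that requires authentication answers GET /v2/ with 401 and a WWW-Authenticate header, so a probe that only accepts 200 (for example curl -f) would wait out the whole 480s budget against a perfectly healthy Quay. REGISTRY_DOMAIN, REGISTRY_CA_BUNDLE, MAX_ATTEMPTS, POLL_INTERVAL and the function names are this example's assumptions; oc image mirror -a is the real auth-file flag the commit refers to.

```bash
#!/usr/bin/env bash
# Added example (not the chart's hook scripts): readiness poll for a
# Distribution-API registry plus a Sync-hook wrapper that never fails.
# Assumptions: REGISTRY_DOMAIN is the registry hostname; REGISTRY_CA_BUNDLE
# (optional) is the CA that signed its certificate; MAX_ATTEMPTS x
# POLL_INTERVAL defaults to the 480s budget from the commit message.
set -eu

REGISTRY_DOMAIN="${REGISTRY_DOMAIN:-}"
REGISTRY_CA_BUNDLE="${REGISTRY_CA_BUNDLE:-}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-48}"
POLL_INTERVAL="${POLL_INTERVAL:-10}"

# registry_http_code DOMAIN: HTTP status of GET https://DOMAIN/v2/, or 000
# when no response was obtained. TLS is verified; pass a CA bundle instead of
# -k, because skipping verification would hide exactly the trust problem the
# imagePullTrust work in this PR is meant to fix.
registry_http_code() {
  local domain=$1 code
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 5 \
      ${REGISTRY_CA_BUNDLE:+--cacert "$REGISTRY_CA_BUNDLE"} \
      "https://$domain/v2/" 2>/dev/null) || true
  printf '%s\n' "${code:-000}"
}

# is_ready_status CODE: the registry API is serving when /v2/ answers 200
# (anonymous) or 401 (auth required). 000 (no connection), 404 (route exists
# but nothing behind it yet) and 5xx all mean keep waiting.
is_ready_status() {
  case "$1" in
    200|401) return 0 ;;
    *) return 1 ;;
  esac
}

# wait_for_registry DOMAIN: poll until ready or until the attempt budget is
# spent. 0 when ready, 1 on timeout. Attempt-based rather than wall-clock so
# the loop always terminates, whatever POLL_INTERVAL is.
wait_for_registry() {
  local domain=$1 attempt=1 code
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    code=$(registry_http_code "$domain")
    if is_ready_status "$code"; then
      echo "registry $domain ready (HTTP $code) after $attempt attempt(s)"
      return 0
    fi
    echo "registry $domain not ready (HTTP $code), attempt $attempt/$MAX_ATTEMPTS" >&2
    sleep "$POLL_INTERVAL"
    attempt=$((attempt + 1))
  done
  return 1
}

# seed_image SRC DST AUTHFILE: the actual mirror. -a takes a docker config
# file (the dockerconfigjson for Quay/BYO, or one built from the SA token for
# the embedded registry).
seed_image() {
  oc image mirror -a "$3" "$1" "$2"
}

# best_effort_seed SRC DST AUTHFILE: hook entrypoint. Every failure path logs
# a warning and returns 0 so ArgoCD never sees a failed Sync hook; the Job's
# backoffLimit 0 and activeDeadlineSeconds remain the hard safety net.
best_effort_seed() {
  local src=$1 dst=$2 authfile=$3
  if [ -z "$REGISTRY_DOMAIN" ]; then
    echo "WARN: no registry configured; skipping seed" >&2; return 0
  fi
  if [ ! -s "$authfile" ]; then
    echo "WARN: no registry auth at $authfile (first install?); skipping seed" >&2; return 0
  fi
  if ! wait_for_registry "$REGISTRY_DOMAIN"; then
    echo "WARN: registry unreachable after $MAX_ATTEMPTS attempts; the pipeline will build the image" >&2; return 0
  fi
  if ! seed_image "$src" "$dst" "$authfile"; then
    echo "WARN: mirror $src -> $dst failed; the pipeline will build the image" >&2; return 0
  fi
  echo "seeded $dst from $src"
  return 0
}

if [ "${RUN_SEED_HOOK:-0}" = "1" ]; then
  best_effort_seed "${SEED_SRC:?}" "${SEED_DST:?}" "${SEED_AUTHFILE:-/auth/.dockerconfigjson}"
fi
```

For the PostSync pipeline trigger, only wait_for_registry is needed; there the right behaviour on timeout is to fail, since a PipelineRun launched against an unreachable registry would only fail later and less clearly.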
The clustergroup chart requires all override values to be strings. Bare YAML booleans (true/false) cause Helm template error: "wrong type for value; expected string; got bool" Quote compliance.storage.enabled, app.oidc.enabled, and app.spire.enabled values. Signed-off-by: Min Zhang <minzhang@redhat.com>
Add documentation for: - First-install image availability (registry-seed-image best-effort job) - ArgoCD PVC health check for WaitForFirstConsumer storage classes - Automatic pipeline trigger via PostSync hook Job with registry readiness check - restart-qtodo finally task that restarts the deployment after a successful pipeline run - Updated Helm template section to reflect Job wrapper change Signed-off-by: Min Zhang <minzhang@redhat.com>
Change BYO registry repository from ztvp/qtodo to your-org/qtodo. quay.io uses org/repo format and users must replace this with their own org. Options 1 and 3 (internal registries) keep ztvp/qtodo since they control the namespace. Signed-off-by: Min Zhang <minzhang@redhat.com>
sabre1041
left a comment
Thanks @minmzzhang for not looking into the remaining issues that were referenced previously, but looking into adding additional features to this integration.
While I certainly appreciate thinking ahead and enabling additional capabilities, such as the automated mirroring of the qtodo image to avoid out of sync errors, I am concerned that it may not be applicable in the long run. Specifically, once we enable tighter controls surrounding the images that are deployed, we would want the qtodo image to go through the pipeline which would package and sign the content. If we enable stricter control for the image, the mirrored image would not be admitted anyways.
In addition, to demonstrate the secure supply chain use case, we would not want to start the Pipeline automatically and instead, have the user start the pipeline and see the real value of this solution.
I'd recommend we stick to the goals of this PR, and if we want to explore additional avenues, we can do so in subsequent PRs.
    hs.message = "PVC is bound"
  elseif obj.status.phase == "Pending" then
    hs.status = "Healthy"
    hs.message = "PVC is pending (WaitForFirstConsumer)"
Should the message be more generic? There is no assurance that a Pending PVC is in a state that it is waiting for a consumer
updated (removed the WaitForFirstConsumer)
#!/usr/bin/env bash
set -euo pipefail
echo "Restarting qtodo deployment to pull the latest image..."
oc rollout restart deployment/qtodo -n qtodo
There is a chance that the Deployment may not be present if the Pipeline is autostarted upon Argo sync
added the condition check
- PVC health check: use generic "PVC is pending" message instead of assuming WaitForFirstConsumer binding mode
- Disable auto pipeline trigger (pipelinerun.enabled) and seed image mirroring (app.seedImage.enabled) by default; keep templates gated behind flags for future enablement
- Guard restart-qtodo task against missing Deployment
- Remove auto-trigger and seed image sections from supply-chain docs
- Remove pipelinerun/seedImage uncomment logic from gen-byo script
Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Min Zhang <minzhang@redhat.com>
Disabled auto pipeline trigger (pipelinerun.enabled) and seed image mirroring (app.seedImage.enabled) by default
sabre1041
left a comment
Looking really good. Thanks @minmzzhang for working through the requested enhancements. Let's integrate this in now. There may be some additional opportunities for enhancements that could be made; however, this is a large feature that impacts other work, so it's best to integrate it in now.
Great work again!
* feat: add feature-aware values-hub.yaml generator
  Add a declarative, composable YAML generator using ruamel.yaml for producing values-hub.yaml overrides per deployment scenario. Features are defined as small YAML fragment files under scripts/features/ with automatic dependency resolution. Supported scenarios: rhtpa, quay, rhtas, pipelines, storage, and full supply-chain (with registry option 1/2/3).
  Usage:
    python3 scripts/gen-feature-variants.py --features rhtpa
    python3 scripts/gen-feature-variants.py --features supply-chain --registry-option all
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: address review feedback for gen-feature-variants
  - Rename _merge_into to merge_into_applications for clarity on which section it targets (review: Manuel)
  - Strip comments from clusterGroup.namespaces/subscriptions/applications in generated output to avoid confusing placement of commented-out blocks near merged content; preserve all other comments (top-level headers, spire, sharedValueFiles, imperative, etc.)
  - Add gen-feature-variants.md with environment setup and usage
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: align gen-feature-variants with PR #99 review refactor
  Update feature YAML files and gen-feature-variants script/docs for:
  - org -> repository (e.g. "ztvp/qtodo")
  - embeddedOCP -> embeddedOpenShift
  - Rename option-3-embedded-ocp.yaml -> option-3-embedded-openshift.yaml
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* chore: add __pycache__ and *.pyc to .gitignore
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: rename embedded-ocp to embedded-openshift in output filenames
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: sync supply-chain feature with PR review feedback
  - Add empty supply-chain and qtodo override placeholders in features/supply-chain.yaml for future enablement
  - Pin RHTAS operator channel to stable-v1.3
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* chore: remove legacy gen-byo-container-registry-variants.py
  The new gen-feature-variants.py covers all registry options declaratively; no need to maintain two generators.
  Signed-off-by: Min Zhang <minzhang@redhat.com>
* Override value job.image in quay-registry application
---------
Signed-off-by: Min Zhang <minzhang@redhat.com>
Co-authored-by: Manuel Lorenzo <mlorenzofr@gmail.com>
Summary
Add support for Bring-Your-Own (BYO) container registry alongside the existing built-in Quay and embedded OCP image registry options. A single global.registry block in values-hub.yaml centralizes registry credentials, and charts fall back to global defaults when local values are empty.

Registry options (configure one in values-hub.yaml):
- Option 1: Built-in Quay Registry
- Option 2: BYO/External Registry (quay.io, ghcr.io, etc.)
- Option 3: Embedded OCP Image Registry

Key changes

global.registry architecture
- domain, org, user, vaultPath, passwordVaultKey in global.registry; per-app overrides only set option-specific flags
- qtodo image derived from global.registry.domain/org inside the chart (no VP --set overrides needed)

Supply-chain chart
- Unified registry.* parameters with tpl domain resolution
- Embedded OCP registry automation: system:image-builder RoleBinding, route-enabler Job (no oc CLI)
- Pipeline SA token refresh to Vault (SPIFFE JWT) on embedded OCP

Qtodo chart
- Unified app.images.main.registry.* with tpl domain resolution

ztvp-certificates chart
- Node-level image pull trust for kubelet (imagePullTrust.*)
- ConfigMap with ingress CA per registry hostname in openshift-config
- image.config.openshift.io/cluster additionalTrustedCA + RBAC

ACS Central (bug fix)
- create-auth-provider Job detects x509 errors, restarts Central to reload CA bundle (up to 3 retries)
- apps/deployments get+patch to SA Role for rollout restart

vault-utils / ACS init RBAC
- vault-utils.sh Helm global.pattern substitution for Ansible
- list/watch deployments to ACS Central cluster-init Role

Test tooling
- scripts/gen-byo-container-registry-variants.py: generate values-hub.yaml variants for each registry option with full supply-chain stack enabled

Documentation
- docs/supply-chain.md with steps for all three options
- values-secret.yaml.template: registry-user commented out by default (only needed for Option 2 BYO)

Secrets model
- Option 1 (Quay): auto-generated quay-users secret
- Option 2 (BYO): registry-user in ~/values-secret-*.yaml

Signed-off-by: Min Zhang <minzhang@redhat.com>