From adb4dfcacf143b95655ad49a35540b326c1c74e1 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Fri, 19 Dec 2025 15:13:26 +0100
Subject: [PATCH 01/18] Add documentation on values for the Supply Chain use case
Signed-off-by: Manuel Lorenzo
---
 docs/supply-chain.md | 194 ++++++++++++
 docs/values-patches/supply-chain.patch | 415 +++++++++++++++++++++++++
 2 files changed, 609 insertions(+)
 create mode 100644 docs/values-patches/supply-chain.patch
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index d2459fad..0d82849d 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -20,6 +20,200 @@ In our demo, we will use a number of additional ZTVP components. These component * [Multicloud Object Gateway](https://docs.redhat.com/en/documentation/red_hat_openshift_container_storage/4.8/html/managing_hybrid_and_multicloud_resources/index) is a data service for OpenShift that provides an S3-compatible object storage. In our case, this component is necessary to provide a storage system to Quay. * [Red Hat OpenShift Pipelines](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20) is a cloud-native CI/CD solution built on the Tekton framework. We will use this product to automate our secure supply chain process, but you could use your own CI/CD solution if one exists. +### Setting up the values + +We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the `values-hub.yaml` file + +* `clustergroup.namespaces`. Create the namespaces for the components. + + ```shell + - openshift-storage: + operatorGroup: true + targetNamespace: openshift-storage + annotations: + openshift.io/cluster-monitoring: "true" + argocd.argoproj.io/sync-wave: "-5" # Propagated to OperatorGroup by framework + - quay-enterprise: + annotations: + argocd.argoproj.io/sync-wave: "1" # Create before NooBaa and all Quay components + labels: + openshift.io/cluster-monitoring: "true" + - trusted-artifact-signer: + annotations: + argocd.argoproj.io/sync-wave: "1" # Auto-created by RHTAS operator + labels: + openshift.io/cluster-monitoring: "true" + - rhtpa-operator: + operatorGroup: true + targetNamespace: rhtpa-operator + annotations: + argocd.argoproj.io/sync-wave: "-5" # Create before operator subscription + - trusted-profile-analyzer: + annotations: + argocd.argoproj.io/sync-wave: "1" # Create before RHTPA components + labels: + openshift.io/cluster-monitoring: "true" + - openshift-pipelines + ``` + +* `clusterGroup.subscriptions`. Create the subscriptions for the components operators. 
+ + ```shell + openshift-pipelines: + name: openshift-pipelines-operator-rh + namespace: openshift-operators + odf: + name: odf-operator + namespace: openshift-storage + channel: stable-4.20 + annotations: + argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5) + quay-operator: + name: quay-operator + namespace: openshift-operators + channel: stable-3.15 + annotations: + argocd.argoproj.io/sync-wave: "-3" # Install after ODF operator + rhtas-operator: + name: rhtas-operator + namespace: openshift-operators + channel: stable + annotations: + argocd.argoproj.io/sync-wave: "-2" # Install after Quay operator, before applications + catalogSource: redhat-operators + rhtpa-operator: + name: rhtpa-operator + namespace: rhtpa-operator # MUST use dedicated namespace (not openshift-operators) + channel: stable-v1.1 # Use stable-v1.1 channel for 1.1.x updates + catalogSource: redhat-operators + annotations: + argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications + ``` + +* `applications`: Configure the applications. 
+ + ```shell + noobaa-mcg: + name: noobaa-mcg + namespace: openshift-storage + project: hub + path: charts/noobaa-mcg + annotations: + argocd.argoproj.io/sync-wave: "5" # Deploy after core services + quay-registry: + name: quay-registry + namespace: quay-enterprise + project: hub + path: charts/quay-registry + annotations: + argocd.argoproj.io/sync-wave: "10" # Deploy after NooBaa storage backend + trusted-artifact-signer: + name: trusted-artifact-signer + namespace: trusted-artifact-signer + project: hub + path: charts/rhtas-operator + annotations: + argocd.argoproj.io/sync-wave: "15" # Deploy after dependencies + overrides: + # OIDC Issuer Configuration - Both can be enabled simultaneously + # Enable SPIFFE issuer for workload identity + - name: rhtas.zeroTrust.spire.enabled + value: "true" + - name: rhtas.zeroTrust.spire.trustDomain + value: "apps.{{ $.Values.global.clusterDomain }}" + - name: rhtas.zeroTrust.spire.issuer + value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}" + # Enable Keycloak issuer for user/email authentication + - name: rhtas.zeroTrust.email.enabled + value: "true" + - name: rhtas.zeroTrust.email.issuer + value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp + trusted-profile-analyzer: + name: trusted-profile-analyzer + namespace: trusted-profile-analyzer + project: hub + path: charts/rhtpa-operator + annotations: + argocd.argoproj.io/sync-wave: "10" # Create chart resources (OBC, DB, etc.) 
+ # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 50 + # to ensure the operator is fully ready (mitigates v1.1.0 initialization bug) + # Ignore differences to prevent OutOfSync status + ignoreDifferences: + # Ignore Job status changes (completion, failure counts, conditions) + # Jobs are created by hooks and their status changes don't require re-sync + - group: batch + kind: Job + jsonPointers: + - /status + overrides: + # Vault Integration + - name: rhtpa.zeroTrust.vault.url + value: https://vault.vault.svc.cluster.local:8200 + - name: rhtpa.modules.createImporters.importers.cve.cve.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled + value: "false" + # Additional importers (disabled by default due to large datasets) + - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled + value: "false" + supply-chain: + name: supply-chain + project: hub + path: charts/supply-chain + ignoreDifferences: + - group: "" + kind: ServiceAccount + jqPathExpressions: + - .imagePullSecrets[]|select(.name | contains("-dockercfg-")) + overrides: + # Don't forget to uncomment the RHTAS and RHTPA components in this same file + - name: rhtas.enabled + value: true + - name: rhtpa.enabled + value: true + - name: registry.tlsVerify + value: "false" + - name: registry.user + value: quay-admin + - name: registry.passwordVaultKey + value: quay-admin-password + ``` + +* `applications.vault.jwt.roles.policies`: In the **Vault** polices, add the policy **rhtpa**. 
+ + ```shell + - name: rhtpa + audience: rhtpa + subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa + policies: + - global-secret + ``` + +* `applications.qtodo.overrides`: Configure **qtodo** to use the Quay registry. + + ```shell + - name: app.images.main.name + value: quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}/ztvp/qtodo + - name: app.images.main.version + value: latest + - name: app.images.main.registry.auth + value: true + - name: app.images.main.registry.user + value: quay-admin + - name: app.images.main.registry.passwordVaultKey + value: quay-admin-password + ``` + +You can apply this changes to your configuration using [this patch file](./values-patches/supply-chain.patch): + +```shell +git apply docs/values-patches/supply-chain.patch +``` + ## Automatic approach To automate the application building and certifying process, we will use _Red Hat OpenShift Pipelines_. diff --git a/docs/values-patches/supply-chain.patch b/docs/values-patches/supply-chain.patch new file mode 100644 index 00000000..ca76eaee --- /dev/null +++ b/docs/values-patches/supply-chain.patch 
@@ -0,0 +1,415 @@ +diff --git a/values-hub.yaml b/values-hub.yaml +index 65b3645..05d25ea 100644 +--- a/values-hub.yaml ++++ b/values-hub.yaml +@@ -28,34 +28,34 @@ clusterGroup: + targetNamespace: cert-manager-operator + # Layer 1: Storage and Registry + # Required for RHTPA and QUAY (provides NooBaa object storage backend) +- # - openshift-storage: +- # operatorGroup: true +- # targetNamespace: openshift-storage +- # annotations: +- # openshift.io/cluster-monitoring: "true" +- # argocd.argoproj.io/sync-wave: "-5" # Propagated to OperatorGroup by framework +- # - quay-enterprise: +- # annotations: +- # argocd.argoproj.io/sync-wave: "1" # Create before NooBaa and all Quay components +- # labels: +- # openshift.io/cluster-monitoring: "true" ++ - openshift-storage: ++ operatorGroup: true ++ targetNamespace: openshift-storage ++ annotations: ++ openshift.io/cluster-monitoring: "true" ++ argocd.argoproj.io/sync-wave: "-5" # Propagated to OperatorGroup by framework ++ - quay-enterprise: ++ annotations: ++ argocd.argoproj.io/sync-wave: "1" # Create before NooBaa and all Quay components ++ labels: ++ openshift.io/cluster-monitoring: "true" + # RHTAS namespace (required when RHTAS application is enabled) + # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE signing +- # - trusted-artifact-signer: +- # annotations: +- # argocd.argoproj.io/sync-wave: "1" # Auto-created by RHTAS operator +- # labels: +- # openshift.io/cluster-monitoring: "true" +- # - rhtpa-operator: +- # operatorGroup: true +- # targetNamespace: rhtpa-operator +- # annotations: +- # argocd.argoproj.io/sync-wave: "-5" # Create before operator subscription +- # - trusted-profile-analyzer: +- # annotations: +- # argocd.argoproj.io/sync-wave: "1" # Create before RHTPA components +- # labels: +- # openshift.io/cluster-monitoring: "true" ++ - trusted-artifact-signer: ++ annotations: ++ argocd.argoproj.io/sync-wave: "1" # Auto-created by RHTAS operator ++ labels: ++ openshift.io/cluster-monitoring: "true" ++ - 
rhtpa-operator: ++ operatorGroup: true ++ targetNamespace: rhtpa-operator ++ annotations: ++ argocd.argoproj.io/sync-wave: "-5" # Create before operator subscription ++ - trusted-profile-analyzer: ++ annotations: ++ argocd.argoproj.io/sync-wave: "1" # Create before RHTPA components ++ labels: ++ openshift.io/cluster-monitoring: "true" + - zero-trust-workload-identity-manager: + operatorGroup: true + targetNamespace: zero-trust-workload-identity-manager +@@ -65,7 +65,7 @@ clusterGroup: + annotations: + openshift.io/cluster-monitoring: "true" + # Secure Supply Chain: Uncomment to enable OpenShift Pipelines +- # - openshift-pipelines ++ - openshift-pipelines + subscriptions: + acm: + name: advanced-cluster-management +@@ -78,9 +78,9 @@ clusterGroup: + channel: stable-v1 + catalogSource: redhat-marketplace + # Secure Supply Chain: Uncomment to enable OpenShift Pipelines +- # openshift-pipelines: +- # name: openshift-pipelines-operator-rh +- # namespace: openshift-operators ++ openshift-pipelines: ++ name: openshift-pipelines-operator-rh ++ namespace: openshift-operators + rhbk: + name: rhbk-operator + namespace: keycloak-system +@@ -102,37 +102,37 @@ clusterGroup: + # Storage and Registry operator subscriptions + # Required for RHTPA and QUAY (provides NooBaa object storage backend) + # ODF provides object storage backend (NooBaa) for RHTPA and optionally Quay +- # odf: +- # name: odf-operator +- # namespace: openshift-storage +- # channel: stable-4.20 +- # annotations: +- # argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5) +- # quay-operator: +- # name: quay-operator +- # namespace: openshift-operators +- # channel: stable-3.15 +- # annotations: +- # argocd.argoproj.io/sync-wave: "-3" # Install after ODF operator ++ odf: ++ name: odf-operator ++ namespace: openshift-storage ++ channel: stable-4.20 ++ annotations: ++ argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5) ++ quay-operator: ++ name: quay-operator ++ namespace: 
openshift-operators ++ channel: stable-3.15 ++ annotations: ++ argocd.argoproj.io/sync-wave: "-3" # Install after ODF operator + # RHTAS operator subscription (required when RHTAS application is enabled) + # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE integration +- # rhtas-operator: +- # name: rhtas-operator +- # namespace: openshift-operators +- # channel: stable +- # annotations: +- # argocd.argoproj.io/sync-wave: "-2" # Install after Quay operator, before applications +- # catalogSource: redhat-operators ++ rhtas-operator: ++ name: rhtas-operator ++ namespace: openshift-operators ++ channel: stable ++ annotations: ++ argocd.argoproj.io/sync-wave: "-2" # Install after Quay operator, before applications ++ catalogSource: redhat-operators + # RHTPA operator subscription + # Channel: stable-v1.1 provides latest 1.1.x patch updates + # Note: No direct upgrade path from 1.1.x to 2.x (requires fresh install) +- # rhtpa-operator: +- # name: rhtpa-operator +- # namespace: rhtpa-operator # MUST use dedicated namespace (not openshift-operators) +- # channel: stable-v1.1 # Use stable-v1.1 channel for 1.1.x updates +- # catalogSource: redhat-operators +- # annotations: +- # argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications ++ rhtpa-operator: ++ name: rhtpa-operator ++ namespace: rhtpa-operator # MUST use dedicated namespace (not openshift-operators) ++ channel: stable-v1.1 # Use stable-v1.1 channel for 1.1.x updates ++ catalogSource: redhat-operators ++ annotations: ++ argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications + projects: + - hub + # Explicitly mention the cluster-state based overrides we plan to use for this pattern. 
+@@ -212,103 +212,104 @@ clusterGroup: + policies: + - global-secret + # RHTPA vault role +- # - name: rhtpa +- # audience: rhtpa +- # subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa +- # policies: +- # - global-secret ++ - name: rhtpa ++ audience: rhtpa ++ subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa ++ policies: ++ - global-secret + # Shared Object Storage Backend + # Required for RHTPA and QUAY (provides S3-compatible storage via NooBaa MCG) + # NooBaa MCG provides S3-compatible object storage for multiple applications +- # noobaa-mcg: +- # name: noobaa-mcg +- # namespace: openshift-storage +- # project: hub +- # path: charts/noobaa-mcg +- # annotations: +- # argocd.argoproj.io/sync-wave: "5" # Deploy after core services ++ noobaa-mcg: ++ name: noobaa-mcg ++ namespace: openshift-storage ++ project: hub ++ path: charts/noobaa-mcg ++ annotations: ++ argocd.argoproj.io/sync-wave: "5" # Deploy after core services + # Quay Container Registry (uses NooBaa for storage) +- # quay-registry: +- # name: quay-registry +- # namespace: quay-enterprise +- # project: hub +- # path: charts/quay-registry +- # annotations: +- # argocd.argoproj.io/sync-wave: "10" # Deploy after NooBaa storage backend ++ quay-registry: ++ name: quay-registry ++ namespace: quay-enterprise ++ project: hub ++ path: charts/quay-registry ++ annotations: ++ argocd.argoproj.io/sync-wave: "10" # Deploy after NooBaa storage backend + # RHTAS with SPIFFE Integration + # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE and Email issuers + # Depends on: Vault, SPIRE, Keycloak (for Email OIDC issuer if used) +- # trusted-artifact-signer: +- # name: trusted-artifact-signer +- # namespace: trusted-artifact-signer +- # project: hub +- # path: charts/rhtas-operator +- # annotations: +- # argocd.argoproj.io/sync-wave: "15" # Deploy after dependencies +- # overrides: +- # # OIDC Issuer Configuration - Both can be 
enabled simultaneously +- # # Enable SPIFFE issuer for workload identity +- # - name: rhtas.zeroTrust.spire.enabled +- # value: "true" +- # - name: rhtas.zeroTrust.spire.trustDomain +- # value: "apps.{{ $.Values.global.clusterDomain }}" +- # - name: rhtas.zeroTrust.spire.issuer +- # value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}" +- # # Enable Keycloak issuer for user/email authentication +- # - name: rhtas.zeroTrust.email.enabled +- # value: "true" +- # - name: rhtas.zeroTrust.email.issuer +- # value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp ++ trusted-artifact-signer: ++ name: trusted-artifact-signer ++ namespace: trusted-artifact-signer ++ project: hub ++ path: charts/rhtas-operator ++ annotations: ++ argocd.argoproj.io/sync-wave: "15" # Deploy after dependencies ++ overrides: ++ # OIDC Issuer Configuration - Both can be enabled simultaneously ++ # Enable SPIFFE issuer for workload identity ++ - name: rhtas.zeroTrust.spire.enabled ++ value: "true" ++ - name: rhtas.zeroTrust.spire.trustDomain ++ value: "apps.{{ $.Values.global.clusterDomain }}" ++ - name: rhtas.zeroTrust.spire.issuer ++ value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}" ++ # Enable Keycloak issuer for user/email authentication ++ - name: rhtas.zeroTrust.email.enabled ++ value: "true" ++ - name: rhtas.zeroTrust.email.issuer ++ value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp + # RHTPA (Red Hat Trusted Profile Analyzer) with SPIFFE Integration + # Depends on: NooBaa MCG (storage), Vault (secrets), SPIRE (identity), Keycloak (auth) +- # trusted-profile-analyzer: +- # name: trusted-profile-analyzer +- # namespace: trusted-profile-analyzer +- # project: hub +- # path: charts/rhtpa-operator +- # annotations: +- # argocd.argoproj.io/sync-wave: "10" # Create chart resources (OBC, DB, etc.) 
+- # # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 50 +- # # to ensure the operator is fully ready (mitigates v1.1.0 initialization bug) +- # # Ignore differences to prevent OutOfSync status +- # ignoreDifferences: +- # # Ignore Job status changes (completion, failure counts, conditions) +- # # Jobs are created by hooks and their status changes don't require re-sync +- # - group: batch +- # kind: Job +- # jsonPointers: +- # - /status +- # overrides: +- # # Vault Integration +- # # - name: rhtpa.zeroTrust.vault.url +- # # value: https://vault.vault.svc.cluster.local:8200 +- # # Keycloak URL is automatically constructed from global.localClusterDomain +- # # TLS Configuration - Custom Ingress CA (for Azure/AWS/GCP with custom certs) +- # # For standard OpenShift deployments, auto-detection works without overrides +- # # For cloud platforms with custom ingress certs in non-standard locations: +- # # - name: rhtpa.tls.ingressCA.customSource.enabled +- # # value: "true" +- # # - name: rhtpa.tls.ingressCA.customSource.secretName +- # # value: "custom-ingress-cert" +- # # - name: rhtpa.tls.ingressCA.customSource.secretNamespace +- # # value: "openshift-ingress" +- # # - name: rhtpa.tls.ingressCA.customSource.secretKey +- # # value: "tls.crt" +- # # Importer Configuration +- # # Enable all 5 importers explicitly (chart defaults: cve and osv-github enabled) +- # # Period defaults to 1d for all importers (configured in chart) +- # # Default importers +- # # - name: rhtpa.modules.createImporters.importers.cve.cve.disabled +- # # value: "false" +- # # - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled +- # # value: "false" +- # # Additional importers (disabled by default due to large datasets) +- # # - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled +- # # value: "false" +- # # - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled +- # # value: "false" +- # # - name: 
rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled +- # # value: "false" ++ trusted-profile-analyzer: ++ name: trusted-profile-analyzer ++ namespace: trusted-profile-analyzer ++ project: hub ++ path: charts/rhtpa-operator ++ annotations: ++ argocd.argoproj.io/sync-wave: "10" # Create chart resources (OBC, DB, etc.) ++ # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 50 ++ # to ensure the operator is fully ready (mitigates v1.1.0 initialization bug) ++ # Ignore differences to prevent OutOfSync status ++ ignoreDifferences: ++ # Ignore Job status changes (completion, failure counts, conditions) ++ # Jobs are created by hooks and their status changes don't require re-sync ++ - group: batch ++ kind: Job ++ jsonPointers: ++ - /status ++ overrides: ++ # Vault Integration ++ - name: rhtpa.zeroTrust.vault.url ++ value: https://vault.vault.svc.cluster.local:8200 ++ # Keycloak URL is automatically constructed from global.localClusterDomain ++ # TLS Configuration - Custom Ingress CA (for Azure/AWS/GCP with custom certs) ++ # For standard OpenShift deployments, auto-detection works without overrides ++ # For cloud platforms with custom ingress certs in non-standard locations: ++ # - name: rhtpa.tls.ingressCA.customSource.enabled ++ # value: "true" ++ # - name: rhtpa.tls.ingressCA.customSource.secretName ++ # value: "custom-ingress-cert" ++ # - name: rhtpa.tls.ingressCA.customSource.secretNamespace ++ # value: "openshift-ingress" ++ # - name: rhtpa.tls.ingressCA.customSource.secretKey ++ # value: "tls.crt" ++ # Importer Configuration ++ # Enable all 5 importers explicitly (chart defaults: cve and osv-github enabled) ++ # Period defaults to 1d for all importers (configured in chart) ++ # Default importers ++ - name: rhtpa.modules.createImporters.importers.cve.cve.disabled ++ value: "false" ++ - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled ++ value: "false" ++ # Additional importers (disabled by default due to large 
datasets) ++ - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled ++ value: "false" ++ - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled ++ value: "false" ++ - name: rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled ++ value: "false" ++ # COMMENTED OUT - Uncomment to enable RHTPA + golang-external-secrets: + name: golang-external-secrets + namespace: golang-external-secrets +@@ -350,39 +351,39 @@ clusterGroup: + - name: app.vault.secretPath + value: secret/data/global/qtodo + # For Secure Supply Chain, we changed the qtodo image to use the one built in the secure supply chain +- # - name: app.images.main.name +- # value: quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}/ztvp/qtodo +- # - name: app.images.main.version +- # value: latest ++ - name: app.images.main.name ++ value: quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}/ztvp/qtodo ++ - name: app.images.main.version ++ value: latest + # Uncomment to enable registry authentication +- # - name: app.images.main.registry.auth +- # value: true +- # - name: app.images.main.registry.user +- # value: quay-user +- # - name: app.images.main.registry.passwordVaultKey +- # value: quay-user-password ++ - name: app.images.main.registry.auth ++ value: true ++ - name: app.images.main.registry.user ++ value: quay-admin ++ - name: app.images.main.registry.passwordVaultKey ++ value: quay-admin-password + # Secure Supply Chain - Uncomment to enable +- # supply-chain: +- # name: supply-chain +- # project: hub +- # path: charts/supply-chain +- # ignoreDifferences: +- # - group: "" +- # kind: ServiceAccount +- # jqPathExpressions: +- # - .imagePullSecrets[]|select(.name | contains("-dockercfg-")) +- # overrides: +- # # Don't forget to uncomment the RHTAS and RHTPA components in this same file +- # - name: rhtas.enabled +- # value: true +- # - name: rhtpa.enabled +- # value: true +- # - name: 
registry.tlsVerify
+- # value: "false"
+- # - name: registry.user
+- # value: quay-admin
+- # - name: registry.passwordVaultKey
+- # value: quay-admin-password
++ supply-chain:
++ name: supply-chain
++ project: hub
++ path: charts/supply-chain
++ ignoreDifferences:
++ - group: ""
++ kind: ServiceAccount
++ jqPathExpressions:
++ - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
++ overrides:
++ # Don't forget to uncomment the RHTAS and RHTPA components in this same file
++ - name: rhtas.enabled
++ value: true
++ - name: rhtpa.enabled
++ value: true
++ - name: registry.tlsVerify
++ value: "false"
++ - name: registry.user
++ value: quay-admin
++ - name: registry.passwordVaultKey
++ value: quay-admin-password
+ argoCD:
+ resourceHealthChecks:
+ - check: |
From ce54c5ea11ebcb3258569d63634a28ae5e253b7b Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:41:02 +0100
Subject: [PATCH 02/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 0d82849d..f2406033 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -24,7 +24,7 @@ In our demo, we will use a number of additional ZTVP components. These component We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the `values-hub.yaml` file -* `clustergroup.namespaces`. Create the namespaces for the components. +* In the `clustergroup.namespaces` section, create the namespaces for the components by uncommenting the following ```shell - openshift-storage:
From 4520be85b3821d0df6007518230b4083e0646df8 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:41:17 +0100
Subject: [PATCH 03/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
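Review bot: The `supply-chain` and `qtodo` overrides uncommented in the `@@ -350,39 +351,39 @@` hunk at the end of this new patch file leave `registry.tlsVerify` at `"false"` (which, from the key name, disables TLS verification toward the Quay registry on the pipeline side) and, unlike the commented-out lines they replace, switch the qtodo pull identity from `quay-user`/`quay-user-password` to `quay-admin`/`quay-admin-password`, so the application runtime holds the registry administrator credential. For a use case whose point is a verifiable supply chain, TLS verification should stay on (the ingress CA is what to trust, not the check to drop) and qtodo should keep the dedicated, least-privileged identity: `value: quay-user` and `value: quay-user-password` for `app.images.main.registry.user` and `app.images.main.registry.passwordVaultKey`. `app.images.main.version: latest` likewise deploys a mutable tag, which undercuts the signing/attestation flow the RHTAS section sets up; pinning an immutable tag or digest and verifying it before admission is the defender-side control. The same snippets are repeated verbatim in the docs/supply-chain.md hunk (`@@ -20,6 +20,200 @@`) of this patch, so both places need the same correction, and if `tlsVerify: "false"` is a deliberate demo shortcut the inline comment should say so and name what it gives up.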
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index f2406033..e7aa4dab 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -56,7 +56,7 @@ We've seen the components we'll use in this use case. To configure them, we must - openshift-pipelines ``` -* `clusterGroup.subscriptions`. Create the subscriptions for the components operators. +* In the `clusterGroup.subscriptions` section, create the subscriptions for the components operators by uncommenting the following: ```shell openshift-pipelines:
From cd00395d9f281865a438aa0d8c60b425f694566c Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:41:29 +0100
Subject: [PATCH 04/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index e7aa4dab..37f89b91 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -90,7 +90,7 @@ We've seen the components we'll use in this use case. To configure them, we must argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications ``` -* `applications`: Configure the applications. +* `Configure the Argo CD applications`: ```shell noobaa-mcg:
From 0b7e93596acd2d97625e75c3674ab9d7c7294a73 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:41:54 +0100
Subject: [PATCH 05/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 37f89b91..22382685 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -183,7 +183,7 @@ We've seen the components we'll use in this use case. To configure them, we must value: quay-admin-password ``` -* `applications.vault.jwt.roles.policies`: In the **Vault** polices, add the policy **rhtpa**. +* `applications.vault.jwt.roles.policies`: In the **Vault** policies section, uncomment the following: ```shell - name: rhtpa
From fc7d4a95baf4772e47eb9a0b37559007a38cdb72 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:42:17 +0100
Subject: [PATCH 06/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 22382685..9f1bd65a 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -208,7 +208,7 @@ We've seen the components we'll use in this use case. To configure them, we must value: quay-admin-password ``` -You can apply this changes to your configuration using [this patch file](./values-patches/supply-chain.patch): +The proceeding changes can also be configured by applying [this patch file](./values-patches/supply-chain.patch): ```shell git apply docs/values-patches/supply-chain.patch
From 8fc038777350a04ccab2d6d8ecdfc0097db696b0 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:42:42 +0100
Subject: [PATCH 07/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 9f1bd65a..5cd59f7a 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -193,7 +193,7 @@ We've seen the components we'll use in this use case. To configure them, we must - global-secret ``` -* `applications.qtodo.overrides`: Configure **qtodo** to use the Quay registry. +* `applications.qtodo.overrides`: In the **qtodo** overrides section, specify the following to source content from the Quay registry instance. ```shell - name: app.images.main.name
From 74283824b358c5e72d282ae1802f472fc2599018 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 5 Jan 2026 18:49:38 +0100
Subject: [PATCH 08/18] Add link for values-hub.yaml
Signed-off-by: Manuel Lorenzo
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 5cd59f7a..77235388 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -22,7 +22,7 @@ In our demo, we will use a number of additional ZTVP components. These component ### Setting up the values -We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the `values-hub.yaml` file +We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the [values-hub.yaml](../values-hub.yaml) file * In the `clustergroup.namespaces` section, create the namespaces for the components by uncommenting the following
From cc18378e3c1aec86720b6e4fd36c2fcd29143c06 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:22:24 +0100
Subject: [PATCH 09/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 77235388..1da2e5f9 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -20,7 +20,7 @@ In our demo, we will use a number of additional ZTVP components. These component
 * [Multicloud Object Gateway](https://docs.redhat.com/en/documentation/red_hat_openshift_container_storage/4.8/html/managing_hybrid_and_multicloud_resources/index) is a data service for OpenShift that provides an S3-compatible object storage. In our case, this component is necessary to provide a storage system to Quay.
 * [Red Hat OpenShift Pipelines](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20) is a cloud-native CI/CD solution built on the Tekton framework. We will use this product to automate our secure supply chain process, but you could use your own CI/CD solution if one exists.
-### Setting up the values
+### Defining the values
 We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the [values-hub.yaml](../values-hub.yaml) file
From 85bf0192197bf2f72a1e5bbe9e55890d1db667b7 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:22:57 +0100
Subject: [PATCH 10/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 1da2e5f9..d10e1adb 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -22,7 +22,7 @@ In our demo, we will use a number of additional ZTVP components. These component
 ### Defining the values
-We've seen the components we'll use in this use case. To configure them, we must add (uncomment) these parameters to the [values-hub.yaml](../values-hub.yaml) file
+To enable this use case, the following parameters should be defined within the [values-hub.yaml](../values-hub.yaml) file
 * In the `clustergroup.namespaces` section, create the namespaces for the components by uncommenting the following
From 34ff570d9671d6129fbca6fb48b7101dad20458c Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:23:17 +0100
Subject: [PATCH 11/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index d10e1adb..f631581e 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -90,7 +90,7 @@ To enable this use case, the following parameters should be defined within the [
 argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications
 ```
-* `Configure the Argo CD applications`:
+* Configure the Argo CD _Applications_:
 ```shell
 noobaa-mcg:
From eae10595286db9707b641e546bb6e560f929dc36 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:23:32 +0100
Subject: [PATCH 12/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index f631581e..fe79847e 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -24,7 +24,7 @@ In our demo, we will use a number of additional ZTVP components. These component
 To enable this use case, the following parameters should be defined within the [values-hub.yaml](../values-hub.yaml) file
-* In the `clustergroup.namespaces` section, create the namespaces for the components by uncommenting the following
+* In the `clustergroup.namespaces` section, create the _Namespaces_ for the components by uncommenting the following
 ```shell
 - openshift-storage:
From c3d298a6b8b376370987186c445a2bb05d7e2911 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:23:45 +0100
Subject: [PATCH 13/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index fe79847e..2ffa665a 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -56,7 +56,7 @@ To enable this use case, the following parameters should be defined within the [
 - openshift-pipelines
 ```
-* In the `clusterGroup.subscriptions` section, create the subscriptions for the components operators by uncommenting the following:
+* In the `clusterGroup.subscriptions` section, create the _Subscriptions_ for the components operators by uncommenting the following:
 ```shell
 openshift-pipelines:
From f69dbc4e9278274f1053f03f61e9d11fd64613e2 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:24:02 +0100
Subject: [PATCH 14/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 2ffa665a..78901b40 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -183,7 +183,7 @@ To enable this use case, the following parameters should be defined within the [
 value: quay-admin-password
 ```
-* `applications.vault.jwt.roles.policies`: In the **Vault** policies section, uncomment the following:
+* `applications.vault.jwt.roles.policies`: In the _Vault_ policies section, uncomment the following:
 ```shell
 - name: rhtpa
From 895954a3f76c62e93b34875350c22f3b512ef9a3 Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:24:12 +0100
Subject: [PATCH 15/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 78901b40..49cce499 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -193,7 +193,7 @@ To enable this use case, the following parameters should be defined within the [
 - global-secret
 ```
-* `applications.qtodo.overrides`: In the **qtodo** overrides section, specify the following to source content from the Quay registry instance.
+* `applications.qtodo.overrides`: In the _qtodo_ overrides section, specify the following to source content from the Quay registry instance.
 ```shell
 - name: app.images.main.name
From 6874786b2a17d030e2337c2ae292325596dcd0cf Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:24:40 +0100
Subject: [PATCH 16/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 49cce499..6abe6716 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -208,7 +208,7 @@ To enable this use case, the following parameters should be defined within the [
 value: quay-admin-password
 ```
-The proceeding changes can also be configured by applying [this patch file](./values-patches/supply-chain.patch):
+To simplify setting the appropriate values for this use case, [this Git patch file](./values-patches/supply-chain.patch) can be used to automate applying the desired configurations by executing the following command from the root of the repository:
 ```shell
 git apply docs/values-patches/supply-chain.patch
From f2a5861816873f9d76c2c23c6425c6511dfd960d Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:24:59 +0100
Subject: [PATCH 17/18] Update docs/supply-chain.md
Co-authored-by: Andrew Block
---
 docs/supply-chain.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 6abe6716..3a95ca52 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -214,7 +214,7 @@ To simplify setting the appropriate values for this use case, [this Git patch fi
 git apply docs/values-patches/supply-chain.patch
 ```
-## Automatic approach
+## Automated Secure Supply Chain Pipeline
 To automate the application building and certifying process, we will use _Red Hat OpenShift Pipelines_.
From 9e7cc33273b992fbb317afda59877f856ac45dfb Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 12 Jan 2026 12:39:23 +0100
Subject: [PATCH 18/18] Add additional notes for git apply
Signed-off-by: Manuel Lorenzo
---
 docs/supply-chain.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/docs/supply-chain.md b/docs/supply-chain.md
index 3a95ca52..ef0cc02f 100644
--- a/docs/supply-chain.md
+++ b/docs/supply-chain.md
@@ -214,6 +214,18 @@ To simplify setting the appropriate values for this use case, [this Git patch fi
 git apply docs/values-patches/supply-chain.patch
 ```
+> [!NOTE]
+> Ensure you commit the applied changes to a feature branch and push that branch to your remote Git repository.
+>
+> For example:
+>
+> ```shell
+> git checkout -b supply-chain-setup
+> git add .
+> git commit -m "Apply supply chain configuration patch"
+> git push origin supply-chain-setup
+> ```
+
 ## Automated Secure Supply Chain Pipeline
 To automate the application building and certifying process, we will use _Red Hat OpenShift Pipelines_.