From 90e8d94f7c291fec4808b2ac7330a407a2b0582e Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Sat, 14 Mar 2026 13:32:59 +0100
Subject: [PATCH 1/2] Add supply-chain.yaml. 1st Draft
Signed-off-by: Manuel Lorenzo
---
 docs/conf/supply-chain.yaml | 163 ++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 docs/conf/supply-chain.yaml
diff --git a/docs/conf/supply-chain.yaml b/docs/conf/supply-chain.yaml
new file mode 100644
index 00000000..a941cf0e
--- /dev/null
+++ b/docs/conf/supply-chain.yaml
@@ -0,0 +1,163 @@
+---
+clusterGroup:
+ namespaces:
+ - openshift-storage:
+ operatorGroup: true
+ targetNamespace: openshift-storage
+ annotations:
+ openshift.io/cluster-monitoring: "true"
+ argocd.argoproj.io/sync-wave: "-5"
+ - quay-enterprise:
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ labels:
+ openshift.io/cluster-monitoring: "true"
+ - trusted-artifact-signer:
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ labels:
+ openshift.io/cluster-monitoring: "true"
+ - rhtpa-operator:
+ operatorGroup: true
+ targetNamespace: rhtpa-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "-5"
+ - trusted-profile-analyzer:
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ labels:
+ openshift.io/cluster-monitoring: "true"
+ - openshift-pipelines
+ subscriptions:
+ openshift-pipelines:
+ name: openshift-pipelines-operator-rh
+ namespace: openshift-operators
+ odf:
+ name: odf-operator
+ namespace: openshift-storage
+ channel: stable-4.20
+ annotations:
+ argocd.argoproj.io/sync-wave: "-4"
+ quay-operator:
+ name: quay-operator
+ namespace: openshift-operators
+ channel: stable-3.15
+ annotations:
+ argocd.argoproj.io/sync-wave: "-3"
+ rhtas-operator:
+ name: rhtas-operator
+ namespace: openshift-operators
+ channel: stable
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2"
+ catalogSource: redhat-operators
+ rhtpa-operator:
+ name: rhtpa-operator
+ namespace: rhtpa-operator
+ channel: stable-v1.1
+ catalogSource: redhat-operators
+ annotations:
+ argocd.argoproj.io/sync-wave: "-4"
+ applications:
+ vault:
+ jwt:
+ roles:
+ - name: rhtpa
+ audience: rhtpa
+ subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa
+ policies:
+ - hub-infra-rhtpa-jwt-secret
+ - name: supply-chain
+ audience: supply-chain
+ subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/pipeline/sa/pipeline
+ policies:
+ - hub-supply-chain-jwt-secret
+ noobaa-mcg:
+ name: noobaa-mcg
+ namespace: openshift-storage
+ project: hub
+ path: 
charts/noobaa-mcg
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
+ quay-registry:
+ name: quay-registry
+ namespace: quay-enterprise
+ project: hub
+ path: charts/quay-registry
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ trusted-artifact-signer:
+ name: trusted-artifact-signer
+ namespace: trusted-artifact-signer
+ project: hub
+ path: charts/rhtas-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "15"
+ overrides:
+ - name: rhtas.zeroTrust.spire.enabled
+ value: "true"
+ - name: rhtas.zeroTrust.spire.trustDomain
+ value: "apps.{{ $.Values.global.clusterDomain }}"
+ - name: rhtas.zeroTrust.spire.issuer
+ value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}"
+ - name: rhtas.zeroTrust.email.enabled
+ value: "true"
+ - name: rhtas.zeroTrust.email.issuer
+ value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp
+ trusted-profile-analyzer:
+ name: trusted-profile-analyzer
+ namespace: trusted-profile-analyzer
+ project: hub
+ path: charts/rhtpa-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ ignoreDifferences:
+ - group: batch
+ kind: Job
+ jsonPointers:
+ - /status
+ overrides:
+ - name: rhtpa.zeroTrust.vault.url
+ value: https://vault.vault.svc.cluster.local:8200
+ - name: rhtpa.modules.createImporters.importers.cve.cve.disabled
+ value: "false"
+ - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled
+ value: "false"
+ - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled
+ value: "false"
+ - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled
+ value: "false"
+ - name: rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled
+ value: "false"
+ qtodo:
+ overrides:
+ - name: app.images.main.name
+ value: quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}/ztvp/qtodo
+ - name: app.images.main.version
+ value: latest
+ - name: app.images.main.registry.auth
+ value: true
+ - name: app.images.main.registry.user
+ value: quay-user
+ - name: app.images.main.registry.passwordVaultKey
+ value: quay-user-password
+ supply-chain:
+ name: supply-chain
+ project: hub
+ path: charts/supply-chain
+ ignoreDifferences:
+ - group: ""
+ kind: ServiceAccount
+ jqPathExpressions:
+ - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
+ overrides:
+ - name: rhtas.enabled
+ value: true
+ - name: rhtpa.enabled
+ value: true
+ - name: registry.tlsVerify
+ value: "false"
+ - name: registry.user
+ value: quay-admin
+ - name: registry.passwordVaultKey
+ value: quay-admin-password
From b8f8850c579de1e69f1004b183fe1f14347ea9ba Mon Sep 17 00:00:00 2001
From: Manuel Lorenzo
Date: Mon, 23 Mar 2026 16:55:14 +0100
Subject: [PATCH 2/2] Update ArgoCD sync-wave values
Signed-off-by: Manuel Lorenzo
---
 docs/conf/supply-chain.yaml | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/docs/conf/supply-chain.yaml b/docs/conf/supply-chain.yaml
index a941cf0e..2460524b 100644
--- a/docs/conf/supply-chain.yaml
+++ b/docs/conf/supply-chain.yaml
@@ -6,25 +6,25 @@ clusterGroup:
 targetNamespace: openshift-storage
 annotations:
 openshift.io/cluster-monitoring: "true"
- argocd.argoproj.io/sync-wave: "-5"
+ argocd.argoproj.io/sync-wave: "26"
 - quay-enterprise:
 annotations:
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "32"
 labels:
 openshift.io/cluster-monitoring: "true"
 - trusted-artifact-signer:
 annotations:
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "32"
 labels:
 openshift.io/cluster-monitoring: "true"
 - rhtpa-operator:
 operatorGroup: true
 targetNamespace: rhtpa-operator
 annotations:
- argocd.argoproj.io/sync-wave: "-5"
+ argocd.argoproj.io/sync-wave: "26"
 - trusted-profile-analyzer:
 annotations:
- argocd.argoproj.io/sync-wave: "1"
+ argocd.argoproj.io/sync-wave: "32"
 labels:
 openshift.io/cluster-monitoring: "true"
 - openshift-pipelines
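Review bot: The `supply-chain` overrides at the end of the hunk set `registry.tlsVerify` to `"false"`, which (assuming the chart forwards it to the pipeline's registry client) disables certificate verification on the connection to the internal Quay registry, so a network-position attacker could substitute or alter an image before it is signed and attested — the opposite of what this pattern exists to guarantee. Prefer `value: "true"` and have the chart trust the cluster's ingress CA bundle rather than turning verification off. The same block runs the pipeline as `registry.user: quay-admin`; a robot account scoped to the `ztvp` organization with push rights only would bound the impact of the Vault-held `quay-admin-password`. In the `qtodo` block, `app.images.main.version` is the mutable tag `latest`, so what gets deployed is not necessarily what was signed; an immutable tag or digest is preferable. Minor: `rhtas.zeroTrust.email.issuer` and `app.images.main.registry.auth` are the only override values left unquoted, while their siblings are quoted — quoting them avoids Helm type surprises with the templated URL and the boolean.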
@@ -37,19 +37,19 @@ clusterGroup:
 namespace: openshift-storage
 channel: stable-4.20
 annotations:
- argocd.argoproj.io/sync-wave: "-4"
+ argocd.argoproj.io/sync-wave: "27"
 quay-operator:
 name: quay-operator
 namespace: openshift-operators
 channel: stable-3.15
 annotations:
- argocd.argoproj.io/sync-wave: "-3"
+ argocd.argoproj.io/sync-wave: "28"
 rhtas-operator:
 name: rhtas-operator
 namespace: openshift-operators
 channel: stable
 annotations:
- argocd.argoproj.io/sync-wave: "-2"
+ argocd.argoproj.io/sync-wave: "29"
 catalogSource: redhat-operators
 rhtpa-operator:
 name: rhtpa-operator
@@ -57,7 +57,7 @@ clusterGroup:
 channel: stable-v1.1
 catalogSource: redhat-operators
 annotations:
- argocd.argoproj.io/sync-wave: "-4"
+ argocd.argoproj.io/sync-wave: "27"
 applications:
 vault:
 jwt:
@@ -78,21 +78,21 @@ clusterGroup:
 project: hub
 path: charts/noobaa-mcg
 annotations:
- argocd.argoproj.io/sync-wave: "5"
+ argocd.argoproj.io/sync-wave: "36"
 quay-registry:
 name: quay-registry
 namespace: quay-enterprise
 project: hub
 path: charts/quay-registry
 annotations:
- argocd.argoproj.io/sync-wave: "10"
+ argocd.argoproj.io/sync-wave: "41"
 trusted-artifact-signer:
 name: trusted-artifact-signer
 namespace: trusted-artifact-signer
 project: hub
 path: charts/rhtas-operator
 annotations:
- argocd.argoproj.io/sync-wave: "15"
+ argocd.argoproj.io/sync-wave: "46"
 overrides:
 - name: rhtas.zeroTrust.spire.enabled
 value: "true"
@@ -110,7 +110,7 @@ clusterGroup:
 project: hub
 path: charts/rhtpa-operator
 annotations:
- argocd.argoproj.io/sync-wave: "10"
+ argocd.argoproj.io/sync-wave: "41"
 ignoreDifferences:
 - group: batch
 kind: Job
@@ -138,13 +138,15 @@ clusterGroup:
 - name: app.images.main.registry.auth
 value: true
 - name: app.images.main.registry.user
- value: quay-user
+ value: quay-admin
 - name: app.images.main.registry.passwordVaultKey
- value: quay-user-password
+ value: quay-admin-password
 supply-chain:
 name: supply-chain
 project: hub
 path: charts/supply-chain
+ annotations:
+ argocd.argoproj.io/sync-wave: "48"
 ignoreDifferences:
 - group: ""
 kind: ServiceAccount
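Review bot: Switching qtodo's pull credentials from `quay-user` to `quay-admin` (the first two changed lines) makes the workload's image pull use the registry's administrative account, whose Vault key the `supply-chain` application also references for its pipeline pushes; a leak of the consuming namespace's pull secret would then grant push rights over the whole registry rather than read access to one repository. If the switch works around `quay-user` not existing or lacking read access on `ztvp/qtodo`, the least-privilege fix is a pull-only robot account for that repository, e.g. `value: quay-reader` and `value: quay-reader-password` with matching Vault entries, keeping `quay-admin` for the pipeline only. The `qtodo` overrides begin and the `supply-chain` application continues outside the hunk.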