From 888967337060527950424c9a7469b67f494ce20b Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Fri, 17 Apr 2026 16:40:44 +0200
Subject: [PATCH 1/9] Improve readme instructions

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9405951..d5b0e32 100644
--- a/README.md
+++ b/README.md
@@ -189,8 +189,8 @@ oc create configmap patterns-operator-config \
 --from-literal=catalog.image=quay.io/my-org/pattern-ui-catalog:1.0.0
 ```
-The operator picks up the change on its next reconciliation loop and performs a
-rolling update of the catalog deployment.
+The operator manager pod needs to be deleted for the change to be picked up.
+After that the UI will point to the new catalog.
 ## Authenticated container registries

From 0627f6866c980ce6f1193183d80971be9c70c339 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 22 Apr 2026 13:57:45 +0000
Subject: [PATCH 2/9] Bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.2 to 0.5.3.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](https://github.com/zizmorcore/zizmor-action/compare/71321a20a9ded102f6e9ce5718a2fcec2c4f70d8...b1d7e1fb5de872772f31590499237e7cce841e8e)
---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
 dependency-version: 0.5.3
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 2cb6071..29ce057 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -23,4 +23,4 @@ jobs:
 persist-credentials: false
 - name: Run zizmor
- uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

From f09309c98ceedb69ce25712a2b5577cef2a73c38 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 22 Apr 2026 13:57:51 +0000
Subject: [PATCH 3/9] Bump actions/upload-artifact from 7.0.0 to 7.0.1

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
 dependency-version: 7.0.1
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/build-and-push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index d370251..b6dd18d 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -62,7 +62,7 @@ jobs:
 buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}"
 - name: Upload image artifact
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: image-${{ matrix.targetarch }}-${{ github.run_id }}
 path: /tmp/image-${{ matrix.targetarch }}.tar

From e468225888de3b07107f8fb49068caff209c5dd3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 13 May 2026 14:14:47 +0000
Subject: [PATCH 4/9] Bump sigstore/cosign-installer from 4.1.1 to 4.1.2

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003...6f9f17788090df1f26f669e9d70d6ae9567deba6)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
 dependency-version: 4.1.2
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/build-and-push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index b6dd18d..1a076d1 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -116,7 +116,7 @@ jobs:
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 - name: Install cosign
- uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 with:
 cosign-release: "v2.2.4"

From 44dc4b1ea7a9f731ad7fda0378455b0640355f6c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 May 2026 16:44:54 +0000
Subject: [PATCH 5/9] Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](https://github.com/zizmorcore/zizmor-action/compare/b1d7e1fb5de872772f31590499237e7cce841e8e...5f14fd08f7cf1cb1609c1e344975f152c7ee938d)
---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
 dependency-version: 0.5.6
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 29ce057..ffcceb7 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -23,4 +23,4 @@ jobs:
 persist-credentials: false
 - name: Run zizmor
- uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6

From 9ca033479bd6397175280fcb4d9753677c028033 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 28 May 2026 11:19:24 +0200
Subject: [PATCH 6/9] Add an example for overriding the destination

---
 Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Makefile b/Makefile
index 1b3cd3f..83e14c3 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,8 @@ PATTERN_CATALOG_DOCKERFILE ?= pattern-ui-catalog.Dockerfile
 .PHONY: help
 help: ## Display this help.
 @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-40s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+ @echo ""
+ @echo "Override catalog destination with: make UPLOADREGISTRY=quay.io/rhn_support_mbaldess VERSION=partnertest pattern-ui-catalog-build"
 ##@ Pattern Catalog

From 9edaf92fef4a074e5e84a377b345d1369e793673 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 28 May 2026 11:19:42 +0200
Subject: [PATCH 7/9] Add support for catalog_logo

---
 catalog.schema.json | 6 ++++++
 generate-catalog.sh | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/catalog.schema.json b/catalog.schema.json
index 2a052af..69d1b19 100644
--- a/catalog.schema.json
+++ b/catalog.schema.json
@@ -21,6 +21,12 @@
 "type": "string",
 "description": "Description shown in the catalog UI"
 },
+ "catalog_logo": {
+ "type": "string",
+ "description": "URL of the logo image displayed on the catalog page",
+ "format": "uri",
+ "default": "https://validatedpatterns.io/images/logo.png"
+ },
 "patterns": {
 "type": "array",
 "description": "List of pattern identifiers included in the catalog",
diff --git a/generate-catalog.sh b/generate-catalog.sh
index 7964a51..ff68a6b 100755
--- a/generate-catalog.sh
+++ b/generate-catalog.sh
@@ -14,6 +14,7 @@ ORGS=(${ORGS[@]:-"validatedpatterns" "validatedpatterns-sandbox"})
 TOPIC=${TOPIC:-"ui-catalog-enabled"}
 GENERATOR_VERSION="1.0"
 CATALOG_DIR="catalog"
+CATALOG_LOGO="https://validatedpatterns.io/images/logo.png"
 # Normalize a single pattern-metadata.yaml (JSON from yq) into catalog schema.
 # Reads JSON on stdin, writes normalized JSON on stdout.
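Review bot: The second added `@echo` puts a personal registry namespace and an ad-hoc tag (`UPLOADREGISTRY=quay.io/rhn_support_mbaldess VERSION=partnertest`) into the text every user sees from `make help`, so anyone copying the example verbatim targets that account instead of their own. Prefer neutral placeholders such as `@echo "Override catalog destination with: make UPLOADREGISTRY=quay.io/<your-org> VERSION=<tag> pattern-ui-catalog-build"`, and if `UPLOADREGISTRY` and `VERSION` carry `?=` defaults elsewhere in the Makefile (the hunk header suggests that style), say so in the help line so the override semantics are clear. The `help` recipe ends inside the hunk; the `##@ Pattern Catalog` section that follows continues outside it.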
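Review bot: `"default"` on the new `catalog_logo` property is an annotation only; JSON Schema validators do not inject it, so a catalog that omits the key has no logo unless the consumer applies the default itself, and the same URL is now hard-coded a second time as `CATALOG_LOGO` in generate-catalog.sh in the next hunk. Pick one source of truth, e.g. keep the schema default and have the generator read it, or at least document the coupling in the property description: `"description": "URL of the logo image displayed on the catalog page (keep in sync with CATALOG_LOGO in generate-catalog.sh)"`. Note also that `"format": "uri"` is only enforced by validators run in format-assertion mode, so the URL shape is not guaranteed by schema validation alone; if the UI renders this value directly as an image source, the accepted schemes should be constrained on the UI side rather than assumed from the schema.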
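Review bot: `CATALOG_LOGO` is assigned a fixed value while the neighbouring settings (`ORGS`, `TOPIC`, and `CATALOG_DESCRIPTION` further down) are environment-overridable with the `${VAR:-default}` idiom, so the logo is the one catalog field that cannot be changed without editing the script. Make it consistent: `CATALOG_LOGO=${CATALOG_LOGO:-"https://validatedpatterns.io/images/logo.png"}`. If it does become overridable, the write-out in the second hunk of this file, `echo "catalog_logo: \"${CATALOG_LOGO}\""`, inherits the same exposure the existing `catalog_description` line already has: a value containing the quote character or a backslash would produce invalid YAML, so either validate the value or emit it through a YAML-aware tool such as the `yq` the script already relies on.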
@@ -140,6 +141,7 @@ CATALOG_DESCRIPTION=${CATALOG_DESCRIPTION:-'(Tech-Preview) Additional patterns c
 echo "generated_at: \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\""
 echo "generator_version: \"${GENERATOR_VERSION}\""
 echo "catalog_description: '${CATALOG_DESCRIPTION}'"
+ echo "catalog_logo: \"${CATALOG_LOGO}\""
 echo "patterns:"
 for name in "${pattern_names[@]}"; do
 echo " - ${name}"

From 37a14b8badc2da54296b4026d741722d49443247 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 28 May 2026 11:20:00 +0200
Subject: [PATCH 8/9] Regenerate catalog

---
 catalog/catalog.yaml | 3 +-
 catalog/hypershift/pattern.yaml | 2 +-
 .../hypershift/values-secret.yaml.template | 8 +++
 .../values-secret.yaml.template | 61 +++++++++++++------
 4 files changed, 55 insertions(+), 19 deletions(-)

diff --git a/catalog/catalog.yaml b/catalog/catalog.yaml
index dd17025..b13441e 100644
--- a/catalog/catalog.yaml
+++ b/catalog/catalog.yaml
@@ -1,6 +1,7 @@
-generated_at: "2026-04-16T11:34:50Z"
+generated_at: "2026-05-28T09:09:10Z"
 generator_version: "1.0"
 catalog_description: '(Tech-Preview) Additional patterns can be found here: validatedpatterns.io'
+catalog_logo: "https://validatedpatterns.io/images/logo.png"
 patterns:
 - ansible-edge-gitops
 - layered-zero-trust
diff --git a/catalog/hypershift/pattern.yaml b/catalog/hypershift/pattern.yaml
index 5454bb2..97befec 100644
--- a/catalog/hypershift/pattern.yaml
+++ b/catalog/hypershift/pattern.yaml
@@ -40,4 +40,4 @@ external_requirements:
 s3_bucket: true
 org: validatedpatterns-sandbox
 spoke: null
-clustergroupname: prod
+clustergroupname: staging
diff --git a/catalog/hypershift/values-secret.yaml.template b/catalog/hypershift/values-secret.yaml.template
index a2be8ec..8755967 100644
--- a/catalog/hypershift/values-secret.yaml.template
+++ b/catalog/hypershift/values-secret.yaml.template
@@ -19,6 +19,14 @@ secrets:
 fields:
 - name: credentials
 path: ~/.aws/credentials
+
+ - name: hypershift-iam
+ vaultPrefixes:
+ - hub
+ fields:
+ - name: role-arn
+ value: "arn:aws:iam:accNumber::role/hypershift_cli_role"
+
 # Begin groupsync/oauth config
 # - name: oauthCreds
 # fields:
diff --git a/catalog/layered-zero-trust/values-secret.yaml.template b/catalog/layered-zero-trust/values-secret.yaml.template
index 9185fc4..a5b715c 100644
--- a/catalog/layered-zero-trust/values-secret.yaml.template
+++ b/catalog/layered-zero-trust/values-secret.yaml.template
@@ -16,7 +16,8 @@ version: "2.0"
 # Infrastructure Secrets (hub/infra/*):
 # hub/infra/keycloak/ - Keycloak infrastructure secrets
 # hub/infra/rhtpa/ - RHTPA infrastructure secrets
-# hub/infra/quay/ - Quay registry credentials
+# hub/infra/quay/ - Built-in Quay registry credentials (auto-generated)
+# hub/infra/registry/ - BYO container registry credentials (user-provided)
 # hub/infra/users/ - User credentials managed by IdP
 #
 # Framework Secrets:
@@ -84,6 +85,17 @@ secrets:
 # onMissingValue: generate
 # vaultPolicy: alphaNumericPolicy
 
+ # qtodo-oidc-entraid — Microsoft Entra ID (Azure AD) OIDC for QTodo
+ # This secret supplies the client secret for the Entra app registration
+ # that backs app.oidc.clientId. The value is read from a local file at 'path'
+ # Create the client secret in Azure Portal and store it in that file
+ #- name: qtodo-oidc-entraid
+ # vaultPrefixes:
+ # - apps/qtodo
+ # fields:
+ # - name: client-secret
+ # path: ~/.azure/ztvp-entraid-secret
+
 - name: qtodo-truststore
 vaultPrefixes:
 - apps/qtodo
@@ -151,6 +163,17 @@ secrets:
 onMissingValue: generate
 vaultPolicy: alphaNumericPolicy
 
+ # Microsoft Entra ID (Azure AD) OIDC for RHTPA
+ # This secret supplies the client secret for the Entra app registration
+ # that backs zeroTrust.oidc.clients.cli The value is read from a local file at 'path'
+ # Create the client secret in Azure Portal and store it in that file
+ #- name: rhtpa-oidc-cli
+ # vaultPrefixes:
+ # - hub/infra/rhtpa
+ # fields:
+ # - name: client-secret
+ # path: ~/.azure/ztvp-entraid-secret
+
 # ===========================================================================
 # USER CREDENTIALS (hub/infra/users/)
 # User passwords managed by Keycloak for application access
@@ -174,33 +197,37 @@ secrets:
 vaultPolicy: alphaNumericPolicy
 # ===========================================================================
- # QUAY INFRASTRUCTURE SECRETS (hub/infra/quay/)
- # Registry credentials for Quay
- # Policy: hub-infra-quay-secret (read access to hub/infra/quay/*)
+ # BUILT-IN QUAY REGISTRY SECRETS (hub/infra/quay/)
+ # Auto-generated credentials for built-in Quay registry
+ # Used by: Quay user provisioner job, supply-chain pipeline (when quay.enabled=true)
+ # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/quay/*)
 # ===========================================================================
 - name: quay-users
 vaultPrefixes:
 - hub/infra/quay
 fields:
- - name: quay-admin-password
- onMissingValue: generate
- vaultPolicy: validatedPatternDefaultPolicy
 - name: quay-user-password
 onMissingValue: generate
 vaultPolicy: validatedPatternDefaultPolicy
 
- # External Registry Credentials (e.g., Quay.io, Docker Hub, GHCR)
- # Reserved for future use with container signing workflows
- # Uncomment and provide your credentials when needed
- #- name: external-registry
+ # ===========================================================================
+ # BYO REGISTRY SECRETS (hub/infra/registry/)
+ # Only needed for Option 2 (BYO/external registry, e.g. quay.io, ghcr.io).
+ # NOT needed for Option 1 (built-in Quay uses quay-users secret) or
+ # Option 3 (embedded OpenShift registry with token refresher writes to Vault
+ # automatically -- see docs/supply-chain.md).
+ # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled
+ # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*)
+ #
+ # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry
+ # token/password in your local ~/values-secret-layered-zero-trust.yaml.
+ # ===========================================================================
+ #- name: registry-user
 # vaultPrefixes:
- # - hub/infra
+ # - hub/infra/registry
 # fields:
- # - name: username
- # value: "your-registry-username" # Replace with your username
- # onMissingValue: error
- # - name: password
- # value: "your-registry-token" # Replace with your token/password
+ # - name: registry-password
+ # value: "REPLACE_WITH_REGISTRY_TOKEN"
 # onMissingValue: error
 # ===========================================================================

From 8c2760111cc42d3715a3b9c11ee1b10b35dbae5f Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 28 May 2026 12:24:07 +0200
Subject: [PATCH 9/9] Clarify local file support in schema

---
 catalog.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/catalog.schema.json b/catalog.schema.json
index 69d1b19..fd3858a 100644
--- a/catalog.schema.json
+++ b/catalog.schema.json
@@ -23,7 +23,7 @@
 },
 "catalog_logo": {
 "type": "string",
- "description": "URL of the logo image displayed on the catalog page",
+ "description": "URL or filename of the logo image displayed on the catalog page. If a filename it just needs adding to the catalog/ folder",
 "format": "uri",
 "default": "https://validatedpatterns.io/images/logo.png"
 },
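Review bot: The new description allows a bare filename, but the unchanged `"format": "uri"` on the following line requires an absolute URI under RFC 3986, so a value like `logo.png` is a relative reference that any validator asserting formats will reject (many only annotate by default, which would hide the mismatch until format assertion is turned on). Change the line to `"format": "uri-reference"`, or drop the format keyword, and make the description say how a filename is resolved rather than just where to put the file, e.g. `"description": "URL, or a filename resolved relative to the catalog/ folder, of the logo image displayed on the catalog page"`. The generator in generate-catalog.sh still emits the fixed https URL from its `CATALOG_LOGO` constant, so the filename form is only reachable by editing the script or the generated catalog.yaml; if that is the intended workflow it is worth stating in the description as well.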