diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 1a076d1..fd99ed0 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml index c65e401..afb8ccb 100644 --- a/.github/workflows/jsonschema.yaml +++ b/.github/workflows/jsonschema.yaml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/yaml-lint.yaml b/.github/workflows/yaml-lint.yaml new file mode 100644 index 0000000..57853db --- /dev/null +++ b/.github/workflows/yaml-lint.yaml 
@@ -0,0 +1,37 @@
+---
+name: Validate YAML
+
+on:
+ push:
+ paths:
+ - 'catalog/**'
+ pull_request:
+ paths:
+ - 'catalog/**'
+
+permissions: read-all # zizmor: ignore[excessive-permissions]
+
+jobs:
+ yaml_lint:
+ name: YAML lint
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+
+ - name: Set up Python
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ with:
+ python-version: "3.11"
+
+ - name: Install yamllint
+ run: pip install yamllint
+
+ - name: Lint YAML files
+ run: >-
+ yamllint -s -d
+ '{extends: default, rules: {line-length: disable, document-start: disable}}'
+ catalog/
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index ffcceb7..4abadf3 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false
diff --git a/.gitignore b/.gitignore
index ba7c2ff..1e55aa7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@ pattern-catalog.Dockerfile
+pattern-ui-catalog.Dockerfile
diff --git a/README.md b/README.md
index d5b0e32..b398b4c 100644
--- a/README.md
+++ b/README.md
@@ -142,6 +142,10 @@ extra_features: external_requirements: null org: my-org spoke: null
+variants:
+ - name: default
+ default: true
+ description: Default deployment variant ``` **`catalog//values-secret.yaml.template`** - metadata for secret material
diff --git a/catalog/catalog.yaml b/catalog/catalog.yaml
index d7413f1..b3f851c 100644
--- a/catalog/catalog.yaml
+++ b/catalog/catalog.yaml
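Review bot: `run: pip install yamllint` installs an unpinned, unverified package while every action in the same workflow is pinned to a commit SHA, so the lint job's supply chain is only as strong as whatever PyPI serves on the day it runs; pin it, e.g. `run: pip install 'yamllint==<pinned-version>'`, ideally from a requirements file with `--require-hashes`. `permissions: read-all` grants more than a job that only checks out and lints needs, and is what the `zizmor: ignore[excessive-permissions]` suppression covers for; a `permissions:` block with `contents: read` removes the finding instead of silencing it. The trigger paths and the lint target both cover `catalog/` only, so edits to this workflow file itself do not run the job — fine if intended, but worth a comment.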
@@ -1,4 +1,4 @@ -generated_at: "2026-05-28T15:34:12Z" +generated_at: "2026-06-25T12:56:50Z" generator_version: "1.0" catalog_description: '(Tech-Preview) Additional patterns can be found here: validatedpatterns.io' catalog_logo: "https://validatedpatterns.io/images/logo.png" diff --git a/catalog/layered-zero-trust/values-secret.yaml.template b/catalog/layered-zero-trust/values-secret.yaml.template index a5b715c..8261b16 100644 --- a/catalog/layered-zero-trust/values-secret.yaml.template +++ b/catalog/layered-zero-trust/values-secret.yaml.template 
@@ -219,17 +219,54 @@ secrets: # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*) # - # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry - # token/password in your local ~/values-secret-layered-zero-trust.yaml. + # Store your registry token in a local file to avoid plaintext in YAML: + # echo -n "your-registry-token" > ~/.config/validated-patterns/registry-token # =========================================================================== #- name: registry-user # vaultPrefixes: # - hub/infra/registry # fields: # - name: registry-password - # value: "REPLACE_WITH_REGISTRY_TOKEN" + # path: ~/.config/validated-patterns/registry-token # onMissingValue: error + # =========================================================================== + # SUPPLY CHAIN GIT CREDENTIALS (hub/supply-chain/) + # Credentials for cloning protected Git repositories in Tekton pipelines + # Policy: hub-supply-chain-jwt-secret (read access to hub/supply-chain/*) + # + # Choose ONE of the two options below depending on your auth type: + # Option A: HTTPS basic auth (username + PAT) + # Option B: SSH key auth (ssh-privatekey + known_hosts) + # =========================================================================== + # Option A: HTTPS basic auth (uncomment for HTTPS protected repositories) + # Store your Git username and PAT in local files to avoid plaintext in YAML: + # echo -n "your-git-username" > ~/.config/validated-patterns/git-username + # echo -n "your-personal-access-token" > ~/.config/validated-patterns/git-token + #- name: git-credentials + # vaultPrefixes: + # - hub/supply-chain + # fields: + # - name: username + # path: ~/.config/validated-patterns/git-username + # onMissingValue: error + # - name: password + # path: ~/.config/validated-patterns/git-token + # onMissingValue: error + + # Option B: SSH key auth (uncomment for SSH protected repositories) + # The 
private key must NOT be password-protected (passphrase-less).
+ # Generate a passwordless key: ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ztvp -N ""
+ # Generate known_hosts: ssh-keyscan github.com > ~/.ssh/known_hosts_github
+#- name: git-credentials
+ # vaultPrefixes:
+ # - hub/supply-chain
+ # fields:
+ # - name: ssh-privatekey
+ # path: ~/.ssh/id_ed25519_ztvp # Replace with your SSH private key path
+ # - name: known_hosts
+ # path: ~/.ssh/known_hosts_github # Replace with your known_hosts file path
+ # =========================================================================== # =========================================================================== # COCO (CONFIDENTIAL CONTAINERS) SECRETS # Uncomment the secrets below when deploying with CoCo support.
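Review bot: Option B's `ssh-privatekey` and `known_hosts` fields carry no `onMissingValue: error`, unlike every field in Option A and the `registry-password` entry above, so a missing key file is handled by whatever the loader's default happens to be rather than failing loudly; add `onMissingValue: error` to both for consistency. The suggested `ssh-keyscan github.com > ~/.ssh/known_hosts_github` records whatever key answers at scan time, and that file is what later protects the pipeline's clones from a host impersonation, so the comment should tell users to compare the scanned key against the provider's published SSH fingerprints before using it. The scan is also hard-wired to github.com while the option is described for any SSH protected repository; note that the host to scan follows the repository URL. The enclosing `secrets:` list begins before this hunk.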
@@ -397,3 +434,69 @@ secrets: # fields: # - name: content # path: ~/.kube/kubeconfig-ztvp-spoke-2
+
+# ===========================================================================
+# BOOTSTRAP SECRETS - Private Repository Access
+# ===========================================================================
+# Uncomment ONE of the sections below if deploying this pattern from a
+# private git repository. These secrets are created directly as Kubernetes
+# Secrets (not via Vault) so that ArgoCD can authenticate to the private
+# repository before any other component is deployed.
+#
+# After uncommenting and filling in the values, deploy with:
+# ./pattern.sh make TOKEN_SECRET=private-repo TOKEN_NAMESPACE=openshift-operators install
+#
+# See docs/private-repos.md for full instructions.
+# ===========================================================================
+
+# --- OPTION A: SSH key authentication ---
+# Generate a passwordless deploy key:
+# ssh-keygen -t ed25519 -f ~/.ssh/ztvp-deploy-key -N ""
+# Add the public key (~/.ssh/ztvp-deploy-key.pub) as a deploy key in
+# your Git hosting provider (GitHub, GitLab, etc.)
+#
+# insecureIgnoreHostKey is required because the ArgoCD repo-server runs
+# in a container that does not have the Git host's SSH fingerprint in its
+# known_hosts file. Without this flag, SSH connections fail with
+# "knownhosts: key is unknown".
+#
+# The VP operator copies this secret as vp-private-repo-credentials into
+# vp-gitops (its managed ArgoCD namespace). The ACM chart (0.2.x+) reads
+# global.vpArgoNamespace which the VP operator sets automatically.
+
+#bootstrap_secrets:
+#- name: private-repo
+# targetNamespaces:
+# - openshift-operators
+# labels:
+# argocd.argoproj.io/secret-type: repository
+# fields:
+# - name: type
+# value: git
+# - name: url
+# value: git@github.com:YOUR-ORG/layered-zero-trust.git
+# - name: insecureIgnoreHostKey
+# value: "true"
+# - name: sshPrivateKey
+# path: ~/.ssh/ztvp-deploy-key
+
+# --- OPTION B: HTTPS with Personal Access Token (PAT) ---
+# Create a PAT with read access to your repository.
+# For GitHub: Settings -> Developer settings -> Personal access tokens
+# For GitLab: Settings -> Access Tokens (username must be "oauth2")
+
+#bootstrap_secrets:
+#- name: private-repo
+# targetNamespaces:
+# - openshift-operators
+# labels:
+# argocd.argoproj.io/secret-type: repository
+# fields:
+# - name: type
+# value: git
+# - name: url
+# value: https://github.com/YOUR-ORG/layered-zero-trust.git
+# - name: username
+# value: YOUR-USERNAME
+# - name: password
+# path: ~/.config/validated-patterns/git-pat
diff --git a/catalog/multicloud-gitops/pattern.yaml b/catalog/multicloud-gitops/pattern.yaml
index bb7472f..598184d 100644
--- a/catalog/multicloud-gitops/pattern.yaml
+++ b/catalog/multicloud-gitops/pattern.yaml
@@ -60,6 +60,12 @@ extra_features: hypershift_support: true spoke_support: true external_requirements: null
+variants:
+ - name: hub
+ default: true
+ description: Default multicluster hub/spoke Multicloud Gitops variant
+ - name: standalone
+ description: Single cluster Multicloud Gitops (no ACM) variant org: validatedpatterns spoke: null clustergroupname: hub
diff --git a/catalog/rag-llm-gitops/values-secret.yaml.template b/catalog/rag-llm-gitops/values-secret.yaml.template
index d38e970..7e5f48f 100644
--- a/catalog/rag-llm-gitops/values-secret.yaml.template
+++ b/catalog/rag-llm-gitops/values-secret.yaml.template
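Review bot: Option A sets `insecureIgnoreHostKey: "true"`, which disables SSH host-key verification for every clone Argo CD makes from this repository, and the comment presents that as the only way to get a connection; stock Argo CD ships an `argocd-ssh-known-hosts-cm` ConfigMap that already contains github.com's host keys, so the flag is likely only needed for self-hosted Git servers — worth confirming against the VP-managed instance. The comment should offer the safer route first, adding the Git host's public key to `argocd-ssh-known-hosts-cm` in the managed Argo CD namespace, and describe the flag as a fallback that accepts a host-impersonation risk for the bootstrap clone. Option B writes `username: YOUR-USERNAME` inline while reading the PAT from a file; a short comment that the username is not secret would explain why it departs from the file-based convention used for every other credential in this template.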
@@ -2,15 +2,8 @@ # https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils#values-secret-file-format version: "2.0" -# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are -# automatically generated inside the vault this should not really matter) - -# In order to use huggingface models, you will need to -# provide your token as a value for hftoken below. - -# EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com -# Register for a free trial at: https://www.enterprisedb.com/accounts/register -# Get your token from: https://www.enterprisedb.com/repos-downloads +# Do not update sensitive secrets (db credentials) in this file and commit to git. +# Copy this template file to ~/values-secret-rag-llm-gitops and update secrets in your home directory backingStore: vault 
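Review bot: The replacement header `Do not update sensitive secrets (db credentials) in this file and commit to git.` narrows the warning to database credentials, while `hftoken`, the EDB `token` and `sa-pass` in the same file are equally sensitive, and the removed text covered all of them. Suggest `# Never put real secret values in this file or commit them to git;` followed by `# copy it to ~/values-secret-rag-llm-gitops and fill in the values there.` so the scope matches the file's contents. The `backingStore: vault` line is context, not part of the change.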
@@ -22,15 +15,37 @@ vaultPolicies: rule "charset" { charset = "0123456789" min-chars = 1 } secrets: + # This must be set to use models requiring huggingface authentication + # The default model (ibm-granite/granite-3.3-8b-instruct) does not require authentication - name: hfmodel fields: - name: hftoken value: null + + # Only used when .global.db is set to PGVECTOR in values-global.yaml + - name: pgvector + fields: + - name: username + value: postgres + - name: password + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: dbname + value: rag_blueprint + + # Only used when .global.db is set to EDB in values-global.yaml + # EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com + # Register for a free trial at: https://www.enterprisedb.com/accounts/register + # Get your token from: https://www.enterprisedb.com/repos-downloads - name: edb fields: - name: token value: null description: EDB subscription token for pulling certified operator images + + # Only used when .global.db is set to MSSQL in values-global.yaml + # The pattern creates a local SQL Server deployment. To use an existing SQL Server DB on Azure, use secret below. - name: mssql fields: - name: sa-pass @@ -38,6 +53,9 @@ secrets: override: true vaultPolicy: basicPolicy description: mssql password for sa user + + # Only used when .global.db is set to AZURESQL in values-global.yaml + # The Azure SQL Server database needs to be created outside of the pattern. - name: azuresql fields: - name: user diff --git a/pattern.schema.json b/pattern.schema.json index 819379e..7b82fc0 100644 --- a/pattern.schema.json +++ b/pattern.schema.json @@ -143,6 +143,14 @@ "type": "string", "description": "URL or path to a logo image for the pattern", "format": "uri" + }, + "variants": { + "type": "array", + "description": "Deployment variants for the pattern", + "items": { + "$ref": "#/$defs/variant" + }, + "minItems": 1 } }, "$defs": { 
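Review bot: The new `pgvector` secret uses `onMissingValue: generate` together with `override: true` on `password`, the same pair the existing `mssql` `sa-pass` uses; if `override` causes a fresh value to be written on every secrets load, each re-run rotates the database password, and unless the pgvector deployment re-reads the secret the application loses access after the first reload — either document that behaviour in the comment above the entry or drop `override` so an existing password is kept. `username: postgres` is the PostgreSQL superuser; a dedicated role scoped to `rag_blueprint` would follow least privilege if the chart can create one, otherwise the comment should state that the superuser is required. Only one charset rule of `basicPolicy` is visible in this hunk's context, so the generated password's strength cannot be judged from here.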
@@ -191,6 +199,26 @@ "$ref": "#/$defs/nodePoolSpec" } }
+ },
+ "variant": {
+ "type": "object",
+ "description": "A deployment variant of the pattern",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Unique identifier for the variant"
+ },
+ "default": {
+ "type": "boolean",
+ "description": "Whether this is the default variant"
+ },
+ "description": {
+ "type": "string",
+ "description": "Human-readable description of the variant"
+ }
+ } } }
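Review bot: Nothing in the `variant` definition or in the `variants` array of the previous hunk constrains `default` to a single entry or enforces the uniqueness that the `name` description promises, so two variants marked `default: true`, or two with the same name, validate cleanly; JSON Schema cannot express per-property uniqueness across array items, so state it as a generator-side check in the description, e.g. `"description": "Unique identifier for the variant; uniqueness and the single-default rule are enforced by the catalog generator, not by this schema"`. The boolean `default` property declares no schema default, so a consumer cannot tell an omitted `default` from `false` without reading the generator; adding `"default": false` next to `"type": "boolean"` (or documenting that omission means false) makes the contract explicit. Both points apply equally to the `variants` array in the first schema hunk.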