Add solar OCM components

.github/workflows/release-ocm-components.yml

@@ -18,6 +18,8 @@ jobs:
           - ./cloudnative-pg
           - ./keycloak
           - ./ocm-demo
+          - ./solution-arsenal
+          - ./solution-arsenal-discovery
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6

README.md

@@ -117,6 +117,29 @@ helm install artifact-conduit artifact-conduit/arc-0.1.0.tgz \
 
 **Note**: Artifact Conduit is an early-stage project (356+ commits, 8 contributors) not yet recommended for production without thorough testing. It provides a declarative way to transfer artifacts across security boundaries with automated scanning and policy compliance.
 
+### Solution Arsenal
+
+OCM-based Application Catalog and Fleet Rollout Manager
+
+- **Status**: Early Stage (pre-release, active development)
+- **License**: Apache 2.0
+- **Configurations**:
+  - Minimal (single instance, development / evaluation)
+  - Production (3 replicas each, leader election, metrics enabled)
+- **Documentation**: [solution-arsenal/README.md](solution-arsenal/README.md)
+
+### Solution Arsenal Discovery
+
+Standalone OCI Registry Scanner for OCM Packages
+
+- **Status**: Early Stage (pre-release, active development)
+- **License**: Apache 2.0
+- **Configurations**:
+  - Minimal (single instance, scan-only mode, no webhook)
+  - Production (2 replicas, webhook listener enabled, anti-affinity)
+- **Documentation**: [solution-arsenal-discovery/README.md](solution-arsenal-discovery/README.md)
+
+
 ### ocm-demo (v0.1.0)
 
 Minimal example component used to demonstrate OCM packaging, transfer, and runtime image localization.

solution-arsenal-discovery/README.md

@@ -0,0 +1,47 @@
+# Solution Arsenal Discovery (SolAr Discovery) OCM Component
+
+This directory contains the OCM (Open Component Model) packaging for [SolAr Discovery](https://github.com/opendefensecloud/solution-arsenal), a standalone OCI registry scanner that discovers OCM packages and populates the Solution Arsenal catalog.
+
+## Component structure
+
+```
+solution-arsenal-discovery/
+├── component-constructor.yaml  # OCM component descriptor
+├── minimal-values.yaml         # Helm values: single-instance dev/test profile
+├── production-values.yaml      # Helm values: HA production profile
+```
+
+## Prerequisites
+
+### Required
+- **Kubernetes**
+- **Helm**
+
+
+## Quick start
+
+### 1. Build the CTF archive
+
+Run from the `solution-arsenal-discovery/` directory of this repo:
+
+```bash
+ocm add componentversion --version 0.1.0 --create --file ./ctf component-constructor.yaml
+```
+
+### 2. Transfer to a registry
+
+```bash
+# Public registry (replace with your org)
+ocm transfer ctf --copy-local-resources ./ctf ghcr.io/your-org
+
+# Local registry for testing
+ocm transfer ctf --copy-local-resources ./ctf localhost:5001
+```
+
+The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location.
+
+## Resources
+
+- [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal)
+- [SolAr documentation](https://solar.opendefense.cloud)
+- [OCM specification](https://ocm.software)

solution-arsenal-discovery/component-constructor.yaml

@@ -0,0 +1,45 @@
+components:
+  - name: opendefense.cloud/solution-arsenal-discovery
+    provider:
+      name: opendefense.cloud
+    labels:
+      - name: app.kubernetes.io/name
+        value: solution-arsenal-discovery
+      - name: app.kubernetes.io/component
+        value: registry-scanner
+      - name: app.kubernetes.io/part-of
+        value: solution-arsenal
+    resources:
+      # SolutionArsenal Discovery Helm Chart
+      - name: solution-arsenal-discovery-chart
+        type: helmChart
+        version: v0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/charts/solar-discovery:0.1.1
+
+      # Solar Discovery Container Image
+      - name: solution-arsenal-discovery-image
+        type: ociImage
+        version: v0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/solar-discovery:0.1.1
+
+      # Minimal Configuration (single instance, scan-only mode)
+      - name: solution-arsenal-discovery-minimal-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: minimal-values.yaml
+
+      # Production Configuration (2 replicas, webhook enabled, anti-affinity)
+      - name: solution-arsenal-discovery-production-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: production-values.yaml

solution-arsenal-discovery/minimal-values.yaml

@@ -0,0 +1,48 @@
+# Minimal SolutionArsenal Discovery Configuration
+# Single-instance setup suitable for:
+# - Development environments
+# - Testing and evaluation
+# - Resource-constrained environments (kind, minikube)
+# - Scan-only mode (no webhook required)
+
+image:
+  repository: ghcr.io/opendefensecloud/solar-discovery
+  tag: latest
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+
+# No registries configured by default — add your registries here
+# registries:
+#   - name: my-registry
+#     hostname: registry.example.com
+#     scanInterval: 24h
+#     credentials:
+#       username: ${REGISTRY_USERNAME}
+#       password: ${REGISTRY_PASSWORD}
+
+# Namespace where discovered Component/ComponentVersion resources are created
+namespace: ""
+
+# Webhook service enabled but no ingress — webhook can be added later
+service:
+  enabled: true
+  type: ClusterIP
+  port: 8080
+
+# Minimal resource requests
+resources:
+  limits:
+    cpu: 500m
+    memory: 128Mi
+  requests:
+    cpu: 10m
+    memory: 64Mi
+
+# CA bundle disabled for minimal setup
+caBundle:
+  enabled: false
+
+# RBAC enabled
+rbac:
+  create: true

solution-arsenal-discovery/production-values.yaml

@@ -0,0 +1,71 @@
+# Production SolutionArsenal Discovery Configuration
+# Highly-available  setup suitable for:
+# - Production environments
+# - Environments with private registries requiring TLS trust
+
+image:
+  repository: ghcr.io/opendefensecloud/solar-discovery
+  tag: latest
+  pullPolicy: IfNotPresent
+
+replicaCount: 2
+
+# Configure registries to scan — use envFrom to inject credentials from Secrets
+# registries:
+#   - name: internal-registry
+#     hostname: registry.internal.example.com
+#     scanInterval: 12h
+#     credentials:
+#       username: ${REGISTRY_USERNAME}
+#       password: ${REGISTRY_PASSWORD}
+#     webhookPath: events
+#     flavor: zot
+
+# Namespace where discovered Component/ComponentVersion resources are created
+namespace: ""
+
+# Webhook service for event-driven registry notifications
+service:
+  enabled: true
+  type: ClusterIP
+  port: 8080
+
+# Production resource limits
+resources:
+  limits:
+    cpu: 500m
+    memory: 128Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi
+
+# Spread replicas across nodes for resilience
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - solar-discovery
+          topologyKey: kubernetes.io/hostname
+
+# CA bundle for private registry TLS trust
+# Point to a ConfigMap containing your CA certificates
+# (e.g., produced by trust-manager's root-bundle)
+caBundle:
+  enabled: true
+  configMapName: registry-ca-bundle
+  key: trust-bundle.pem
+
+# Inject registry credentials from a Secret
+# envFrom:
+#   - secretRef:
+#       name: registry-credentials
+
+# RBAC enabled
+rbac:
+  create: true

solution-arsenal/README.md

@@ -0,0 +1,47 @@
+# Solution Arsenal (SolAr) OCM Component
+
+This directory contains the OCM (Open Component Model) packaging for [Solution Arsenal (SolAr)](https://github.com/opendefensecloud/solution-arsenal), an application catalog and fleet rollout manager.
+
+## Component structure
+
+```
+solution-arsenal/
+├── component-constructor.yaml  # OCM component descriptor
+├── minimal-values.yaml         # Helm values: single-instance dev/test profile
+├── production-values.yaml      # Helm values: HA production profile
+```
+
+## Prerequisites
+
+### Required
+- **Kubernetes**
+- **Helm**
+- **cert-manager**
+
+## Quick start
+
+### 1. Build the CTF archive
+
+Run from the `solution-arsenal/` directory of this repo:
+
+```bash
+ocm add componentversion --version 0.1.0 --create --file ./ctf component-constructor.yaml
+```
+
+### 2. Transfer to a registry
+
+```bash
+# Public registry (replace with your org)
+ocm transfer ctf --copy-local-resources ./ctf ghcr.io/your-org
+
+# Local registry for testing
+ocm transfer ctf --copy-local-resources ./ctf localhost:5001
+```
+
+The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location.
+
+## Resources
+
+- [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal)
+- [SolAr documentation](https://solar.opendefense.cloud)
+- [OCM specification](https://ocm.software)

solution-arsenal/component-constructor.yaml

@@ -0,0 +1,72 @@
+components:
+  - name: opendefense.cloud/solution-arsenal
+    provider:
+      name: opendefense.cloud
+    labels:
+      - name: app.kubernetes.io/name
+        value: solution-arsenal
+      - name: app.kubernetes.io/component
+        value: solution-catalog
+      - name: app.kubernetes.io/part-of
+        value: solution-arsenal
+    resources:
+      # SolutionArsenal Helm Chart
+      - name: solution-arsenal-chart
+        type: helmChart
+        version: v0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/charts/solar:0.1.1
+
+      # API Server Container Image
+      - name: solution-arsenal-apiserver-image
+        type: ociImage
+        version: v0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/solar-apiserver:0.1.1
+
+      # Controller Manager Container Image
+      - name: solution-arsenal-controller-manager-image
+        type: ociImage
+        version: v0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/solar-controller-manager:0.1.1
+
+      # Renderer Container Image
+      - name: solution-arsenal-renderer-image
+        type: ociImage
+        version: 0.1.1
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ghcr.io/opendefensecloud/solar-renderer:0.1.1
+
+      # etcd Container Image
+      - name: etcd-image
+        type: ociImage
+        version: v3.6.10
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: quay.io/coreos/etcd:v3.6.10
+
+      # Minimal Configuration (single instance, development)
+      - name: solution-arsenal-minimal-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: minimal-values.yaml
+
+      # Production Configuration (HA with replicas, metrics enabled)
+      - name: solution-arsenal-production-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: production-values.yaml