Add toolbx workflow and changes for quay.io

This describes the whole toolbx workflow as it is and how it will be from F39+.
Also describes the changes that need to be done in pipeline to make this work.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>

docs/registry_to_quay/toolbox.rst

@@ -9,13 +9,74 @@ It also describes changes needed to make it work with `quay.io <https://quay.io>
 Current workflow
 ----------------
 
-The toolbox images are built using OSBS. The OSBS submits builds to
+The toolbx images are currently built using OSBS. The OSBS submits builds to
 `candidate-registry.fedoraproject.org <https://candidate-registry.fedoraproject.org/>`_ using
-dockercfg and releng script then push it to
+dockercfg and user can create an update in Bodhi. After testing period is finished or the update
+gets enough karma it is moved by bodhi to
 `registry.fedoraproject_org <https://registry.fedoraproject.org/>`_.
 
+This will change in F39 where the images will be built by
+`koji-flatpak <https://pagure.io/koji-flatpak>`_ plugin. This plugin will submit the builds to
+both `registry.fedoraproject_org <https://registry.fedoraproject.org/>`_ and
+`quay.io <https://quay.io>`_.
+
 .. image:: ../_static/toolbox_workflow_registry.drawio.png
     :target: ../_images/toolbox_workflow_registry.drawio.png
 
 Changes for quay.io
 -------------------
+
+This section will describe changes that are needed to make quay.io work with current setup.
+It will go through pipeline step by step and describe what needs to be changed in case of
+toolbx workflow.
+
+OSBS
+^^^^
+OSBS is using Openshift local container registry, which is configured by
+`dockercfg <https://pagure.io/fedora-infra/ansible/blob/main/f/files/osbs/dockercfg-production-secret.j2>`_
+file and pointing to candidate-registry. There is dockercfg for
+`production <https://pagure.io/fedora-infra/ansible/blob/main/f/files/osbs/dockercfg-production-secret.j2>`_ and `staging <https://pagure.io/fedora-infra/ansible/blob/main/f/files/osbs/dockercfg-staging-secret.j2>`_.
+This dockercfg is used as a secret in OSBS and it's deployed in
+`setup-worker-namespace <https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/groups/osbs/setup-worker-namespace.yml>`_ playbook.
+To make this work with quay.io we need to replace the dockercfg with new one pointing to quay.io.
+
+.. note::
+
+   OSBS could have trouble reaching to quay.io, this needs to be solved for this to work.
+
+Koji
+^^^^
+There is currently a initiative that is trying to remove OSBS from flatpak build pipeline. At
+the time of writing this document this is only enabled for F39. But as the F38 flaptak runtime
+will be considered EOL the `koji-flatpak <https://pagure.io/koji-flatpak>`_ module will be the only
+way.
+
+The koji-flatpak module is much direct, there is just one
+`configuration file <https://pagure.io/fedora-infra/ansible/blob/main/f/roles/koji_builder/templates/flatpak.conf>`_
+used to specify where the koji builders should push the build container. The `candidate-registry`
+variable is set in `tasks/main`.
+
+Currently the builders don't have access to quay.io. The firewall settings needs to be adjusted
+so they could push containers.
+
+Bodhi
+^^^^^
+
+Bodhi is pushing the container builds from candidate-registry.fedoraproject.org to
+registry.fedoraproject.org and this is configured in
+`production.ini template <https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/base/templates/production.ini.j2>`_
+in ansible.
+
+To make it work with quay.io we just need to change `container.destination_registry` and
+`container.source_registry` variables.
+
+.. note::
+
+   Bodhi wouldn't be part of the toolbx workflow in Fedora 39 and later. So no need to change
+   anything here.
+
+Toolbx
+^^^^^^
+
+Toolbx has the `registry.fedoraproject_org <https://registry.fedoraproject.org/>`_ set in code.
+This needs to be changed before we completely switch to `quay.io <https://quay.io>`_.