@isala404 (Contributor)

Summary

  • adds container registry configuration guide for production registries (ECR, GCR, ACR, GHCR, Docker Hub)
  • simplifies build plane setup in try-it-out guides with clearer registry options
  • k3d: uses in-cluster docker-registry via helm
  • existing cluster: ttl.sh (easiest) or host registry via docker

Test plan

  • verify docs build without errors
  • check all cross-references work
  • confirm sidebar shows new operations doc

relates to openchoreo/openchoreo#1565

@isala404 isala404 merged commit 342f987 into openchoreo:main Jan 23, 2026
5 checks passed
Copilot AI left a comment

Pull request overview

This PR updates documentation and Helm reference values to reflect a new, externalized Build Plane registry model and adds a focused operations guide for configuring container registries, while also tightening observability and security-related Helm docs. It also simplifies the “try it out” flows for both self-hosted and managed Kubernetes by presenting clearer registry setup options.

Changes:

  • Added an Operations guide for container registry configuration and surfaced it in the sidebar.
  • Updated Helm reference docs for build-plane, control-plane, data-plane, and observability-plane to align with external registries (host/repoPath model), new security parameters, and additional observability configuration knobs.
  • Simplified Build Plane setup steps in the self-hosted and managed Kubernetes “try it out” guides by providing concrete registry options (in-cluster Twuni registry for k3d, ttl.sh, host registry, and cloud provider registries) and linking to the new container registry configuration guide.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

| File | Description |
|------|-------------|
| sidebars.ts | Adds the new “Container Registry Configuration” operations doc to the Operator Manual sidebar, making the new guide discoverable. |
| docs/reference/helm/observability-plane.mdx | Documents a tail-sampling enable flag and expands Prometheus/Alertmanager/Grafana/PrometheusRule selection parameters, aligning observability-plane Helm values with more advanced configurations. |
| docs/reference/helm/data-plane.mdx | Bumps the gateway-operator subchart version and introduces an explicit api-platform.gateway.helm.chartVersion value, matching updated API Platform gateway packaging. |
| docs/reference/helm/control-plane.mdx | Clarifies Backstage feature flags and adds new security and Thunder bootstrap configuration parameters for roles, external OIDC clients, and system app bootstrap. |
| docs/reference/helm/build-plane.mdx | Removes the embedded Twuni docker-registry subchart, introduces global.defaultResources.registry.host/repoPath/tlsVerify, and clarifies buildpack cache semantics to reflect reliance on external registries. |
| docs/operations/container-registry-configuration.mdx | New operations guide that explains required Build Plane registry parameters, provides provider-specific examples (ECR, Artifact Registry, ACR, GHCR, Docker Hub), and covers push/pull auth and basic troubleshooting. |
| docs/getting-started/try-it-out/on-self-hosted-kubernetes.mdx | Reworks Step 3 to install a Twuni registry for k3d, and for existing clusters offers ttl.sh and host-registry options using the new registry.host/repoPath/tlsVerify values, then points to the new operations guide. |
| docs/getting-started/try-it-out/on-managed-kubernetes.mdx | Simplifies Build Plane setup on managed clusters by focusing on ttl.sh and cloud-provider registries, again using the new registry Helm values and linking to the container registry configuration guide. |

|---------|-------|
| "unauthorized" error | Verify `registry-push-secret` exists and credentials are valid |
| `ImagePullBackOff` | Verify image exists and ImagePullSecret is configured |
| "x509: certificate signed by unknown authority" | Set `tlsVerify=false` or configure CA certificate |
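
Review bot: the `ImagePullBackOff` row refers to a generic "ImagePullSecret" while the row above names `registry-push-secret`; since the guide treats push and pull auth separately, name the pull-side secret (or link the section that creates it) so operators do not assume the push secret also serves image pulls. The `x509` row would also read safer with "configure CA certificate" listed first and `tlsVerify=false` qualified as a local-development-only option.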

Copilot AI Jan 23, 2026

The troubleshooting advice for the "x509: certificate signed by unknown authority" error suggests setting tlsVerify=false, which disables TLS certificate verification for registry access. Using this workaround with external registries on untrusted networks allows man-in-the-middle attackers to impersonate the registry and serve malicious images that the platform will build and deploy. Prefer guidance that keeps tlsVerify=true and instructs operators to fix the certificate chain or configure the appropriate CA trust, reserving tlsVerify=false strictly for ephemeral local development.

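A values lint an operator could run before `helm install` to catch the weak setting discussed in the comment above (tlsVerify=false on an external registry) and the required host/repoPath values: an added example, not code from this PR or from the OpenChoreo chart. It assumes images are composed as host/repoPath/name:tag, that the chart defaults tlsVerify to true, and uses a constructed heuristic for which hosts count as local.

```python
"""Lint Build Plane registry values (global.defaultResources.registry.*) before
helm install. Added example, not part of the OpenChoreo chart. Assumes images are
referenced as host/repoPath/<name>:<tag>, tlsVerify defaults to true, and only
loopback or *.svc hosts count as local (where tlsVerify=false is tolerated)."""
import ipaddress
from typing import Any
from urllib.parse import urlsplit

LOCAL_SUFFIXES = (".svc", ".svc.cluster.local")  # assumed in-cluster service names


def is_local_registry(host: str) -> bool:
    """True for loopback addresses or in-cluster service names (heuristic)."""
    name = (urlsplit("//" + host).hostname or "").lower()  # drops :port and IPv6 []
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return name == "localhost" or name.endswith(LOCAL_SUFFIXES)


def registry_values(values: dict[str, Any]) -> dict[str, Any]:
    """Return the registry sub-map documented for the build-plane chart."""
    return values.get("global", {}).get("defaultResources", {}).get("registry", {})


def image_reference(values: dict[str, Any], name: str, tag: str) -> str:
    """Compose the reference a build would push, from host and repoPath."""
    reg = registry_values(values)
    return f"{reg['host']}/{reg['repoPath'].strip('/')}/{name}:{tag}"


def lint_registry(values: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means the values are acceptable."""
    reg = registry_values(values)
    host, repo = reg.get("host", ""), reg.get("repoPath", "")
    findings = []
    if not host:
        findings.append("registry.host is required")
    elif "://" in host:
        findings.append("registry.host must be host[:port], not a URL")
    if not repo:
        findings.append("registry.repoPath is required")
    if reg.get("tlsVerify", True) is False and not is_local_registry(host):
        findings.append(f"tlsVerify=false for external registry {host!r}: keep "
                        "tlsVerify=true and fix the certificate chain / CA trust")
    return findings


# Constructed sample values: a k3d in-cluster registry, and a GHCR setup that
# wrongly disables certificate verification.
K3D_VALUES = {"global": {"defaultResources": {"registry": {
    "host": "docker-registry.registry.svc.cluster.local:5000",
    "repoPath": "openchoreo", "tlsVerify": False}}}}
GHCR_VALUES = {"global": {"defaultResources": {"registry": {
    "host": "ghcr.io", "repoPath": "my-org/openchoreo", "tlsVerify": False}}}}
```

Running `lint_registry` over a parsed values file in CI blocks the GHCR-style configuration while letting the in-cluster k3d registry through.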