Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Integrating products and external services

Use this procedure to integrate existing products or replace default components before installing RHADS - SSC. Integrating pre-existing services helps avoid data duplication and unnecessary deployments.

The RHADS - SSC installer deploys a network of products that work together to form a secure, automated CI/CD platform. However, two of these products—Advanced Cluster Security (ACS) and Quay—might already be installed in your environment. If you have existing instances of either product, you can integrate them into your RHADS - SSC deployment.

Integration prevents data loss and avoids deploying duplicate services. If you do not integrate an existing instance, the installer automatically creates a new instance in a new namespace.

Additionally, you can replace the default Git, CI, and registry components with supported alternatives. You can enable more than one alternative for some categories, such as source code repositories or CI tools. The following table lists the default components, their purpose, and the alternatives you can use:

Expand
ProductPurposeSupported alternatives

GitHub

Source code repository

  • GitLab
  • Bitbucket Cloud

Tekton

CI pipeline engine

  • Jenkins
  • GitHub Actions
  • GitLab CI
  • Azure Pipelines (Technology Preview)

Quay

Artifact registry

  • JFrog Artifactory
  • Sonatype Nexus Repository
Note

CI pipeline alternatives conform to SLSA Build Level 2. Only Tekton conforms to SLSA Build Level 3.

Important

When you replace the default Git, CI, or registry providers, RHADS - SSC installs corresponding plugins in Red Hat Developer Hub. Most of these plugins are in Technology Preview or are community-maintained.

Replacing default components is not recommended for production environments due to potential security risks and limited support.

For details, see the plugin support matrix in the Red Hat Advanced Developer Suite - software supply chain release notes and the RHDH plugin documentation.

Note

To integrate products or customize your installation, you must run all relevant tssc commands inside a container that is logged in to your OpenShift cluster with cluster-admin privileges.

The following procedures explain how to customize your installation of RHADS - SSC by integrating pre-existing services and supported alternatives.

4.1. Integrating GitHub
Copy link

RHADS - SSC uses GitHub to authenticate users and to create and manage application repositories. Before you install RHADS - SSC, you must configure GitHub to support these capabilities.

To enable GitHub integration, complete the following procedures:

  1. Create a GitHub personal access token.
  2. Create a GitHub application.

Create a GitHub personal access token

You must own a GitHub organization to create a personal access token (PAT). You can use an existing GitHub organization, create a new one, or request ownership from an administrator.

After installation, the GitHub organization provides a location where users generate repositories for their applications.

Prerequisites

  • Ownership of a GitHub organization
  • A GitHub user account with permission to create personal access tokens
  • Access to GitHub Developer settings

Procedure

  1. Go to your Developer settings page on GitHub.
  2. In the left navigation panel, under Personal access tokens, click Tokens (classic).
  3. From the Generate new token drop-down menu, select Generate new token (classic). Authenticate if prompted.
  4. Enter a name, select an expiration date, and under Select scopes, select repo. This automatically includes all scopes from repo:status to security_events.
  5. Click Generate token. GitHub redirects you to a new page where your token is displayed.
  6. (Optional) Save the token to a file, such as values.txt, for reuse in later steps.

Create a GitHub application

Creating a GitHub application for RHADS - SSC allows developers to authenticate to Red Hat Developer Hub, the web-based interface for interacting with RHADS - SSC. It also allows RHADS - SSC to access your GitHub organization and create repositories.

You must create and install this application in the same GitHub organization that you plan to use with RHADS - SSC. The installer automates most of the configuration.

Prerequisites

  • A GitHub personal access token with repo scope
  • The name of your GitHub organization
  • A name to assign to your GitHub application
  • Valid credentials for registry.redhat.io
  • cluster-admin access to an OpenShift cluster
  • Access to the terminal or container where the tssc is installed

Procedure

  1. Run the following command to create the GitHub application: 

    bash-5.1$ tssc integration github-app \
  --create \
  --token="$GH_TOKEN" \
  --org="$GH_ORG_NAME" \
  $GH_APP_NAME

    Replace the following variables:

    • $GH_TOKEN: The GitHub personal access token
    • $GH_ORG_NAME: The GitHub organization name
    • $GH_APP_NAME: The name of the GitHub application
  2. Copy the URL from the command output and open it in a browser.
  3. Click Create your GitHub App.
  4. If prompted, authenticate to GitHub.
  5. Click Create GitHub App for <your organization>.
  6. When the application is created, click the link in the success message to install the application in your GitHub organization.
  7. On the redirected GitHub page, click Install.
  8. Select the GitHub organization that you are using for RHADS - SSC.

  9. When prompted, select All repositories, and click Install.

    Note

    You may want to keep this GitHub page open. The banner includes a link (beginning with https://backstage-developer-hub-rhtap…​) to access RHADS - SSC after installation.

4.2. (Optional) Integrating RHACS
Copy link

Use this procedure to integrate an existing instance of Advanced Cluster Security (RHACS) into your RHADS - SSC installation.

Integrating RHACS ensures that your deployment uses your existing configuration and data instead of creating a new RHACS instance.

Prerequisites

  • Administrator access to an existing RHACS instance

Procedure

  1. Before you integrate RHACS, obtain an API token and the Central endpoint URL. The URL must include the protocol, hostname, and port. For example, https://central-rhacs.example.com:443.

    1. Follow the instructions at Create an RHACS API token to generate the token.
    2. Save the token to a file, such as values.txt, for reuse in later steps.
    3. Follow the instructions at Configure the Central endpoint URL to locate your ACS Central endpoint.
    4. Save the endpoint URL to a file, such as values.txt, for reuse in later steps.

  2. In your tssc container, run the following integration command: 

    bash-5.1$ tssc integration acs \
  --endpoint="$ACS_ENDPOINT" \
  --token="$ACS_TOKEN"

    Replace the following variables:

    • $ACS_ENDPOINT: The URL of your RHACS Central endpoint
    • $ACS_TOKEN: The RHACS API token

4.3. (Optional) Integrating Quay
Copy link

Use this procedure to integrate an existing Quay organization or a self-hosted Quay instance with RHADS - SSC as your container image registry.

Note

If you don’t integrate an existing Quay instance, the RHADS - SSC installer deploys a new instance of Quay. To use it, you must integrate this instance after RHADS - SSC is installed.

Prerequisites

  • A Quay account
  • Ownership of a Quay organization (any plan is supported, including free)

  • Two robot accounts configured in your Quay organization:

    • One with write permission.
    • One with read permission.
Note

Red Hat recommends using a robot account for this integration instead of a user account. A robot account allows automated systems and multiple users to authenticate to the Quay namespace after RHADS - SSC is installed.

To learn how to create and configure a robot account, see: Create and use a robot account in Red Hat Quay.

Procedure

  1. In a web browser, log in to your Quay account.

    1. Browse to your organization’s robot accounts.
    2. Select an appropriate robot account. For example, a robot account with write permission.
    3. In the popup, select Docker Configuration > View [username-robotaccount]-auth.json.
    4. Copy the string value (without quotation marks) that follows "auth":.
    5. Save the auth value and your Quay username to a file, such as values.txt, so that you can use them when constructing the Docker configuration.
    6. Repeat the steps 1b through 1e for the robot account with read permission.
  2. In a separate browser tab, go to the Repositories page.
  3. Under Users and Organizations, click the name of the organization you want to use with RHADS - SSC.
  4. In the left-hand navigation, click Applications.
  5. Click Create New Application and enter a name.
  6. Click the name of the application that you created.
  7. In the left-hand navigation, click Generate Token.
  8. In the permissions list, select View all visible repositories.
  9. Click Generate Access Token.
  10. Click Authorize Application. Quay displays the access token. Copy this token.
Note

You can use an OAuth application instead of a user or robot account. For more information, see: Creating an OAuth 2 access token.

Additionally, only the View all visible repositories permission is required.

  1. In your tssc container, run the following command to integrate Quay with RHADS - SSC, passing all required values inline: 

    # Docker configuration JSON string for the read/write robot account
bash-5.1$ tssc integration quay \
  --dockerconfigjson='{"auths":{"quay.io":{"auth":"<auth_token_write_permission>","email":""}}}' \
  --dockerconfigjsonreadonly='{"auths":{"quay.io":{"auth":"<auth_token_read_permission>","email":""}}}'
  --token="<quay_access_token>" \
  --url="https://quay.io"

    Replace the following values:

    • <auth_token_write_permission>: The value from the auth.json file under "auth": for read and write robot account.
    • <auth_token_read_permission>: The value from the auth.json file under "auth": for read only robot account.
    • <quay_access_token>: The access token you generated via the OAuth application
    • https://quay.io: The Quay instance URL (use your custom URL if self-hosted)
Note

Make sure to enclose the entire --dockerconfigjson value in single quotes to preserve JSON formatting.

4.4. (Optional) Integrating Bitbucket
Copy link

Use this procedure if you want to use Bitbucket Cloud to host your source code for use with RHADS - SSC.

Prerequisites

  • A Bitbucket username. To find your Bitbucket username:

    1. In Bitbucket, click your profile picture in the sidebar and select View profile.
    2. In the sidebar, click Settings. Your username is displayed in the account settings.
  • An app password

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration bitbucket \
  --username="$BB_USERNAME" \
  --app-password="$BB_TOKEN" \
  --host="$BB_URL"

    Replace the following variables:

    • $BB_USERNAME: Your Bitbucket username
    • $BB_TOKEN: Your Bitbucket app password

    • $BB_URL: Your Bitbucket host URL (optional)

      Note

      If you are using the default Bitbucket Cloud host (bitbucket.org), you can omit the --host option.

4.5. (Optional) Integrating GitHub Actions
Copy link

If you want to use GitHub Actions as an alternative continuous integration (CI) provider, no additional configuration is required before installation.

The GitHub application that you created earlier enables GitHub Actions integration for RHADS - SSC.

4.6. (Optional) Integrating GitLab
Copy link

Use this procedure if you want to use GitLab to host your source code or as a continuous integration (CI) provider with RHADS - SSC.

Prerequisites

  • You must have the required permissions to create and manage GitLab jobs.
  • You must have a personal access token. For instructions, see the GitLab API token documentation.
  • You must have a GitLab host URL if you plan to integrate with a custom GitLab host. If you do not specify a host, the system defaults to gitlab.com.
  • You must have the GitLab group name that contains your repositories.

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration gitlab \
  --token="$GL_API_TOKEN" \
  --host="$GL_URL" \
  --group="$GL_GROUP"

    Replace the following variables:

    • $GL_API_TOKEN: Your GitLab personal access token
    • $GL_URL: Your GitLab host URL (omit this option if using gitlab.com)
    • $GL_GROUP: The GitLab group name that contains your repositories

4.7. (Optional) Integrating Jenkins
Copy link

Use this procedure to integrate Jenkins as a continuous integration (CI) provider for RHADS - SSC.

Prerequisites

  • You must have the required permissions to create and manage Jenkins jobs.

  • You must have the following Jenkins credentials:

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration jenkins \
  --token="$JK_API_TOKEN" \
  --url="$JK_URL" \
  --username="$JK_USERNAME"

    Replace the following variables:

    • $JK_API_TOKEN: Your Jenkins API token
    • $JK_URL: The URL of your Jenkins instance
    • $JK_USERNAME: Your Jenkins user ID

4.8. (Optional) Integrating Azure Pipelines
Copy link

Use this procedure to integrate Azure Pipelines with RHADS - SSC.

Prerequisites

  • You must have the required permissions in your Azure subscription to register applications and manage API permissions.
  • You must register a personal access token (PAT). For detailed steps, see the Microsoft documentation: How to generate personal access tokens in Azure DevOps

  • You must collect the following values:

    • AZURE_ORGANIZATION: The name of your Azure DevOps organization (for example, my-org-name)
    • AZURE_HOST_URL: The base URL of your Azure DevOps environment. The default value is dev.azure.com.

  • (Optional) If you use a registered Azure Active Directory (AAD) application to authenticate, also collect:

    Note

    If you do not use a registered AAD application, you must also collect AZURE_API_TOKEN, a personal access token used to authenticate with Azure DevOps.

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration azure \
  --organization="$AZURE_ORGANIZATION" \
  --host="$AZURE_HOST_URL" \
  --token="$AZURE_API_TOKEN" \
  --tenantID="$AZURE_TENANT_ID" \
  --client-id="$AZURE_CLIENT_ID" \
  --client-secret="$AZURE_CLIENT_SECRET"

    Replace the following variables:

    • $AZURE_ORGANIZATION: Your Azure DevOps organization name
    • $AZURE_HOST_URL: Your DevOps base URL (omit this option if using the default dev.azure.com)
    • $AZURE_API_TOKEN: Your personal access token
    • $AZURE_TENANT_ID: (Optional) The AAD tenant ID
    • $AZURE_CLIENT_ID: (Optional) The AAD application client ID
    • $AZURE_CLIENT_SECRET: (Optional) The AAD application client secret

4.9. (Optional) Integrating JFrog Artifactory
Copy link

Use this procedure to integrate an existing instance of JFrog Artifactory with RHADS - SSC. This integration allows you to use your Artifactory repository as the artifact registry during CI/CD operations.

This module helps you configure authentication between RHADS - SSC and your Artifactory instance, enabling seamless storage and retrieval of container images.

Prerequisites

  • Administrator access to an instance of JFrog Artifactory
  • A repository in Artifactory that you want to use with RHADS - SSC

Procedure

  1. In the Artifactory web UI, go to the Administration view.
  2. Click the green Set Up Client/CI Tool button next to the repository that you want to use.
  3. Select Docker Client.

  4. Follow the instructions in the UI to authenticate from your CLI:

    1. The UI generates a token that is used as your Docker password. Save the token to a file, such as values.txt, for reuse in later steps

    2. After logging in to JFrog via the CLI, you should see a message that your password was saved in a file such as ~/.docker/config.json.

      Note

      If you do not see this message, you can manually generate the config.json content in a later step.

  5. In your tssc container, run the following integration command: 

    bash-5.1$ tssc integration artifactory \
  --url="$AF_URL" \
  --dockerconfigjson='$AF_DOCKERCONFIGJSON' \
  --token="$AF_API_TOKEN"

    Replace the following variables:

    • $AF_URL: The URL of your JFrog instance (for example, https://myusername.jfrog.io)
    • $AF_DOCKERCONFIGJSON: The contents of the config.json file where the password was stored

    • $AF_API_TOKEN: The token generated by JFrog

      Note

      Make sure to wrap the $AF_DOCKERCONFIGJSON value in single quotes to preserve the JSON structure.

      If the CLI did not generate the config.json file, you can manually create its contents using the following format: 

      {
  "auths": {
    "<URL for your JFrog instance>": {
      "auth": "<base64 format of username:password>",
      "email": ""
    }
  }
}

Use this procedure to integrate an existing instance of Sonatype Nexus Repository with RHADS - SSC. This integration allows you to use your Nexus repository as an artifact registry during CI/CD operations.

Prerequisites

  • A URL of your Nexus container registry
  • Username and password for your Nexus registry

Procedure

  1. (Optional) Create temporary environment variables and store the following values: 

    REGISTRY_URL="<url to the nexus container registry>"
AUTHFILE='auth.json'  # This file will be created in the next step.

    If you choose not to create these variables, remember to replace the variables in the code examples with relevant values.

  2. Log in to your Nexus container registry using Podman and generate a Docker-compatible authentication file: 

    podman login --authfile="${AUTHFILE}" "${REGISTRY_URL}"

    This command logs in to Nexus, creates an auth.json file, and stores your Nexus username and password in it.

  3. In your tssc container, run the following integration command: 

    tssc integration nexus \
  --url="${REGISTRY_URL}" \
  --dockerconfigjson="$(cat ${AUTHFILE})"

  4. Remove the local auth.json file as it is no longer needed. 

    rm "${AUTHFILE}"
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top