Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Installing Red Hat Advanced Developer Suite - software supply chain

Red Hat Advanced Developer Suite - software supply chain 1.8

Learn how to install Red Hat Trusted Application Pipeline in your cluster.

Red Hat Customer Content Services

Abstract

This document provides information about how to install Red Hat Trusted Application Pipeline in your cluster.

Preface
Copy link

Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) is a suite of products that comprise a highly automated, customizable, and secure platform for building applications.

By default, RHADS - SSC includes the following products:

You can see exactly which versions of these products RHADS - SSC supports in the compatibility and support matrix of our Release notes.

Note

Red Hat Advanced Developer Suite - software supply chain supports many alternatives to this default combination of products. Later in the installation process, this documentation explains how to customize your deployment to meet your needs.

Because a fully-operational instance of RHADS - SSC involves all of the products listed above, installing RHADS - SSC takes some effort. However, we have automated the vast majority of this process with an installation program tool packaged as a container image.

The products that the installation program deploys are production ready, but they are sized for a proof of concept or a very small team. For larger teams, manual reconfiguration of the products is most likely necessary and should be done by following procedures documented for each individual product.

The RHADS - SSC subscription only includes Red Hat Developer Hub, Red Hat Trusted Artifact Signer, Red Hat Trusted Profile Analyzer, and Conforma. The RHADS - SSC installation program deploys all the other products listed above. There are no license requirements for these additional products.

Important

To integrate products and external service with RHADS - SSC, you must run integration commands. These commands support both of the following methods:

  • Manually enter the variable values in your terminal. This guide uses this method in all examples.
  • Create a private.env file and source it to make variables available in your shell session before running integration commands.

To install RHADS - SSC using the installation program, you must complete the following steps:

  1. Download the RHADS - SSC installation program image.
  2. Create a ConfigMap that controls the components and features to install. This configuration is stored in the cluster and used by the installation program during deployment.
  3. (Optional) Customize the ConfigMap to disable products you plan to integrate later.
  4. Integrate products and external services.
  5. Deploy RHADS - SSC.

The following pages of this document explain each of those installation steps in detail.

Hardware requirements for deploying Red Hat Advanced Developer Suite.

Red Hat Advanced Developer Suite (RHADS) installation is a complex, orchestrated deployment that requires a robust and correctly configured hardware environment. Meeting these requirements is critical for a successful installation and for the stable operation of the following RHADS components:

  • Red Hat Advanced Cluster Security (RHACS)
  • Red Hat Developer Hub (RHDH)
  • Conforma
  • OpenShift GitOps
  • OpenShift Pipelines
  • Red Hat Trusted Artifact Signer (RHTAS)
  • Red Hat Trusted Profile Analyzer (RHTPA)
  • Red Hat build of Keycloak

A full RHADS installation requires a minimum 3-node OpenShift Container Platform cluster. The hardware requirements for RHADS are an aggregation of the needs of its individual components, including Red Hat Advanced Cluster Security (RHACS), OpenShift Pipelines, Red Hat Trusted Artifact Signer (RHTAS), and Red Hat Trusted Profile Analyzer (RHTPA). The following table provides the minimum and recommended hardware specifications for each node.

Expand
RoleMinimum CPU (Cores)Minimum RAM (GiB)Recommended CPU (Cores)Recommended RAM (GiB)

Control plane

4 per node

16 per node

8 per node

32 per node

Worker

5 per node

17 per node

8 per node

24 per node

The minimum resource values for worker nodes are derived from combining the default resource requests of all RHADS components. The recommended values provide additional capacity to handle higher workloads, such as a large number of concurrent pipeline runs or a high volume of artifacts to scan and sign. For production deployments, it is crucial to provision resources that can accommodate future growth and potential spikes in activity. You can also customize your solution to meet specific requirements.

Note

All RHADS components require a storage solution with a default storage class that can dynamically provision persistent volumes. The type and capacity of the storage depend on your workload, specifically the number of artifacts stored, the size of pipeline workspaces, and the amount of data in the RHTAS database. Using Red Hat OpenShift Data Platform requires a minimum of 6 nodes.

Hardware requirements for deploying Red Hat Advanced Cluster Security (RHACS).

The minimum and recommended hardware specifications for RHACS include a Central component and several Secured Cluster components. The Central component provides the management interface and a database to store security data. Secured Cluster components, such as the Sensor and Collector, are deployed on each protected cluster to collect and send data to the Central component for analysis.

See Default requirements for Red Hat Advanced Cluster Security for information on the default requirements.

See Recommended requirements for Red Hat Advanced Cluster Security for information on the recommended requirements.

1.2. Red Hat Developer Hub hardware requirements
Copy link

Hardware requirements for deploying Red Hat Developer Hub (RHDH).

RHDH is a containerized application that requires specific hardware resources for its key components. These components include the Developer Hub application itself, its dedicated database, and the operator that manages its lifecycle on an OpenShift Container Platform cluster.

See Sizing requirements for RHDH for the minimum hardware requirements.

Note

The storage size for the OCP database might increase based on the number of software templates, components, and other data you store.

Hardware requirements for deploying Red Hat OpenShift GitOps.

Red Hat OpenShift GitOps is a continuous delivery tool that runs as an Operator on an OpenShift Container Platform cluster. It is composed of several containerized services, each with its own resource requests and limits to ensure proper scheduling and performance within the cluster. Without adequate resources, the cluster might not be able to schedule the necessary pods, which could lead to service instability.

See Sizing requirements for GitOps for minimum hardware requirements.

See Sizing requirements for ArgoCD and Redis for additional hardware requirements.

Note

The resource requirements for each workload can be modified postinstallation to suit the specific needs of your environment.

Hardware requirements for deploying Red Hat OpenShift Pipelines.

Red Hat OpenShift Pipelines is a continuous integration and delivery (CI/CD) solution that is deployed as an Operator on an OpenShift Container Platform cluster. Its resource requirements are specified as requests and limits for the individual pods it uses. These resources are allocated from the underlying OpenShift Container Platform cluster. The following table provides the default CPU and memory allocations for the primary components of Red Hat OpenShift Pipelines.

Expand
ComponentCPU Requests (millicores)CPU Limits (millicores)Memory Requests (MiB)Memory Limits (MiB)

tekton-pipelines-controller

100m

200m

128 MiB

256 MiB

tekton-pipelines-webhook

10m

20m

128 MiB

256 MiB

openshift-pipelines-operator

50m

100m

64 MiB

128 MiB

The actual resource consumption can vary depending on the complexity and number of concurrent pipeline runs. These values can be adjusted after installation to accommodate your specific workload and to optimize resource usage within your cluster.

Important

Persistent storage is a minimum requirement for Red Hat OpenShift Pipelines. This is primarily for workspaces, which allow tasks to share files. The cluster must have a default storage class defined to enable dynamic provisioning of PersistentVolumeClaims (PVCs).

Hardware requirements for deploying Red Hat Trusted Profile Analyzer (RHTPA).

RHTPA is a service that is deployed as an Operator on OpenShift Container Platform. Its resource requirements are defined as requests for CPU and memory from the underlying cluster.

See Resource recommendations for deploying on OpenShift for RHTPA resource recommendations.

These are the minimum default resource requests to ensure that the RHTPA pods can be scheduled and run stably. The actual resource consumption can vary depending on the workload, such as the number and size of the Software Bills of Materials (SBOMs) being analyzed.

Hardware requirements for deploying Red Hat Trusted Artifact Signer (RHTAS).

RHTAS is an Operator that deploys a service that runs on OpenShift Container Platform. The key infrastructure component to consider is the Trillian database, which is a transparent, highly scalable, and cryptographically verifiable data store for all signing and verifying requests. The hardware requirements for RHTAS are primarily driven by the resource needs of this database. The number of CPUs and the amount of memory consumed by the database increase as the number of signing and verifying requests grows.

See Resource recommendations for deploying on OpenShift for the RHTAS resource recommendations.

Red Hat recommends using a dedicated database for production workloads to ensure optimal performance and stability. You can also customize your database solution to meet specific requirements.

The resource requirements for the Red Hat build of Keycloak scale dynamically based on your workload, which includes the number of users, sessions, and concurrent requests.

CPU requirements depend on the number of concurrent requests, with password-based logins being particularly CPU-intensive. It is recommended to have sufficient CPU headroom to handle unexpected load spikes. Memory requirements scale linearly with the number of active user sessions. Each Pod requires a base amount of memory, with additional memory needed for every active session to ensure stable performance. Database requirements necessitate a separate, production-ready database such as PostgreSQL. Its storage and resource needs will grow with the number of users and the amount of data stored.

For a detailed explanation of Keycloak resource sizing, see Concepts for sizing CPU and memory resources.

The Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) installation program is not a package manager. It does not support upgrades. The installation program installs the first deployment of RHADS - SSC. After installation, you must manage each product within RHADS - SSC separately.

If you are upgrading an existing installation of RHADS - SSC, update the components individually.

Upgrading Red Hat Developer Hub

To upgrade Red Hat Developer Hub (RHDH), you must upgrade the Operator. For Red Hat Advanced Developer Suite - software supply chain 1.8, use RHDH Operator version 1.8.

See Upgrading the Red Hat Developer Hub Operator for details.

Upgrading Red Hat Advanced Cluster Security

To upgrade Red Hat Advanced Cluster Security (RHACS), you must upgrade the Operatoror. For Red Hat Advanced Developer Suite - software supply chain 1.8, use RHACS Operator version 4.8.

See Upgrading the Red Hat Developer Hub Operator for details.

Upgrading Red Hat Trusted Profile Analyzer

To upgrade Red Hat Trusted Profile Analyzer (RHTPA) to version 1.3, you must migrate the data and use the RHTPA 2.1 Helm chart for OpenShift.

See Migrating your data before an upgrade for details.

Upgrading Red Hat Trusted Artifact Signer

To upgrade Red Hat Trusted Artifact Signer (RHTAS), you must upgrade the Operator to version 2.1 using the Operator Lifecycle Manager.

See Installing Trusted Artifact Signer using the Operator Lifecycle Manager for details. See Preparing for an Operator update for additional details.

Upgrading Red Hat OpenShift Pipelines

To upgrade Red Hat OpenShift Pipelines, you must upgrade the Operator to version 1.20 using the Operator Lifecycle Manager.

See Installing the Red Hat OpenShift Pipelines Operator in web console for upgrade details. See Preparing for an Operator update for additional details.

Use this procedure to download the Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) installation program image, and start the container. The installation program CLI (tssc) runs inside this container and automates the deployment and integration of RHADS - SSC components.

This step ensures that your environment is securely configured before you begin the installation.

Prerequisites

  • A container management tool on your workstation, such as Podman or Docker.

Procedure

  1. Download the RHADS - SSC installation program image by running the following command: 

    $ podman pull quay.io/redhat-tssc/cli:1.8.1
    Copy to Clipboard Toggle word wrap

  2. Start the installation program container by running the following command: 

    $ podman run \
  -it \
  --entrypoint bash \
  --publish 8228:8228 \
  --rm \
  cli:1.8.1
    Copy to Clipboard Toggle word wrap
    --entrypoint bash
    Opens the container with an interactive Bash shell.
    --publish 8228:8228
    Exposes port 8228, which is required for GitHub or GitLab App creation during the integration process.
    cli:1.8.1
    Specifies the RHADS - SSC installation program image you pulled in the previous step.

Chapter 4. Creating the config.yaml file
Copy link

Use this procedure to create the config.yaml file. This file defines how Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) is deployed in your OpenShift cluster. It also enables RHADS - SSC to detect and use any external integrations that you configure during installation.

Prerequisites

  • cluster-admin access to your OpenShift Container Platform (OCP) cluster
  • An active tssc container session

Procedure

  1. In the tssc container, log in to your OpenShift cluster as a cluster administrator: 

    bash-5.1$ oc login https://api.<cluster-domain>:6443 \
  --username=cluster-admin \
  --password=<your-password>
    Copy to Clipboard Toggle word wrap

  2. Create the default configuration file: 

    bash-5.1$ tssc config --create
    Copy to Clipboard Toggle word wrap
    Note

    This command creates a config.yaml file that defines which components RHADS - SSC installs and supports integration with pre-existing services. You can customize this file later to match your environment and deployment requirements.

Chapter 5. Customizing the config.yaml file
Copy link

Customize the config.yaml file before integrating external products and services to preserve your integration settings during installation.

Prerequisites

  • You have access to the OpenShift Web Console.
  • You plan to integrate at least one external product or service (For example, RHACS or Quay).

  • (Optional) Forked software catalog repository URL. RHADS - SSC provides a catalog of software templates that help developers scaffold applications. To customize these templates, fork the repository before installation.

    1. In your browser, go to the RHADS - SSC software catalog repository.

    2. Click Fork to fork the repository.

      1. Clear the box labeled Copy the main branch only.
    3. When the fork is created, copy its URL and save it in the private.env file.
    4. In the forked repository, click main to open the branch/tag dropdown.

    5. Under Tags, select the release that matches your RHADS - SSC version.

      Note

      Update your fork periodically to include changes from the upstream repository.

Procedure

  1. In the OpenShift console, switch to the Administrator perspective.
  2. Go to Workloads > ConfigMaps.
  3. From the Project drop down list, select tssc.
  4. Open the tssc-config ConfigMap.

  5. Select the YAML view and navigate to where config.yaml parameters are defined.

    Note

    To avoid reinstalling operator subscriptions already present on your cluster, set manageSubscription: false.

    • manageSubscription: true (default): The installation program manages and installs all required operator subscriptions.
    • manageSubscription: false: The installation program skips installing required operator subscriptions. When set to false, Operators installed before deploying RHADS must have Update Approval set to Automatic. If it is set to Manual, the installation might fail with a timeout.
    • Ensure that existing operators are compatible with RHADS - SSC. Incompatible versions might cause installation failure.

Customize the tssc.products section to adjust the default products and features. The config.yaml file is structured under the main tssc object with these key attributes:

  • namespace: Defines the default installation namespace (typically tssc), serving as the primary operational area.
  • settings: Controls global deployment settings and properties.
  • products: Lists products and features for deployment, each identified by a unique name with associated properties.

Procedure

  1. To use a custom software catalog, set the catalogURL: 

        - name: Developer Hub
      properties:
        catalogURL: https://github.com/redhat-appstudio/tssc-sample-templates/blob/release-v1.7.x/all.yaml
    Copy to Clipboard Toggle word wrap

  2. To disable automatic installation of components that are already integrated externally, set enabled: false: 

        - name: Advanced Cluster Security
      enabled: false
      namespace: tssc-acs
    Copy to Clipboard Toggle word wrap
    Note

    If external integrations are not correctly reflected in the config.yaml, the installation program will deploy default components. Update the file to prevent unintended provisioning.

  3. To select your Identity and Access Management (IAM) provider, set authProvider: 

        - name: Developer Hub
        authProvider: <github|gitlab>
    Copy to Clipboard Toggle word wrap

    You can specify github (default) or gitlab.

    Important

    You must integrate the authentication provider that you choose.

  4. To enable role-based access control (RBAC) for Developer Hub, set RBAC.enabled to true: 

        - name: Developer Hub
        authProvider: <github|gitlab>
        RBAC:
          enabled: true
        # adminUsers:
        #   - <username>
        # orgs:
        #   - <github_org>
    Copy to Clipboard Toggle word wrap
    Note

    If you do not define adminUsers, the installation program defaults to the GitHub or GitLab credentials specified during integration. If you specify GitHub as your IAM provider, you can specify an orgs list, but if you specify GitLab it will ignore the orgs list and default to the organization specified in the integration configuration.

  5. To use custom namespace prefixes instead of the default ones, configure the namespacePrefixes property. By default, RHADS - SSC creates the following namespaces during installation:

    • tssc-app-ci: For continuous integration pipeline workloads

    • tssc-app-development, tssc-app-stage, and tssc-app-prod: For development, staging, and production deployments

      You can customize the prefixes for these namespaces and define additional sets. For example: 

          - name: Developer Hub
      namespacePrefixes:
        - my_prefix1  # This generates the following namespaces: `my_prefix1-app-ci`, `my_prefix1-app-development`, `my_prefix1-app-stage`, `my_prefix1-app-prod`
        - my_prefix2 # This generates the following namespaces: `my_prefix2-app-ci`, `my_prefix2-app-development`, `my_prefix2-app-stage`, `my_prefix2-app-prod`
      Copy to Clipboard Toggle word wrap
  6. After you complete all necessary changes, you can push it to the cluster using the tssc config --create ` command. If you are updating a configuration that you have already pushed, specify the `--force option too. Once you push the configuration, you can run the tssc deploy command again to implement the changes.

You must integrate existing products or replace default components before installing Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC). Integrating pre-existing services helps avoid data duplication and unnecessary deployments.

The RHADS - SSC installation program deploys a network of products that work together to form a secure, automated CI/CD platform. However, one of these products, Advanced Cluster Security (ACS), might already be installed in your environment. If you have an existing instance, you can integrate it into your RHADS - SSC deployment.

Integration prevents data loss and avoids deploying duplicate services. If you do not integrate an existing instance, the installation program automatically creates a new instance in a new namespace.

Additionally, you can replace the default Git, CI, and registry components with supported alternatives. You can enable more than one alternative for some categories, such as source code repositories or CI tools. The following table lists the default components, their purpose, and the alternatives you can use:

Expand
ProductPurposeSupported alternatives

GitHub

Source code repository

  • GitLab
  • Bitbucket Cloud

Tekton

CI pipeline engine

  • Jenkins
  • GitHub Actions
  • GitLab CI
  • Azure Pipelines (Technology Preview)

Quay

Artifact registry

  • JFrog Artifactory
  • Sonatype Nexus Repository
Note

To integrate products or customize your installation, you must run all relevant tssc commands inside a container that is logged in to your OpenShift cluster with cluster-admin privileges.

CI pipeline alternatives conform to SLSA Build Level 2. Only Tekton conforms to SLSA Build Level 3.

Important

When you replace the default Git, CI, or registry providers, RHADS - SSC installs corresponding plugins in Red Hat Developer Hub. Most of these plugins are in Technology Preview or are community-maintained.

Replacing default components is not recommended for production environments due to potential security risks and limited support.

For details, see the plugin support matrix in the Red Hat Advanced Developer Suite - software supply chain release notes and the RHDH plugin documentation.

As of version 1.7, RHADS - SSC does not install Quay by default. You must integrate Quay, JFrog Artifactory, or Sonatype Nexus Repository to use as your container image registry or installation will fail.

The following procedures explain how to customize your installation of RHADS - SSC by integrating pre-existing services and supported alternatives.

6.1. Integrating GitHub
Copy link

Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) uses GitHub by default to authenticate users and to create and manage application repositories. Before you install RHADS - SSC, you must configure GitHub to support these capabilities if you have specified GitHub as your Identity and Access Management (IAM) provider.

To enable GitHub integration, complete the following procedures:

  1. Create a GitHub personal access token.
  2. Create a GitHub application.

6.1.1. Creating a GitHub personal access token
Copy link

You must own a GitHub organization to create a personal access token (PAT). You can use an existing GitHub organization, create a new one, or request ownership from an administrator.

After installation, the GitHub organization provides a location where users generate repositories for their applications.

Prerequisites

  • Ownership of a GitHub organization
  • A GitHub user account with permission to create personal access tokens
  • Access to GitHub Developer settings

Procedure

  1. Go to your Developer settings page on GitHub.
  2. In the left navigation panel, under Personal access tokens, click Tokens (classic).
  3. From the Generate new token drop-down menu, select Generate new token (classic). Authenticate if prompted.
  4. Enter a name, select an expiration date, and under Select scopes, select repo. This automatically includes all scopes from repo:status to security_events.
  5. Click Generate token. GitHub redirects you to a new page where your token is displayed.
  6. (Optional) Save the token to a file, such as values.txt, for reuse in later steps.

6.1.2. Creating a GitHub application
Copy link

Creating a GitHub application for RHADS - SSC allows developers to authenticate to Red Hat Developer Hub, the web-based interface for interacting with RHADS - SSC. It also allows RHADS - SSC to access your GitHub organization and create repositories.

You must create and install this application in the same GitHub organization that you plan to use with RHADS - SSC. The installation program automates most of the configuration.

Prerequisites

  • A GitHub personal access token with repo scope
  • The name of your GitHub organization
  • A name to assign to your GitHub application
  • Valid credentials for registry.redhat.io
  • cluster-admin access to an OpenShift cluster
  • Access to the terminal or container where the tssc is installed

Procedure

  1. Set the GitLab API token to an environment variable by running the following command: 

    bash-5.1$ export GL_API_TOKEN=<api_token>
    Copy to Clipboard Toggle word wrap

  2. Set the GitLab organization name to an environment variable by running the following command: 

    bash-5.1$ export GL_ORG_NAME="<gitlab_org_name>"
    Copy to Clipboard Toggle word wrap

  3. Set the GitLab application name to an environment variable by running the following command: 

    bash-5.1$ export GL_APP_NAME="<gitlab_org_name>"
    Copy to Clipboard Toggle word wrap

  4. Create the GitHub application by running the following command: 

    bash-5.1$ tssc integration github-app \
  --create \
  --token="$GL_API_TOKEN" \
  --org="$GH_ORG_NAME" \
  $GH_APP_NAME
    Copy to Clipboard Toggle word wrap
  5. Copy the URL from the command output and open it in a browser.
  6. Click Create your GitHub App.
  7. If prompted, authenticate to GitHub.
  8. Click Create GitHub App for <your organization>.
  9. When the application is created, click the link in the success message to install the application in your GitHub organization.
  10. On the redirected GitHub page, click Install.
  11. Select the GitHub organization that you are using for RHADS - SSC.

  12. When prompted, select All repositories, and click Install.

    Note

    You might want to keep this GitHub page open. The banner includes a link (beginning with https://backstage-developer-hub-rhtap…​) to access RHADS - SSC after installation.

6.2. Integrating GitLab
Copy link

Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) uses GitHub as your Identity and Access Management (IAM) provider by default to authenticate users and to create and manage application repositories. Use this procedure if you want to use GitLab instead of GitHub as your IAM provider, and host your source code or act as a continuous integration (CI) provider with RHADS - SSC.

Prerequisites

  • You must have the required permissions to create and manage GitLab jobs.
  • You must have the application ID and secret.
  • You must have a personal access token. For instructions, see the GitLab API token documentation.
  • You must have a GitLab host URL if you plan to integrate with a custom GitLab host. If you do not specify a host, the system defaults to gitlab.com.
  • You must have the GitLab group name that contains your repositories.
  • You must have access to the tssc container CLI.

Procedure

  1. Set the application ID to an environment variable by running the following command: 

    bash-5.1$ export GL_APP_ID=<app_id>
    Copy to Clipboard Toggle word wrap

  2. Set the application secret to an environment variable by running the following command: 

    bash-5.1$ export GL_APP_SECRET=<app_secret>
    Copy to Clipboard Toggle word wrap

  3. Set the GitLab API token to an environment variable by running the following command: 

    bash-5.1$ export GL_API_TOKEN=<api_token>
    Copy to Clipboard Toggle word wrap

  4. Set the GitLab URL to an environment variable by running the following command: 

    bash-5.1$ export GL_URL=<url>
    Copy to Clipboard Toggle word wrap

  5. Set the GitLab group to an environment variable by running the following command: 

    bash-5.1$ export GL_GROUP=tssc
    Copy to Clipboard Toggle word wrap

  6. Integrate GitLab by running the following command: 

    bash-5.1$ tssc integration gitlab \
  --token="$GL_API_TOKEN" \
  --host="$GL_URL" \
  --group $GL_GROUP \
  --app-id $GL_APP_ID \
  --app-secret $GL_APP_SECRET
  --insecure
    Copy to Clipboard Toggle word wrap

6.3. Integrating RHACS
Copy link

Use this procedure to integrate an existing instance of Advanced Cluster Security (RHACS) into your RHADS - SSC installation.

Integrating RHACS ensures that your deployment uses your existing configuration and data instead of creating a new RHACS instance.

Prerequisites

  • Administrator access to an existing RHACS instance

Procedure

  1. Before you integrate RHACS, obtain an API token and the Central endpoint URL. The URL must include the protocol, hostname, and port. For example, https://central-rhacs.example.com:443.

    1. Follow the instructions at Create an RHACS API token to generate the token.
    2. Save the token to a file, such as values.txt, for reuse in later steps.
    3. Follow the instructions at Configure the Central endpoint URL to locate your ACS Central endpoint.
    4. Save the endpoint URL to a file, such as values.txt, for reuse in later steps.

  2. In your tssc container, run the following integration command: 

    bash-5.1$ tssc integration acs \
  --endpoint="$ACS_ENDPOINT" \
  --token="$ACS_TOKEN"
    Copy to Clipboard Toggle word wrap

    Replace the following variables:

    • $ACS_ENDPOINT: The URL of your RHACS Central endpoint
    • $ACS_TOKEN: The RHACS API token

6.4. Integrating Bitbucket
Copy link

Use this procedure if you want to use Bitbucket Cloud to host your source code for use with RHADS - SSC.

Prerequisites

  • A Bitbucket username. To find your Bitbucket username:

    1. In Bitbucket, click your profile picture in the sidebar and select View profile.
    2. In the sidebar, click Settings. Your username is displayed in the account settings.
  • An app password

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration bitbucket \
  --username="$BB_USERNAME" \
  --app-password="$BB_TOKEN" \
  --host="$BB_URL"
    Copy to Clipboard Toggle word wrap

    Replace the following variables:

    • $BB_USERNAME: Your Bitbucket username
    • $BB_TOKEN: Your Bitbucket app password

    • $BB_URL: Your Bitbucket host URL (optional)

      Note

      If you are using the default Bitbucket Cloud host (bitbucket.org), you can omit the --host option.

6.5. (Optional) Integrating GitHub Actions
Copy link

If you want to use GitHub Actions as an alternative continuous integration (CI) provider, no additional configuration is required before installation.

The GitHub application that you created earlier enables GitHub Actions integration for RHADS - SSC.

6.6. Integrating Jenkins
Copy link

Use this procedure to integrate Jenkins as a continuous integration (CI) provider for RHADS - SSC.

Prerequisites

  • You must have the required permissions to create and manage Jenkins jobs.

  • You must have the following Jenkins credentials:

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration jenkins \
  --token="$JK_API_TOKEN" \
  --url="$JK_URL" \
  --username="$JK_USERNAME"
    Copy to Clipboard Toggle word wrap

    Replace the following variables:

    • $JK_API_TOKEN: Your Jenkins API token
    • $JK_URL: The URL of your Jenkins instance
    • $JK_USERNAME: Your Jenkins user ID

6.7. Integrating Azure Pipelines
Copy link

Use this procedure to integrate Azure Pipelines with RHADS - SSC.

Prerequisites

  • You must have the required permissions in your Azure subscription to register applications and manage API permissions.
  • You must register a personal access token (PAT). For detailed steps, see the Microsoft documentation: How to generate personal access tokens in Azure DevOps

  • You must collect the following values:

    • AZURE_ORGANIZATION: The name of your Azure DevOps organization (for example, my-org-name)

    • AZURE_HOST_URL: The base URL of your Azure DevOps environment. The default value is dev.azure.com.

      Note

      You must collect AZURE_API_TOKEN, a personal access token used to authenticate with Azure DevOps.

Procedure

  1. In the tssc container, run the following integration command: 

    bash-5.1$ tssc integration azure \
  --organization="$AZURE_ORGANIZATION" \
  --host="$AZURE_HOST_URL" \
  --token="$AZURE_API_TOKEN" \
    Copy to Clipboard Toggle word wrap

    Replace the following variables:

    • $AZURE_ORGANIZATION: Your Azure DevOps organization name.
    • $AZURE_HOST_URL: Your DevOps base URL (omit this option if using the default dev.azure.com).
    • $AZURE_API_TOKEN: Your personal access token.

6.8. Integrating Quay
Copy link

Use this procedure to integrate an existing Quay organization or a self-hosted Quay instance with Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) as your container image registry.

Prerequisites

  • A Quay account.
  • Ownership of a Quay organization (any plan is supported, including free).
  • A team in the organization with Creator permissions.

  • Two robot accounts configured in your Quay organization:

    • One with write permission.
    • One with read permission.
  • The write robot account must be a member of the team with Creator permissions.
Note

Red Hat recommends using robot accounts for this integration instead of a user account. A robot account allows automated systems and multiple users to authenticate to the Quay namespace after RHADS - SSC is installed.

To learn how to create and configure a robot account, see Create and use a robot account in Red Hat Quay.

To learn how to add a robot account to a team, see Adding users to a team.

To learn how to configure a team with Creator permissions, see Setting a team role.

Procedure

  1. In a web browser, log in to your Quay account.

    1. Browse to your organization’s robot accounts.
    2. Select an appropriate robot account. For example, a robot account with write permission.
    3. In the pop-up, select Docker Configuration > View [username-robotaccount]-auth.json.
    4. Copy the string value (without quotation marks) that follows "auth":.
    5. Save the auth value and your Quay username to a file, such as values.txt, so that you can use them when constructing the Docker configuration.
    6. Repeat the steps 1b through 1e for the robot account with read permission.
  2. In a separate browser tab, go to the Repositories page.
  3. Under Users and Organizations, click the name of the organization you want to use with RHADS - SSC.
  4. In the navigation, click Applications.
  5. Click Create New Application and enter a name.
  6. Click the name of the application that you created.
  7. In the navigation, click Generate Token.
  8. In the permissions list, select View all visible repositories.
  9. Click Generate Access Token.

  10. Click Authorize Application. Quay displays the access token. Copy this token.

    Note

    You can use an OAuth application instead of a user or robot account. For more information, see: Creating an OAuth 2 access token.

    Additionally, only the View all visible repositories permission is required.

  11. In your tssc container, run the following command to integrate Quay with RHADS - SSC, passing all required values inline: 

    # Docker configuration JSON string for the read/write robot account
bash-5.1$ tssc integration quay \
  --dockerconfigjson='{"auths":{"quay.io":{"auth":"<auth_token_write_permission>","email":""}}}' \
  --dockerconfigjsonreadonly='{"auths":{"quay.io":{"auth":"<auth_token_read_permission>","email":""}}}' \
  --token="<quay_access_token>" \
  --url="https://quay.io"
    Copy to Clipboard Toggle word wrap

    Replace the following values:

    • <auth_token_write_permission>: The value from the auth.json file under "auth": for read and write robot account.
    • <auth_token_read_permission>: The value from the auth.json file under "auth": for read only robot account.
    • <quay_access_token>: The access token you generated via the OAuth application

    • https://quay.io: The Quay instance URL (use your custom URL if self-hosted)

      Note

      Make sure to enclose the entire --dockerconfigjson value in single quotes to preserve JSON formatting.

6.9. Integrating JFrog Artifactory
Copy link

Use this procedure to integrate an existing instance of JFrog Artifactory with RHADS - SSC. This integration allows you to use your Artifactory repository as the artifact registry during CI/CD operations.

This module helps you configure authentication between RHADS - SSC and your Artifactory instance, enabling seamless storage and retrieval of container images.

Prerequisites

  • Administrator access to an instance of JFrog Artifactory
  • A repository in Artifactory that you want to use with RHADS - SSC

Procedure

  1. In the Artifactory web UI, go to the Administration view.
  2. Click the Set Up Client/CI Tool button next to the repository that you want to use.
  3. Select Docker Client.

  4. Follow the instructions in the UI to authenticate from your CLI:

    1. The UI generates a token that is used as your Docker password. Save the token to a file, such as values.txt, for reuse in later steps

    2. After logging in to JFrog via the CLI, you should see a message that your password was saved in a file such as ~/.docker/config.json.

      Note

      If you do not see this message, you can manually generate the config.json content in a later step.

  5. In your tssc container, run the following integration command: 

    bash-5.1$ tssc integration artifactory \
  --url="$AF_URL" \
  --dockerconfigjson='$AF_DOCKERCONFIGJSON' \
  --token="$AF_API_TOKEN"
    Copy to Clipboard Toggle word wrap

    Replace the following variables:

    • $AF_URL: The URL of your JFrog instance (for example, https://myusername.jfrog.io)
    • $AF_DOCKERCONFIGJSON: The contents of the config.json file where the password was stored

    • $AF_API_TOKEN: The token generated by JFrog

      Note

      Make sure to wrap the $AF_DOCKERCONFIGJSON value in single quotes to preserve the JSON structure.

      If the CLI did not generate the config.json file, you can manually create its contents by using the following format: 

      {
  "auths": {
    "<jfrog_instance_url>": {
      "auth": "<base64_format_of_username:password>",
      "email": ""
    }
  }
}
      Copy to Clipboard Toggle word wrap

6.10. Integrating Sonatype Nexus Repository
Copy link

Use this procedure to integrate an existing instance of Sonatype Nexus Repository with RHADS - SSC. This integration allows you to use your Nexus repository as an artifact registry during CI/CD operations.

Prerequisites

  • A URL of your Nexus container registry
  • Username and password for your Nexus registry

Procedure

  1. (Optional) Create temporary environment variables and store the following values: 

    REGISTRY_URL="<url to the nexus container registry>"
AUTHFILE='auth.json'  # This file will be created in the next step.
    Copy to Clipboard Toggle word wrap

    If you choose not to create these variables, remember to replace the variables in the code examples with relevant values.

  2. Log in to your Nexus container registry using Podman and generate a Docker-compatible authentication file: 

    podman login --authfile="${AUTHFILE}" "${REGISTRY_URL}"
    Copy to Clipboard Toggle word wrap

    This command logs in to Nexus, creates an auth.json file, and stores your Nexus username and password in it.

  3. In your tssc container, run the following integration command: 

    tssc integration nexus \
  --url="${REGISTRY_URL}" \
  --dockerconfigjson="$(cat ${AUTHFILE})"
    Copy to Clipboard Toggle word wrap

  4. Remove the local auth.json file as it is no longer needed. 

    rm "${AUTHFILE}"
    Copy to Clipboard Toggle word wrap

Chapter 7. Deploying RHADS - SSC
Copy link

Use this procedure to install Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) after completing all required configurations.

Prerequisites

  • The tssc container is running.
  • You are logged into your OpenShift cluster with cluster-admin access.
  • You have customized the config.yaml file.

Procedure

  1. In the container terminal, run the deployment command: 

    bash-5.1$ tssc deploy
    Copy to Clipboard Toggle word wrap
    Note

    The installation process typically takes around an hour to complete if all the components are deployed. Additionally, Advanced Cluster Security (ACS) checks can take up to 45 minutes to complete and might fail due to a timeout. If deployment fails, run the tssc deploy command again before contacting support.

    You can run the installation program multiple times, but doing so after manually changing the configuration of a product might have unpredictable results.

  2. Monitor the command output. As the deployment progresses, the CLI prints useful information, including URLs and access instructions for the deployed components. You can save the output to a file, such as values.txt, for future reference. The output might include:

    1. The Developer Hub (Backstage) URL
    2. ACS, and other dashboards (if deployed)
    3. Component-specific guidance or status messages

  3. To access the Developer Hub UI, use the link provided on your GitHub App page or the one shown in the installation output. It begins with: 

    https://backstage-developer-hub-tssc-dh.apps.<cluster_name>.<base_domain>
    Copy to Clipboard Toggle word wrap

Chapter 8. RHADS credentials reference
Copy link

After deploying Red Hat Advanced Developer Suite (RHADS), retrieve the credentials from secrets to access the components. Use the oc CLI in the relevant namespace. Replace <cluster_name> with your OpenShift Container Platform cluster name and <base_domain> with your base domain.

Note

Secrets contain sensitive data, such as admin passwords or client secrets. Retrieve them securely, rotate immediately in production, and follow your organization’s access policies. Handle secrets securely. Avoid echoing to logs or sharing in plain text. Use tools like oc with --dry-run for testing.

Use the following tables for quick access to namespaces, logins, secrets, passwords, and endpoints.

Expand
Table 8.1. Red Hat Advanced Cluster Security (RHACS)
PropertyDetails

Namespace

tssc-acs

Login

admin

Secret

central-htpasswd

Password 

$ oc -n tssc-acs get secret central-htpasswd \
-o go-template='{{printf "%s\n"
(index .data "password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

https://central-tssc-acs.apps.<cluster_name>.<base_domain>

Expand
Table 8.2. Red Hat OpenShift GitOps (ArgoCD)
PropertyDetails

Namespace

tssc-gitops

Login

admin

Admin Secret

tssc-gitops-cluster

Admin Password 

$ oc -n tssc-gitops get secret tssc-gitops-cluster \
  -o go-template='{{printf "%s\n"
  (index .data "admin.password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Integration Secret

tssc-argocd-integration

Integration Password 

$ oc -n tssc-gitops get secret tssc-argocd-integration \
  -o go-template='{{printf "%s\n"
  (index .data "admin.password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

https://tssc-gitops-server-tssc-gitops.apps.<cluster_name>.<base_domain>

Expand
Table 8.3. Red Hat Advanced Cluster Security (RHACS)
PropertyDetails

Namespace

tssc-keycloak

Login

admin

Secret

keycloak-initial-admin

Password 

oc -n tssc-keycloak get secret keycloak-initial-admin \
  -o go-template='{{printf "%s\n"
  (index .data "password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

https://sso.apps.<cluster_name>.<base_domain>

Expand
Table 8.4. Red Hat Trusted Artifact Signer (RHTAS)
PropertyDetails

Namespace

tssc-tas

Login

(Via Keycloak realm: trusted-artifact-signer)

Secret

trusted-artifact-signer-user

Password 

$ oc -n tssc-tas get secret trusted-artifact-signer-user \
  -o go-template='{{printf "%s\n"
  (index .data "password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

https://sso.apps.<cluster_name>.<base_domain>/realms/trusted-artifact-signer/account/

Expand
Table 8.5. Red Hat Trusted Profile Analyzer (RHTPA)
PropertyDetails

Namespace

tssc-tpa

Login

admin (chicken realm)

Secret

tpa-realm-chicken-admin (Additional clients: tpa-realm-chicken-clients)

Password 

$ oc -n tssc-tpa get secret tpa-realm-chicken-admin \
  -o go-template='{{printf "%s\n"
  (index .data "password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

  • Keycloak: https://sso.apps.<cluster_name>.<base_domain>/realms/chicken
  • Bombastic API: sbom-tssc-tpa.apps.<cluster_name>.<base_domain>
  • Documentation: https://docs-tssc-tpa.apps.<cluster_name>.<base_domain>
  • SPOG API: api-tssc-tpa.apps.<cluster_name>.<base_domain>
Expand
Table 8.6. Red Hat Developer Hub (RHDH)
PropertyDetails

Namespace

tssc-dh

Login

admin

Secret

oc get secrets -n tssc-dh | grep admin

Password 

$ oc -n tssc-dh get secret <rhdh-admin-secret> \
  -o go-template='{{printf "%s\n"
  (index .data "admin-password" | base64decode)}}'
Copy to Clipboard Toggle word wrap

Endpoints

https://backstage-developer-hub-tssc-dh.apps.<cluster_name>.<base_domain>

Tip
  • Run password commands with oc in the listed namespace.
  • Run oc get routes -n <namespace> for available endpoints in each namespace.
  • You can also get secrets from the OpenShift Container Platform console under Workloads > Secrets.
  • You can also get routes from the OpenShift Container Platform console under Workloads > Topology.

Revised on 2026-02-04 23:24:14 UTC

Legal Notice
Copy link

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top