Customizing Red Hat Trusted Application Pipeline
Learn how to customize default software templates and build pipeline configurations.
Abstract
Preface
RHTAP empowers teams with its ready-to-use software templates and build pipeline configurations, designed to seamlessly integrate security practices into your development processes. These tools not only alleviate the burden of security considerations for developers but also enhance focus on innovation.
Cluster administrators play a pivotal role in tailoring these resources to fit the unique requirements of their on-prem environments, including:
- Customizing software templates to meet specific organizational needs
- Modifying build pipeline configurations to align with project goals
- Configuring GitLab Webhooks for automated pipeline triggers
Such customizations streamline development workflows, addressing common concerns around pipelines, vulnerabilities, and policy compliance, thereby letting developers prioritize coding.
Chapter 1. Customizing sample software templates
Learn how to customize ready-to-use software templates for your on-prem environment. Cluster administrators have full control over this process, including modifying metadata and specifications.
Prerequisites
- You have used the forked repository URL from tssc-sample-templates during the RHTAP install process.
Procedure
- Clone your forked repository, and then open it in your preferred text editor, such as Visual Studio Code.
- Locate the properties file within your project directory. This file stores the default values that you can customize. Open it for editing and update the following key-value pairs according to your environment.

  Key: export GITHUB_DEFAULT_HOST
  Description: Set this to the fully qualified domain name of your on-prem GitHub host, that is, the URL without the HTTP protocol and without the .git extension. For example, github-github.apps.cluster-ljg9z.sandbox219.opentlc.com. Default is github.com.

  Key: export GITLAB_DEFAULT_HOST
  Description: Set this to the fully qualified domain name of your on-prem GitLab host, that is, the URL without the HTTP protocol and without the .git extension. For example, gitlab-gitlab.apps.cluster-ljg9z.sandbox219.opentlc.com. Default is gitlab.com.

  Key: export QUAY_DEFAULT_HOST
  Description: Set this to your specific on-prem image registry URL without the HTTP protocol. For example, quay-tv2pb.apps.cluster-tv2pb.sandbox1194.opentlc.com. The default Quay host is quay.io.

  Key: export DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX
  Description: The namespace prefix for deployments within RHTAP. Default is rhtap-app.
  Note: Update this if you have modified the default trusted-application-pipeline: namespace during the RHTAP installation process.

  Figure 1.1. The properties file
- Run the generate.sh script in your terminal. This action adjusts the software templates, replacing default host values with your specified inputs.
  ./generate.sh
  Figure 1.2. The generate.sh script
- Commit and push the changes to your repository. This automatically updates the template in RHDH. Alternatively, you can import and refresh a single template or all customized templates directly in RHDH:
  - Go to your forked sample template repository on your Git provider.
  - For a single template, from the templates directory, select template.yaml and copy its URL from the browser address bar. For example, https://github.com/<username>/tssc-sample-templates/blob/main/templates/devfile-sample-code-with-quarkus-dance/template.yaml. Otherwise, for all the templates, select all.yaml and copy its URL from the browser address bar. For example, https://github.com/<username>/tssc-sample-templates/blob/main/all.yaml.
  - Switch back to the RHDH platform.
  - Select Create > Register Existing Component.
  - In the Select URL field, paste the appropriate URL that you copied in Step 4b.
  - Select Analyze and then select Import to update the templates in RHDH.
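The properties file in step 2 is where a wrong host value does the most damage, because generate.sh writes it into every template. The following script is an added example, not part of the RHTAP documentation or of the tssc-sample-templates repository: it parses the "export KEY=value" lines of a properties file and checks each host against the rules stated above (a bare fully qualified domain name with no HTTP protocol, no .git extension and no path) before you run ./generate.sh. The properties text embedded in it is a constructed sample in which two values deliberately break those rules.

```python
# Added example (not from the RHTAP docs or the tssc-sample-templates project):
# validate the four documented keys of the properties file before running
# ./generate.sh. The sample file content below is constructed for this example.
import re

HOST_KEYS = ("GITHUB_DEFAULT_HOST", "GITLAB_DEFAULT_HOST", "QUAY_DEFAULT_HOST")
ALL_KEYS = HOST_KEYS + ("DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX",)

# Constructed sample: the GitHub value carries a scheme and the Quay value a
# trailing slash, both of which the documentation says to leave out.
SAMPLE_PROPERTIES = """\
# properties file (constructed sample)
export GITHUB_DEFAULT_HOST=https://github-github.apps.cluster-ljg9z.sandbox219.opentlc.com
export GITLAB_DEFAULT_HOST=gitlab-gitlab.apps.cluster-ljg9z.sandbox219.opentlc.com
export QUAY_DEFAULT_HOST=quay-tv2pb.apps.cluster-tv2pb.sandbox1194.opentlc.com/
export DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX=rhtap-app
"""

# 'export KEY=value' with an optional pair of double quotes around the value.
LINE_RE = re.compile(r'^\s*export\s+([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"\s]*)"?\s*$')
# Fully qualified domain name: dot-separated labels, each 1-63 chars, 253 overall.
FQDN_RE = re.compile(r'^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$')


def parse_properties(text):
    """Return {KEY: value} for every 'export KEY=value' line; comments and blank lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_host(key, value):
    """Return the list of documented rules that one host value violates (empty if acceptable)."""
    problems = []
    lowered = value.lower()
    if lowered.startswith(("http://", "https://")):
        problems.append(f"{key}: must not include the HTTP protocol")
    if lowered.endswith(".git"):
        problems.append(f"{key}: must not include the .git extension")
    without_scheme = lowered.split("://", 1)[-1]
    if "/" in without_scheme:
        problems.append(f"{key}: must be a bare host name without a path or trailing slash")
    bare = without_scheme.split("/", 1)[0]
    if bare.endswith(".git"):
        bare = bare[:-4]
    if not FQDN_RE.match(bare):
        problems.append(f"{key}: '{value}' is not a fully qualified domain name")
    return problems


def validate_properties(text):
    """Parse the file and return (values, problems) for the four documented keys."""
    values = parse_properties(text)
    problems = []
    for key in ALL_KEYS:
        if not values.get(key):
            problems.append(f"{key}: missing or empty")
    for key in HOST_KEYS:
        if values.get(key):
            problems.extend(check_host(key, values[key]))
    prefix = values.get("DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX", "")
    # The prefix becomes part of Kubernetes namespace names: lowercase alphanumerics and '-'.
    if prefix and not re.fullmatch(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?", prefix):
        problems.append("DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX: must be a valid namespace name fragment")
    return values, problems


if __name__ == "__main__":
    vals, probs = validate_properties(SAMPLE_PROPERTIES)
    for p in probs:
        print("PROBLEM:", p)
    print("ok" if not probs else f"{len(probs)} problem(s); fix them before running ./generate.sh")
```

To check your own file, replace SAMPLE_PROPERTIES with the contents of the properties file (for example, by reading it with open()); the script reports every violated rule rather than stopping at the first one, so one run shows everything that needs editing.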
Verification
- Consider creating an application to explore the impact of your template customization.
Chapter 2. Customizing sample pipelines
Learn how to update Pipeline as Code (pac) URLs within the sample templates repository and to customize the sample pipelines repository to your workflow. By customizing pac URLs, organizations can leverage specific pipelines tailored to their needs.
Prerequisites
- You have already forked and cloned the following repositories locally: tssc-sample-templates and tssc-sample-pipelines.
Customizing the sample templates repository to update pac URLs
Procedure
Access the forked sample pipelines repository URL:
- Open your forked sample pipelines repository.
- Copy the complete URL from the address bar. For example, https://github.com/<username>/tssc-sample-pipelines.
Update pac URLs in the sample templates repository:
- Navigate to your local cloned sample templates repository using your terminal.
- Run the following command, replacing {fork_url} with the URL copied in step 1 and {branch_name} with your desired branch name (for example, main):
  ./scripts/update-tekton-definition {fork_url} {branch_name}
  For example: ./scripts/update-tekton-definition https://github.com/<username>/tssc-sample-pipelines main
Review, commit, and push changes:
- Review the updated files within your sample templates repository.
- Commit the changes with an appropriate message.
- Push the committed changes to your forked repository.
Customizing the sample pipelines repository to your workflow
The sample pipelines repository provides a foundation upon which you can build your organization’s specific CI/CD workflows. The sample pipelines repository includes several key pipeline templates in the pac directory:
- gitops-repo: This directory holds the pipeline definitions for validating pull requests within your GitOps repository. It triggers the gitops-pull-request pipeline, located in the pipelines directory, validating that image updates comply with organizational standards. This setup is crucial for promotion workflows, where an application’s deployment state is advanced sequentially through environments, such as from development to staging or from staging to production. For more information about pipeline definitions in gitops-repo, refer to Gitops Pipelines.
- pipelines: This directory houses the implementations of the build and validation pipelines that are referenced by the event handlers in both gitops-repo and source-repo. By examining the contents of this directory, you can understand the specific actions performed by the pipelines, including how they contribute to the secure promotion and deployment of applications.
- source-repo: This directory focuses on Dockerfile-based secure supply chain software builds. It includes pipeline definitions for cloning the source, generating and signing artifacts (such as .sig for the image signature, .att for the attestation, and .sbom for the Software Bill of Materials), and pushing these to the user’s image registry. For more information about pipeline definitions in source-repo, refer to Shared Git resolver model for shared pipeline and tasks.
- tasks: This directory houses a collection of tasks that can be added or modified, aligning with organizational needs. For example, Advanced Cluster Security (ACS) tasks can be substituted with alternative checks, or entirely new tasks can be integrated into the pipeline to enhance its functionality and compliance.
Verification
- Consider creating an application to explore the impact of your template and pipeline customization.
Chapter 3. Configuring GitLab Webhooks for automated pipeline triggers
Learn how to set up webhooks and secrets in GitLab to automatically trigger pipeline runs in RHDH upon code updates.
Prerequisites
- You have an existing GitLab project.
- You have administrator privileges on OpenShift web console.
Procedure
Retrieve Webhook URL and Secret Token:
- Log in to the OpenShift web console with Administrator privileges.
- Navigate to the rhtap project, expand Pipelines, and then select PipelineRuns.
- Locate the rhtap-pe-info-<> pipeline run, and then select the Logs tab.
  Note: These logs contain the webhook URL and secret token required for GitLab configuration.
Configure Webhook in GitLab:
- Within your GitLab repository, navigate to Settings > Webhooks.
- In the URL field, enter the webhook URL copied from Step 1.
- In the Secret Token field, enter the secret token copied from Step 1.
In the Trigger section:
- Select Push events.
- Select Merge request events.
- Click Add Webhook.
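The secret token entered above is what lets the receiving side tell a genuine GitLab delivery from anything else that can reach the webhook URL. The following script is an added example, not part of the RHTAP documentation and not the Pipelines as Code receiver that RHTAP actually runs: it shows the checks such an endpoint performs on each delivery, in the order a defender wants them (authenticate the token in constant time, then filter on the two trigger kinds selected above, then parse the body). GitLab sends the configured secret in the X-Gitlab-Token header and the event kind in X-Gitlab-Event ("Push Hook", "Merge Request Hook"); those header names are GitLab's, while the token value and the sample deliveries are constructed placeholders for this example.

```python
# Added example (not from the RHTAP docs and not the Pipelines as Code
# implementation): validate an incoming GitLab webhook delivery.
import hmac
import json

# Constructed placeholder; the real value is read from the rhtap-pe-info-<> pipeline run logs.
EXPECTED_TOKEN = "EXAMPLE-SECRET-TOKEN-FROM-RHTAP-PE-INFO-LOGS"

# Only the two trigger kinds selected in the GitLab webhook configuration above.
ACCEPTED_EVENTS = {"Push Hook", "Merge Request Hook"}


def token_matches(headers, expected=EXPECTED_TOKEN):
    """Constant-time comparison of the X-Gitlab-Token header against the configured secret."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def classify_delivery(headers, body):
    """Return ("accept", summary) for deliveries that should start a pipeline run,
    or ("reject", reason) otherwise. The token is checked before anything is parsed,
    so unauthenticated callers never reach the JSON decoder or the event logic."""
    if not token_matches(headers):
        return "reject", "missing or wrong X-Gitlab-Token"
    event = headers.get("X-Gitlab-Event", "")
    if event not in ACCEPTED_EVENTS:
        return "reject", f"event kind not subscribed: {event or '<none>'}"
    try:
        payload = json.loads(body)
    except ValueError:
        return "reject", "body is not valid JSON"
    project = payload.get("project", {}).get("path_with_namespace", "<unknown>")
    if event == "Push Hook":
        return "accept", f"push to {project} ref {payload.get('ref', '?')}"
    mr = payload.get("object_attributes", {})
    return "accept", f"merge request !{mr.get('iid', '?')} ({mr.get('action', '?')}) in {project}"


# Constructed sample deliveries (headers and minimal JSON bodies).
PUSH_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": EXPECTED_TOKEN}
PUSH_BODY = json.dumps({"ref": "refs/heads/main",
                        "project": {"path_with_namespace": "team/app"}})
MR_HEADERS = {"X-Gitlab-Event": "Merge Request Hook", "X-Gitlab-Token": EXPECTED_TOKEN}
MR_BODY = json.dumps({"project": {"path_with_namespace": "team/app"},
                      "object_attributes": {"iid": 7, "action": "open"}})
BAD_TOKEN_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": "guess"}
# "Tag Push Hook" is a real GitLab event kind, but it was not selected as a trigger above.
UNSUBSCRIBED_HEADERS = {"X-Gitlab-Event": "Tag Push Hook", "X-Gitlab-Token": EXPECTED_TOKEN}

if __name__ == "__main__":
    for name, h, b in [("push", PUSH_HEADERS, PUSH_BODY),
                       ("merge request", MR_HEADERS, MR_BODY),
                       ("bad token", BAD_TOKEN_HEADERS, PUSH_BODY),
                       ("tag push", UNSUBSCRIBED_HEADERS, PUSH_BODY)]:
        print(f"{name:14s} -> {classify_delivery(h, b)}")
```

The rejection reasons are deliberately coarse: a receiver that tells a caller whether the token was absent or merely wrong, or that parses the body before authenticating, gives away more than it needs to. When the verification step below shows no pipeline run, the same three checks (token, event kind, body) are the first things to confirm on the GitLab side.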
Verification
- Push your code changes to the GitLab repository.
- Navigate to the CI tab in RHDH.
- Verify that a pipeline run is triggered for your code push.
Revised on 2024-07-15 21:00:30 UTC