Red Hat SummitRelease notes for Red Hat Trusted Application Pipeline 1.0
Explore new features in this release and learn about known issues.
Abstract
Preface
The release notes for Red Hat Trusted Application Pipeline summarize new features and enhancements, notable technical changes, features in Technology Preview, bug fixes, known issues, and other related advisories or information.
Chapter 1. About Red Hat Trusted Application Pipeline
Sophisticated applications have complex software supply chains, and the longer a software supply chain is, the more vulnerable it is to attacks of all kinds. Secure every phase of your software development lifecycle with Red Hat Trusted Application Pipeline (RHTAP). RHTAP can build, test, deploy, and monitor your source code with secure CI/CD, and its comprehensive set of security tools protects your complete software supply chain.
Key RHTAP features
- Continuously build, test, and deploy container images from your Git source code to a built-in development environment.
- Ready-to-use templates to start learning and customizing right away.
- Build Java, Python, Node, Go, or npm-based apps into container images.
- Access to Red Hat Developer Hub as your self-serve developer portal.
- Generate, check, and manage your software bill of materials (SBOM).
- Cryptographically sign and attest container image provenance with Tekton chains.
- Verify container image SLSA compliance up to level 3, against more than 40 rules.
- Vulnerabilities scanning with each merge request to identify and address any security threats at the earliest stage possible.
Who’s the target user?
If you’re a platform engineer, application developer, or security team member, you’re in the right place. In Red Hat Trusted Application Pipeline, you’ll find everything you need to install, configure, and customize the internal developer portal to secure your software supply chain across the development lifecycle.
How does it work?
Red Hat Trusted Application Pipeline (RHTAP) empowers you to streamline and secure your entire DevSecOps CI/CD process.
Secure development from the onset
Once RHTAP is installed and configured, access pre-built, secure templates within Red Hat Developer Hub. Simply select the appropriate ready-to-use software template, fill in the necessary details, and create a new application. This creates a dedicated development environment that includes everything you need: a code repository (source code and GitOps repositories), technical documentation, and a continuous integration/continuous delivery (CI/CD) pipeline.
Security scans throughout the development lifecycle
Editing the source code triggers a pipeline run within your application. This pipeline ensures every build artifact is signed and attested for authenticity. It also scans for vulnerabilities in your code and automatically generates Software Bills of Materials (SBOMs). These SBOMs detail all components, libraries, and dependencies included in the container image, providing complete transparency into your application’s makeup.
Review, Refine, and Release
The pipeline presents any identified vulnerabilities for your review and remediation. You can also review the SBOM to gain a deeper understanding of your application’s components. Depending on your promotional workflow, you might advance your application through development, staging, and finally to production. Each promotion triggers another pipeline run, scanning for vulnerabilities and enforcing your Enterprise Contract (EC). The EC ensures that container images meet predefined quality and security standards before release. Should an image fail to meet these criteria, the EC issues a detailed report identifying the necessary corrections.
This streamlined approach with RHTAP allows developers to focus on innovation while upholding the highest security standards throughout the development lifecycle.
To better understand how RHTAP works, take a look at the following descriptive list of the various components and technologies that support and are supported by RHTAP.
| Components and technologies | Description |
|---|---|
| Red Hat Developer Hub | RHDH gives you access to countless resources and tools for secure software development, so getting started with RHTAP is streamlined and straightforward. RHDH encourages best practices and facilitates the integration of security measures from the very start of your development process. |
| Red Hat Trusted Artifact Signer | RHTAS enhances software integrity by making sure every piece of your code and all of your artifacts are signed and attested. RHTAS provides a verifiable trust chain to confirm that all of your software components are safeguarded and authentic. |
| Red Hat Trusted Profile Analyzer | RHTPA automates the creation of your software bill of materials (SBOM). SBOMs are critical for maintaining software supply chain transparency and compliance because they provide a detailed list of all components, libraries, and dependencies included in a software product. When you use RHTPA to generate and manage your SBOM, you’re making sure that all of your stakeholders have accurate and current information about the composition of your software. |
| OpenShift | RHTAP uses an OpenShift Container Platform (OCP) cluster for compute resources. OCP also includes a console, which offers various services to standardize workflows and make it easier to securely manage the entire development lifecycle. |
| GitHub | RHTAP automatically starts a build according to the pipeline definition in your pull request (PR). You can also view PR test feedback according to the checks API, and after successful tests, you can set up your PRs to automerge. |
| Argo CD | Argo CD from GitOps declares and controls versions of your app definitions, configurations, and environments, and automates and tracks app deployment and lifecycle management. |
| Tekton build pipeline | When you build with RHTAP, you store a complete Tekton build pipeline in your repository. |
| Tekton Chains | RHTAP can use Tekton Chains to produce a signed build pipeline attestation. |
Chapter 2. Compatibility and support matrix
Red Hat Trusted Application Pipeline, or RHTAP, installs on OpenShift Container Platform.
| Product | Version |
|---|---|
| OpenShift Container Platform | 4.15, 4.14, 4.13 |
RHTAP installs the following products and components during installation:
| Products installed with RHTAP | Version |
|---|---|
| Red Hat Developer Hub | 1.1.x |
| Red Hat Trusted Artifact Signer | 1.0.x |
| Red Hat Trusted Profile Analyzer | 1.0.0 |
| OpenShift Pipelines | 1.14.x |
| OpenShift GitOps | 1.12.x |
RHTAP also integrates with the following products or components to help protect your software supply chain:
| Product | Version |
|---|---|
| Red Hat Advanced Cluster Security | 4.3 |
| Quay | 3.10 |
Chapter 3. Known issues
-
Installation might fail due to a known issue with RHTAP SecureSign. To recover, simply delete the namespace into which you’ve deployed RHTAP (
rhtapby default) and rerun the installer. On the second run, the installation should be successful. - RHTAP 1.0 does not install Red Hat Trusted Profile Analyzer (RHTPA); instead, it installs an upstream tool called Trustification. RHTAP 1.0.2, however, installs RHTPA.
-
You can configure GitLab as an authentication provider in the
private-values.yamlfile you create for installation. However, once GitLab is configured, it still doesn’t show up as a sign in option. The login for GitLab is accessible in the settings page,<host>/settings/auth-providers, but requires signing in to GitHub to access that page. -
The
pull-requestpipeline often fails with thebuild-containertask and displays the following error message:Access to the requested resource is not authorized. To fix this, push your container image to Quay.io and run the pipeline again. When promoting applications, the
verify-enterprise-contracttask currently fails. However, to fix this issue, you simply need to remove the Rekor custom resource (CR). A new Rekor CR then starts up, but the task no longer fails. Remove the CR with one of the following methods:Delete the Rekor CR in your command line.
oc delete rekor -n $<namespace where rhtap is installed> rhtap-securesign-
In the OCP console, in the Admin view, click on Search under the Home tab. Search for "Rekor" in the
rhtapnamespace, and delete the instance of the CR that you find.
-
When you promote a new container image to the RHTAP stage environment from a Go or Python software template, you run the
verify-enterprise-contractstep. This step might cause the following error:No image attestations found matching the given public key.You must manually update the image repository so that it’s public. - RHTAP 1.0 does not support the following environments: any air-gapped environment, IBM Power Platform, IBM Z Platform, ARM64, and Federal Information Processing Standards (FIPS) mode OCP.
- Uninstallation of RHTAP is not currently supported, but it can be done by removing all RHTAP namespaces from the cluster.
Revised on 2024-07-15 21:03:50 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}