Chapter 5. Creating a private-values.yaml file


RHTAP relies on Helm to automate much of the installation process. However, Helm requires specific information to install RHTAP correctly in your cluster. You must provide that information in a file that you can reference in the install command. The file is called private-values.yaml.

This file is complex, and it is easy to prepare it incorrectly. This procedure simplifies the task: you clone the RHTAP installer repository from GitHub and use a shell script within that repository to generate private-values.yaml.

Prerequisites:

  • git CLI tool
  • yq CLI tool
  • An ~/install_values.txt file with all the necessary values. You created this file during the first, third, and fourth procedures.
  • An API token and central endpoint of your instance of Advanced Cluster Security.

Procedure:

  1. In your web browser, navigate to the RHTAP installer repository on GitHub.
  2. Select the green <> CODE button. Under the Local tab, select your preferred connection type (HTTPS, SSH, or GitHub CLI) for cloning, and copy the given URL.
  3. Clone the installer using the URL you just copied. But do not clone the main branch. Instead, clone the latest stable release, with the format release-X.X.

    1. For example, at the time of publication, to clone the latest stable release using SSH, run the following command in your CLI:

      $ git clone -b release-1.0 git@github.com:redhat-appstudio/rhtap-installer.git
  4. In your CLI, navigate to your local clone of the RHTAP installer repository.

    $ cd rhtap-installer
  5. Run the bin/make.sh script.

    $ bin/make.sh values
  6. The script prompts you to enter values for each of the following fields. Follow the instructions to determine the value that you should enter. If you need to stop the script at any time, you may do so and simply rerun the bin/make.sh values command to resume your progress:

    1. RHTAP_ENABLE_GITHUB: Enter y if you want to use GitHub as a git repository for your applications
    2. RHTAP_ENABLE_GITLAB: Enter y if you want to use GitLab as a git repository for your applications

      Important

      At the time of publication, our documentation does not explain how to configure GitLab as a git host for RHTAP, but it is possible. We are working on documenting that process. In the meantime, if you want to use GitLab, please reference the documentation provided at the end of this procedure.

    3. RHTAP_ENABLE_DEVELOPER_HUB: Enter y
    4. RHTAP_ENABLE_TAS: Enter y if you want to use Red Hat Trusted Artifact Signer to strengthen the security of your software supply chain.
    5. RHTAP_ENABLE_TAS_FULCIO_OIDC_DEFAULT_VALUES: Enter y if you set the previous value to y.
    6. RHTAP_ENABLE_TPA: Enter y if you want to use Red Hat Trusted Profile Analyzer to strengthen the security of your software supply chain.
    7. ACS__API_TOKEN: Enter an API token for your ACS instance. You can follow the instructions for the prerequisites here to create an API token.
    8. ACS__CENTRAL_ENDPOINT: Enter the endpoint of your ACS instance. You can follow the instructions here to configure the endpoint.
    9. DEVELOPER_HUB__CATALOG__URL: Enter the address of the all.yaml file in your fork that you created in the second procedure. Be sure the URL includes the tag that you selected at the end of that procedure.

      https://github.com/chr1st1an-org/tssc-sample-templates/blob/v1.0.0/all.yaml
    10. GITHUB__APP__ID: This value should be in your ~/install_values.txt file. You saved it during the first installation procedure.
    11. GITHUB__APP__CLIENT__ID: This value should be in your ~/install_values.txt file. You saved it during the first installation procedure.
    12. GITHUB__APP__CLIENT__SECRET: This value should be in your ~/install_values.txt file. You created and saved it during the first procedure.
    13. GITHUB__APP__PRIVATE_KEY: This value should be in your ~/install_values.txt file. You created and saved it during the first procedure.
    14. GITHUB__APP__WEBHOOK__SECRET: This value should be in your ~/install_values.txt file. You created and saved it during the first procedure.
    15. GITOPS__GIT_TOKEN: This value should be in your ~/install_values.txt file. You created and saved it in the third procedure.
    16. QUAY__API_TOKEN: Use 'null' if your image repository is public. Otherwise create an API token with read access and paste its value.
    17. QUAY__DOCKERCONFIGJSON: This value should be in your ~/install_values.txt file. You created and saved it in the last procedure.
    18. TAS__SECURESIGN__FULCIO__ORG_EMAIL: Enter the email of the person or team at your organization who owns this new instance of RHTAP.
    19. TAS__SECURESIGN__FULCIO__ORG_NAME: Enter your GitHub organization’s name.

      Note

      The remaining values are passwords and secrets. You can use pre-existing passwords, which can include special characters, or generate new passwords. You do not have to save these values elsewhere, since the bash script creates a file that stores all the values you enter.

    20. TPA__GUAC__PASSWORD: Enter a strong password that you and your team members can use to validate yourselves for TPA’s GUAC. You can use the same OpenSSL command you used previously to create a Webhook secret.

      $ openssl rand -hex 20
    21. TPA__KEYCLOAK__ADMIN_PASSWORD: Enter another strong password.
    22. TPA__MINIO__ROOT_PASSWORD: Enter another strong password.
    23. TPA__OIDC__TESTING_MANAGER_CLIENT_SECRET: Enter another value that can be used as a secure secret. You can use the OpenSSL command to generate this value as well.
    24. TPA__OIDC__TESTING_USER_CLIENT_SECRET: Enter another value that can be used as a secure secret.
    25. TPA__OIDC__WALKER_CLIENT_SECRET: Enter another value that can be used as a secure secret.
    26. TPA__POSTGRES__POSTGRES_PASSWORD: Enter another strong password.
    27. TPA__POSTGRES__TPA_PASSWORD: Enter another strong password.
  7. (Optional) After running bin/make.sh, you can change which namespace RHTAP uses to deploy applications. In the same context where you ran bin/make.sh, look for your newly generated private-values.yaml file. Open that file, and edit or add other namespaces under namespaces:, where currently you should see - rhtap-app.
  8. (Optional) If you already have existing deployments of OpenShift GitOps or OpenShift Pipeline in your cluster, you should bypass the deployment of those products that RHTAP attempts during the next procedure:

    1. Using your preferred text editor, open the newly generated private-values.yaml file in your installer directory.
    2. For whichever products you already have deployed, beneath its name in the YAML file (for example, openshift-gitops), set the value of enabled: to false.
    3. If you are bypassing the OpenShift GitOps deployment, follow these instructions to add the Red Hat Trusted Application Pipeline installation namespace (rhtap by default) to your subscription.
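
For the password and secret prompts in step 6 (fields 20 to 27), the following added example, which is not part of the RHTAP installer or of the original documentation, generates one distinct value per field in the same form as the `openssl rand -hex 20` command shown above and stages them in an owner-only file. The function names and the staging file path are assumptions for illustration.

```shell
# Added example: one distinct random value per TPA password/secret prompt.
# Function names and the staging file are hypothetical, not installer code.
TPA_FIELDS="TPA__GUAC__PASSWORD
TPA__KEYCLOAK__ADMIN_PASSWORD
TPA__MINIO__ROOT_PASSWORD
TPA__OIDC__TESTING_MANAGER_CLIENT_SECRET
TPA__OIDC__TESTING_USER_CLIENT_SECRET
TPA__OIDC__WALKER_CLIENT_SECRET
TPA__POSTGRES__POSTGRES_PASSWORD
TPA__POSTGRES__TPA_PASSWORD"

# 20 random bytes as 40 hex characters, the form `openssl rand -hex 20` emits.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 20
  else
    # Fallback when openssl is absent: read the kernel CSPRNG directly.
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo
  fi
}

# Write FIELD=value lines to $1; the file is mode 0600 before any secret lands in it.
write_tpa_secrets() {
  out=$1
  ( umask 077
    : > "$out" || exit 1
    chmod 600 "$out"
    for field in $TPA_FIELDS; do
      value=$(gen_secret)
      # Refuse empty, short or non-hex output rather than storing a weak value.
      case $value in
        *[!0-9a-f]*|"") echo "bad random value for $field" >&2; exit 1 ;;
      esac
      [ "${#value}" -eq 40 ] || { echo "short value for $field" >&2; exit 1; }
      printf '%s=%s\n' "$field" "$value" >> "$out"
    done )
}

# Succeeds only if no value in the file is reused for a second field.
secrets_are_distinct() {
  total=$(cut -d= -f2 "$1" | wc -l)
  unique=$(cut -d= -f2 "$1" | sort -u | wc -l)
  [ "$total" -eq "$unique" ]
}

# Stand-alone use: pass the staging file path as the first argument.
if [ "$#" -gt 0 ]; then
  write_tpa_secrets "$1" && secrets_are_distinct "$1"
fi
```

Delete the staging file once you have entered the values at the prompts, because private-values.yaml then holds them.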