Chapter 5. Post-installation integrations


After installing RHTAP, there are several scenarios that require additional work to ensure that RHTAP functions properly.

If you integrated your own instance of Quay into RHTAP, or if you want to use private repositories in Quay, then you must now integrate Quay into ACS. This ensures ACS has access to the repositories you use in Quay.

If you integrated Jenkins into RHTAP, configure Jenkins using the Jenkins UI to ensure it can run the build pipelines provided by RHTAP.

Additionally, if you integrated GitLab into RHTAP, configure GitLab using the GitLab UI to set up webhooks for automated pipeline triggering.

If any of these scenarios applies to you, complete the appropriate procedures below.

5.1. (Optional) Integrating Quay into ACS

Again, if you are using your own instance of Quay, instead of Quay.io, or if you plan to use private repositories in Quay, you must ensure ACS can access your images.

Procedure

  1. Go to your instance of ACS. If you did not have ACS prior to installation, then the details you need for access were given in the output of the rhtap-cli deploy command. You saved this output in ~/install_values.txt, near the end of the installation procedure.
  2. Follow the instructions in this document to integrate Quay into ACS.

5.2. (Optional) Integrating RHTAP into Jenkins

To ensure that your Jenkins pipeline can perform essential security tasks such as vulnerability scanning, image signing, and attestation, you need to configure Jenkins with the appropriate credentials. This procedure will guide you through the steps required to add these credentials to your Jenkins instance.

By completing these steps, you will enable Jenkins to integrate seamlessly with ACS (Advanced Cluster Security), Quay, and GitOps, and utilize Cosign for signing and verifying container images.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have appropriate ACS (Advanced Cluster Security), Quay, and GitOps credentials.
  • You must have the Cosign private key, Cosign public key, and Cosign password, which together are referred to as the “Cosign signing secret”. The values used for these credentials are already base64 encoded, so you do not need to convert them. You can find these credentials in your ~/install_values.txt file.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Click on your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Credentials.
  4. Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
  5. Click Add Credentials.
  6. From the Kind drop-down list, select Secret text.
  7. Keep the default value in the Scope drop-down list as Global (Jenkins).
  8. In the Secret field, enter your ACS API token.
  9. In the ID field, enter ROX_API_TOKEN.
  10. In the Description field, enter an appropriate description for the credentials.
  11. Repeat steps 5-10 for the following credentials:

    | ID | Secret |
    |---|---|
    | ROX_CENTRAL_ENDPOINT | The route to your ACS instance. If not provided, the ACS task in the pipeline will operate as a NOOP. |
    | GITOPS_AUTH_PASSWORD | The token the system uses to update the GitOps repository for newly built images. |
    | GITOPS_AUTH_USERNAME (optional) | The parameter required for Jenkins to work with GitLab. You also need to uncomment a line with this parameter in a Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out. |
    | QUAY_IO_CREDS | The credentials for Quay used to push the images. |
    | COSIGN_SECRET_KEY | The signing secret used to sign images and attestations. |
    | COSIGN_PUBLIC_KEY | The public key used to verify images created by your build pipeline. |
    | COSIGN_SECRET_PASSWORD | The password required to use the signing secret for signing images. |

By following these steps, you can ensure that Jenkins has the necessary credentials to perform vulnerability scanning, image signing, and attestation during the build process.
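A local pre-check for the values entered in the Jenkins procedure, added here as an example and not part of the Red Hat procedure or RHTAP code: it confirms that every required credential ID has a value and that the Cosign keys decode from exactly one base64 layer to a PEM key. The function names and sample values are constructed, and the PEM headers assume keys created with cosign generate-key-pair.

```python
import base64

# Credential IDs from the procedure above (GITOPS_AUTH_USERNAME is optional).
REQUIRED_IDS = ["ROX_API_TOKEN", "ROX_CENTRAL_ENDPOINT", "GITOPS_AUTH_PASSWORD",
                "QUAY_IO_CREDS", "COSIGN_SECRET_KEY", "COSIGN_PUBLIC_KEY",
                "COSIGN_SECRET_PASSWORD"]
# Assumption: PEM headers written by `cosign generate-key-pair`.
PEM_MARKERS = {
    "COSIGN_PUBLIC_KEY": ("-----BEGIN PUBLIC KEY-----",),
    "COSIGN_SECRET_KEY": ("-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----",
                          "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"),
}

def b64_text(value):
    """Strictly decode one base64 layer; return None if it is not base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def check_credentials(values):
    """Return the problems found in a {credential ID: value} mapping."""
    problems = [f"{cid}: missing or empty" for cid in REQUIRED_IDS
                if not values.get(cid, "").strip()]
    for cid, markers in PEM_MARKERS.items():
        raw = values.get(cid, "").strip()
        if not raw:
            continue
        decoded = b64_text(raw)
        if raw.startswith("-----BEGIN"):
            problems.append(f"{cid}: raw PEM, expected the base64-encoded value")
        elif decoded is None:
            problems.append(f"{cid}: not valid base64")
        elif (b64_text(decoded) or "").startswith(markers):
            problems.append(f"{cid}: base64-encoded twice")
        elif not decoded.startswith(markers):
            problems.append(f"{cid}: decodes to unexpected content")
    return problems

def sample_values():
    """Constructed placeholder values; no real keys or tokens."""
    pub = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"
    key = ("-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----\nCONSTRUCTED\n"
           "-----END ENCRYPTED SIGSTORE PRIVATE KEY-----\n")
    values = {cid: "constructed-placeholder" for cid in REQUIRED_IDS}
    values.update(COSIGN_PUBLIC_KEY=base64.b64encode(pub.encode()).decode(),
                  COSIGN_SECRET_KEY=base64.b64encode(key.encode()).decode())
    return values
```

Call check_credentials() with the values you are about to paste into Jenkins; an empty list means no problem was detected.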

Set up webhooks and secrets in GitLab to automatically trigger pipeline runs in RHDH upon code updates.

Prerequisites

  • You have an existing GitLab project.
  • You have a Webhook URL and a Secret Token. You can find these credentials in your ~/install_values.txt file.

Procedure

  1. Within your GitLab repository, navigate to Settings > Webhooks.
  2. In the URL field, enter the webhook URL.
  3. In the Secret Token field, enter the secret token.
  4. In the Trigger section:

    1. Select Push events.
    2. Select Merge request events.
  5. Click Add Webhook.

Verification

  1. Push your code changes to the GitLab repository.
  2. Navigate to the CI tab in RHDH.
  3. Verify that a pipeline run is triggered for your code push.
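What the Secret Token and the two selected triggers mean on the receiving side, as an added example that is not RHTAP's webhook receiver: GitLab sends the token in the X-Gitlab-Token header and the event name in X-Gitlab-Event, so a receiver rejects deliveries without the right token and ignores event types that were not enabled. The handle_delivery function, its status codes and the sample delivery are hypothetical.

```python
import hmac
import json

# X-Gitlab-Event values for the two triggers selected above, mapped to the
# object_kind GitLab puts in the matching payload.
ACCEPTED_EVENTS = {"Push Hook": "push", "Merge Request Hook": "merge_request"}

def handle_delivery(headers, body, secret_token):
    """Return (HTTP status, decision) for one webhook delivery."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    presented = hdrs.get("x-gitlab-token", "")
    # Fail closed when no token is configured, and compare in constant time.
    if not secret_token or not hmac.compare_digest(
            presented.encode(), secret_token.encode()):
        return 401, "rejected: missing or wrong secret token"
    kind = ACCEPTED_EVENTS.get(hdrs.get("x-gitlab-event", ""))
    if kind is None:
        return 202, "ignored: event type not enabled"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "rejected: body is not JSON"
    if not isinstance(payload, dict) or payload.get("object_kind") != kind:
        return 400, "rejected: header and payload disagree"
    project = payload.get("project")
    name = project.get("path_with_namespace", "?") if isinstance(project, dict) else "?"
    return 200, f"trigger pipeline: {kind} on {name}"

# Constructed sample delivery (not captured traffic).
SAMPLE_HEADERS = {"X-Gitlab-Token": "constructed-token",
                  "X-Gitlab-Event": "Push Hook"}
SAMPLE_BODY = json.dumps({"object_kind": "push",
                          "project": {"path_with_namespace": "demo/app"}})

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, "constructed-token"))
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, "some-other-token"))
```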





Revised on 2025-01-13 15:10:50 UTC
