Red Hat SummitThis documentation is for a release that is no longer maintained
See documentation for the latest supported version.Release notes for Red Hat Trusted Application Pipeline 1.3
Explore new features in this release and learn about known issues.
Abstract
Preface
The release notes for Red Hat Trusted Application Pipeline summarize new features and enhancements, notable technical changes, features in Technology Preview, bug fixes, known issues, and other related advisories or information.
Chapter 1. About this release
Red Hat Trusted Application Pipeline 1.3 is now generally available. To learn more about support for all versions, refer to the RHTAP life cycle policy.
- To learn more about RHTAP, refer to the About RHTAP product overview.
- To install RHTAP, refer to Installing Red Hat Trusted Application Pipeline.
The products that the RHTAP installer deploys are production ready, but they are sized for a proof of concept or a very small team. For larger teams, manual reconfiguration of the products is most likely necessary and should be done by following procedures documented for each individual product.
Chapter 2. New features and enhancements
This section lists new features and feature enhancements available in Red Hat Trusted Application Pipeline 1.3.
Bitbucket Cloud is now supported
You can now choose Bitbucket Cloud as your Git repository hosting service to create components in RHTAP applications. You can combine source code from different Git platforms (GitHub, GitLab, and Bitbucket) to build an application. To use Bitbucket, integrate it during the RHTAP installation and then configure it using the Setting up Bitbucket guide.
GitLab CI is now supported
You can now use GitLab CI as your CI provider. To use it, integrate GitLab during the RHTAP installation and then configure GitLab CI to ensure secure CI/CD workflows. Additionally, you can choose to customize GitLab pipelines. If you don’t integrate GitLab CI, RHTAP defaults to Tekton.
Technology Preview: GitHub Actions is now supported
You can now choose GitHub Actions as your CI provider. You can integrate GitHub Actions during the RHTAP installation, otherwise, RHTAP defaults to Tekton. This feature is available as a Technology Preview, and it is not fully supported, may not be functionally complete, and is not intended for production use.
JFrog Artifactory is now supported
You can now choose JFrog Artifactory as your container images registry when you create your application. To use Artifactory, refer to the Integrating JFrog Artifactory section in the Installation guide. If you don’t integrate JFrog Artifactory, RHTAP defaults to Quay.
Technology Preview: A new software template is now available
RHTAP introduces a new secure software template called Import User Repository. It allows you to import code from the existing Git repository and create a new repository that includes software supply chain security functionality provided by RHTAP. To learn more, view the Bring your source template on GitHub. Note that this is a Technology Preview feature.
Changes to the RHTAP installation
The RHTAP installer now includes all the resources needed for RHTAP deployment in the single binary to simplify installation. The new installer also provides extra monitoring to watch over Kubernetes resource status for improved reliability during installation.
- To install RHTAP 1.3, refer to the Installation guide.
-
To customize the installation, refer to Customizing config.yaml.
Changes to the MinIO installation
Installing MinIO through OpenShift OperatorHub subscription is no longer available. As a result, the Operator will no longer update the MinIO installation automatically.
In Red Hat Trusted Application Pipeline 1.3, MinIO is still installed automatically, however now the MinIO Operator Helm chart is used. It allows you to customize the RHTAP installation process.
SBOMs are now automatically uploaded to RHTPA
RHTAP now automatically publishes your software bill of materials (SBOM) to Red Hat Trusted Profile Analyzer when you use any of the supported CI providers: Tekton, Jenkins, GitLab CI or GitHub Actions. Note that GitHub Actions is a Technology Preview feature and has not been fully tested.
If you prefer, you can extract the SBOM manually by referring to Inspecting your SBOM with RHTPA.
Chapter 3. Compatibility and support matrix
Red Hat Trusted Application Pipeline installs on OpenShift Container Platform.
| Product | Version |
|---|---|
| OpenShift Container Platform | 4.15, 4.16, 4.17 |
RHTAP installs the following products and components during installation:
| Products installed with RHTAP | Version |
|---|---|
| Red Hat Developer Hub | 1.3 |
| Red Hat Trusted Artifact Signer | 1.1 |
| Red Hat Trusted Profile Analyzer | 1.1 |
| OpenShift Pipelines | 1.16 |
| OpenShift GitOps | 1.14 |
| Advanced Cluster Security | 4.5 |
| Quay | 3.13 |
Red Hat Developer Hub plugins
RHTAP enables a selection of RHDH dynamic plugins to support creation and monitoring of trusted secure supply chain applications. Some of the plugins enabled by RHTAP include Technology Preview and community plugins that may not be functionally complete.
Regardless of the plugins levels of support, pipelines produced by the RHTAP software templates are fully supported and leverage the security features of Trusted Software Supply Chain products and features: Red Hat Trusted Application Signer, Red Hat Trusted Profile Analyzer, and Enterprise Contract.
Technology Preview and community plugins enabled by RHTAP:
| Level of support | Name |
|---|---|
| Technology Preview plugins | JFrog Artifactory |
| Community plugins |
Jenkins |
To learn more about the supported levels of the individual dynamic plugins, refer to the Developer Hub documentation.
Chapter 4. Bug fixes
This section describes bug fixes available in Red Hat Trusted Application Pipeline 1.3.
GitLab authentication is now supported on RHDH
Previously, you could only use GitHub authentication as a sign-in option in Red Hat Developer Hub, to access RHTAP. Now you can also use GitLab authentication to sign in RHDH and access RHTAP.
Chapter 5. Known issues
This section describes known issues in Red Hat Trusted Application Pipeline 1.3.
Pipeline fails if you create a new Deployment Namespace
When you create a new component with a new Deployment Namespace, the pipeline fails with the error tasks.tekton.dev "rhtap-dev-namespace-setup" not found. To work around this issue, use the default Deployment Namespace called rhtap-app.
View logs and View SBOM icons don’t link to correct information
After a Pipeline Run is finished, you should be able to access the build summary and SBOM by clicking the View logs and View SBOM icons in the Actions menu. However, these icons don’t always show the correct information. To access the correct steps in logs, click either of these two icons, and in the pop-up window with logs, select the step you need: show-sbom or show-summary.
Vulnerabilities tab in RHTPA may show Internal server error
When RHTAP uploads the SBOM to Red Hat Trusted Profile Analyzer, RHTPA accepts the SBOM but may show Internal server error in the Vulnerabilities tab. If you encounter this issue, contact rhtpa-support@redhat.com.
RHDH doesn’t display the Image Registry tab if RHTAP cannot detect your registry type
The Red Hat Developer Hub UI doesn’t display the Image Registry tab on the component’s page if RHTAP is unable to detect which container image registry you’re using. RHTAP analyzes your registry URL to annotate your components, and if that annotation is missing, the tab will not appear in the RHDH UI. To work around this issue, you can manually enable the Image Registry tab.
Jenkins can only use one Git hosting provider
The default Jenkins configuration uses a global credential called GITOPS_AUTH_PASSWORD to authenticate when updating the gitops repository with a newly built image. Because only one such global variable is available, a single Jenkins instance can only be configured to work with one Git repository provider at a time, GitHub, GitLab, or Bitbucket Cloud.
RHTAP doesn’t automatically find a Rekor server when running Jenkins pipelines
When running a Jenkins pipeline, RHTAP cannot find a Rekor server if your Jenkins instance runs outside the RHTAP cluster. To work around this problem, you must manually provide the external routes for the Rekor and TUF services by configuring the REKOR_HOST and TUF_MIRROR environment variables in the env.sh file. Their values should include your cluster URL. For details and instructions, refer to Customizing sample software templates for Jenkins.
GitLab: If RHTAP cannot reach the Rekor and TUF services when running GitLab pipelines, check that you’ve added their correct URLs as CI/CD variables in GitLab. For instructions, refer to Adding secrets to GitLab CI for secure integration.
When you use GitLab, you might see an error: namespaces "rhtap-acs" not found
When you use GitLab as an authentication option, a Git hosting platform and a CI provider, and you also disable ACS and integrate Quay, at the end of the RHTAP installation you might see the following error:
[INFO] Configure internal Quay integration with internal ACS Error from server (NotFound): namespaces "rhtap-acs" not found
[INFO] Configure internal Quay integration with internal ACS
Error from server (NotFound): namespaces "rhtap-acs" not found
Despite this error, RHTAP is installed correctly and its functionality isn’t affected.
RHTAP doesn’t support some environments
RHTAP 1.3 does not support the following environments: any air-gapped environment, IBM Power Platform, IBM Z Platform, ARM64, and Federal Information Processing Standards (FIPS) mode OCP.
Uninstallation of RHTAP is not supported
Uninstallation of RHTAP is not currently supported, but it can be done by removing all rhtap namespaces from the cluster.
Revised on 2024-12-12 18:58:38 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}