Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Installing Red Hat Trusted Application Pipeline

Red Hat Trusted Application Pipeline 1.4

Learn how to install Red Hat Trusted Application Pipeline in your cluster.

Red Hat Customer Content Services

Abstract

This document provides information about how to install Red Hat Trusted Application Pipeline in your cluster.

Preface
Copy link

Red Hat Trusted Application Pipeline (RHTAP) is not really a single product. Instead, it is a set of products that combine to form a highly automated, customizable, and secure platform for building applications.

By default, RHTAP includes the following products:

You can see exactly which versions of these products RHTAP supports in the compatibility and support matrix of our Release notes.

Note

Red Hat Trusted Application Pipeline supports many alternatives to this default combination of products. Later in the installation process, this documentation explains how to customize your deployment to meet your needs.

Because a fully-operational instance of RHTAP involves all of the products listed above, installing RHTAP takes some effort. However, we have automated the vast majority of this process with an installer tool packaged as a container image.

Be aware that the RHTAP installer is not a manager: it does not support upgrades. The installer generates your first deployment of RHTAP. But after installation, you must manage each product within RHTAP separately. And while the installer can be run multiple times, doing so after manually changing the configuration of a product may have unpredictable results.

Additionally, the products that the installer deploys are production ready, but they are sized for a proof of concept or a very small team. For larger teams, manual reconfiguration of the products is most likely necessary and should be done by following procedures documented for each individual product.

Lastly, please be aware that the RHTAP subscription only includes Red Hat Developer Hub, Red Hat Trusted Artifact Signer, Red Hat Trusted Profile Analyzer, and Red Hat Enterprise Contract. The RHTAP installer deploys all the other products listed above, too. But to use them, you must purchase a subscription for OpenShift Plus.

Installation steps

To install RHTAP using the installer, you must complete the following procedures.

  1. Configuring GitHub for RHTAP
  2. (Optional) Customizing your installation
  3. Installing RHTAP in your cluster
  4. (Optional) Completing integrations after installation

The following pages of this document explain each of those installation steps in detail.

Chapter 1. Configuring GitHub for RHTAP
Copy link

RHTAP uses GitHub to authenticate users. RHTAP also uses GitHub as the destination for repositories that it generates.

To enable this functionality, before installing RHTAP in your cluster, you must first complete the following procedures to configure GitHub for RHTAP:

  1. Creating a GitHub personal access token
  2. Creating a GitHub application
  3. (Optional) Forking the software catalog

1.1. Creating a GitHub personal access token
Copy link

Before completing this procedure, you need to own a GitHub organization that you can use for RHTAP. This can be a new organization that you create, an organization you already own, or an existing organization for which you request ownership from the current admins. After installing RHTAP, this GitHub organization gives RHTAP users a place to create git repositories for their applications.

Once you own an organization, you are ready to follow the steps in this procedure to create a personal access token. You need this token to run a command that is covered in the next procedure.

Prerequisites:

  • Ownership of a GitHub organization

Procedure:

  1. Go to your Developer Settings page in GitHub.
  2. In the left panel, under Personal access tokens, select Tokens (classic).
  3. From the Generate new token drop down menu under the page banner, select Generate new token (classic). You may need to authenticate to continue.
  4. Enter a name, select an expiration date, and under Select scopes, select repo (which should automatically include all scopes from repo: status to security_events).

  5. Select Generate token. GitHub redirects you to a new page, where your token is visible. Create a new file called private.env, and save this token in that file.

    Note

    The private.env is critical to the success of your installation. Please ensure you create this file and save it in a secure location.

1.2. Creating a GitHub application for RHTAP
Copy link

Creating a GitHub application for RHTAP allows developers to authenticate to Red Hat Developer Hub, which is the user interface (UI) where they can interact with RHTAP. This GitHub application also allows RHTAP to access developer’s source code that is hosted on GitHub.

Keep in mind that you must create and install the new application in the GitHub organization that you are using for Red Hat Trusted Application Pipeline. RHTAP can subsequently create new repositories within that organization, to serve as the source code for the applications it builds.

Also be aware that this procedure directs you to pull and start running the installer container image. This installer allows you to automate much of the remaining installation process.

Prerequisites

  • A GitHub personal access token (from the previous procedure)
  • A container management tool on your workstation, such as Podman or Docker
  • Valid credentials for registry.redhat.io
  • ClusterAdmin access to an OpenShift cluster

Procedure

  1. In your CLI, authenticate to registry.redhat.io. 

    $ podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Pull the installer image. 

    $ podman pull registry.redhat.io/rhtap-cli/rhtap-cli-rhel9:latest
    Copy to Clipboard Toggle word wrap

  3. Start the rhtap-cli container image. 

    $ podman run \
        -it \
        --entrypoint=bash \
        --publish 8228:8228 \
        --rm \
        rhtap-cli:latest
    Copy to Clipboard Toggle word wrap

  4. In the running container, login to your OpenShift cluster as ClusterAdmin. 

    bash-5.1$ oc login https://api.<input omitted>.openshiftapps.com:443 --username cluster-admin --password <input omitted>
    Copy to Clipboard Toggle word wrap

  5. Run the following command to start creating a GitHub application. Replace $GH_TOKEN with the token you created in the previous procedure. Replace $GH_ORG_NAME with the name of the GitHub organization you are using for RHTAP. Replace $GH_APP_NAME with a name you would like to use for your application. 

    bash-5.1$ rhtap-cli integration github-app --create --token="$GH_TOKEN" --org="$GH_ORG_NAME" $GH_APP_NAME
    Copy to Clipboard Toggle word wrap
  6. The output of this command includes a URL. Use your web browser on your workstation to navigate to this address. When prompted, click Create your GitHub App.
  7. The button redirects you to GitHub. If necessary, authenticate in GitHub to confirm access. Then click Create GitHub App for <your organization’s name>.
  8. A new message displays in your browser, telling you that the app was successfully created. Click on the hyperlinked text to install the new application in your GitHub organization.
  9. The link redirects you to GitHub. Click the green Install button.
  10. Select the organization that you are using for RHTAP.

  11. When prompted, select All repositories, so RHTAP can create new repositories in your organization. Click the green Install button.

    Note

    You may want to keep this GitHub page open, although you can close it without interrupting installation. In the page banner, there is a link that you can use after installation to access RHTAP (beginning with https://backstage-developer-hub-rhtap…​).

RHTAP provides users with a set of software templates that enable developers to build applications more quickly. You may want to customize these templates, to tailor them to your users' specific needs. To enable this customization, you must fork the repository that contains the default templates now. In a later stage of the installation process, you can configure RHTAP to find software templates in your customizable fork, rather than in the default repository.

Procedure:

  1. In your web browser, navigate to the RHTAP software catalog repository.

  2. Beneath the banner of the page, select Fork and fork the repository.

    1. Uncheck the box that says "Copy the main branch only".
  3. Once the fork is ready, copy its address. Label and save it in private.env.

  4. In your new fork, beneath the banner, click main to open a dropdown menu. Under Tags, select the release that corresponds to the version of RHTAP that you are using.

    Note

    Be sure to update your fork from time to time, so updates from the upstream repository can benefit your instance of RHTAP.

Chapter 2. Customizing your installation
Copy link

The RHTAP installer deploys a network of products that work together to form a secure, automated CI/CD platform. However, two of these products you may have already installed: Advanced Cluster Security (ACS) and Quay. If you already have instances of either of these products, you can integrate them into your installation of RHTAP. Integration saves time and prevents data loss. If you have instances of these products and do not integrate them, then the installer just creates new instances in new namespaces.

Additionally, there are three products that you can replace with certain substitutes in your deployment of RHTAP. The table below names these products, their purpose, and what other products you can use instead.

Expand
ProductPurposePossible substitutes

GitHub

Source code repository

  • GitLab
  • Bitbucket

Tekton

CI pipeline

  • Jenkins
  • GitHub Actions
  • GitLab CI

CI pipeline substitutes conform to SLSA Build L2. Only Tekton conforms to Build L3.

Quay

Registry for artifacts

Artifactory

Please note that when you use alternative providers for your Git, CI and registry integrations, RHTAP also installs plugins for those products in Red Hat Developer Hub. Most of them are Technology Preview or community plugins. This means that replacing default products can introduce security risks and is not recommended for a production environment. For more information, please see the plugins table in our release notes and the RHDH documentation about plugins.

Also be aware that, to customize your installation, you must run all relevant commands inside an rhtap-cli container, which is logged into your cluster as ClusterAdmin.

The following procedures explain how to customize your installation of RHTAP, by integrating pre-existing instances and outside products.

2.1. (Optional) Integrating ACS
Copy link

Prerequisites

  • Administrator access to an instance of ACS

Procedure

  1. Before you can integrate your instance of ACS, you need an API token and the central endpoint URL.

    1. Follow the instructions for the prerequisites here to create an API token. Save the token in private.env.
    2. Follow the instructions here to configure your endpoint. Save the URL in private.env.

  2. In your rhtap-cli container, run the integration command. Replace $ACS_ENDPOINT with your ACS central endpoint URL, and $ACS_TOKEN with your ACS API token. 

    bash-5.1$ rhtap-cli integration acs --endpoint="$ACS_ENDPOINT" --token="$ACS_TOKEN"
    Copy to Clipboard Toggle word wrap

2.2. (Optional) Integrating Quay
Copy link

In this procedure, you obtain two values from your instance of Quay. Then you integrate your instance into RHTAP.

Prerequisites:

  • A Quay account
  • Ownership of a Quay organization (you can use any plan, including the free option).
Note

We recommend using a robot account in Quay for this procedure. This way, once RHTAP is installed, multiple users can authenticate to your organization’s namespace in Quay.

Procedure:

  1. In your web browser, login to Quay. On the right side of the banner, select your username and select Account Settings from the dropdown menu.
  2. On your user settings page, under Docker CLI Password, select Generate Encrypted Password. In the popup window, enter your password to authenticate.
  3. Next, still in the popup window, select Docker Configuration > View [username]-auth.json. Copy the string, without the quotation marks, following "auth":.
  4. In your private.env file, label and create the Docker configuration value with the following format, using your username and auth token where appropriate: {"auths": {"quay.io": {"auth": "[auth token]","email": ""}}}
  5. Back in the Quay UI, return to the default Repositories page. On the right side, under Users and Organizations, select the Quay organization you want to use for RHTAP.
  6. From the tabs on the left side, select Applications.
  7. Click Create New Application. Give your application a name.
  8. Click on the application’s name.
  9. From the tabs on the left, select Generate Token.
  10. From the options for permissions for the token, select View all visible repositories.
  11. Click Generate Access Token.
  12. Click Authorize Applicaiton.
  13. The UI displays an access token. Label and save this token in private.env, too.

  14. In your rhtap-cli container, run the following command to integrate your instance of Quay. Replace $QUAY_DOCKERCONFIGJSON with the Docker configuration value. Replace $QUAY_TOKEN with the token you just generated. And replace $QUAY_URL with the address for your instance of Quay (https://quay.io if you have not installed Quay in your cluster). 

    bash-5.1$ rhtap-cli integration quay --dockerconfigjson='$QUAY_DOCKERCONFIGJSON' --token="$QUAY_TOKEN" --url="$QUAY_URL"
    Copy to Clipboard Toggle word wrap
Note

Make sure to put the $QUAY_DOCKERCONFIGJSON value inside single quotes.

2.3. (Optional) Integrating Bitbucket
Copy link

If you want to use Bitbucket cloud to host your source code, complete the steps in the following procedure.

Prerequisites

  • A Bitbucket username; to find your username:

    1. On the sidebar in Bitbucket, click your profile picture and select View profile.
    2. In the sidebar, select Settings. The system displays your username in the account settings.
  • An app password

Procedure

  1. In your rhtap-cli container, run the integration command. Replace $BB_USERNAME with your Bitbucket username, and $BB_TOKEN with your Bitbucket access tokens. If you are integrating with a custom Bitbucket host, replace $BB_URL with you Bitbucket host URL. If you are using the default bitbucket.org host, you can remove the --host option. 

    bash-5.1$ rhtap-cli integration bitbucket --username="$BB_USERNAME" --app-password="$BB_TOKEN" --host="$BB_URL"
    Copy to Clipboard Toggle word wrap

2.4. (Optional) GitHub Actions
Copy link

If you want to use GitHub Actions as an alternative CI provider, you do not need to complete any additional steps before installation. The GitHub application that you already made enables this CI functionality for RHTAP.

2.5. (Optional) Integrating GitLab
Copy link

If you want to use GitLab to host your source code, or as a CI provider, complete the steps in the following procedure.

Prerequisites

  • You must have the necessary permissions to create and manage GitLab jobs.
  • You must have a GitLab API token.
  • You must have a host URL, if you plan to integrate with a custom GitLab host. If you do not specify a GitLab host URL, the system defaults to gitlab.com.

Procedure

  1. In your rhtap-cli container, run the integration command. Replace $GL_API_TOKEN with your GitLab API token. If you are integrating with a custom GitLab host, replace $GL_URL with you GitLab host URL. If you are using the default gitlab.com host, you can remove the --host option. 

    bash-5.1$ rhtap-cli integration gitlab --token="$GL_API_TOKEN" --host="$GL_URL"
    Copy to Clipboard Toggle word wrap

2.6. (Optional) Integrating Jenkins
Copy link

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have a URL using which you access Jenkins, a Jenkins user ID, and an API token.

Procedure

  1. In your rhtap-cli container, run the integration command. Replace $JK_API_TOKEN with your Jenkins API token, $JK_URL with you Jenkins instance URL, $JK_USERNAME with your Jenkins user ID. 

    bash-5.1$ rhtap-cli integration jenkins --token="$JK_API_TOKEN" --url="$JK_URL" --username="$JK_USERNAME"
    Copy to Clipboard Toggle word wrap

2.7. (Optional) Integrating JFrog Artifactory
Copy link

Prerequisites

  • Admin access to an instance of Artifactory
  • A repository in Artifactory that you want to use with RHTAP

Procedure

  1. In the Artifactory UI, in the Administration view, click the green Set Up Client/CI Tool button next to the repository that you want to use.
  2. Select Docker Client

  3. Follow the UI instructions to authenticate in your CLI.

    1. The UI generates a token to use as a password. Make sure to save it in private.env.
    2. When you login to JFrog in your CLI, you should get a message saying your password has been stored in a location such as ~/.docker/config.json. If you do not see this message, a later step in this procedure explains what to do.

  4. In your rhtap-cli container, run the integration command. Set the value of AF_URL to the URL of your instance (for example, "https://myusername.jfrog.io"). Set the value of AF_DOCKERCONFIGJSON to the contents of the file where your password was stored. Set the value of AF_API_TOKEN to the token that JFrog generated. 

    bash-5.1$ rhtap-cli integration artifactory --url="$AF_URL" --dockerconfigjson='$AF_DOCKERCONFIGJSON' --token="$AF_API_TOKEN"
    Copy to Clipboard Toggle word wrap
Note

Make sure to put the $AF_DOCKERCONFIGJSON value inside single quotes. Additionally, if your CLI did not print a message about the config.json file, you can create its contents as follows: { "auths": { "<URL for your JFrog instance>":{ "auth": "<base64 format of username:password>", "email": "" }}}

Chapter 3. Installing RHTAP in your cluster
Copy link

Once you have configured GitHub, you are ready to install RHTAP in your cluster. The actual installation process is quite simple.

However, if you performed any of the optional procedures, you must also customize a file called config.yaml before installing RHTAP. This is not difficult, either.

The following procedures explain how to complete both of these processes.

3.1. (Optional) Customizing config.yaml
Copy link

If you forked the software catalog, or ran optional integration commands, you should customize config.yaml, which is in the home directory of the installer. Customizing this file ensures that the RHTAP installer reacts correctly to the work you did in those procedures.

Prerequisites

  • A running installer container, which is logged in to your OCP cluster as ClusterAdmin.

Procedure

  1. In the rhatp-cli container, create a copy of the config.yaml file:. 

    bash-5.1$ cp config.yaml my-config.yaml
    Copy to Clipboard Toggle word wrap

  2. Using the vi text editor, change the contents of /rhtap-cli/config.yaml as appropriate for the optional procedures you completed: 

    bash-5.1$ vi my-config.yaml
    Copy to Clipboard Toggle word wrap

    1. If you forked the software catalog, then change the catalogURL to the URL for your fork, as shown in the example below. 

      redHatDeveloperHub:
      enabled: &rhdhEnabled true
      namespace: *installerNamespace
      properties:
        catalogURL: https://github.com/<your username>/tssc-sample-templates/blob/release/all.yaml
      Copy to Clipboard Toggle word wrap

    2. If you ran rhtap-cli integration commands, then change the values for the relevant enabled fields to false. This is not necessary if you are using an alternative host for your source code. But any other integration you made requires a change to be made in this file. The example below shows the change you need to make for integrating a pre-existing instance of ACS. 

      redHatAdvancedClusterSecurity:
      enabled: &rhacsEnabled false
      namespace: rhtap-acs
      Copy to Clipboard Toggle word wrap
      Note

      If you try to integrate outside products or pre-existing instances, but do not customize config.yaml, RHTAP still installs and uses its default products. You must customize config.yaml for your rhtap-cli integration commands to take effect.

  3. Once you have made the appropriate changes, save the new my-config.yaml file.

If you have configured GitHub and, if necessary, customized config.yaml, then you are ready to install RHTAP.

Prerequisites

  • A running installer container, which is logged in to your OCP cluster as ClusterAdmin.

  • None of the following operators are already installed in your cluster:

    • Advanced Cluster Security
    • AMQ Streams
    • Crunch-Data PostgreSQL
    • Developer Hub
    • Keycloak
    • OpenShift GitOps
    • OpenShift Pipelines
    • Quay
    • Trusted Artifact Signer

Procedure

  1. In the rhatp-cli container, run the installation command. If you did not make any changes to config.yaml, you can simply run rhtap-cli deploy. But if you did customize that file, run the following command, and replace the $CONFIG variable with the path of your customized file.

    Note

    Installation takes about fifteen minutes to complete. 

    bash-5.1$ rhtap-cli deploy --config=$CONFIG
    Copy to Clipboard Toggle word wrap
  2. Once installation is complete, be sure to save the output of the rhtap-cli deploy command in your private.env file. This output enables you to access your instances of the new products that are now installed.

  3. Now, you can access your instance of RHTAP!

    1. After creating a GitHub app, you may have left the page for your new GitHub app open, as our note suggested. In that case, you can use the link in the banner of that page to access RHTAP.
    2. Otherwise, navigate to your the Authorized GitHub Apps tab on your Applications page. Click on the name of the app you created for RHTAP. Again, in the banner of this page, you can find the link you need to access RHTAP, which begins with https://backstage-developer-hub-rhtap…​.

Chapter 4. Post-installation integrations
Copy link

After installing RHTAP, complete the following tasks to ensure that RHTAP works properly.

4.1. (Optional) Integrating Quay into ACS
Copy link

If you are using your own Quay instance instead of Quay.io, or if you plan to use private repositories in Quay, then you must integrate Quay into ACS. This ensures ACS has access to the repositories you use in Quay.

Procedure

  1. Go to your ACS instance. If you did not have ACS before installing RHTAP, you can find the access details in the rhtap-cli deploy command output, which you saved to ~/install_values.txt at the end of the installation procedure.
  2. Follow the instructions in the Red Hat Advanced Cluster Security for Kubernetes 4.6 documentation to integrate Quay into ACS.





Revised on 2025-02-13 19:17:38 UTC

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat