Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Customizing Red Hat Trusted Application Pipeline

Red Hat Trusted Application Pipeline 1.5

Learn how to customize default software templates and build pipeline configurations.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions for cluster administrators on customizing RHTAP's software templates, build pipelines, and integrations to better align with the unique requirements of your on-prem environments.

Preface

RHTAP includes built-in pipeline templates for automating CI/CD workflows, but they might not always fit your exact needs. You may need to add extra security checks, modify how deployments work, or integrate Jenkins. Cluster administrators can customize these pipelines to match the unique requirements of their on-prem environments.

Chapter 1. Customizing sample software templates

Learn how to customize ready-to-use software templates for your on-prem environment. As a cluster administrators, you have full control over modifying metadata and specifications to align with your deployment needs.

Prerequisites

Before making changes, ensure that following:

  • You have used the forked repository URL from tssc-sample-templates during RHTAP installation.
  • You have forked and cloned the tssc-sample-jenkins pipeline template.
  • You forked repository is up to date and synced with the upstream repository.

Procedure

  1. Clone your forked tssc-sample-templates repository, and then open it in your preferred text editor, such as Visual Studio Code.

  2. Locate the properties file within your project directory. This file stores the default values that you can customize. Open it for editing and update the following key-value pairs according to your environment.

    KeyDescription

    export GITHUB_DEFAULT_HOST

    Set this to your on-prem GitHub host fully qualified domain name. That is, the URL without the HTTP protocol and without the .git extension. For example github-github.apps.cluster-ljg9z.sandbox219.opentlc.com. Default is github.com.

    export GITLAB_DEFAULT_HOST

    Set this to your on-prem GitLab host host fully qualified domain name. That is, the URL without the HTTP protocol and without the .git extension. For example gitlab-gitlab.apps.cluster-ljg9z.sandbox219.opentlc.com. Default is gitlab.com.

    export QUAY_DEFAULT_HOST

    The default Quay URL corresponds to your specific on-prem image registry URL without the HTTP protocol. For example, quay-tv2pb.apps.cluster-tv2pb.sandbox1194.opentlc.com. The default quay host is quay.io.

    export DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX

    The namespace prefix for deployments within RHTAP. Default is rhtap-app.

    Note

    Update this if you have modified the default trusted-application-pipeline: namespace during the RHTAP installation process.

    export PIPELINE_REPO_URL

    The URL of the forked pipeline repository. For example, https://github.com/redhat-appstudio/tssc-sample-pipelines.

    export PIPELINE_REPO_BRANCH

    The branch of the forked pipeline repository to which you want to point. For example, main.

    export GITHUB_DEFAULT_ORG

    The name of your GitHub organization that you want to set as default.

    export QUAY_DEFAULT_ORG

    The name of your Quay organization that you want to set as default.

    Figure 1.1. The properties file

    properties

  3. Run the generate.sh script in your terminal. This action adjusts the software templates, replacing default host values with your specified inputs.

    Copy to Clipboard Toggle word wrap 
    ./generate.sh

    Figure 1.2. The generate.sh script

    generate

  4. For Jenkins only: To customize your Jenkins library, navigate to skeleton > ci > gitops-template > jenkins, and open Jenkinsfile. Replace the remote URL with the URL of your forked repository. For example, remote: 'https://github.com/<username>/tssc-sample-jenkins.git'.

    Additionally, if your Jenkins is on a non-local OpenShift instance, and your Rekor and TUF services are on different clusters, update the REKOR_HOST and TUF_MIRROR environment variables. You can configure these variables in the env.sh file within the component repository or set them as environment variables or secrets in Jenkins. This configuration ensures that your external Jenkins server can communicate with Rekor and TUF installed with RHTAP. Without this, RHTAP might not sign container images correctly in the Jenkins pipeline.

    To update the REKOR_HOST and TUF_MIRROR variables:

    1. Open the env.sh file via skeleton > ci > gitops-template > jenkins > rhtap.

      The second env.sh file is located at skeleton > ci > source-repo > jenkins > rhtap. Pick the one that suits your needs or update both.

      In env.sh, review the default values for REKOR_HOST and TUF_MIRROR:

      Copy to Clipboard Toggle word wrap 
      REKOR_HOST=http://rekor-server.rhtap-tas.svc
TUF_MIRROR=http://tuf.rhtap-tas.svc

    2. Replace .svc with your OpenShift cluster URL. The .svc domain refers to the local cluster, and internal services can access other services with .svc in their routes, but an external Jenkins cannot.

      The correct routes of the Rekor and TUF services are printed as part of the installation process of RHTAP. If these data aren’t available to you, run this command in your CLI and select the Rekor and TUF routes in the output:

      Copy to Clipboard Toggle word wrap 
      $ oc get routes -n rhtap-tas

      An example of a Rekor server URL: http://rekor-server.rhtap-tas.apps.rosa.j6ufg-t3htv-ts6.z797.p3.openshiftapps.com.

    Note
  5. For RHACS only: To enable RHACS scans, set the export DISABLE_ACS to false in the env.sh file.

  6. Commit and push the changes to your repository. This automatically updates the template in RHDH. Alternatively, you can import and refresh a single or all customized templates directly in RHDH.

    1. Go to your forked sample template repository on your Git provider.
    2. For a single template, from the templates directory, select template.yaml. Copy its URL from the browser address bar. For example, https://github.com/<username>/tssc-sample-templates/blob/main/templates/devfile-sample-code-with-quarkus-dance/template.yaml. Otherwise, for all the templates, select all.yaml and copy its URL from the browser address bar. For example, https://github.com/<username>/tssc-sample-templates/blob/main/all.yaml.
    3. Switch back to RHDH platform.
    4. Select Create > Register Existing Component.
    5. In the Select URL field, paste the appropriate URL that you copied in Step 4b.
    6. Select Analyze and then select Import to update the templates in RHDH.

Verification

  • Consider creating an application to explore the impact of your template customization.

Additional resources

Chapter 2. Customizing sample pipelines

Learn how to update Pipeline as Code (pac) URLs within the sample templates repository and customize the sample pipelines repository to match your workflow. By customizing pac URLs, organizations can integrate custom pipelines tailored to their CI/CD requirements.

Prerequisites

Before making changes, ensure that:

  • You have already forked and cloned the following repositories:

  • Your forked repositories are up to date and synced with the upstream repository.

Customizing the sample templates repository to update pac URLs*

Procedure

  1. Access forked sample pipelines repository URL:

    1. Open your forked sample pipelines repository.
    2. Copy the complete URL from the address bar. For example, https://github.com/<username>/tssc-sample-pipelines.

  2. Update pac URLs in the sample templates repository:

    1. Navigate to your local cloned sample templates repository using your terminal.
    2. Run the following command, replacing {fork_url} with the copied URL from step 1 and {branch_name} with your desired branch name (for example, main):
    Copy to Clipboard Toggle word wrap 
    ./scripts/update-tekton-definition {fork_url} {branch_name}

# For example, .scripts/update-tekton-definition https://github.com/<username>/tssc-sample-pipelines main

  3. Review, commit, and push changes:

    1. Review the updated files within your sample templates repository.
    2. Commit the changes with appropriate message.
    3. Push the committed changes to your forked repository.

Customizing the sample pipelines repository to your workflow

The sample pipelines repository provides a foundation upon which you can build your organization’s specific CI/CD workflows. The sample pipelines repository includes several key pipeline templates in the pac directory:

  • gitops-repo: This directory holds the pipeline definitions for validating pull requests within your GitOps repository. It triggers the gitops-pull-request pipeline, located in the pipelines directory, validating that image updates comply with organizational standards. This setup is crucial for promotion workflows, where an application’s deployment state is advanced sequentially through environments, such as from development to staging or from staging to production. For more information about pipeline definitions in gitops-repo, refer Gitops Pipelines.
  • pipelines: This directory houses the implementations of build and validation pipelines that are referenced by the event handlers in both the gitops-repo and source-repo. By examining the contents of this directory, you can understand the specific actions performed by the pipelines, including how they contribute to the secure promotion and deployment of applications.
  • source-repo: This directory focuses on Dockerfile-based secure supply chain software builds. It includes pipeline definitions for cloning the source, generating and signing artifacts (such as .sig for image signature, .att for attestation, and .sbom for Software Bill of Materials), and pushing these to the user’s image registry. For more information about pipeline definitions in source-repo, refer Shared Git resolver model for shared pipeline and tasks.
  • tasks: This directory houses a collection of tasks that can be added or modified, aligning with organizational needs. For example, Advanced Cluster Security (ACS) tasks can be substituted with alternative checks, or entirely new tasks can be integrated into the pipeline to enhance its functionality and compliance.

Verification

  • Consider creating an application to explore the impact of your template and pipeline customization.

Additional resources

Chapter 3. Customizing GitLab pipelines and rebuilding container images

When customizing pipelines in GitLab, rebuilding container image is a critical step to ensure your changes are included in the updated workflow.

Pipelines in GitLab rely on specific container image, such as the GitLab runner image, to execute the tasks defined in your CI/CD workflow. The GitLab runner image provides the necessary tools, configuration, and scripts required for your pipeline to run. If you modify tasks in the pipeline, you must update and rebuild the container image to include those changes. This ensures that you pipeline tasks are properly executed when the pipeline is triggered.

Rebuilding container image involves the following steps:

  • Running podman to extract the existing pipeline files.
  • Customizing the pipeline tasks as per your requirements.
  • Rebuilding the container image.
  • Pushing the updated image to a container registry.

Prerequisites

Before making changes, ensure that:

  • You have podman installed on your system.
  • You have login credentials for Quay.io to push the updated image.
  • You have forked and cloned the Sample templates repository.
  • Your forked repository is up to date and synced with the upstream repository.

Procedure

  1. Create a directory for the build resources. The location of the directory depends on your role:

    • Platform engineer: If you are rebuilding the image to update the default pipeline for your organization, you may create the directory within the location where you forked the tssc-sample-templates repository. For example, rebuild-image.
    • Developers: If you are rebuilding the image for your own use or a specific project, create a directory in a location outside the organization-wide fork of tssc-sample-templates to avoid conflicts.
    Copy to Clipboard Toggle word wrap 
    mkdir rebuild-image

  2. Run the following command and copy the container image URL:

    Copy to Clipboard Toggle word wrap 
    more ../tssc-sample-templates/skeleton/ci/source-repo/gitlabci/.gitlab-ci.yml

# Example:
...
image: quay.io/redhat-appstudio/rhtap-task-runner:latest
...

  3. Copy the existing pipeline content locally by running the following command:

    Copy to Clipboard Toggle word wrap 
    podman run -v $(pwd):/pwd:z <The_url_you_copied_in_step_2> cp -r /work/rhtap /pwd
    1
    1
    This command starts the container using the <the_url_you_copied_in_step_2> image. It then copies the pipeline files from /work/rhtap inside the container to your working directory ($(pwd)). Additionally, if you are not on a system with SELinux enabled (for example, Fedora, RHEL, pr CentOS), remove the :z option in the command to ensure compatibility.
  4. Navigate to the rhtap directory and customize the pipelines tasks as required.

  5. Create a Dockerfile in the rebuild-image directory and add the following content to include your changes in the container. Additionally, the base image quay.io/redhat-appstudio/rhtap-task-runner:latest is built on ubi/ubi-minimal, which provides a lightweight Universal Base Image (UBI). If you need to install additional software and dependencies, use microdnf. An example command:

    Copy to Clipboard Toggle word wrap 
    FROM quay.io/redhat-appstudio/rhtap-task-runner:latest
    1 
    

#Copy the updated pipeline tasks

COPY ./rhtap /work/rhtap
    2 
    

# Example: Install additional software (for example, git)
RUN microdnf -y install make
    3
    1
    Uses the existing rhtap-runner container as the starting point.
    2
    Copies the updated pipeline tasks from the local rhtap folder into the /work/rhtap directory inside the container.
    3
    Demonstrates the use of the microdnf to install additional software or dependencies.

  6. Build the new container image with the following command:

    Copy to Clipboard Toggle word wrap 
    podman build -f Dockerfile -t quay.io/<namespace>/<new_image_name>
    1
    1
    -f Dockerfile specifies the Dockerfile to use for the build the container image. The -f flag allows you to explicitly point to the Dockerfile if it’s not named Dockerfile or is located in a different directory. -t quay.io/<namespace>/<new_image_name> assigns a tag (name) to the container image for easy identification.

  7. Login to Quay.io and push the updated image:

    Copy to Clipboard Toggle word wrap 
    podman login quay.io

# Enter username and password

podman push quay.io/<namespace>/<new_image_name>
    1
    1
    This uploads the customized container image to Quay.io, making it available for use in GitLab pipelines.

  8. Platform engineer only: Navigate to tssc-sample-templates > skeleton > ci > source-repo > gitlabci > .gitlab-ci.yml file and replace the container image URL with the one you just created. This makes the new container image as the default.

    Copy to Clipboard Toggle word wrap 
    image: quay.io/<namespace>/<new_image_name>

  9. For developers only: To update the container image just for a single repository in GitLab:

    1. Navigate to the source repository > .gitlab-ci.yaml and replace the container image URL with the one you just created.
    Copy to Clipboard Toggle word wrap 
    image: quay.io/<namespace>/<new_image_name>
  10. Commit and push the changes to apply the updated pipeline configuration.

Chapter 4. Configuring RHTAP to use built-in Jenkins libraries

By default {ProductLongName} (RHTAP) uses dynamically loaded Jenkins libraries. While dynamically loading provides flexibility, using built-in Jenkins libraries offer improved stability, security, and traceability during builds. Configuring RHTAP to use built-in libraries instead of dynamically loaded ones allows for better Red Hat Enterprise Contract (Enterprise Contract) attestations and enhanced build verification.

Prerequisites

Before making changes, ensure that:

4.1. Define the built-in library in Jenkins

Procedure

  1. Log in to Jenkins and navigate to Manage Jenkins > System.
  2. Locate the Global Trusted Pipeline Libraries section.

  3. Click Add and define the new library with the following parameters:

    1. Name: <your-library-name>
    2. Default version: Set to a specific branch or commit reference. For example, v1.5.
    3. Allow default version to be overridden: (Optional) Select this option to restrict users to a specific version of the Jenkins library. This ensures that the users cannot select a different version.
    4. Include @Library changes in your recent changes: Select this option to track modifications made to the shared library. This feature helps users understand changes that might affect their builds.

    5. Retrieval method: Select Modern SCM.

      1. From the Source Code Management drop-down list, select Git.
      2. In the Project Repository field, enter the Jenkins library URL. For example, https://github.com/redhat-appstudio/tssc-sample-jenkins.
      3. Select Fresh clone per build, to ensure each build fetches a clean copy of the library.
      4. Select Save.

4.2. Modify the Jenkins pipeline to use the built-in library

Procedure

  1. Navigate to your Jenkins CI source repository, For example, https://github.com/redhat-appstudio/tssc-sample-templates/blob/main/skeleton/ci/source-repo/jenkins.
  2. Select Jenkinsfile in edit mode.

  3. Replace the dynamic library loading with the @Library annotation.

    Replace thisWith this

    library identifier: 'RHTAP_Jenkins@main', retriever: modernSCM( [$class: 'GitSCMSource', remote: 'https://github.com/redhat-appstudio/tssc-sample-jenkins.git'])

    @Library('RHTAP_Jenkins@v1.5') _

  4. Save and commit the updated Jenkinsfile.

4.3. Use the configured Jenkins library

Procedure

  1. In your Jenkins instance, navigate to your project.
  2. Select Build Now to trigger a new build.

Verification

  1. Check the Jenkins build logs to confirm that the built-in library is loaded instead of dynamically retrieving dependencies.
  2. Validate that Enterprise Contract attestations now reflect a built-in library.
  3. Verify the library name, retrieval method, and pipeline script if any error occur.

4.4. Applying changes to one or all RHTAP templates

Depending on your use case, you can apply this configuration to one RHTAP template or all RHTAP templates in Red Hat Developer Hub (RHDH).

  • To apply this change to a single template: Modify only the specific pipeline template used in your project. This ensures that only this pipeline uses the built-in Jenkins library, while others continue using dynamic loading.
  • To apply this change to all RHTAP templates in RHDH: Update the global RHTAP template configuration to reference the built-in library instead of dynamically loaded ones. This ensures consistency across all RHTAP pipelines.
Important

Applying this change globally may impact all builds using RHTAP. Ensure that the built-in library is correctly defined and tested before making this change across all templates.

Chapter 5. Enabling the Image Registry tab

When you create your application, Red Hat Developer Hub should display the Image Registry tab on your component’s page. This tab provides useful information about your container images stored in your artifact registry. However, in some cases, the tab isn’t displayed and here’s why.

RHTAP attempts to detect your artifact registry type by analyzing the URL. If the URL contains “quay”, “jfrog” or “artifactory”, RHTAP adds a corresponding annotation to the catalog-info.yaml file in the Git repository with your application. RHDH uses this information to annotate Catalog entries and then correctly displays the Image Registry tab.

However, if your registry URL doesn’t include “quay”, “jfrog” or “artifactory”, RHTAP cannot detect your registry type and annotate your components correctly. As a result, the Image Registry tab isn’t enabled in RHDH.

If the Image Registry tab is missing in the RHDH UI, you can manually enable it. You have 2 options:

  1. Enable the tab for a single existing component.
  2. Modify the registry detection script, and all new components will be automatically annotated correctly.

Option 1: Enabling the Image Registry tab for the existing component

Repeat this procedure for every affected component.

Procedure

  1. In the Git repository with your component, navigate to skeleton > source-repo and open the catalog-info.yaml file.

  2. Add an annotation relevant to your case:

    Copy to Clipboard Toggle word wrap 
    metadata:
    annotations:
        'quay.io/repository-slug': `<ORGANIZATION>/<REPOSITORY>'
     Copy to Clipboard Toggle word wrap 
    metadata:
    annotations:
        'jfrog-artifactory/image-name': '<IMAGE-NAME>'
  3. Commit and push the changes to the repository.

RHDH will detect your registry type and enable the Image Registry tab.

Verification

Select an RHTAP component where the Image Registry tab was missing. The tab menu should display it now.

Figure 5.1. The Image Registry tab displayed

imageregistry

Option 2: Enabling the Image Registry tab for all future components

The RHTAP software templates use specific patterns to identify the registry type, Quay or JFrog Artifactory. If your registry does not match these patterns, you can update the catalog-info.yaml file in the templates, and RHTAP will automatically detect your registry type for all future components and annotate them correctly for RHDH.

Prerequisites

Procedure

  1. In a GitHub repository with your templates, navigate to skeleton > source-repo and open the catalog-info.yaml file.

  2. Find code related to registry detection:

    Copy to Clipboard Toggle word wrap 
      {%- if "quay" in values.image %}
    quay.io/repository-slug: ${{ values.repoSlug }}

  {%- elif "jfrog" in values.image or "artifactory" in values.image %}
    jfrog-artifactory/image-name: ${{ values.imageName }}

  3. Replace "quay", "jfrog" or "artifactory" with a part of the URL of your registry.

    For example, if your Artifactory registry is called my-registry.mycompany.com, then your images names may be my-registry.mycompany.com/username/my-image. You can add my-registry.mycompany to catalog-info.yaml.

The updated template will automatically trigger correct annotations, and the Image Registry tab will be displayed in RHDH.





Revised on 2025-04-30 03:56:00 UTC

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.