Chapter 1. Installing Trusted Artifact Signer using the Operator Lifecycle Manager
You can install the Red Hat Trusted Artifact Signer (RHTAS) operator, and deploy the RHTAS service by using OpenShift’s Operator Lifecycle Manager (OLM). This deployment gives you a basic signing framework with your choice of an OpenID Connect (OIDC) provider. You must configure at least one of the following OIDC providers: Red Hat Single Sign-on (SSO), Google, Amazon Secure Token Service (STS), or GitHub. You can also optionally customize your database solution, if you do not want to use the default.
Prerequisites
- Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
-
Access to the OpenShift web console with the
cluster-adminrole. -
A workstation with the
ocbinary installed.
Procedure
-
Log in to the OpenShift web console with a user that has the
cluster-adminrole. - From the Administrator perspective, expand the Operators navigation menu, and click OperatorHub.
- In the search field, type trusted, and click the Red Hat Trusted Artifact Signer tile.
- Click the Install button to show the operator details.
Accept the default values, click Install on the Install Operator page, and wait for the installation to finish.
ImportantOnce the installation finishes, a new project is automatically created for you. The new project name is
trusted-artifact-signer.NoteThe Trusted Artifact Signer operator installs into the
openshift-operatorsnamespace, and all dependencies are automatically installed.- Optional. Instead of the default database, you can use an alternative database provider for the Trusted Artifact Signer service. If you want to use Amazon’s Relational Database Service (RDS), or a self-managed database on OpenShift, then follow one of those procedures first before continuing on with this installation. Once done configuring one of these other database providers, you can continue onto the next step of this procedure.
To deploy the Trusted Artifact Signer service.
- Expand Operators from the navigation menu, click Installed Operators.
-
Select
trusted-artifact-signerfrom the project drop-down box. - Click Red Hat Trusted Artifact Signer.
- Click the Securesign tab, and click the Create Securesign button.
- On the Create Securesign page, select YAML view.
You can configure Google OAuth, Amazon STS, Red Hat’s SSO, or GitHub OAuth as the initial OIDC provider during this deployment. Under the
spec.fulcio.config.OIDCIssuerssection, edit the following three lines with the OIDC provider URL, and set theClientIDappropriately.Example
... OIDCIssuers: - Issuer: 'OIDC_ISSUER_URL': ClientID: CLIENT_ID IssuerURL: 'OIDC_ISSUER_URL' Type: email ...
ImportantYou can define several different OIDC providers in the same configuration.
NoteIf Red Hat’s SSO is already implemented as your OIDC provider, then run the following command to find the issuer URL:
$ echo https://$(oc get route keycloak -n keycloak-system | tail -n 1 | awk '{print $2}')/auth/realms/trusted-artifact-signerSet the
ClientIDtotrusted-artifact-signer.Optional. If using a different database other than the default, then under the
spec.trilliansection, setcreatetofalse, and give the name of the database secret object.Example
... trillian: database: create: false databaseSecretRef: name: trillian-mysql ...- Click the Create button.
Click All instances tab to watch the deployment status until the CTlog, Fulcio, Rekor, Trillian, and TUF instances are ready.
NoteThe Securesign instance does not give a status.
- You can check on the health of the new Trusted Artifact Signer service by using Prometheus in the OpenShift console. From the navigation menu, expand Observe, and click Dashboards.
- Verify the installation by signing a container image, or a Git commit.
Additional resources
- See the Appendix in the RHTAS Deployment Guide for more information about RHTAS components and version numbers.
