Deployment Guide


Red Hat Trusted Profile Analyzer 2

Deploying the Trusted Profile Analyzer service on Red Hat Enterprise Linux and Red Hat OpenShift

Red Hat Trusted Documentation Team

Abstract

This Deployment Guide gives system administrators information about installing Red Hat's Trusted Profile Analyzer service on Red Hat Enterprise Linux and Red Hat OpenShift Container Platform.

Preface

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Deployment Guide!

This guide helps you with deploying the Red Hat Trusted Profile Analyzer (RHTPA) software stack on Red Hat OpenShift Container Platform or on Red Hat Enterprise Linux. For new RHTPA deployments, start by choosing your target installation platform.

You can view the official RHTPA Release Notes here.

Chapter 1. Select your installation platform

As a systems administrator, you can choose between two installation platforms for Red Hat Trusted Profile Analyzer (RHTPA): Red Hat OpenShift Container Platform or Red Hat Enterprise Linux. You can also choose between Red Hat services, such as single sign-on (SSO) and OpenShift Data Foundation, and Amazon Web Services (AWS) as the infrastructure for authentication, storage, and the database.

Select your target installation platform:

You can install the Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux by using a Red Hat provided Ansible Playbook. This Ansible deployment of RHTPA allows you to specify your own PostgreSQL database, OpenID Connect (OIDC) provider, and a Simple Storage Service (S3) provider.

Prerequisites

  • Red Hat Enterprise Linux version 9.3 or later.
  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.
  • A configured OIDC provider, either Red Hat’s SSO or Amazon Cognito.
  • A storage provider, either Red Hat OpenShift Data Foundation or Amazon S3.
  • An available PostgreSQL or Amazon RDS database instance.

Procedure

  1. Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
  2. From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
  3. From the navigational menu, expand Automation Hub, and click Collections.
  4. In the search field, type rhtpa and press Enter.
  5. Click the trusted_profile_analyzer link on the Red Hat Trusted Profile Analyzer tile.
  6. Click the Documentation tab, and follow the steps there to complete the installation of RHTPA on Red Hat Enterprise Linux.

    Note

    For a detailed overview of all the configuration parameters, click the tpa_single_node link under the Roles section.

Understanding how to size the infrastructure resources before deploying Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat OpenShift is important for running an optimal service under load. The key infrastructure pieces to consider are persistent storage for the PostgreSQL database, which stores the supply chain metadata, and object storage for Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) documents. The size of your object store depends on how many SBOM and VEX documents you plan to upload initially. Also consider your projected storage growth as you add or update documents, and include a buffer for unexpected growth in your estimate.

For example, if you upload 10,000 SBOM documents with an average size of 500 KB, your initial object storage requirement is 5 GB. If over the next year you then create or update 100 SBOM documents a day, the growth is 100 × 500 KB × 365 days, about 18.25 GB. Adding a 20% buffer to the 23.25 GB total gives an estimated object storage allocation of roughly 28 GB.

Here are the baseline CPU, memory, and storage resources you can start with:

  • 4 CPU cores
  • 8 GB of RAM
  • 45 GB of storage for database
  • 45 GB of storage for objects

You can install the Red Hat Trusted Profile Analyzer (RHTPA) Operator, and deploy the RHTPA service by using OpenShift’s Operator Lifecycle Manager (OLM). This deployment gives you a basic RHTPA environment, and a web-based user interface (UI) to manage the service. You can configure either Red Hat’s single sign-on (SSO) technology or Amazon Web Services' (AWS) Cognito as an OpenID Connect (OIDC) provider. You can configure either Red Hat’s OpenShift Data Foundation or AWS S3 for storage. You can also configure either a PostgreSQL database or use Amazon’s Relational Database Service (RDS) to store advisory and analytical data.

Important

Deploying the RHTPA operator on OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them in production. These features give early access to upcoming product features, enabling customers to test functionality and give feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.

Prerequisites

  • Red Hat OpenShift Container Platform 4.16 or later.
  • Access to the OpenShift web console with the cluster-admin role.
  • A configured OIDC provider, either Red Hat’s SSO or Amazon Cognito.
  • A storage provider, either Red Hat OpenShift Data Foundation or Amazon S3.
  • An available PostgreSQL or Amazon RDS database instance.

Procedure

  1. Log in to the OpenShift web console with a user that has the cluster-admin role.
  2. From the Administrator perspective, expand the Operators navigation menu, and click OperatorHub.
  3. In the search field, type trusted, and click the Red Hat Trusted Profile Analyzer tile.
  4. Click the Install button to show the operator details.
  5. On the Install Operator page, select your installation namespace from the drop-down menu, or create a new project namespace. Accept the rest of the default values, and click the Install button. Wait for the installation to finish.
  6. Once the installation of the RHTPA operator finishes, click the View Operator button.
  7. Deploy the Trusted Profile Analyzer service:

    1. On the Red Hat Trusted Profile Analyzer Operator page, under the Details tab, click the Create instance link on the TrustedProfileAnalyzer tile.
    2. On the Create TrustedProfileAnalyzer page, select YAML view.
    3. Copy the oidc, storage, and importer sections from the values file template for AWS services or for Red Hat services, and from the importers values file template, and paste them under the spec section.
    4. Update the OIDC provider, storage, and importer values for your environment.
    5. Click the Create button.
  8. After the service deploys, verify its health: check that the pods in the installation namespace are running and ready, that a route for the service has been created, and that the route URL responds over HTTPS.

You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. This procedure guides you on integrating Amazon Web Services (AWS) with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.15 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
  • Helm version 3.17 or higher.
  • The ability to provision Transport Layer Security (TLS) certificates for Helm.
  • An AWS account with access to the following services:

    • Simple Storage Service (S3)
    • Relational Database Service (RDS) using a PostgreSQL database instance.
    • Cognito with an existing Cognito domain.
  • An unversioned S3 bucket with the following name:

    • trustify-UNIQUE_ID
    Important

    This bucket name must be unique across all AWS accounts in all AWS regions within the same partition. See Amazon’s S3 documentation for more information on bucket naming rules.

  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT
    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
    Note

    You can find your login token and server URL in the OpenShift web console. Log in to the web console, click your user name, and click Copy login command. Enter your user name and password again, and click Display Token to view the command. The token is a bearer credential for your cluster-admin session, so do not paste it into shared documents or commit it to a repository.

  2. Create a new project for the RHTPA deployment:

    oc new-project PROJECT_NAME
    $ oc new-project trusted-profile-analyzer
  3. Open a new file for editing:

    $ vi values-rhtpa.yaml
  4. Copy and paste the RHTPA values file template into the new values-rhtpa.yaml file.
  5. Update the values-rhtpa.yaml file with your relevant AWS information.

    1. Replace REGION, USER_POOL_ID, FRONTEND_CLIENT_ID, and CLI_CLIENT_ID with your relevant Amazon Cognito information. You can find this information in the AWS Cognito Console, in the User pool overview section.
    2. Replace UNIQUE_ID with your unique bucket name for the trustify- S3 bucket.
    3. Save the file, and quit the editor.
  6. Create the S3 storage secret resource by using your AWS credentials. Use an access key that is scoped to this bucket only, and put the plaintext values under stringData: the data field must hold base64-encoded values, so a plaintext value placed there is either rejected by the API server or stored as garbage.

    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: PROJECT_NAME
    type: Opaque
    stringData:
      aws_access_key_id: AWS_ACCESS_KEY
      aws_secret_access_key: AWS_SECRET_KEY
    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      aws_access_key_id: RHTPASTORAGE1EXAMPLE
      aws_secret_access_key: xBalrKUtnFEMI/K7RDENG/aPxRfzCYEXAMPLEKEY
    EOF
    Note

    An interactive shell records the here document, including the credential values, in its history. On a shared workstation, write the manifest to a file with restricted permissions, apply it with oc apply -f FILE, and delete the file afterwards.
  7. Create an OpenID Connect (OIDC) client secret resource. The client secret contains characters that are not valid base64, so it must go under stringData:

    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: PROJECT_NAME
    type: Opaque
    stringData:
      client-secret: SECRET
    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79
    EOF
  8. Create two PostgreSQL database secret resources by using your Amazon RDS credentials. Put the values under stringData, and quote the port: YAML reads a bare 5432 as an integer, and the API server rejects non-string values in a Secret.

    1. A PostgreSQL standard user secret resource. The running service connects with this user, so grant it only the privileges it needs on the RHTPA database:

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: PROJECT_NAME
      type: Opaque
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"
      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: rds.us-east-1.amazonaws.com
        db.name: rhtpadb
        db.user: jdoe
        db.password: example1234
        db.port: "5432"
      EOF
    2. A PostgreSQL administrator secret resource. These credentials are used only to create and migrate the database:

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: PROJECT_NAME
      type: Opaque
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"
      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: rds.us-east-1.amazonaws.com
        db.name: rhtpadb
        db.user: admin
        db.password: example1234
        db.port: "5432"
      EOF
    3. From the AWS Management Console, configure the Amazon Virtual Private Cloud (VPC) security group for the RDS instance to allow inbound TCP connections on port 5432 from your OpenShift cluster, and from nowhere else.
  9. Open a new file for editing:

    $ vi values-importers.yaml
    1. Copy and paste the RHTPA importers values file template into the new values-importers.yaml file.
    2. Save the file, and quit the editor.
  10. Set up your shell environment:

    $ export NAMESPACE=trusted-profile-analyzer
    $ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
    Note

    The leading hyphen in APP_DOMAIN_URL is intentional. The chart appends this value to a component name, such as server, to form each route host name, for example server-trusted-profile-analyzer.apps.example.com, so keep the hyphen in place.
  11. Add the OpenShift Helm chart repository:

    $ helm repo add openshift-helm-charts https://charts.openshift.io/
  12. Get the latest chart information from the Helm chart repositories:

    $ helm repo update
  13. Run the Helm chart:

    helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --values PATH_TO_IMPORTER_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL
    $ helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL
    Note

    You can rerun this command at any time: helm upgrade --install creates the release if it does not exist yet, and otherwise applies whatever state the values files currently describe.

  14. Once the installation finishes, you can log in to the RHTPA console by using the user credentials from your OIDC provider. You can find the RHTPA console URL by running the following command:

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=server -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'

You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. You need to have Red Hat’s OpenShift Data Foundation storage infrastructure, Red Hat’s Single sign-on (SSO) as your OpenID Connect (OIDC) provider, and a PostgreSQL database. This procedure guides you on integrating these various services with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.15 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
  • Helm version 3.17 or higher.
  • Red Hat SSO as an OIDC provider for authentication.
  • Red Hat OpenShift Data Foundation for S3 storage.
  • An unversioned S3 bucket with the following name:

    • trustify-UNIQUE_ID
  • A new PostgreSQL database.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT
    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
    Note

    You can find your login token and server URL in the OpenShift web console. Log in to the web console, click your user name, and click Copy login command. Enter your user name and password again, and click Display Token to view the command. The token is a bearer credential for your cluster-admin session, so do not paste it into shared documents or commit it to a repository.

  2. Create a new project for the RHTPA deployment:

    oc new-project PROJECT_NAME
    $ oc new-project trusted-profile-analyzer
  3. Open a new file for editing:

    $ vi values-rhtpa.yaml
  4. Copy and paste the RHTPA values file template into the new values-rhtpa.yaml file.
  5. Update the values-rhtpa.yaml file with your information.

    1. Replace S3_ENDPOINT_URL with your relevant S3 storage information.
    2. Replace OIDC_ISSUER_URL, FRONTEND_CLIENT_ID and CLI_CLIENT_ID with your relevant OIDC information.
    3. Save the file, and quit the editor.
  6. Create the S3 storage secret resource with your credentials. Put the plaintext values under stringData: the data field must hold base64-encoded values, so a plaintext value placed there is either rejected by the API server or stored as garbage.

    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: PROJECT_NAME
    type: Opaque
    stringData:
      user: ACCESS_KEY
      password: SECRET_KEY
    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      user: root
      password: example123
    EOF
    Note

    An interactive shell records the here document, including the credential values, in its history. On a shared workstation, write the manifest to a file with restricted permissions, apply it with oc apply -f FILE, and delete the file afterwards.
  7. Create an OIDC client secret resource. The client secret contains characters that are not valid base64, so it must go under stringData:

    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: PROJECT_NAME
    type: Opaque
    stringData:
      client-secret: SECRET
    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79
    EOF
  8. Create the two PostgreSQL database secret resources with your database credentials. Put the values under stringData, and quote the port: YAML reads a bare 5432 as an integer, and the API server rejects non-string values in a Secret.

    1. A PostgreSQL standard user secret resource. The running service connects with this user, so grant it only the privileges it needs on the RHTPA database:

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: PROJECT_NAME
      type: Opaque
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"
      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: postgresql.example.com
        db.name: rhtpadb
        db.user: jdoe
        db.password: example1234
        db.port: "5432"
      EOF
    2. A PostgreSQL administrator secret resource. These credentials are used only to create and migrate the database:

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: PROJECT_NAME
      type: Opaque
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"
      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: postgresql.example.com
        db.name: rhtpadb
        db.user: admin
        db.password: example1234
        db.port: "5432"
      EOF
  9. Open a new file for editing:

    $ vi values-importers.yaml
    1. Copy and paste the RHTPA importers values file template into the new values-importers.yaml file.
    2. Save the file, and quit the editor.
  10. Set up your shell environment:

    $ export NAMESPACE=trusted-profile-analyzer
    $ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
    Note

    The leading hyphen in APP_DOMAIN_URL is intentional. The chart appends this value to a component name, such as server, to form each route host name, for example server-trusted-profile-analyzer.apps.example.com, so keep the hyphen in place.
  11. Add the OpenShift Helm chart repository:

    $ helm repo add openshift-helm-charts https://charts.openshift.io/
  12. Get the latest chart information from the Helm chart repositories:

    $ helm repo update
  13. Run the Helm chart:

    helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --values PATH_TO_IMPORTER_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL
    $ helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL
    Note

    You can rerun this command at any time: helm upgrade --install creates the release if it does not exist yet, and otherwise applies whatever state the values files currently describe.

  14. Once the installation finishes, you can log in to the RHTPA console by using the user credentials from your OIDC provider. You can find the RHTPA console URL by running the following command:

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=server -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'

The values file template for deploying Red Hat Trusted Profile Analyzer (RHTPA) with Amazon Web Services (AWS) by using the RHTPA Helm chart. Helm does not expand shell variables inside a values file, so the appDomain entry is a placeholder that the --set-string appDomain=$APP_DOMAIN_URL argument overrides at install time. The database section uses postgresql-credentials for the running service, while the createDatabase and migrateDatabase modules use postgresql-admin-credentials, so the two database users can have different privileges. Note that sslMode: require encrypts the connection to PostgreSQL but does not verify the server certificate; PostgreSQL's verify-ca and verify-full modes do, and need the CA certificate available to the client, so check the chart's values.schema.json for whether it accepts one before switching.

appDomain: $APP_DOMAIN_URL

ingress:
  className: openshift-default
  additionalAnnotations:
    "haproxy.router.openshift.io/timeout": "5m"

authenticator:
  type: cognito

storage:
  type: s3
  region: REGION
  bucket: trustify-UNIQUE_ID
  accessKey:
    valueFrom:
      secretKeyRef:
        name: storage-credentials
        key: aws_access_key_id
  secretKey:
    valueFrom:
      secretKeyRef:
        name: storage-credentials
        key: aws_secret_access_key

database:
  sslMode: require
  host:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.host
  port:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.port
  name:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.name
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.password

createDatabase:
  name:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.name
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.password

migrateDatabase:
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.password

modules:
  createDatabase:
    enabled: true
  migrateDatabase:
    enabled: true

oidc:
  issuerUrl: https://cognito-idp.REGION.amazonaws.com/USER_POOL_ID
  clients:
    frontend:
      clientId: FRONTEND_CLIENT_ID
    cli:
      clientId: CLI_CLIENT_ID
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: oidc-cli
            key: client-secret

The values file template for deploying Red Hat Trusted Profile Analyzer (RHTPA) with Red Hat services by using the RHTPA Helm chart. Here the storage region entry carries the S3 endpoint URL of your OpenShift Data Foundation object store, and the storage credentials are read from the user and password keys of the storage-credentials secret rather than from AWS key names. As in the AWS template, appDomain is overridden on the command line by --set-string, the running service uses postgresql-credentials while the createDatabase and migrateDatabase modules use postgresql-admin-credentials, and sslMode: require encrypts the database connection without verifying the server certificate.

appDomain: $APP_DOMAIN_URL

ingress:
  className: openshift-default
  additionalAnnotations:
    "haproxy.router.openshift.io/timeout": "5m"

storage:
  type: s3
  region: S3_ENDPOINT_URL
  bucket: trustify-UNIQUE_ID
  accessKey:
    valueFrom:
      secretKeyRef:
        name: storage-credentials
        key: user
  secretKey:
    valueFrom:
      secretKeyRef:
        name: storage-credentials
        key: password

database:
  sslMode: require
  host:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.host
  port:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.port
  name:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.name
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.password

createDatabase:
  name:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.name
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.password

migrateDatabase:
  username:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.user
  password:
    valueFrom:
      secretKeyRef:
        name: postgresql-admin-credentials
        key: db.password

modules:
  createDatabase:
    enabled: true
  migrateDatabase:
    enabled: true

oidc:
  issuerUrl: OIDC_ISSUER_URL
  clients:
    frontend:
      clientId: FRONTEND_CLIENT_ID
    cli:
      clientId: CLI_CLIENT_ID
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: oidc-cli
            key: client-secret
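The following Python script is an added example, not part of Red Hat's documentation or of the RHTPA chart. It cross-checks a values file against the Secret manifests before you run helm, serving the secret-creation steps of both Helm procedures and both values templates above: every secretKeyRef must name a Secret and key that one of your manifests provides, plaintext must sit under stringData rather than data, and numeric values such as the database port must be quoted. The embedded values and manifests are constructed samples, and the small indentation-based parser handles only the nested mappings these files use; for arbitrary YAML, substitute PyYAML's safe_load and feed its output to the same functions.

```python
"""Pre-flight check for an RHTPA values file and its Secret manifests: added
example, not Red Hat's code. It assumes nested mappings of scalars only, which
is all parse_mapping understands; for arbitrary YAML use PyYAML's safe_load."""
import base64
import binascii


def parse_mapping(text):
    """Parse nested `key: value` mappings by indentation; scalars keep their raw text."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip('"'), value.strip()
        while stack[-1][0] >= indent:  # leave mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def find_secret_refs(node, path=""):
    """Yield (values_path, secret_name, key) for every secretKeyRef in the tree."""
    if not isinstance(node, dict):
        return
    ref = node.get("secretKeyRef")
    if isinstance(ref, dict):
        yield path.removesuffix(".valueFrom"), ref["name"].strip('"'), ref["key"].strip('"')
    for key, child in node.items():
        yield from find_secret_refs(child, f"{path}.{key}" if path else key)


def secret_keys(manifest):
    """Return (name, {key: plaintext}, problems) for one Secret manifest."""
    doc = parse_mapping(manifest)
    name = doc["metadata"]["name"].strip('"')
    keys, problems = {}, []
    for field in ("stringData", "data"):
        for key, value in doc.get(field, {}).items():
            if isinstance(value, dict):  # a `data:` nested under `data:` by mistake
                problems.append(f"{name}: stray nested mapping '{key}' under {field}")
            elif field == "stringData":  # taken verbatim, but must be a string
                if value.isdigit():  # YAML reads a bare number as an int
                    problems.append(f'{name}: stringData.{key} must be quoted, for example "{value}"')
                keys[key] = value.strip('"')
            else:  # data must hold valid base64
                try:
                    keys[key] = base64.b64decode(value, validate=True).decode()
                except (binascii.Error, UnicodeDecodeError):
                    problems.append(f"{name}: data.{key} is not base64; put plaintext under stringData")
    return name, keys, problems


def check(values_text, manifests):
    """Return a list of problems; an empty list means every reference resolves."""
    problems, available = [], {}
    for manifest in manifests:
        name, keys, found = secret_keys(manifest)
        available[name] = keys
        problems.extend(found)
    for path, name, key in find_secret_refs(parse_mapping(values_text)):
        if name not in available:
            problems.append(f"{path}: Secret '{name}' is not among the manifests")
        elif key not in available[name]:
            problems.append(f"{path}: Secret '{name}' has no key '{key}'")
    return problems


# Constructed inputs: the database and OIDC references from the values template,
# plus Secret manifests written with stringData as the procedure expects.
VALUES_RHTPA = """\
database:
  host:
    valueFrom:
      secretKeyRef:
        name: postgresql-credentials
        key: db.host
oidc:
  clients:
    cli:
      clientSecret:
        valueFrom:
          secretKeyRef:
            name: oidc-cli
            key: client-secret
"""


def secret(name, field, body):
    return (f"apiVersion: v1\nkind: Secret\nmetadata:\n  name: {name}\n"
            f"  namespace: trusted-profile-analyzer\ntype: Opaque\n{field}:\n{body}")


DATABASE = secret("postgresql-credentials", "stringData",
                  '  db.host: postgresql.example.com\n  db.port: "5432"\n')
OIDC_OK = secret("oidc-cli", "stringData", "  client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79\n")
OIDC_BAD = secret("oidc-cli", "data", "  client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79\n")  # plaintext under data
```

To use it on a real deployment, read values-rhtpa.yaml and each manifest file into strings and pass them to check(); an empty result means every reference resolves and the manifests are in a form the API server accepts, so you can proceed to helm upgrade --install. The check for OIDC_BAD reproduces what happens when a plaintext client secret is placed under data: the manifest is flagged as invalid base64, and the values file's reference to that key then fails to resolve.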

The values file template containing the default importers for use by the Red Hat Trusted Profile Analyzer (RHTPA) Helm chart. The appDomain entry here is a placeholder that the --set-string appDomain=$APP_DOMAIN_URL argument overrides. The Red Hat SBOM, Red Hat CSAF, and Quay importers are shipped disabled; the CVE list and GitHub Advisory Database importers are enabled and fetch from public GitHub repositories, so the importer pods need outbound HTTPS access to those sources.

$schema: "charts/trustify/values.schema.json"

appDomain: asdf
tracing: {}

modules:
  createImporters:
    enabled: true
    importers:
      redhat-sboms:
        sbom:
          description: All Red Hat SBOMs
          period: 1d
          source: https://access.redhat.com/security/data/sbom/beta/
          keys:
            - https://access.redhat.com/security/data/97f5eac4.txt#77E79ABE93673533ED09EBE2DCE3823597F5EAC4
          disabled: true
          fetchRetries: 50
      redhat-csaf:
        csaf:
          description: All Red Hat CSAF data
          period: 1d
          source: redhat.com
          disabled: true
          fetchRetries: 50
      cve:
        cve:
          description: CVE list v5
          period: 1d
          source: https://github.com/CVEProject/cvelistV5
          disabled: false
      osv-github:
        osv:
          description: GitHub Advisory Database
          period: 1d
          source: https://github.com/github/advisory-database
          path: advisories
          disabled: false
      quay-redhat-user-workloads:
        quay:
          description: SBOMs from build image attachments
          period: 1d
          source: quay.io
          namespace: redhat-user-workloads
          disabled: true

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.