Chapter 1. Select your installation platform


As a systems administrator, you can select from two different installation platforms to run Red Hat Trusted Profile Analyzer (RHTPA). You can deploy RHTPA to Red Hat OpenShift Container Platform that uses Amazon Web Services (AWS) or another service provider with a Helm chart from Red Hat. You can also deploy RHTPA to Red Hat Enterprise Linux by using Ansible.

Note

To use infrastructure services other than AWS, open a support ticket requesting assistance with integrating other compatible providers.

Select your target installation platform:

1.1. Installing Trusted Profile Analyzer by using Ansible

You can install Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux by using a Red Hat-provided Ansible playbook. This Ansible deployment of RHTPA allows you to specify your own PostgreSQL database, OpenID Connect (OIDC) provider, and Simple Storage Service (S3) provider.

Important

Deploying RHTPA on Red Hat Enterprise Linux by using Ansible is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them in production. These features give early access to upcoming product features, enabling customers to test functionality and give feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.

Prerequisites

  • Red Hat Enterprise Linux version 9.3 or later.
  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.

Procedure

  1. Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
  2. From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
  3. From the navigational menu, expand Automation Hub, and click Collections.
  4. In the search field, type rhtpa and press Enter.
  5. Click the trusted_profile_analyzer link on the Red Hat Trusted Profile Analyzer tile.
  6. Click the Documentation tab, and follow the steps there to complete the installation of RHTPA on Red Hat Enterprise Linux.

    Note

    For a detailed overview of all the configuration parameters, click the tpa_single_node link under the Roles section.

1.2. Installing Trusted Profile Analyzer by using Helm with Amazon Web Services

You can install Red Hat’s Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. This procedure guides you on integrating Amazon Web Services (AWS) with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.14 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
  • Helm version 3.17 or higher.
  • The ability to provision Transport Layer Security (TLS) certificates for Helm.
  • An AWS account with access to the following services:

    • Simple Storage Service (S3)
    • Relational Database Service (RDS) using a PostgreSQL database instance.
    • Cognito with an existing Cognito domain.
  • An unversioned S3 bucket created with the following name:

    • trustify-UNIQUE_ID
    Important

    This bucket name must be unique across all AWS accounts in all AWS regions within the same partition. See Amazon’s S3 documentation for more information on bucket naming rules.

  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc and helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL from the OpenShift web console to use on the command line. Log in to the OpenShift web console. Click your user name, and click Copy login command. Enter your user name and password again, and click Display Token to view the command.

  2. Create a new project for the RHTPA deployment:

    Syntax

    oc new-project PROJECT_NAME

    Example

    $ oc new-project trusted-profile-analyzer

  3. Open a new file for editing:

    Example

    $ vi values-rhtpa-aws.yaml

  4. Copy and paste the RHTPA values file template into the new values-rhtpa-aws.yaml file.
  5. Update the values-rhtpa-aws.yaml file with your relevant AWS information.

    1. Replace REGION, USER_POOL_ID, FRONTEND_CLIENT_ID, and CLI_CLIENT_ID with your relevant Amazon Cognito information. You can find this information in the AWS Cognito Console, in the User pool overview section.
    2. Replace UNIQUE_ID with the unique suffix of your trustify- S3 bucket name.
    3. Save the file, and quit the editor.
  6. Create the S3 storage secret resource by using your AWS credentials:

    Syntax

    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: PROJECT_NAME
    type: Opaque
    # stringData takes plain-text values; the API server stores them base64-encoded under data
    stringData:
      aws_access_key_id: AWS_ACCESS_KEY
      aws_secret_access_key: AWS_SECRET_KEY

    Example

    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: storage-credentials
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      aws_access_key_id: RHTPASTORAGE1EXAMPLE
      aws_secret_access_key: xBalrKUtnFEMI/K7RDENG/aPxRfzCYEXAMPLEKEY
    EOF

  7. Create an OpenID Connect (OIDC) walker client secret resource:

    Syntax

    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: PROJECT_NAME
    type: Opaque
    # stringData takes the plain-text client secret; the API server stores it base64-encoded under data
    stringData:
      client-secret: SECRET

    Example

    $ cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: oidc-cli
      namespace: trusted-profile-analyzer
    type: Opaque
    stringData:
      client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79
    EOF

  8. Create two PostgreSQL database secret resources by using your Amazon RDS credentials.

    1. A PostgreSQL standard user secret resource:

      Syntax

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: PROJECT_NAME
      type: Opaque
      # stringData takes plain-text values; the port must be quoted so it is stored as a string
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"

      Example

      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: rds.us-east-1.amazonaws.com
        db.name: rhtpadb
        db.user: jdoe
        db.password: example1234
        db.port: "5432"
      EOF

    2. A PostgreSQL administrator secret resource:

      Syntax

      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: PROJECT_NAME
      type: Opaque
      # stringData takes plain-text values; the port must be quoted so it is stored as a string
      stringData:
        db.host: DB_HOST
        db.name: DB_NAME
        db.user: USERNAME
        db.password: PASSWORD
        db.port: "PORT"

      Example

      $ cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: postgresql-admin-credentials
        namespace: trusted-profile-analyzer
      type: Opaque
      stringData:
        db.host: rds.us-east-1.amazonaws.com
        db.name: rhtpadb
        db.user: admin
        db.password: example1234
        db.port: "5432"
      EOF

    3. From the AWS Management Console, configure the Amazon Virtual Private Cloud (VPC) security group to allow inbound connections on port 5432.
  9. Open a new file for editing:

    Example

    $ vi values-importers.yaml

  10. Copy and paste the RHTPA importers values file template into the new values-importers.yaml file.
  11. Save the file, and quit the editor.
  12. Set up your shell environment:

    Syntax

    export NAMESPACE=PROJECT_NAME
    export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

    Example

    $ export NAMESPACE=trusted-profile-analyzer
    $ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

  13. Add the OpenShift Helm chart repository:

    Example

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

  14. Get the latest chart information from the Helm chart repositories:

    Example

    $ helm repo update

  15. Run the Helm chart:

    Syntax

    helm upgrade redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --values PATH_TO_IMPORTER_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL

    Example

    $ helm upgrade redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa-aws.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL

    Note

    You can run this Helm command repeatedly; each run applies the state currently configured in the values files.

  16. Once the installation finishes, you can log in to the RHTPA console by using a user’s credentials from the Cognito user pool. You can find the RHTPA console URL by running the following command:

    Example

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=server -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'
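The procedure above pipes plain-text credentials into Secret manifests and depends on a correctly named S3 bucket and a fully edited values file. The following shell helpers, an added example that is not part of the Red Hat documentation or of the RHTPA Helm chart, check those inputs before you run the chart: check_bucket_name validates a bucket name against the S3 general-purpose bucket naming rules, find_unreplaced_placeholders reports template placeholders still present in a values file, and render_opaque_secret builds a Secret manifest from KEY=VALUE arguments under stringData so credentials can be read from the environment instead of being pasted into a file. The function names and the sample values in the usage comments are assumptions.

```shell
#!/usr/bin/env bash
# Added pre-flight helpers for the Helm procedure above. This is example code,
# not part of the Red Hat documentation or the RHTPA chart; the function names
# are made up for this example.
set -u

# Validate an S3 bucket name (for example trustify-UNIQUE_ID) against the
# general-purpose bucket naming rules: 3-63 characters; lowercase letters,
# digits, dots and hyphens only; begins and ends with a letter or digit;
# no consecutive dots; not shaped like an IPv4 address; no xn-- prefix and
# no -s3alias suffix. Returns 0 when valid, 1 otherwise.
check_bucket_name() {
  local name="$1" len
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9.-]*) return 1 ;;   # illegal character
    *..*)          return 1 ;;   # consecutive dots
    xn--*)         return 1 ;;   # reserved prefix
    *-s3alias)     return 1 ;;   # reserved suffix
  esac
  case "$name" in
    [a-z0-9]*[a-z0-9]) ;;        # first and last character are a letter or digit
    *) return 1 ;;
  esac
  # Reject dotted-quad names such as 192.168.1.1.
  if printf '%s' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    return 1
  fi
  return 0
}

# Report template placeholders still present in a values file. The placeholder
# names are the ones the procedure tells you to replace; matching is a plain
# text search, so a legitimate value that happens to contain one of these
# tokens would also be reported. Prints each leftover placeholder; returns 1
# if any remain, 0 if the file is clean.
find_unreplaced_placeholders() {
  local file="$1" found=0 p
  for p in REGION USER_POOL_ID FRONTEND_CLIENT_ID CLI_CLIENT_ID UNIQUE_ID; do
    if grep -q -- "$p" "$file"; then
      echo "$p"
      found=1
    fi
  done
  return "$found"
}

# Print an Opaque Secret manifest for `oc apply -f -`. Values come from
# KEY=VALUE arguments and are placed under stringData, so they can be given in
# plain text and the API server stores them base64-encoded under data. Each
# value is emitted as a single-quoted YAML scalar (embedded quotes doubled),
# which also keeps numeric-looking values such as a port as strings.
render_opaque_secret() {
  local name="$1" namespace="$2" kv key value
  shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\nstringData:\n' \
    "$name" "$namespace"
  for kv in "$@"; do
    key=${kv%%=*}
    value=$(printf '%s' "${kv#*=}" | sed "s/'/''/g")
    printf "  %s: '%s'\n" "$key" "$value"
  done
}

# Usage (assumed variable names; credentials are read from the environment and
# nothing is written to disk):
#   check_bucket_name "trustify-$UNIQUE_ID" || echo "invalid bucket name"
#   find_unreplaced_placeholders values-rhtpa-aws.yaml
#   render_opaque_secret storage-credentials "$NAMESPACE" \
#     "aws_access_key_id=$AWS_ACCESS_KEY_ID" \
#     "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" | oc apply -f -
```

Run the placeholder and bucket-name checks before step 15, and use render_opaque_secret in place of the heredocs in steps 6 to 8 when you want the credentials to come from environment variables or a secrets manager rather than from a pasted manifest.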

© 2025 Red Hat, Inc.