Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Select your installation platform

As systems administrator, you can select two different installation platforms to run Red Hat Trusted Profile Analyzer (RHTPA). You can deploy RHTPA to Red Hat OpenShift Container Platform or Red Hat Enterprise Linux. For supporting infrastructure you can use Red Hat services, such as single sign-on (SSO) and OpenShift Data Foundation, or you can use Amazon Web Services (AWS) as the infrastructure for authentication, storage, and database access.

Select your target installation platform:

You can install the Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux by using a Red Hat-provided Ansible Playbook. With Ansible deployments of RHTPA, you can specify your own PostgreSQL database, OpenID Connect (OIDC) provider, and a Simple Storage Service (S3) provider.

Prerequisites

  • Red Hat Enterprise Linux version 9.3 or later.
  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.
  • A configured OIDC provider, either Red Hat’s SSO or Amazon Cognito.
  • A storage provider, either Red Hat OpenShift Data Foundation or Amazon S3.
  • An available PostgreSQL or Amazon RDS database instance.

Procedure

  1. Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
  2. From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
  3. From the navigational menu, expand Automation Hub, and click Collections.
  4. In the search field type rhtpa and press enter.
  5. Click the trusted_profile_analyzer link on the Red Hat Trusted Profile Analyzer tile.

  6. Click the Documentation tab, and follow the steps there to complete the installation of RHTPA on Red Hat Enterprise Linux.

    Note

    For a detailed overview of all the configuration parameters, click the tpa_single_node link under the Roles section.

Size your infrastructure resources before deploying Red Hat Trusted Profile Analyzer (RHTPA) to ensure optimal service performance. The size of your object store depends on how many SBOM and VEX documents you plan to initially upload to RHTPA.

For example, if you upload 10,000 SBOM documents, with an average document size of 500 KB, your initial object storage size is 5 GB. Over the next year, if you create or update SBOM documents 100 times daily, you can estimate resulting object storage growth requirements. In this example, you can plan on a growth in storage of 18.25 GB over the next year. Adding in some buffer, say 20%, your estimated total object storage allocation would be roughly 28 GB.

Here are the baseline CPU, memory, and storage resources you can start with:

  • 4 CPU cores
  • 8 GB of RAM
  • 45 GB of storage for database
  • 45 GB of storage for objects

You can install the Red Hat Trusted Profile Analyzer (RHTPA) Operator, and deploy the RHTPA service by using OpenShift Operator Lifecycle Manager (OLM). This deployment gives you a basic RHTPA environment, and a web-based user interface (UI) to manage the service. You can configure either Red Hat single sign-On (SSO) technology or Amazon Web Services (AWS) Cognito as an OpenID Connect (OIDC) provider. You can configure either Red Hat OpenShift Data Foundation or AWS Simple Storage Service (S3) for storage. You can also configure either a PostgreSQL database or use Amazon Relational Database Service (RDS) to store advisory and analytical data.

Prerequisites

  • Red Hat OpenShift Container Platform 4.17 or later.
  • Access to the OpenShift web console with the cluster-admin role.
  • A configured OIDC provider, either Red Hat SSO or AWS Cognito.
  • A storage provider, either Red Hat OpenShift Data Foundation or Amazon S3.
  • An available PostgreSQL or Amazon RDS database instance.

Procedure

  1. Log in to the OpenShift web console with a user that has the cluster-admin role.
  2. From the Administrator perspective, expand the Operators navigation menu, and click OperatorHub.
  3. In the search field, type trusted, and click the Red Hat Trusted Profile Analyzer tile.
  4. Click the Install button to show the operator details.
  5. On the Install Operator page, select your installation namespace from the drop-down menu, or create a new project namespace. Accept the rest of the default values, and click the Install button. Wait for the installation to finish.
  6. Once the installation of the RHTPA operator completes, click the View Operator button.

  7. To deploy the Trusted Profile Analyzer service:

    1. On the Red Hat Trusted Profile Analyzer Operator page, under the Details tab, click the Create instance link on the TrustedProfileAnalyzer tile.
    2. On the Create TrustedProfileAnalyzer page, select YAML view.
    3. Copy the OIDC provider, storage, and importer sections from the Helm chart for AWS services or Red Hat services, and paste them under the spec section.
    4. Update the OIDC provider, storage, and importer values for your environment.
    5. Click the Create button.
  8. You can check on the health of the new Trusted Profile Analyzer service by checking that the pods are up and running. You can also verify the exposure of the access route URL, and that the Trusted Profile Analyzer service is accessible.

You can install Red Hat Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. This procedure guides you on integrating Amazon Web Services (AWS) with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.17 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
  • Helm version 3.17 or higher.
  • The ability to provision Transport Layer Security (TLS) certificates for Helm.

  • An AWS account with access to the following services:

    • Simple Storage Service (S3)
    • Relational Database Service (RDS) using a PostgreSQL database instance.
    • Cognito with an existing Cognito domain.

  • Have the following unversioned S3 bucket name created:

    • trustify-UNIQUE_ID
    Important

    This bucket name must be unique across all AWS accounts in all AWS regions within the same partition. See Amazon S3 documentation for more information on bucket naming rules.

  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface: 

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT
     
    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
    Note

    You can find your login token and URL from the OpenShift web console to use on the command line. To find your login token and URL: * Log in to the OpenShift web console. * Click your user name, and click Copy login command. * Enter your user name and password again, and click Display Token to view the command.

  2. Create a new project for the RHTPA deployment: 

    oc new-project PROJECT_NAME
     
    $ oc new-project trusted-profile-analyzer

  3. Open a new file for editing: 

    $ vi values-rhtpa.yaml
  4. Copy and paste the RHTPA values file template into the new values-rhtpa.yaml file.

  5. Update the values-rhtpa.yaml file with your relevant AWS information.

    1. Replace REGION, USER_POOL_ID, FRONTEND_CLIENT_ID, and CLI_CLIENT_ID with your relevant Amazon Cognito information. You can find this information in the AWS Cognito Console, in the User pool overview section.
    2. Replace UNIQUE_ID with your unique bucket name for the trustify- S3 bucket.
    3. Save the file, and quit the editor.

  6. Create the S3 storage secret resource by using your AWS credentials: 

    apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  aws_access_key_id: AWS_ACCESS_KEY
  aws_secret_access_key: AWS_SECRET_KEY
     
    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  aws_access_key_id: RHTPASTORAGE1EXAMPLE
  aws_secret_access_key: xBalrKUtnFEMI/K7RDENG/aPxRfzCYEXAMPLEKEY
EOF

  7. Create a OpenID Connect (OIDC) client secret resource: 

    apiVersion: v1
kind: Secret
metadata:
  name: oidc-cli
  namespace: PROJECT_NAME
type: Opaque
data:
  client-secret: SECRET
     
    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: oidc-cli
  namespace: trusted-profile-analyzer
type: Opaque
data:
  client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79
EOF

  8. Create two PostgreSQL database secret resources by using your Amazon RDS credentials.

    1. A PostgreSQL standard user secret resource: 

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT
       
      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: jdoe
  db.password: example1234
  db.port: 5432
EOF

    2. A PostgreSQL administrator secret resource: 

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT
       
      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: rds.us-east-1.amazonaws.com
  db.name: rhtpadb
  db.user: admin
  db.password: example1234
  db.port: 5432
EOF
    3. From the AWS Management Console, configure the Amazon Virtual Private Cloud (VPC) security group to allow port 5432.

  9. Open a new file for editing: 

    $ vi values-importers.yaml
    1. Copy and paste the RHTPA importers values file template into the new values-importers.yaml file.
    2. Save the file, and quit the editor.

  10. Set up your shell environment: 

    $ export NAMESPACE=trusted-profile-analyzer
$ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

  11. Add the OpenShift Helm chart repository: 

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

  12. Get the latest chart information from the Helm chart repositories: 

    $ helm repo update

  13. Run the Helm chart: 

    helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --values PATH_TO_IMPORTER_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL
     
    $ helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL
    Note

    You can run this Helm chart many times to apply the currently configured state from the values file.

  14. Once the installation finishes, you can log in to the RHTPA console by using the user credentials from your OIDC provider. You can find the RHTPA console URL by running the following command: 

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=server -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'

You can install Red Hat Trusted Profile Analyzer (RHTPA) service on OpenShift by using a Helm chart from Red Hat. You need to have Red Hat OpenShift Data Foundation storage infrastructure, Red Hat Single sign-on (SSO) as your OpenID Connect (OIDC) provider, and a PostgreSQL database. This procedure guides you on integrating these various services with RHTPA by using a customized values file for Helm.

Important

If the secret values change after the installation, OpenShift redeploys RHTPA.

Prerequisites

  • A Red Hat OpenShift Container Platform cluster running version 4.17 or later.

    • Support for the Ingress resource to serve publicly trusted certificates that use HTTPS.
  • Helm version 3.17 or higher.
  • Red Hat SSO as an OIDC provider for authentication.
  • Red Hat OpenShift Data Foundation for S3 storage.

  • Have the following unversioned S3 bucket name created:

    • trustify-UNIQUE_ID
  • A new PostgreSQL database.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and the helm binaries installed.

Procedure

  1. On your workstation, open a terminal, and log in to OpenShift by using the command-line interface: 

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT
     
    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
    Note

    You can find your login token and URL from the OpenShift web console to use on the command line. To find your login token and URL: * Log in to the OpenShift web console. * Click your user name, and click Copy login command. * Enter your user name and password again, and click Display Token to view the command.

  2. Create a new project for the RHTPA deployment: 

    oc new-project PROJECT_NAME
     
    $ oc new-project trusted-profile-analyzer

  3. Open a new file for editing: 

    $ vi values-rhtpa.yaml
  4. Copy and paste the RHTPA values file template into the new values-rhtpa.yaml file.

  5. Update the values-rhtpa.yaml file with your information.

    1. Replace S3_ENDPOINT_URL with your relevant S3 storage information.
    2. Replace OIDC_ISSUER_URL, FRONTEND_CLIENT_ID and CLI_CLIENT_ID with your relevant OIDC information.
    3. Save the file, and quit the editor.

  6. Create the S3 storage secret resource with your credentials: 

    apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  user: ACCESS_KEY
  password: SECRET_KEY
     
    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: storage-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  user: root
  password: example123
EOF

  7. Create a OIDC client secret resource: 

    apiVersion: v1
kind: Secret
metadata:
  name: oidc-cli
  namespace: PROJECT_NAME
type: Opaque
data:
  client-secret: SECRET
     
    $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: oidc-cli
  namespace: trusted-profile-analyzer
type: Opaque
data:
  client-secret: 5460cc91-4e20-4edd-881c-b15b169f8a79
EOF

  8. Create the two PostgreSQL database secret resources with your database credentials.

    1. A PostgreSQL standard user secret resource: 

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT
       
      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: postgresql.example.com
  db.name: rhtpadb
  db.user: jdoe
  db.password: example1234
  db.port: 5432
EOF

    2. A PostgreSQL administrator secret resource: 

      apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: PROJECT_NAME
type: Opaque
data:
  db.host: DB_HOST
  db.name: DB_NAME
  db.user: USERNAME
  db.password: PASSWORD
  db.port: PORT
       
      $ cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-admin-credentials
  namespace: trusted-profile-analyzer
type: Opaque
data:
  data:
  db.host: postgresql.example.com
  db.name: rhtpadb
  db.user: admin
  db.password: example1234
  db.port: 5432
EOF

  9. Open a new file for editing: 

    $ vi values-importers.yaml
    1. Copy and paste the RHTPA importers values file template into the new values-importers.yaml file.
    2. Save the file, and quit the editor.

  10. Set up your shell environment: 

    $ export NAMESPACE=trusted-profile-analyzer
$ export APP_DOMAIN_URL=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')

  11. Add the OpenShift Helm chart repository: 

    $ helm repo add openshift-helm-charts https://charts.openshift.io/

  12. Get the latest chart information from the Helm chart repositories: 

    $ helm repo update

  13. Run the Helm chart: 

    helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values PATH_TO_VALUES_FILE --values PATH_TO_IMPORTER_VALUES_FILE --set-string appDomain=$APP_DOMAIN_URL
     
    $ helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL
    Note

    You can run this Helm chart many times to apply the currently configured state from the values file.

  14. Once the installation finishes, you can log in to the RHTPA console by using the user credentials from your OIDC provider. You can find the RHTPA console URL by running the following command: 

    $ oc -n $NAMESPACE get route --selector app.kubernetes.io/name=server -o jsonpath='https://{.items[0].status.ingress[0].host}{"\n"}'
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top