Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 2. Customizing your installation
The RHTAP installer deploys a network of products that work together to form a secure, automated CI/CD platform. However, two of these products you may have already installed: Advanced Cluster Security (ACS) and Quay. If you already have instances of either of these products, you can integrate them into your installation of RHTAP. Integration saves time and prevents data loss. If you have instances of these products and do not integrate them, then the installer just creates new instances in new namespaces.
Additionally, there are three products that you can replace with certain substitutes in your deployment of RHTAP. The table below names these products, their purpose, and what other products you can use instead.
| Product | Purpose | Possible substitutes |
|---|---|---|
| GitHub | Source code repository |
|
| Tekton | CI pipeline |
CI pipeline substitutes conform to SLSA Build L2. Only Tekton conforms to Build L3. |
| Quay | Registry for artifacts | Artifactory |
Please note that when you use alternative providers for your Git, CI and registry integrations, RHTAP also installs plugins for those products in Red Hat Developer Hub. Most of them are Technology Preview or community plugins. This means that replacing default products can introduce security risks and is not recommended for a production environment. For more information, please see the plugins table in our release notes and the RHDH documentation about plugins.
Also be aware that, to customize your installation, you must run all relevant commands inside an rhtap-cli container, which is logged into your cluster as ClusterAdmin.
The following procedures explain how to customize your installation of RHTAP, by integrating pre-existing instances and outside products.
2.1. (Optional) Integrating ACS
Prerequisites
- Administrator access to an instance of ACS
Procedure
Before you can integrate your instance of ACS, you need an API token and the central endpoint URL.
In your
rhtap-clicontainer, run the integration command. Replace $ACS_ENDPOINT with your ACS central endpoint URL, and $ACS_TOKEN with your ACS API token.bash-5.1$ rhtap-cli integration acs --endpoint="$ACS_ENDPOINT" --token="$ACS_TOKEN"
2.2. (Optional) Integrating Quay
In this procedure, you obtain two values from your instance of Quay. Then you integrate your instance into RHTAP.
Prerequisites:
- A Quay account
- Ownership of a Quay organization (you can use any plan, including the free option).
We recommend using a robot account in Quay for this procedure. This way, once RHTAP is installed, multiple users can authenticate to your organization’s namespace in Quay.
Procedure:
- In your web browser, login to Quay. On the right side of the banner, select your username and select Account Settings from the dropdown menu.
- On your user settings page, under Docker CLI Password, select Generate Encrypted Password. In the popup window, enter your password to authenticate.
-
Next, still in the popup window, select Docker Configuration > View [username]-auth.json. Copy the string, without the quotation marks, following
"auth":. -
In your
private.envfile, label and create the Docker configuration value with the following format, using your username and auth token where appropriate: {"auths": {"quay.io": {"auth": "[auth token]","email": ""}}} - Back in the Quay UI, return to the default Repositories page. On the right side, under Users and Organizations, select the Quay organization you want to use for RHTAP.
- From the tabs on the left side, select Applications.
- Click Create New Application. Give your application a name.
- Click on the application’s name.
- From the tabs on the left, select Generate Token.
- From the options for permissions for the token, select View all visible repositories.
- Click Generate Access Token.
- Click Authorize Applicaiton.
-
The UI displays an access token. Label and save this token in
private.env, too. In your
rhtap-clicontainer, run the following command to integrate your instance of Quay. Replace $QUAY_DOCKERCONFIGJSON with the Docker configuration value. Replace $QUAY_TOKEN with the token you just generated. And replace $QUAY_URL with the address for your instance of Quay (https://quay.io if you have not installed Quay in your cluster).bash-5.1$ rhtap-cli integration quay --dockerconfigjson='$QUAY_DOCKERCONFIGJSON' --token="$QUAY_TOKEN" --url="$QUAY_URL"
Make sure to put the $QUAY_DOCKERCONFIGJSON value inside single quotes.
2.3. (Optional) Integrating Bitbucket
If you want to use Bitbucket cloud to host your source code, complete the steps in the following procedure.
Prerequisites
A Bitbucket username; to find your username:
- On the sidebar in Bitbucket, click your profile picture and select View profile.
- In the sidebar, select Settings. The system displays your username in the account settings.
- An app password
Procedure
In your
rhtap-clicontainer, run the integration command. Replace $BB_USERNAME with your Bitbucket username, and $BB_TOKEN with your Bitbucket access tokens. If you are integrating with a custom Bitbucket host, replace $BB_URL with you Bitbucket host URL. If you are using the defaultbitbucket.orghost, you can remove the--hostoption.bash-5.1$ rhtap-cli integration bitbucket --username="$BB_USERNAME" --app-password="$BB_TOKEN" --host="$BB_URL"
2.4. (Optional) GitHub Actions
If you want to use GitHub Actions as an alternative CI provider, you do not need to complete any additional steps before installation. The GitHub application that you already made enables this CI functionality for RHTAP.
2.5. (Optional) Integrating GitLab
If you want to use GitLab to host your source code, or as a CI provider, complete the steps in the following procedure.
Prerequisites
- You must have the necessary permissions to create and manage GitLab jobs.
- You must have a GitLab API token.
-
You must have a host URL, if you plan to integrate with a custom GitLab host. If you do not specify a GitLab host URL, the system defaults to
gitlab.com.
Procedure
In your
rhtap-clicontainer, run the integration command. Replace $GL_API_TOKEN with your GitLab API token. If you are integrating with a custom GitLab host, replace $GL_URL with you GitLab host URL. If you are using the defaultgitlab.comhost, you can remove the--hostoption.bash-5.1$ rhtap-cli integration gitlab --token="$GL_API_TOKEN" --host="$GL_URL"
2.6. (Optional) Integrating Jenkins
Prerequisites
- You must have the necessary permissions to create and manage Jenkins jobs.
- You must have a URL using which you access Jenkins, a Jenkins user ID, and an API token.
Procedure
In your
rhtap-clicontainer, run the integration command. Replace $JK_API_TOKEN with your Jenkins API token, $JK_URL with you Jenkins instance URL, $JK_USERNAME with your Jenkins user ID.bash-5.1$ rhtap-cli integration jenkins --token="$JK_API_TOKEN" --url="$JK_URL" --username="$JK_USERNAME"
2.7. (Optional) Integrating JFrog Artifactory
Prerequisites
- Admin access to an instance of Artifactory
- A repository in Artifactory that you want to use with RHTAP
Procedure
- In the Artifactory UI, in the Administration view, click the green Set Up Client/CI Tool button next to the repository that you want to use.
- Select Docker Client
Follow the UI instructions to authenticate in your CLI.
-
The UI generates a token to use as a password. Make sure to save it in
private.env. -
When you login to JFrog in your CLI, you should get a message saying your password has been stored in a location such as
~/.docker/config.json. If you do not see this message, a later step in this procedure explains what to do.
-
The UI generates a token to use as a password. Make sure to save it in
In your
rhtap-clicontainer, run the integration command. Set the value of AF_URL to the URL of your instance (for example, "https://myusername.jfrog.io"). Set the value of AF_DOCKERCONFIGJSON to the contents of the file where your password was stored. Set the value of AF_API_TOKEN to the token that JFrog generated.bash-5.1$ rhtap-cli integration artifactory --url="$AF_URL" --dockerconfigjson='$AF_DOCKERCONFIGJSON' --token="$AF_API_TOKEN"
Make sure to put the $AF_DOCKERCONFIGJSON value inside single quotes. Additionally, if your CLI did not print a message about the config.json file, you can create its contents as follows: { "auths": { "<URL for your JFrog instance>":{ "auth": "<base64 format of username:password>", "email": "" }}}
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}