
Configuring Azure Pipelines


Red Hat Trusted Application Pipeline 1.5

Learn how to configure Azure CI for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up Azure CI to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface

If you’re using Azure Pipelines for your application, pipeline runs may fail due to missing secrets and environment variables. Without them, integrations with Quay, JFrog Artifactory, and Red Hat Advanced Cluster Security (ACS) won’t work, breaking security tasks like vulnerability scanning, image signing, and SBOM generation for compliance.

To prevent this, you need to securely store secrets and environment variables in Azure. This guide walks you through the process, ensuring your pipelines run smoothly and securely.

This procedure explains how to add secrets and environment variables to Azure Pipelines and also lists which variables are required. All listed variables must be added to ensure that Azure Pipelines works correctly with RHTAP and related Red Hat products.

Prerequisites

Before you configure Azure Pipelines, ensure you have the following:

  • Admin access to your repository in Bitbucket or GitHub.
  • Admin access to your Azure DevOps project and pipeline settings.
  • Container registry credentials for pulling container images from Quay.io, JFrog Artifactory, or Sonatype Nexus.
  • Authentication details for specific Azure Pipelines tasks:

    • For ACS security tasks:

      • ROX Central server endpoint
      • ROX API token
    • For SBOM and artifact signing tasks:

      • Cosign signing key password, private key and public key
      • Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version

  Note

  The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHTAP installation.

Procedure

  1. Log in to https://dev.azure.com and open your Azure DevOps project.
  2. In the left navigation panel, select Pipelines, then select Library.
  3. Select Variable group to create a new variable group.
  4. Enter a name for the variable group, for example, rhtap.
  5. In the variable group editor:

    1. Select Add to add a new variable.
    2. In the Name field, enter the key. For example, GITOPS_AUTH_PASSWORD.
    3. In the Value field, enter the value used to authenticate with the GitOps repository for pushing updated image information.
    4. Select the Keep this value secret checkbox to mask the value in the UI and logs.
  6. Repeat step 5 to add all required secrets:

    Table 1.1. Image registry and GitOps secrets

    Variable                  Description
    IMAGE_REGISTRY_PASSWORD   Password for accessing your container image registry.
    GITOPS_AUTH_PASSWORD      The token the system uses to update the GitOps repository for newly built images.

    Table 1.2. Secrets required for ACS and SBOM tasks

    Variable                            Description
    ROX_API_TOKEN                       API token for accessing the ROX server.
    COSIGN_SECRET_PASSWORD              Password for the Cosign signing key.
    COSIGN_SECRET_KEY                   Private key for Cosign.
    TRUSTIFICATION_OIDC_CLIENT_SECRET   Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

  7. Now add regular environment variables without masking their values. In the variable group editor:

    1. Select Add.
    2. In the Name field, enter the key. For example, IMAGE_REGISTRY_USER.
    3. In the Value field, enter the value. In our example, a username for accessing your container image registry.
    4. Do not select the Keep this value secret checkbox.
  8. Repeat step 7 to add all required environment variables:

    Table 1.3. Image registry and GitOps variables

    Variable                          Description
    IMAGE_REGISTRY_USER               Username for accessing your container image registry.
    GITOPS_AUTH_USERNAME (optional)   Your OpenShift GitOps username. This variable is required for Azure to work with Bitbucket. By default, lines with this variable are commented out in the azure-pipelines.yml file. To start using Bitbucket, uncomment all 5 instances of the line # GITOPS_AUTH_USERNAME: $(GITOPS_AUTH_USERNAME).

    Table 1.4. Variables required for ACS and SBOM tasks

    Variable                                      Description
    ROX_CENTRAL_ENDPOINT                          Endpoint for the ROX Central server.
    COSIGN_PUBLIC_KEY                             Public key for Cosign.
    TRUSTIFICATION_BOMBASTIC_API_URL              URL of the Trustification Bombastic API used in SBOM generation.
    TRUSTIFICATION_OIDC_ISSUER_URL                OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
    TRUSTIFICATION_OIDC_CLIENT_ID                 Client ID for authenticating to the Trustification Bombastic API using OIDC.
    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION    The CycloneDX SBOM version that the system supports and generates.

    Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHTAP instance.

    Table 1.5. Rekor and TUF variables

    Variable      Description
    REKOR_HOST    URL of your Rekor server.
    TUF_MIRROR    URL of your TUF service.

  9. Select Save.
  10. To authorize pipelines to use this variable group:

    1. Select the Pipeline permissions tab.
    2. Select Add pipeline.
    3. Select the pipelines that require access to this variable group and select Authorize selected pipelines.
  11. Optional: If you use a name for the variable group other than rhtap, update the variable group name in the azure-pipelines.yml file:

    variables:
        - group: <my-variable-group>
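The Preface notes that a missing secret or variable surfaces only as a failed pipeline run. The following preflight step, added here as an example (it is not part of the Red Hat documentation or of the RHTAP azure-pipelines.yml), checks that every variable from Tables 1.1 to 1.5 reaches the step before any ACS, Cosign or SBOM task runs, and reports names only, never values. It assumes the step maps the secrets in with env: (secret variables are not exposed to scripts otherwise) and uses an assumed RHTAP_OFF_CLUSTER switch to decide whether the Table 1.5 variables are required.

```shell
#!/bin/sh
# preflight.sh: fail the RHTAP Azure pipeline early, without printing any
# value, when the variable group is incomplete. Added example, not part of
# the Red Hat documentation or of the RHTAP azure-pipelines.yml.

# Tables 1.1 to 1.4: every RHTAP pipeline needs all of these.
RHTAP_REQUIRED_VARS="IMAGE_REGISTRY_USER IMAGE_REGISTRY_PASSWORD
GITOPS_AUTH_PASSWORD ROX_CENTRAL_ENDPOINT ROX_API_TOKEN
COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY
TRUSTIFICATION_BOMBASTIC_API_URL TRUSTIFICATION_OIDC_ISSUER_URL
TRUSTIFICATION_OIDC_CLIENT_ID TRUSTIFICATION_OIDC_CLIENT_SECRET
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
# Table 1.5: only needed when the runners are not on the RHTAP cluster.
RHTAP_OFF_CLUSTER_VARS="REKOR_HOST TUF_MIRROR"

# Returns 0 when the variable named $1 holds a usable value: not unset/empty
# (group not authorized, or secret not mapped into the step with env:) and not
# the literal "$(NAME)" that Azure leaves when the macro has no definition.
var_usable() {
    eval "_v=\${$1:-}"   # $1 is always a fixed name from the lists above
    case "$_v" in
        "" | '$('*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the names (never the values) of the variables in $1 that are not
# usable, one per line; returns 1 if any were found.
missing_vars() {
    _rc=0
    for _name in $1; do
        var_usable "$_name" || { echo "$_name"; _rc=1; }
    done
    return $_rc
}

# Full check; RHTAP_OFF_CLUSTER=1 (an assumed switch, not on the page) adds
# the Rekor and TUF variables to the required set.
preflight() {
    _all="$RHTAP_REQUIRED_VARS"
    [ "${RHTAP_OFF_CLUSTER:-0}" = "1" ] && _all="$_all $RHTAP_OFF_CLUSTER_VARS"
    _missing=$(missing_vars "$_all") && return 0
    printf 'preflight: unset or unresolved variables:\n%s\n' "$_missing" >&2
    return 1
}

# Pipeline step: "sh preflight.sh check", with every secret mapped via env: (for example ROX_API_TOKEN: $(ROX_API_TOKEN)).
if [ "${1:-}" = "check" ]; then
    preflight || exit 1
fi
```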

Verification

  1. Rerun the latest pipeline. If the secrets are applied correctly, the pipeline will complete successfully. After a successful run, verify that tasks such as RHACS or SBOM display the expected details.

Revised on 2025-04-30 03:55:38 UTC

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.