Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Customizing Red Hat Advanced Developer Suite - software supply chain

Red Hat Advanced Developer Suite - software supply chain 1.7

Learn how to customize default software templates and build pipeline configurations.

Red Hat Advanced Developer Suite - software supply chain Documentation Team

Abstract

This document provides instructions for cluster administrators on customizing RHADS - SSC's software templates, build pipelines, and integrations to better align with the unique requirements of your on-prem environments.

Preface
Copia collegamento

Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) includes built-in pipeline templates to automate your CI/CD workflows. While these templates are ready to use, you have the full flexibility to customize them to meet the unique requirements of your on-premise environments. For example, you can make the following customizations:

  • Add extra security checks.
  • Modify deployment processes.
  • Integrate external tools.

Chapter 1. Customizing sample software templates
Copia collegamento

Learn how to customize ready-to-use software templates for your on-premise environment. As a cluster administrator, you have full control over modifying metadata and specifications to align with your deployment needs.

Prerequisites

Before customizing the sample software templates, ensure you have the following prerequisites in place:

  • You have used the forked repository URL from the tssc-sample-templates during installation.
  • The forked tssc-sample-templates repository is up to date with the upstream repository.
  • You have cloned the tssc-sample-templates repository to your local machine.
  • If deploying with Jenkins, you have forked and cloned the tssc-sample-jenkins pipeline template.

Procedure

  1. Navigate to the cloned tssc-sample-templates repository on your local machine.

  2. Open the properties file with your preferred text editor. For example, run the following command in your terminal to open it with Visual Studio Code: 

    $ code properties
     
    # PE can replace these values with on-prem host
export GITHUB__DEFAULT__HOST=github.com
export GITLAB__DEFAULT__HOST=gitlab.com
export BITBUCKET__DEFAULT__HOST=bitbucket.org

export QUAY__DEFAULT__HOST=quay.io

# leave empty if you don't want to set defaults for your git or quay org
export GITHUB__DEFAULT__ORG=""
export GITLAB__DEFAULT__ORG=""
export BITBUCKET__DEFAULT__ORG=""
export QUAY__DEFAULT__ORG=""

# PE can replace these values with own pipeline fork
export PIPELINE__REPO__URL=https://github.com/redhat-appstudio/tssc-sample-pipelines
export PIPELINE__REPO__BRANCH=main

export DEFAULT__DEPLOYMENT__NAMESPACE__PREFIX=tssc-app

export RHTAP__DEFAULT__NAMESPACE=tssc
export ARGOCD__DEFAULT__NAMESPACE=tssc-gitops
export ARGOCD__DEFAULT__INSTANCE=default
export ARGOCD__DEFAULT__PROJECT=default


# For secret reference in Repository CRs
# Secret will be prefixed by CI name, gitops (for github), or gitlab, or bitbucket in template
# export GIT__SECRET__DEFAULT__NAME=auth-secret
export GIT__SECRET__DEFAULT__KEY=password
export WEBHOOK__SECRET__DEFAULT__NAME=pipelines-secret
export WEBHOOK__SECRET__DEFAULT__KEY=webhook.secret

# compute the template tag to set defaults, leave empty if not set
if [ ! -z "${GITHUB__DEFAULT__ORG}" ]; then
export DEFAULT_ORG_FOR_GITHUB="default: $GITHUB__DEFAULT__ORG"
fi
if [ ! -z "${GITLAB__DEFAULT__ORG}" ]; then
export DEFAULT_ORG_FOR_GITLAB="default: $GITLAB__DEFAULT__ORG"
fi
if [ ! -z "${BITBUCKET__DEFAULT__ORG}" ]; then
export DEFAULT_ORG_FOR_BITBUCKET="default: $BITBUCKET__DEFAULT__ORG"
fi
if [ ! -z "${QUAY__DEFAULT__ORG}" ]; then
export DEFAULT_ORG_FOR_QUAY="default: $QUAY__DEFAULT__ORG"
fi

  3. Customize the properties file by updating the following key-value pairs according to your environment:

    Expand
    KeyDescription

    export GITHUB_DEFAULT_HOST

    Set this to your on-premise GitHub host fully qualified domain name. That is, the URL without the HTTP protocol and without the .git extension. For example github-github.apps.cluster-ljg9z.sandbox219.opentlc.com. The default value is github.com.

    export GITLAB_DEFAULT_HOST

    Set this to your on-premise GitLab host fully qualified domain name. That is, the URL without the HTTP protocol and without the .git extension. For example gitlab-gitlab.apps.cluster-ljg9z.sandbox219.opentlc.com. The default value is gitlab.com.

    export DEFAULT_DEPLOYMENT_NAMESPACE_PREFIX

    The namespace prefix for deployments within RHADS - SSC. The default value is tssc-app.

    Note

    Update this if you have modified the default developerHub: namespacePrefixes during the installation process.

    export PIPELINE_REPO_URL

    The URL of the forked pipeline repository. For example, https://github.com/redhat-appstudio/tssc-sample-pipelines.

    export PIPELINE_REPO_BRANCH

    The target branch of the forked pipeline repository. For example, main.

    export GITHUB_DEFAULT_ORG

    The name of the GitHub organization that you want to set as the default.

    export QUAY_DEFAULT_ORG

    The name of the Quay organization that you want to set as the default.

  4. Adjust the software templates, replacing default host values with your specified inputs by running the following command from the top-level directory of the repository: 

    $ ./generate.sh

  5. For Jenkins only: To customize your Jenkins library, navigate to skeleton > ci > gitops-template > jenkins, and open the Jenkinsfile file. Replace the remote URL with the URL of your forked repository. For example, remote: https://github.com/<username>/tssc-sample-jenkins.git.

    Additionally, if your Jenkins instance is not deployed to an on-premise OpenShift Container Platform (OCP) instance, and your Rekor and TUF services are on different clusters, update the REKOR_HOST and TUF_MIRROR environment variables. You can configure these variables in the env.sh file within the component repository or set them as environment variables or secrets in Jenkins. This configuration ensures that the external Jenkins server can communicate with the Rekor and TUF services installed with RHADS - SSC. Without this customization, RHADS - SSC might not sign the container images correctly in the Jenkins pipeline.

    To update the REKOR_HOST and TUF_MIRROR variables:

    1. Open the env.sh file by navigating to the skeleton > ci > gitops-template > jenkins > tssc directory.

      The second env.sh file is located at skeleton > ci > source-repo > jenkins > tssc. Update the settings to suit your needs.

      In env.sh, review the default values for REKOR_HOST and TUF_MIRROR: 

      REKOR_HOST=http://rekor-server.tssc-tas.svc
TUF_MIRROR=http://tuf.tssc-tas.svc

    2. Replace .svc with your OCP cluster URL. The .svc domain refers to the local cluster, and internal services can access other services with .svc in their routes, but an external Jenkins cannot.

      The correct routes of the Rekor and TUF services are printed as part of the installation process of RHADS - SSC. If these data aren’t available to you, run this command in your CLI and select the Rekor and TUF routes in the output: 

      $ oc get routes -n tssc-tas

      An example of a Rekor server URL: http://rekor-server.tssc-tas.apps.rosa.j6ufg-t3htv-ts6.z797.p3.openshiftapps.com.

      Note
  6. For Red Hat Advanced Cluster Security (RHACS) only: To enable RHACS scans, set the export DISABLE_ACS to false in the env.sh file.
  7. Option A: Commit and push the changes to your repository. This automatically updates the template in Red Hat Developer Hub (RHDH).

  8. Option B: Manually import and refresh the templates using the following steps:

    1. Go to your forked sample template repository on your Git provider.

    2. Get the appropriate URL:

    3. Switch back to the RHDH platform.
    4. Select Create > Register Existing Component.
    5. In the Select URL field, paste the appropriate URL that you copied in the previous step.
    6. Select Analyze and then select Import to update the templates in RHDH.

Verification

  • Consider creating an application to explore the impact of your template customization.

Chapter 2. About sample pipelines
Copia collegamento

Learn how to update the Pipeline as Code (pac) URLs within the sample templates repository and customize the sample pipelines repository to match your workflow. By customizing the pac URLs, you can integrate custom pipelines tailored to your CI/CD requirements.

The sample pipelines repository provides functional templates, which you can customize for your organization’s specific CI/CD workflows. The sample pipelines repository includes several key pipeline templates in the pac directory:

  • gitops-repo: This directory holds the pipeline definitions for validating pull requests within your GitOps repository. It triggers the gitops-pull-request pipeline, located in the pipelines directory, validating that image updates comply with organizational standards. This setup is crucial for 'promotion' workflows, where an application’s deployment state advances sequentially through environments, such as from development to staging or from staging to production. For more information about pipeline definitions in gitops-repo, refer Gitops Pipelines.
  • pipelines: This directory houses the implementations of build and validation pipelines that are referenced by the event handlers in both the gitops-repo and source-repo. By examining the contents of this directory, you can understand the specific actions performed by the pipelines, including how they contribute to the secure promotion and deployment of applications.
  • source-repo: This directory focuses on Dockerfile-based secure supply chain software builds. It includes pipeline definitions for cloning the source, generating and signing artifacts (such as .sig for image signature, .att for attestation, and .sbom for Software Bill of Materials), and pushing these to the user’s image registry. For more information about pipeline definitions in source-repo, refer Shared Git resolver model for shared pipeline and tasks.
  • tasks: This directory houses a collection of tasks that can be added or modified, aligning with organizational needs. For example, Advanced Cluster Security (ACS) tasks can be substituted with alternative checks, or entirely new tasks can be integrated into the pipeline to enhance its functionality and compliance.

Chapter 3. Customizing sample pipelines
Copia collegamento

Update the Pipeline as Code (pac) URLs within the sample templates repository. Then, customize the sample pipelines repository to match your workflow as needed. By customizing pac URLs, you can integrate custom pipelines tailored to your continuous integration and continuous delivery (CI/CD) requirements.

Prerequisites

Before customizing the sample pipelines, you must ensure you have the following prerequisites in place:

Procedure

  1. Access the forked tssc-sample-pipelines repository URL:

    1. Open the forked tssc-sample-pipelines repository.
    2. Copy the complete URL from the address bar. For example, https://github.com/<username>/tssc-sample-pipelines.

  2. Update pac URLs in the tssc-sample-templates repository:

    1. In your terminal, navigate to the local clone of the tssc-sample-templates repository.

    2. Update the Tekton definition by running the following command: 

      ./scripts/update-tekton-definition {fork_url} {branch_name}

      Replace {fork_url} with the copied URL from step 1 and {branch_name} with the desired branch name. For example, to update the Tekton definition, run the following command: 

      $ .scripts/update-tekton-definition \https://github.com/myusername/tssc-sample-pipelines main

  3. Review, commit, and push your changes:

    1. Review the updated files within the tssc-sample-templates repository.
    2. Commit the changes with an appropriate message.
    3. Push the committed changes to the forked repository.

Verification

  • Consider creating an application to explore the impact of your template and pipeline customizations.

Chapter 4. Customizing GitLab pipelines and rebuilding container images
Copia collegamento

When customizing pipelines in GitLab, rebuilding the container image is a critical step to ensure your changes are included in the updated workflow.

Pipelines in GitLab rely on a specific container image, such as the GitLab runner image, to run the tasks defined in your CI/CD workflow. The GitLab runner image provides the necessary tools, configuration, and scripts required for your pipeline to run. If you modify tasks in the pipeline, you must update and rebuild the container image to include those changes. This ensures that the pipeline tasks are properly executed when the pipeline is triggered.

Rebuilding the container image involves the following steps:

  • Running podman to extract the existing pipeline files.
  • Customizing the pipeline tasks with your requirements.
  • Rebuilding the container image.
  • Pushing the updated image to a container registry.

Prerequisites

Before making changes, ensure that:

  • You have podman installed on your system.
  • You have login credentials for Quay.io to push the updated image.
  • You have forked and cloned the Sample templates repository.
  • Your forked repository is up to date and synced with the upstream repository.

Procedure

  1. Create a directory for the build resources. The location of the directory depends on your role:

    • Platform engineer: If you are rebuilding the image to update the default pipeline for your organization, you can create the directory within the location where you forked the tssc-sample-templates repository. For example, rebuild-image.

    • Developers: If you are rebuilding the image for your own use or a specific project, create a directory in a location outside the organization-wide fork of tssc-sample-templates to avoid conflicts. 

      $ mkdir rebuild-image

  2. Run the following command and copy the container image URL: 

    $ less ../tssc-sample-templates/skeleton/ci/source-repo/gitlabci/.gitlab-ci.yml
     
    image: registry.access.redhat.com/rhtap-task-runner/rhtap-task-runner-rhel9:{ProductVersion}

  3. Copy the existing pipeline content locally by running the following command: 

    $ podman run -v $(pwd):/pwd:z <The_url_you_copied_in_step_2> cp -r /work/rhtap /pwd

    This command starts the container by using the <the_url_you_copied_in_step_2> image. It then copies the pipeline files from /work/rhtap inside the container to your working directory ($(pwd)). Additionally, if you are not on a system with SELinux enabled (for example, Fedora, RHEL, or CentOS), remove the :z option in the command to ensure compatibility.

  4. Navigate to the rhtap directory and customize the pipelines tasks as required.

  5. Create a Dockerfile in the rebuild-image directory and add the following content to include your changes in the container. Additionally, the base image registry.access.redhat.com/rhtap-task-runner/rhtap-task-runner-rhel9:1.7 is built on ubi/ubi-minimal, which provides a lightweight Universal Base Image (UBI). If you need to install additional software and dependencies, use microdnf. For example, example command: 

    FROM registry.access.redhat.com/rhtap-task-runner/rhtap-task-runner-rhel9:1.7

COPY ./rhtap /work/rhtap

RUN microdnf -y install make
    FROM
    Uses the existing rhtap-runner container as the starting point.
    COPY
    Copies the updated pipeline tasks from the local rhtap folder into the /work/rhtap directory inside the container.
    RUN
    Demonstrates the use of the microdnf to install additional software or dependencies.

  6. Build the new container image by running the following command: 

    $ podman build -f Dockerfile -t quay.io/<namespace>/<new_image_name>
    1

    The -f Dockerfile option specifies the Dockerfile to use to build the container image. The -f option allows you to explicitly point to the Dockerfile if it’s not named Dockerfile or is located in a different directory. The -t quay.io/<namespace>/<new_image_name> option assigns a tag (name) to the container image for easy identification.

  7. Login to Quay.io by running the following command: 

    $ podman login quay.io

  8. Push the updated image by running the following command: 

    $ podman push quay.io/<namespace>/<new_image_name>

    This uploads the customized container image to Quay.io, making it available for use in GitLab pipelines.

  9. Platform engineer only: Navigate to the .gitlab-ci.yml in the tssc-sample-templates > skeleton > ci > source-repo > gitlabci > directory and replace the container image URL with the one you just created. This makes the new container image the default. 

    image: quay.io/<namespace>/<new_image_name>

  10. For developers only: To update the container image just for a single repository in GitLab, navigate to the source repository > .gitlab-ci.yaml and replace the container image URL with the one you just created. 

    image: quay.io/<namespace>/<new_image_name>
  11. Commit and push the changes to apply the updated pipeline configuration.

Chapter 5. Configuring RHADS - SSC to use built-in Jenkins libraries
Copia collegamento

By default Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) uses dynamically loaded Jenkins libraries. While dynamically loading provides flexibility, using built-in Jenkins libraries offer improved stability, security, and traceability during builds. Configuring RHADS - SSC to use built-in libraries instead of dynamically loaded ones allows for better Conforma attestations and enhanced build verification.

Prerequisites

Before making changes, ensure that:

  • You have administrator access to the Jenkins instance in RHADS - SSC.
  • You have the Jenkins library git repo URL. For example, https://github.com/redhat-appstudio/tssc-sample-jenkins. You can find the Git repository URL in the default RHADS - SSC Jenkins CI source repository.
  • You have permissions to modify the Jenkinsfile.

5.1. Define the built-in library in Jenkins
Copia collegamento

Procedure

  1. Log in to Jenkins and navigate to Manage Jenkins > System.
  2. Locate the Global Trusted Pipeline Libraries section.

  3. Click Add and define the new library with the following parameters:

    1. Name: <your-library-name>
    2. Default version: Set to a specific branch or commit reference. For example, v1.7.
    3. Allow default version to be overridden: (Optional) Select this option to restrict users to a specific version of the Jenkins library. This ensures that the users cannot select a different version.
    4. Include @Library changes in your recent changes: Select this option to track modifications made to the shared library. This feature helps users understand changes that might affect their builds.

    5. Retrieval method: Select Modern SCM.

      1. From the Source Code Management drop-down list, select Git.
      2. In the Project Repository field, enter the Jenkins library URL. For example, https://github.com/redhat-appstudio/tssc-sample-jenkins.
      3. Select Fresh clone per build, to ensure each build fetches a clean copy of the library.
      4. Select Save.

5.2. Modify the Jenkins pipeline to use the built-in library
Copia collegamento

Procedure

  1. Navigate to your Jenkins CI source repository, For example, https://github.com/redhat-appstudio/tssc-sample-templates/blob/main/skeleton/ci/source-repo/jenkins.
  2. Select Jenkinsfile in edit mode.

  3. Replace the dynamic library loading with the @Library annotation.

    Expand
    Replace thisWith this

    library identifier: 'RHADS - SSC_Jenkins@main', retriever: modernSCM( [$class: 'GitSCMSource', remote: 'https://github.com/redhat-appstudio/tssc-sample-jenkins.git'])

    @Library('RHADS - SSC_Jenkins@v1.7') _

  4. Save and commit the updated Jenkinsfile.

5.3. Use the configured Jenkins library
Copia collegamento

Procedure

  1. In your Jenkins instance, navigate to your project.
  2. Select Build Now to trigger a new build.

Verification

  1. Check the Jenkins build logs to confirm that the built-in library is loaded instead of dynamically retrieving dependencies.
  2. Validate that Conforma attestations now reflect a built-in library.
  3. Verify the library name, retrieval method, and pipeline script if any error occur.

5.4. Applying changes to one or all RHADS - SSC templates
Copia collegamento

Depending on your use case, you can apply this configuration to one RHADS - SSC template or all RHADS - SSC templates in Red Hat Developer Hub (RHDH).

  • To apply this change to a single template: Modify only the specific pipeline template used in your project. This ensures that only this pipeline uses the built-in Jenkins library, while others continue using dynamic loading.
  • To apply this change to all RHADS - SSC templates in RHDH: Update the global RHADS - SSC template configuration to reference the built-in library instead of dynamically loaded ones. This ensures consistency across all RHADS - SSC pipelines.
Important

Applying this change globally may impact all builds using RHADS - SSC. Ensure that the built-in library is correctly defined and tested before making this change across all templates.

Chapter 6. Enabling the Image Registry tab
Copia collegamento

When you create your application, Red Hat Developer Hub should display the Image Registry tab on your component’s page. This tab provides useful information about your container images stored in your artifact registry. However, in some cases, the tab isn’t displayed and here’s why.

RHADS - SSC attempts to detect your artifact registry type by analyzing the URL. If the URL contains “quay”, “jfrog” or “artifactory”, RHADS - SSC adds a corresponding annotation to the catalog-info.yaml file in the Git repository with your application. RHDH uses this information to annotate Catalog entries and then correctly displays the Image Registry tab.

However, if your registry URL doesn’t include “quay”, "jfrog" or "artifactory", RHADS - SSC cannot detect your registry type and annotate your components correctly. As a result, the Image Registry tab isn’t enabled in RHDH.

If the Image Registry tab is missing in the RHDH UI, you can manually enable it. You have 2 options:

  1. Enable the tab for a single existing component.
  2. Modify the registry detection script, and all new components will be automatically annotated correctly.

Option 1: Enabling the Image Registry tab for the existing component

Repeat this procedure for every affected component.

Procedure

  1. In the Git repository with your component, navigate to skeleton > source-repo and open the catalog-info.yaml file.

  2. Add an annotation relevant to your case: 

    metadata:
    annotations:
        'quay.io/repository-slug': `<ORGANIZATION>/<REPOSITORY>'
     
    metadata:
    annotations:
        'jfrog-artifactory/image-name': '<IMAGE-NAME>'
  3. Commit and push the changes to the repository.

RHDH will detect your registry type and enable the Image Registry tab.

Verification

Select an RHADS - SSC component where the Image Registry tab was missing. The tab menu should display it now.

Figure 6.1. The Image Registry tab displayed

imageregistry

Option 2: Enabling the Image Registry tab for all future components

The RHADS - SSC software templates use specific patterns to identify the registry type, Quay or JFrog Artifactory. If your registry does not match these patterns, you can update the catalog-info.yaml file in the templates, and RHADS - SSC will automatically detect your registry type for all future components and annotate them correctly for RHDH.

Prerequisites

Procedure

  1. In a GitHub repository with your templates, navigate to skeleton > source-repo and open the catalog-info.yaml file.

  2. Find code related to registry detection: 

      {%- if "quay" in values.image %}
    quay.io/repository-slug: ${{ values.repoSlug }}

  {%- elif "jfrog" in values.image or "artifactory" in values.image %}
    jfrog-artifactory/image-name: ${{ values.imageName }}

  3. Replace "quay", "jfrog" or "artifactory" with a part of the URL of your registry.

    For example, if your Artifactory registry is called my-registry.mycompany.com, then your images names may be my-registry.mycompany.com/username/my-image. You can add my-registry.mycompany to catalog-info.yaml.

The updated template will automatically trigger correct annotations, and the Image Registry tab will be displayed in RHDH.





Revised on 2025-11-03 21:31:14 UTC

Legal Notice
Copia collegamento

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima