Chapter 1. Configuring GitLab CI for external integration by using the UI

Prerequisites

Before you configure GitLab CI, ensure you have the following:

Admin access to your GitLab repository and CI/CD settings.
Container registry credentials for pulling container images from Quay, JFrog Artifactory, or Sonatype Nexus Repository.
Authentication details for specific GitLab CI tasks:
- For ACS security tasks:
  - ROX Central server endpoint
  - ROX API token
- For SBOM and artifact signing tasks:
  - Cosign signing key password, private key and public key
  - Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
Note
The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHADS - SSC installation.

Procedure

This procedure adds both required secrets and environment variables. You need to mask the values of secrets.

Log in to GitLab and open your source repository.
Expand the Setting menu and select CI/CD.
In the Variables section, select Expand.
Select Add variable and in a window:
1. Add values to the Key and Value fields.
2. Under Flags, select Mask variable to hide sensitive values.
3. Select Add variable.

Repeat step 4 to add the required secrets and check the Mask variable flag for each of them:

Expand

Table 1.1. Image registry and GitOps secrets
Variable	Description
`QUAY_IO_CREDS_PSW`	Password for accessing your Quay repository.
`ARTIFACTORY_IO_CREDS_PSW`	Password for accessing your JFrog Artifactory repository.
`NEXUS_IO_CREDS_PSW`	Password for accessing your Sonatype Nexus repository.
`GITOPS_AUTH_PASSWORD`	The token the system uses to update the GitOps repository for newly built images.

Expand

Table 1.2. Secrets required for ACS and SBOM tasks
Variable	Description
`ROX_API_TOKEN`	API token for accessing the ROX server.
`COSIGN_SECRET_PASSWORD`	Password for Cosign signing key.
`COSIGN_SECRET_KEY`	Private key for Cosign.
`TRUSTIFICATION_OIDC_CLIENT_SECRET`	Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

Add regular environment variables:
1. Select Add variable.
2. Add values to the Key and Value fields.
3. Under Flags, do not select Mask variable.
4. Select Add variable.

Repeat step 6 to add the following variables:

Expand

Table 1.3. Image registry and GitOps variables
Variable	Description
`QUAY_IO_CREDS_USR`	Username for accessing your Quay repository.
`ARTIFACTORY_IO_CREDS_USR`	Username for accessing your JFrog Artifactory repository.
`NEXUS_IO_CREDS_USR`	Username for accessing your Nexus repository.
`GITOPS_AUTH_USERNAME`	Your OpenShift GitOps username.

Expand

Table 1.4. Variables required for ACS and SBOM tasks
Variable	Description
`ROX_CENTRAL_ENDPOINT`	Endpoint for the ROX Central server.
`COSIGN_PUBLIC_KEY`	Public key for Cosign.
`TRUSTIFICATION_BOMBASTIC_API_URL`	URL for Trustification Bombastic API used in SBOM generation.
`TRUSTIFICATION_OIDC_ISSUER_URL`	OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
`TRUSTIFICATION_OIDC_CLIENT_ID`	Client ID for authenticating to the Trustification Bombastic API using OIDC.
`TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION`	Specifies the CycloneDX SBOM version that is supported and generated by the system.

Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHADS - SSC instance.

Expand

Table 1.5. Rekor and TUF variables
Variable	Description
`REKOR_HOST`	URL of your Rekor server.
`TUF_MIRROR`	URL of your TUF service.

Rerun the last pipeline run to verify the secrets are applied correctly. Alternatively, switch to you application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.