Workshop overview

Introduction

Welcome to the Trusted Software Factory (TSF) workshop. In this hands-on lab, you will deploy and configure a complete secure software supply chain on OpenShift Container Platform, then use it to build, sign, and verify your first containerized application with SLSA Level 3 provenance.

Business scenario

TechCorp Industries is a financial services company that develops cloud-native applications on OpenShift Container Platform. Their security team has mandated that all container images must be:

  • Built using secure, auditable CI/CD pipelines

  • Cryptographically signed with verifiable provenance

  • Scanned for vulnerabilities before deployment

  • Traceable with complete Software Bills of Materials (SBOM)

The platform engineering team has been tasked with implementing Trusted Software Factory to meet these requirements while maintaining developer productivity and enabling rapid application delivery.

As a platform engineer at TechCorp, you will:

  1. Onboard your first application and trigger a secure build pipeline

  2. Validate the cryptographic signatures and SBOM artifacts

The steps to install the products on your own cluster are covered in the workshop appendices.

Learning objectives

By completing this workshop, you will be able to:

  • Access the Konflux UI and authenticate with Keycloak

  • Create applications and components in Konflux

  • Trigger secure build pipelines with automatic signing

  • Validate SLSA Level 3 provenance and signature artifacts

  • Analyze SBOMs and vulnerability reports in Red Hat Trusted Profile Analyzer

Workshop modules

This workshop is organized into the following modules:

Module 1: Preparing your environment for the lab

Validate cluster prerequisites, install Podman, create an initial tsf.env with API credentials, run the installer container, and confirm oc access from inside it.

Module 2: Getting started with Konflux

Create your first application, onboard a component from Git, trigger a secure build pipeline, and verify the signed artifacts with SLSA provenance.

Optional modules to learn how to deploy TSF from scratch:

Appendix A: Preparing to install

Preparation exercises similar to those in Module 1, for readers who follow only the appendix sequence.

Appendix B: Installing TSF

Run the TSF installer container, configure integrations with GitHub and Quay, and deploy all components using Helm charts.

Appendix C: Verifying and accessing

Verify successful deployment of all components, access the Konflux UI, and explore the deployed namespaces and services.

Appendix D: Troubleshooting

Find solutions to common issues.

Expected outcomes

After completing this workshop, you will have:

  • A fully functional TSF deployment on OpenShift Container Platform

  • Understanding of secure software supply chain principles

  • Hands-on experience with Konflux, Red Hat Trusted Artifact Signer, and Red Hat Trusted Profile Analyzer

  • A signed container image with SLSA Level 3 provenance

  • Knowledge of how to onboard applications to the secure pipeline

Workshop duration

  • Estimated time: 50 minutes

  • Module 1: 10 minutes

  • Module 2: 30 minutes

  • Wrap-up and Q&A: 10 minutes

Let’s begin

Ready to implement a secure software supply chain? Click Next to start Module 1 and learn about the prerequisites for working with TSF.