Appendix B: Installing TSF

Learning objectives

By the end of this appendix, you will be able to:

  • Run the TSF installer container with Podman

  • Log in to your OpenShift Container Platform cluster from within the container

  • Create the cluster configuration using the tsf CLI

  • Configure GitHub or GitLab integration

  • Configure Quay registry integration

  • Deploy all TSF components using Helm

Introduction

Now that your environment is prepared (Appendix A), you’re ready to install TSF. The installation uses a containerized installer that includes the tsf CLI tool. This tool orchestrates the deployment of nine Helm charts that create all the components of the secure software supply chain.

In this appendix, you will run the installer, configure integrations, and deploy TSF to your cluster.

Exercise 1: Start the installer container

In this exercise, you will pull and run the TSF installer container.

Run the installer

  1. On your local workstation, ensure you’re in the directory containing your tsf.env file.

  2. Run the installer container with Podman.

    podman run -it --rm --env-file tsf.env \
      --entrypoint bash -p 8228:8228 --pull always \
      quay.io/redhat-ads/tsf-cli:latest --login

    This command:

    • Pulls the latest installer image

    • Loads environment variables from tsf.env

    • Exposes port 8228 for GitHub App workflows

    • Starts an interactive bash shell inside the container

Verify container is running

You should see output indicating the image is being pulled, followed by a bash prompt inside the container:

Trying to pull quay.io/redhat-ads/tsf-cli:unstable...
Getting image source signatures
...
bash-5.1$

Verify

✓ Installer container downloaded successfully
✓ Interactive bash shell is running
✓ Environment variables from tsf.env are loaded

The --pull always flag ensures you get the latest installer version. The image is updated frequently.
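
Because tsf.env carries the cluster password and the registry and Git tokens into the container through --env-file, it is worth checking the file before the podman run step above. The following is an added example, not part of the TSF installer: check_tsf_env is a hypothetical helper, and its variable list is taken from the commands used later in this appendix.

```shell
# Added example: pre-flight check for the tsf.env file passed to --env-file.
# REQUIRED_VARS uses the variable names this appendix references; append
# GITHUB__ORG or the GITLAB__* names depending on which provider you use.
REQUIRED_VARS="OCP__API_ENDPOINT OCP__USERNAME OCP__PASSWORD QUAY__ORG QUAY__API_TOKEN QUAY__URL"

# check_tsf_env FILE
# Returns 0 if FILE is private to its owner and defines every required
# variable with a non-empty value; reports each problem and returns 1 otherwise.
check_tsf_env() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # The file holds passwords and tokens: reject any group/other access.
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "insecure mode $mode on $file (use chmod 600)" >&2; rc=1 ;;
    esac

    for var in $REQUIRED_VARS; do
        # Last KEY=VALUE line wins; commented-out lines do not match.
        value=$(sed -n "s/^${var}=//p" "$file" | tail -n 1)
        if [ -z "$value" ]; then
            echo "unset or empty: $var" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the workstation, before starting the container:
#   check_tsf_env tsf.env && echo "tsf.env looks sane"
```

The function never prints a variable's value, so its output is safe to keep in a terminal log.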

Exercise 2: Log in to the cluster

In this exercise, you will authenticate to your OpenShift Container Platform cluster from within the installer container.

Log in with the oc CLI

  1. Inside the container, log in to your cluster using the oc CLI.

    oc login "$OCP__API_ENDPOINT" \
      --username "$OCP__USERNAME" \
      --password "$OCP__PASSWORD"

    The environment variables from tsf.env are automatically available.

  2. Verify you are logged in as an admin user.

    oc auth can-i '*' '*' --all-namespaces

    Expected output:

    yes

Verify cluster connection

  1. Check your current context.

    oc whoami --show-server

    This should display your cluster API endpoint.

Verify

✓ Successfully authenticated to OpenShift Container Platform cluster
✓ Cluster-admin user confirmed
✓ Cluster API endpoint accessible

Exercise 3: Create the cluster configuration

In this exercise, you will create the TSF configuration using the tsf CLI.

Create configuration

  1. Run the tsf config command to create the configuration.

    tsf config --create

    This command creates a ConfigMap named tsf-config in the tsf namespace containing component definitions and subscription settings.

    Expected output:

    Creating namespace tsf...
    Creating ConfigMap tsf-config...
    Configuration created successfully.

If the configuration already exists, you can use the --force flag to overwrite it.

  2. Verify the configuration was created.

    oc get configmap tsf-config -n tsf -o yaml

    You should see a ConfigMap containing component definitions for Cert-Manager, Konflux, Keycloak, Pipelines, RHTAS, RHTPA, Quay, and Storage.

Verify

✓ ConfigMap tsf-config created in tsf namespace
✓ Configuration contains all component definitions

Exercise 4: Configure GitHub integration

Complete this exercise if you are using GitHub. Skip to Exercise 5 if using GitLab.

In this exercise, you will create a GitHub App for integration with TSF.

Create GitHub App

  1. Inside the installer container, run the GitHub integration command.

    tsf integration github \
      --create \
      --org "$GITHUB__ORG" \
      --verbose \
      "techcorp-tsf-app"

    Replace techcorp-tsf-app with a name for your GitHub App.

    The command outputs a localhost URL:

    Please open http://localhost:8228 in your browser to configure the GitHub App.

  2. On your local workstation (outside the container), open a web browser and navigate to:

    http://localhost:8228

    Port 8228 was exposed when you started the container with -p 8228:8228.

  3. Click Create your GitHub App.

  4. You will be redirected to GitHub. Review the app settings:

    • App name: techcorp-tsf-app

    • Homepage URL: Your cluster URL

    • Webhook URL: Points to your cluster ingress

    • Permissions: Read/write access to checks, code, issues, pull requests, workflows

  5. Click Create GitHub App.

  6. Install the app on your organization:

    • Click Install

    • Select your organization

    • Choose All repositories or select specific repos

    • Click Install

  7. Return to the terminal. The command should complete:

    GitHub App created and installed successfully.

Verify

  1. Verify that the GitHub integration secret exists in the tsf namespace.

    oc get secret tsf-github-integration -n tsf

✓ Integration command completed successfully
✓ Secret tsf-github-integration present in tsf namespace
✓ GitHub App created with correct name
✓ App installed on your organization
✓ Webhook URL configured to point to cluster

Exercise 5: Configure GitLab integration (alternative)

Complete this exercise only if you are using GitLab instead of GitHub.

In this exercise, you will configure GitLab integration using your Project Access Token.

Run GitLab integration

  1. Configure the GitLab integration (variables come from tsf.env).

    tsf integration gitlab \
      --group="$GITLAB__GROUP" \
      --host="$GITLAB__HOST" \
      --token="$GITLAB__TOKEN" \
      --verbose

Verify

  1. Verify that the GitLab integration secret exists in the tsf namespace.

    oc get secret tsf-gitlab-integration -n tsf

✓ GitLab integration command completed successfully
✓ Secret tsf-gitlab-integration present in tsf namespace

Exercise 6: Configure Quay integration

In this exercise, you will configure Quay registry integration using your OAuth token.

Run Quay integration command

  1. Configure Quay integration using the tsf CLI.

    tsf integration quay \
      --organization="$QUAY__ORG" \
      --token="$QUAY__API_TOKEN" \
      --url="$QUAY__URL" \
      --verbose

    Expected output:

    Creating Quay integration secret...
    Secret tsf-quay-integration created successfully.

  2. Verify the secret was created.

    oc get secret tsf-quay-integration -n tsf

    Expected output:

    NAME                    TYPE     DATA   AGE
    tsf-quay-integration    Opaque   3      10s

  3. Inspect the secret contents (optional).

    oc get secret tsf-quay-integration -n tsf -o yaml

    The values under data are base64-encoded, not encrypted, so this output includes the Quay token.

Verify

✓ Quay integration command completed successfully
✓ Secret tsf-quay-integration present in tsf namespace
✓ Secret contains organization, token, and URL
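
Before moving on to tsf deploy, the checks from Exercises 2 through 6 can be repeated in one pass. This is an added example, not part of the tsf CLI: predeploy_check is a hypothetical helper that uses only the oc commands and object names shown in this appendix.

```shell
# Added example: gate to run inside the installer container before `tsf deploy`.
# It reports every gap it finds and returns non-zero if any check fails.

# predeploy_check ENDPOINT
# ENDPOINT is the API URL you intended to log in to, e.g. "$OCP__API_ENDPOINT".
# The comparison is a plain string match, so scheme and port must agree.
predeploy_check() {
    want=${1%/}                      # tolerate a trailing slash
    rc=0

    # 1. The session points at the intended cluster.
    have=$(oc whoami --show-server 2>/dev/null) || have=""
    have=${have%/}
    if [ "$have" != "$want" ]; then
        echo "logged in to '$have', expected '$want'" >&2
        rc=1
    fi

    # 2. The current user has cluster-wide admin rights.
    if [ "$(oc auth can-i '*' '*' --all-namespaces 2>/dev/null)" != "yes" ]; then
        echo "current user is not cluster-admin" >&2
        rc=1
    fi

    # 3. The configuration and the Quay secret exist in the tsf namespace.
    for obj in configmap/tsf-config secret/tsf-quay-integration; do
        oc get "$obj" -n tsf >/dev/null 2>&1 || { echo "missing $obj" >&2; rc=1; }
    done

    # 4. At least one Git provider integration exists (Exercise 4 or 5).
    git_count=0
    for s in tsf-github-integration tsf-gitlab-integration; do
        if oc get secret "$s" -n tsf >/dev/null 2>&1; then
            git_count=$((git_count + 1))
        fi
    done
    [ "$git_count" -ge 1 ] || { echo "no GitHub or GitLab integration secret" >&2; rc=1; }

    return $rc
}

# Usage inside the container:
#   predeploy_check "$OCP__API_ENDPOINT" && tsf deploy
```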

Exercise 7: Deploy TSF

In this exercise, you will deploy all TSF components using Helm charts.

Run deployment

  1. Deploy TSF using the tsf CLI.

    tsf deploy

    This command deploys nine Helm charts sequentially:

    1. Cert-Manager

    2. Storage

    3. Keycloak

    4. Konflux Operator

    5. OpenShift Pipelines

    6. Red Hat Trusted Artifact Signer (RHTAS)

    7. Red Hat Trusted Profile Analyzer (RHTPA)

    8. Quay integration

    9. Konflux UI

    This deployment typically takes approximately 15 minutes. Be patient and watch the output.

Monitor deployment progress

  1. The tsf deploy command shows progress for each Helm chart:

    Deploying cert-manager...
    ✓ Cert-Manager deployed successfully
    
    Deploying storage...
    ✓ Storage deployed successfully
    
    Deploying keycloak...
    ✓ Keycloak deployed successfully
    
    ...

  2. You can monitor pod status in another terminal (outside the container):

    watch oc get pods -A

Wait for completion

  1. The deployment is complete when you see:

    All components deployed successfully!

  2. Note the various URLs that appeared during the deployment; you will need them in Appendix C.

Verify

✓ All Helm charts deployed successfully
✓ No errors in deployment output
✓ Konflux UI URL displayed
✓ RHTPA UI URL displayed

If tsf deploy looks idle, large image pulls may still be in progress. See Appendix D, Installation and tsf deploy for what to expect and how to monitor.

If you hit other failures during install or deploy, use Appendix D: Troubleshooting as the single reference for known issues and fixes.

Learning outcomes

Let’s verify what you’ve accomplished in this appendix:

  • ✓ You started the TSF installer container with Podman

  • ✓ You authenticated to your OpenShift Container Platform cluster from the container

  • ✓ You created the cluster configuration with tsf config --create

  • ✓ You configured GitHub OR GitLab integration

  • ✓ You configured Quay registry integration

  • ✓ You deployed all TSF components with tsf deploy

  • ✓ You received the Konflux UI and RHTPA UI URLs

Summary

In this appendix, you successfully installed TSF on your OpenShift Container Platform cluster:

  • Started the containerized installer with your configuration

  • Created cluster configuration and verified prerequisites

  • Configured integrations with GitHub/GitLab and Quay

  • Deployed nine Helm charts creating all components

  • Obtained access URLs for Konflux and RHTPA

The secure software supply chain is now deployed and ready for verification!

Click Next to continue to Appendix C: Verifying and accessing.