Appendix C: Verifying and accessing

Learning objectives

By the end of this appendix, you will be able to:

  • Verify successful deployment of all TSF components

  • Access the Konflux UI and authenticate with Keycloak

  • Explore deployed namespaces and services

  • Verify Red Hat Trusted Artifact Signer and Red Hat Trusted Profile Analyzer components

  • Understand the architecture of the deployed system

Introduction

With TSF deployed, you need to verify that all components are running correctly and accessible. In this appendix, you will check each component, access the Konflux UI, and explore the architecture that TechCorp Industries now has in place for their secure software supply chain.

Exercise 1: Verify deployed namespaces

In this exercise, you will verify that all required namespaces were created during deployment.

List all namespaces

  1. View all namespaces created by TSF.

    oc get namespaces | grep -E '(tsf|konflux|cert-manager|rhbk|rhtpa|openshift-storage)'

    Expected output:

    cert-manager                                       Active   25m
    cert-manager-operator                              Active   25m
    konflux-cli                                        Active   5m
    konflux-info                                       Active   5m
    konflux-operator                                   Active   5m
    konflux-ui                                         Active   5m
    openshift-storage                                  Active   15m
    rhbk-operator                                      Active   10m
    rhtpa-operator                                     Active   10m
    tsf                                                Active   10m
    tsf-keycloak                                       Active   10m
    tsf-tas                                            Active   10m
    tsf-tpa                                            Active   10m

  2. Count the namespaces to ensure all were created.

    oc get namespaces | grep -E '(tsf|konflux|cert-manager|rhbk|rhtpa|openshift-storage)' | wc -l

    Expected output:

    13

Verify

✓ All required namespaces exist
✓ Namespaces are in "Active" status
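
The grep used in this exercise matches substrings, so an unrelated namespace whose name contains "tsf" is also counted, and a total of 13 can hide a missing or terminating namespace. The check below is an added example, not part of the original lab: it compares the NAME column exactly against the names in the expected output. The function name check_namespaces and the sample listing (including my-tsf-sandbox) are constructed for illustration.

```bash
# Added example (POSIX sh). Expected names are copied from the output above.
EXPECTED_NS="cert-manager cert-manager-operator konflux-cli konflux-info
konflux-operator konflux-ui openshift-storage rhbk-operator rhtpa-operator
tsf tsf-keycloak tsf-tas tsf-tpa"

# Constructed sample: konflux-cli is missing, tsf-tas is Terminating, and an
# unrelated my-tsf-sandbox exists, so the substring grep still counts 13.
SAMPLE_NS="NAME                    STATUS        AGE
cert-manager            Active        25m
cert-manager-operator   Active        25m
konflux-info            Active        5m
konflux-operator        Active        5m
konflux-ui              Active        5m
my-tsf-sandbox          Active        2d
openshift-storage       Active        15m
rhbk-operator           Active        10m
rhtpa-operator          Active        10m
tsf                     Active        10m
tsf-keycloak            Active        10m
tsf-tas                 Terminating   10m
tsf-tpa                 Active        10m"

# Reads `oc get namespaces` output on stdin. Prints one line per expected
# namespace that is absent or not Active; returns 0 only when all are Active.
check_namespaces() {
  listing=$(cat)
  problems=0
  for ns in $EXPECTED_NS; do
    # Compare the NAME column exactly instead of grepping for a substring.
    status=$(printf '%s\n' "$listing" | awk -v n="$ns" '$1 == n { print $2 }')
    if [ -z "$status" ]; then
      echo "MISSING $ns"; problems=$((problems + 1))
    elif [ "$status" != "Active" ]; then
      echo "NOT-ACTIVE $ns ($status)"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Demo on the constructed listing.
# On a cluster: oc get namespaces | check_namespaces
printf '%s\n' "$SAMPLE_NS" | check_namespaces || echo "namespace check failed"
```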

Exercise 2: Verify component operators

In this exercise, you will verify that all operators are running correctly.

Verify Cert-Manager operator

  1. Check the Cert-Manager operator pod.

    oc get pods -n cert-manager-operator

    Expected output:

    NAME                                                READY   STATUS    RESTARTS   AGE
    cert-manager-operator-controller-manager-xxxxx      2/2     Running   0          12m

Verify Keycloak operator

  1. Check the Keycloak (Red Hat Build of Keycloak) operator.

    oc get pods -n rhbk-operator

    Expected output:

    NAME                               READY   STATUS    RESTARTS   AGE
    rhbk-operator-xxxxx-xxxxx          1/1     Running   0          11m

Verify RHTPA operator

  1. Check the Red Hat Trusted Profile Analyzer operator.

    oc get pods -n tsf-tpa

    Expected output:

    NAME                                READY   STATUS    RESTARTS   AGE
    rhtpa-operator-xxxxx-xxxxx          1/1     Running   0          9m

Verify Konflux components

  1. Check the Konflux UI pods.

    oc get pods -n konflux-ui

    Expected output:

    NAME                           READY   STATUS    RESTARTS   AGE
    dex-xxxxx-xxxxx                1/1     Running   0          8m
    proxy-xxxxx-xxxxx              2/2     Running   0          8m

Verify

✓ All operator pods are in "Running" status
✓ All pods show "READY" with correct replica counts
✓ No pods in "CrashLoopBackOff" or "Error" states
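
The three checks above can be applied mechanically to the output of `oc get pods`. The filter below is an added example, not part of the original lab; the function name check_pods and the sample rows are constructed. It assumes that Completed pods are healthy, that restarts are reported as a warning only, and that an empty listing (for example, a mistyped namespace) counts as a failure.

```bash
# Added example (POSIX sh). Constructed sample in `oc get pods` layout.
SAMPLE_PODS="NAME                  READY   STATUS             RESTARTS      AGE
dex-6b7f9-aaaaa       1/1     Running            0             8m
proxy-5c4d8-bbbbb     1/2     Running            3 (2m ago)    8m
proxy-5c4d8-ccccc     0/2     CrashLoopBackOff   6 (30s ago)   8m
example-job-ddddd     0/1     Completed          0             9m"

# Reads `oc get pods -n <namespace>` output on stdin and prints one line per
# finding. Returns non-zero if any pod is not Running, any Running pod has
# fewer ready containers than total, or no pods were listed at all.
check_pods() {
  awk '
    NR == 1 && $1 == "NAME" { next }   # skip the header row
    NF < 3 { next }                    # skip blank or truncated lines
    {
      n++
      if ($3 == "Completed") next      # finished job pods are not a failure
      split($2, r, "/")                # READY column is ready/total
      if ($3 != "Running")   { print "BAD-STATUS " $1 " " $3; bad++ }
      else if (r[1] != r[2]) { print "NOT-READY " $1 " " $2; bad++ }
      # RESTARTS may read "3 (2m ago)"; field 4 is still the count.
      if ($4 + 0 > 0) print "WARN-RESTARTS " $1 " " $4
    }
    END {
      # "No resources found" goes to stderr, so an empty namespace produces
      # no rows here; treat that as a failure rather than a pass.
      if (n == 0) { print "NO-PODS"; exit 1 }
      exit (bad > 0)
    }
  '
}

# Demo on the constructed listing. On a cluster, for the namespaces checked
# in this exercise:
#   for ns in cert-manager-operator rhbk-operator tsf-tpa konflux-ui; do
#     oc get pods -n "$ns" | check_pods || echo "check failed in $ns"
#   done
printf '%s\n' "$SAMPLE_PODS" | check_pods || echo "pod check failed"
```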

Exercise 3: Verify deployed routes

In this exercise, you will identify the URLs for accessing TSF components.

Get Konflux UI route

  1. Get and save the Konflux UI URL:

    KONFLUX_URL="https://$(oc get route -n konflux-ui -l konflux.konflux-ci.dev/component=ui,konflux.konflux-ci.dev/owner=konflux-ui -o jsonpath='{.items[0].spec.host}')"
    echo "Konflux UI: $KONFLUX_URL"

Get RHTPA UI route

  1. Get and save the Red Hat Trusted Profile Analyzer UI URL.

    RHTPA_URL="https://$(oc get route -n tsf-tpa -l app.kubernetes.io/component=server,app.kubernetes.io/instance=trustedprofileanalyzer -o jsonpath='{.items[0].spec.host}')"
    echo "RHTPA UI: $RHTPA_URL"

Verify

✓ Konflux UI route exists and is accessible
✓ RHTPA UI route exists and is accessible
✓ Both routes use HTTPS with valid certificates

Exercise 4: Access the Konflux UI

In this exercise, you will access the Konflux UI for the first time and authenticate.

Open the Konflux UI

  1. Open a web browser and navigate to the Konflux UI URL:

    https://<your-konflux-ui-route>

    You can use the URL saved earlier:

    echo "$KONFLUX_URL"

  2. You will be redirected to the OpenShift Container Platform login page.

Authenticate with OpenShift

  1. Enter your OpenShift Container Platform credentials:

    • Username: Your cluster admin username

    • Password: Your cluster admin password

  2. Click Log In.

Authorize the Dex client

  1. You will see an "Authorize Access" page for the dex-client service account.

  2. Review the requested permissions:

    • user:info — Read-only access to your user information

  3. Click Allow selected permissions.

Verify successful login

  1. After authorization, you should see the Konflux landing page:

    Get started with Konflux
    
    Create a new application or view your namespaces

  2. The UI should display:

    • The "Get started with Konflux" page

    • Navigation menu with Namespaces, Applications, Releases, etc.

    • Your username in the top right corner

Verify

✓ Successfully accessed Konflux UI
✓ Authenticated with OpenShift Container Platform credentials
✓ Authorized Dex client permissions
✓ Landing page displays correctly

If you see certificate warnings, your cluster may be using self-signed certificates. This is normal for development clusters. Accept the certificate to proceed.

Exercise 5: Explore deployed components

In this exercise, you will explore the architecture and components deployed by TSF.

View OpenShift Pipelines (Tekton)

  1. Check for Tekton components.

    oc get pods -n openshift-pipelines

    You should see Tekton controllers, webhooks, and triggers running.

View RHTAS components

  1. Check Red Hat Trusted Artifact Signer components.

    oc get pods -n tsf-tas | grep -E '(fulcio|rekor|tuf)'

    You should see:

    • Fulcio — Certificate authority for code signing

    • Rekor — Transparency log for signatures

    • TUF — Update framework for secure artifact distribution

View storage components

  1. Check storage provisioners.

    oc get pods -n openshift-storage

    You should see storage operator pods running.

View Quay integration

  1. Check the Quay integration secret.

    oc get secret tsf-quay-integration -n tsf

    This secret contains your Quay credentials used by Konflux to push signed images.

Verify

✓ Tekton pipelines components running
✓ RHTAS components (Fulcio, Rekor, TUF) running
✓ Storage components provisioned
✓ Quay integration configured

Exercise 6: Understand the architecture

In this exercise, you will understand how the deployed components work together.

Component roles

The deployed system has eight core components:

Cert-Manager

Manages TLS certificates for secure communication between components

Red Hat Build of Keycloak

Provides identity and access management with SSO for Konflux UI

Konflux Operator

Defines Custom Resource Definitions (CRDs) for build pipelines and applications

Konflux UI

Web interface for creating applications, viewing builds, and managing releases

OpenShift Pipelines

Tekton-based CI/CD engine that runs build and test pipelines

Red Hat Trusted Artifact Signer

Provides cryptographic signing of container images using Fulcio-issued certificates and the Rekor transparency log

Red Hat Trusted Profile Analyzer

Generates SBOMs and performs vulnerability scanning with Guac and Bombastic

Quay integration

Stores credentials for pushing signed images to Quay registry

Data flow

Here’s how these components work together when building an application:

  1. Developer pushes code to GitHub/GitLab

  2. Webhook triggers Konflux pipeline via Tekton

  3. Pipeline builds container image

  4. Red Hat Trusted Artifact Signer signs the image with Fulcio and records the signature in Rekor

  5. Red Hat Trusted Profile Analyzer generates SBOM and scans for vulnerabilities

  6. Pipeline pushes signed image to Quay

  7. Release pipeline deploys to target environment

Verify understanding

Review the following statements:

✓ I understand the role of each component
✓ I understand how webhooks trigger pipelines
✓ I understand how images are signed and verified
✓ I understand how SBOMs are generated

Learning outcomes

Let’s verify what you’ve accomplished in this appendix:

  • ✓ You verified all required namespaces were created

  • ✓ You confirmed all operators are running correctly

  • ✓ You identified the Konflux UI and RHTPA UI routes

  • ✓ You successfully accessed and authenticated to the Konflux UI

  • ✓ You explored the deployed components and their purposes

  • ✓ You understand the architecture and data flow of TSF

Summary

In this appendix, you verified your TSF deployment:

  • Checked all namespaces and operator pods

  • Accessed the Konflux UI and authenticated with Keycloak

  • Explored Tekton, RHTAS, and RHTPA components

  • Understood how the components work together to create a secure software supply chain

Your TSF deployment is verified and ready to use!

Click Next to continue to Module 2: Getting started with Konflux and build your first secure application.