Lab 3: End-to-End TSSC Pipeline
Overview
In this final exercise, you will complete the end-to-end RHADS module that ties together everything from the previous sections. The application from Lab 1 will be deployed through the full production-ready development lifecycle with TSSC integrated at every stage.
RHADS End-to-End: Production-Ready Development Lifecycle (Module 10)
Complete Module 10: RHADS End-to-End: Production-Ready Development Lifecycle in the TL3 lab.
This module demonstrates the complete developer workflow:
- Template-based project creation
- CI/CD pipeline execution with signing and attestation
- Promotion from development through staging to production
- Verification of supply chain integrity at each stage
Integrate with Lab 1
After completing Module 10, apply what you have learned to the application from Lab 1:
- Extend the Tekton pipeline from Lab 1 with TSSC tasks:
  - Generate SBOM — Produce an SBOM for the built image
  - Sign — Sign the container image using TAS (cosign + Fulcio + Rekor)
  - Attest — Create and sign an attestation for the build provenance
  - Analyze — Submit the SBOM to TPA for vulnerability analysis
- Trigger the pipeline by pushing a change to the application repository:

      git commit --allow-empty -m "chore: trigger TSSC pipeline"
      git push

- Verify the full supply chain is intact:
  - Signature verification — Verify the deployed image is signed
  - Attestation verification — Verify build provenance attestations exist
  - SBOM analysis — Confirm TPA has a trust profile for the deployed image
  - Transparency log — Verify the signing event is recorded in Rekor
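The signature, attestation and transparency-log checks above can be scripted with cosign. The following is an added example, not part of the lab material: the function name, the image reference, the signer identity, the OIDC issuer and the attestation type are assumptions to replace with your environment's values, and cosign 2.x is assumed to be already initialized against the lab's TAS instance. The TPA trust profile check is not covered here.

```shell
#!/bin/sh
# Added example, not part of the lab material. Image reference, signer
# identity and OIDC issuer are placeholders supplied by the caller.

# verify_supply_chain IMAGE IDENTITY ISSUER [ATTESTATION_TYPE]
# Returns 0 if both checks pass, 1 if a check fails, 2 on unsafe or missing input.
verify_supply_chain() {
    image="$1"; identity="$2"; issuer="$3"
    att_type="${4:-slsaprovenance}"   # assumption: SLSA v0.2 provenance predicate

    # Verify the immutable digest that is deployed, never a mutable tag.
    if ! printf '%s\n' "$image" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        echo "refusing $image: pin the image by @sha256 digest" >&2
        return 2
    fi
    # Keyless (Fulcio) signatures only mean something when tied to an expected signer.
    if [ -z "$identity" ] || [ -z "$issuer" ]; then
        echo "expected certificate identity and OIDC issuer are required" >&2
        return 2
    fi

    # Signature check. cosign also verifies the Rekor transparency log entry
    # by default, so --insecure-ignore-tlog is deliberately not passed.
    if ! cosign verify \
            --certificate-identity "$identity" \
            --certificate-oidc-issuer "$issuer" \
            "$image" >/dev/null; then
        echo "FAIL: no valid signature for $image" >&2
        return 1
    fi

    # Provenance check: a signed in-toto attestation of the expected type.
    if ! cosign verify-attestation --type "$att_type" \
            --certificate-identity "$identity" \
            --certificate-oidc-issuer "$issuer" \
            "$image" >/dev/null; then
        echo "FAIL: no valid $att_type attestation for $image" >&2
        return 1
    fi
    echo "OK: signature and $att_type attestation verified for $image"
}

# Run the checks only when arguments are given on the command line.
[ "$#" -eq 0 ] || verify_supply_chain "$@"
```

Running it as a pipeline step or promotion gate makes a missing signature or attestation fail the stage with a non-zero exit code.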
Summary
You have completed the 3-day workshop. Your application now flows through a complete Software Factory with:
- Day 1 — Git branching workflows and environment setup
- Day 2 — Automated CI/CD with Dev Spaces, Tekton, Vault, Argo CD, and OpenTelemetry
- Day 3 — Trusted Software Supply Chain with TAS signing, TPA analysis, and end-to-end attestation