| 1 | +--- |
| 2 | +title: Integrate Pipelines as Code with Enterprise Contract |
| 3 | +authors: |
| 4 | + - "@savita" |
| 5 | +creation-date: 2023-07-10 |
| 6 | +status: implementable |
| 7 | +--- |
| 8 | + |
| 9 | +# Integrate Pipelines as Code with Enterprise Contract |
| 10 | + |
| 11 | +## Summary |
| 12 | + |
| 13 | +By default Pipelines as Code runs all the pipelineruns based on the events coming from respective SCM and finaly display the status of run |
| 14 | + |
| 15 | +The Supply Chain Security (Tekton Chains) in Openshift Pipelines works by observing all TaskRuns/PipelineRuns executions in the cluster. When TaskRuns/PipelineRuns complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them somewhere. |
| 16 | + |
| 17 | +The Enterprise Contract is a set of tools for maintaining software supply chain security, and for the definition and enforcement of policies related to how container images are built and tested. and Its main purpose is to verify the security and provenance of builds created by Tekton Chains or Red Hat Trusted Application Pipeline (RHTAP). |
| 18 | + |
| 19 | +So, Basically Tekton Chains helps to sign the image and Enterprise Contract helps to verify the signed image. |
| 20 | + |
| 21 | +Now Pipelines as Code will be integrated to Enterprise Contract so that the build pipelines will be verified by Enterprise Contract and based on the verification status Pipelines as Code display the final status on the respective SCMs. |
| 22 | + |
| 23 | +## Prerequisite |
| 24 | + |
| 25 | +1. Make sure chains installed on the cluster |
| 26 | +2. Follow [signed-provenance-tutorial.md](https://github.com/tektoncd/chains/blob/main/docs/tutorials/signed-provenance-tutorial.md) to configure chains |
| 27 | + |
| 28 | +## Proposal |
| 29 | + |
| 30 | +Tekton Chains |
| 31 | +1. sign the image and stores it in OCI registry |
| 32 | +2. Attestate PipelineRun/TaskRun payload using slsa and stores is in local storage Tekton. |
| 33 | +But Enterprise Contract only verify attestation of a signed image not the PipelineRun/TaskRun payload because Enterprise Contract understand the OCI not tekton storage. |
| 34 | + |
| 35 | +Considering Enterprise Contract current support the Pipelines as Code will run Enterprise Contract tasks only for Build PipelineRuns(The PipelineRun which build the image). |
| 36 | + |
| 37 | +story : |
| 38 | + |
| 39 | +<https://issues.redhat.com/browse/SRVKP-3084> |
| 40 | + |
| 41 | +### When PipelineRuns are not Building images |
| 42 | + |
| 43 | +There won't be any changes in functionality behaviour |
| 44 | + |
| 45 | +### When There is a Build PipelineRuns (The PipelineRun which build the image) |
| 46 | + |
| 47 | +If `.tekton` directory containes Build PipelineRuns then Pipelines as Code will understand that and triggers a Enterprise Contract task to verify the image sign |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +### Design |
| 53 | + |
| 54 | +First approach: |
| 55 | + |
| 56 | +1. The PipelineRun provided by user under `.tekton` folder should have a label |
| 57 | +`pipelinesascode.tekton.dev/cosign-pub: secret_name_where_cosign_pub_key_present` |
| 58 | +2. Based on Pull/Push event Build PipelineRun will be created. |
| 59 | +3. Once PipelineRun is success then PAC posts success message with inprogress state on GitHub checks with message like still verifying image sign. |
| 60 | +4. PAC watches on event continously so whenever PAC finds [IMAGE_URL, IMAGE_DIGEST Results](https://github.com/tektoncd/chains/blob/main/docs/config.md#chains-type-hinting) PAC will understand its a Build PipelineRun and then checks for annotation `chains.tekton.dev/signed: "true"` if signing is success then PAC creates a [Enterprise Contract task](https://github.com/enterprise-contract/ec-cli/blob/main/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml) to verify the image signing. |
| 61 | + |
| 62 | +Inputs for Task: |
| 63 | + |
| 64 | +The task requires information of IMAGE_URL and Public (cosign.pub) key |
| 65 | +PAC will take public key from labels |
| 66 | + 1. If its a scret it just uses as it is |
| 67 | + 2. If its a string value PAC will create a temp secret and pass it to task |
| 68 | + |
| 69 | +5. Once verification is success PAC updates summary message on same GitHub checks |
| 70 | + |
| 71 | +Second approach: |
| 72 | + |
| 73 | +1. Based on Pull/Push event Build PipelineRun will be created. |
| 74 | +2. Once PipelineRun is success then PAC posts success message with inprogress state on GitHub checks with message like still verifying image sign. |
| 75 | +3. PAC watches on event continously so whenever PAC finds [IMAGE_URL, IMAGE_DIGEST Results](https://github.com/tektoncd/chains/blob/main/docs/config.md#chains-type-hinting) PAC will understand its a Build PipelineRun and then checks for annotation `chains.tekton.dev/signed: "true"` if signing is success then PAC creates a [Enterprise Contract task](https://github.com/enterprise-contract/ec-cli/blob/main/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml) to verify the image signing. |
| 76 | + |
| 77 | +Inputs for Task: |
| 78 | + |
| 79 | +The task requires information of IMAGE_URL and Public (cosign.pub) key |
| 80 | +PAC will read chains secret from SYSTEM_NAMESPACE to get public key(cosign.pub). |
| 81 | +Cons: |
| 82 | +Non admin user won't have access to SYSTEM_NAMESPACE |
| 83 | + |
| 84 | +4. Once verification is success PAC updates summary message on same GitHub checks |
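Review bot: the verification key in the first approach is selected by the author of the PipelineRun that is being verified, which defeats the check. Lines 56-57 have the user put `pipelinesascode.tekton.dev/cosign-pub: secret_name_where_cosign_pub_key_present` on the PipelineRun under `.tekton`, and lines 65-67 accept either a secret name or a raw key string ("If its a string value PAC will create a temp secret and pass it to task"). On a pull request event that file is taken from the PR branch, so a contributor can point the verify-enterprise-contract task at any public key, including one matching a key they hold, and the check reports success regardless of what Chains actually signed with. The public key has to come from something the repository owner controls (the Repository CR or a secret in its namespace that PAC resolves itself), never from the PipelineRun body; if the label is kept, limit it to a secret name in the run's own namespace and drop the inline-string form. Two smaller points in the same steps: steps 3-5 (lines 59-69, repeated at lines 74-84) describe only the success path; state what the GitHub check shows when `chains.tekton.dev/signed` is absent or "false" (including a timeout if Chains never annotates the run) and when the verify-enterprise-contract TaskRun fails, otherwise the check posted "with inprogress state" in step 3 never resolves. And in the second approach (line 80) PAC reads the Chains signing secret from SYSTEM_NAMESPACE to obtain cosign.pub; that secret also carries the private signing key, so if this route is taken copy only the public key into a ConfigMap or a dedicated secret PAC is allowed to read rather than granting PAC access to the signing secret itself.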