Migrate Tekton-Chains to openshift-pipelines 1/3

This PR leaves the secrets in the tekton-chains namespace, but copies them
to the openshift-pipelines namespace. This should guarantee that older
attestations can still be decoded, and that new attestations can be decoded
if the PR needs to be rolled back.

* Move chains configuration to TektonConfig
* Revert premature changes on namespaces
* Add serviceaccount and job to copy the secrets to the new namespace
* A test commented out has been added for when we are ready to do part 2/2
* Improve debugging of test.sh and behavior on some flakiness

Part 2/3 will enable the public-key-migration test so that EC can target
the new secret.

Part 2/3 will deprecate the tekton-chains namespace.

Signed-off-by: Romain Arnaud <[email protected]>

Author: Roming22

operator/gitops/argocd/pipeline-service/openshift-pipelines/allow-argocd-to-manage.yaml

@@ -4,6 +4,16 @@ kind: ClusterRole
 metadata:
   name: openshift-gitops-apply-tekton-config-parameters
 rules:
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+      - list
+      - patch
+      - create
+      - delete
   - apiGroups:
       - operator.tekton.dev
     resources:

operator/gitops/argocd/pipeline-service/openshift-pipelines/tekton-config.yaml

@@ -1,4 +1,5 @@
 ---
+# Docs: https://github.com/tektoncd/operator/blob/main/docs/TektonConfig.md
 apiVersion: operator.tekton.dev/v1alpha1
 kind: TektonConfig
 metadata:
@@ -15,6 +16,22 @@ spec:
     openshift:
       pipelinesAsCode:
         enable: true
+  chain:
+    # Configure TaskRun attestation.
+    # RHTAP does not leverage the TaskRun attestations.
+    # This tells Tekton Chains to not store them in the OCI registry.
+    artifacts.taskrun.format: "in-toto"
+    artifacts.taskrun.storage: ""
+
+    # Configure image signing
+    artifacts.oci.storage: "oci"
+
+    # Configure PipelineRun attestation
+    artifacts.pipelinerun.format: "in-toto"
+    artifacts.pipelinerun.storage: "oci"
+
+    # Rekor integration is disabled for now. It is planned to be re-introduced in the future.
+    transparency.enabled: "false"
   pipeline:
     default-service-account: appstudio-pipeline
     enable-api-fields: beta

operator/gitops/argocd/pipeline-service/tekton-chains/chains-config.yaml

@@ -3,13 +3,13 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: chains-secrets-admin
-  namespace: openshift-pipelines
+  namespace: tekton-chains
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: chains-secret-admin
-  namespace: openshift-pipelines
+  namespace: tekton-chains
 rules:
   - apiGroups:
       - ""
@@ -39,15 +39,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: chains-secret-admin
-  namespace: openshift-pipelines
+  namespace: tekton-chains
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: chains-secret-admin
 subjects:
   - kind: ServiceAccount
     name: chains-secrets-admin
-    namespace: openshift-pipelines
+    namespace: tekton-chains
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -61,13 +61,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: chains-secrets-admin
-    namespace: openshift-pipelines
+    namespace: tekton-chains
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: tekton-chains-signing-secret
-  namespace: openshift-pipelines
+  namespace: tekton-chains
   annotations:
     argocd.argoproj.io/sync-wave: "1"
 spec:

operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-config.yaml

@@ -0,0 +1,176 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-chains-secrets-migrator
+  namespace: openshift-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tekton-chains-secret-migration
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - public-key
+      - signing-secrets
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-chains-secrets-migrator
+  namespace: tekton-chains
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tekton-chains-secret-migration
+subjects:
+  - kind: ServiceAccount
+    name: tekton-chains-secrets-migrator
+    namespace: openshift-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: openshift-pipelines-secret-migration
+  namespace: openshift-pipelines
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - create
+      - get
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: openshift-pipelines-secret-migration
+  namespace: openshift-pipelines
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-pipelines-secret-migration
+subjects:
+  - kind: ServiceAccount
+    name: tekton-chains-secrets-migrator
+    namespace: openshift-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: openshift-gitops-jobs-admin
+rules:
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - get
+      - list
+      - patch
+      - create
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openshift-gitops-jobs-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openshift-gitops-jobs-admin
+subjects:
+  - kind: ServiceAccount
+    name: openshift-gitops-argocd-application-controller
+    namespace: openshift-gitops
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tekton-chains-secrets-migration
+  namespace: openshift-pipelines
+  annotations:
+    # Must run after tekton-chains-signing-secret during migration
+    argocd.argoproj.io/sync-wave: "2"
+spec:
+  template:
+    spec:
+      containers:
+        - name: chains-secret-migration
+          image: quay.io/redhat-appstudio/appstudio-utils:eb94f28fe2d7c182f15e659d0fdb66f87b0b3b6b
+          imagePullPolicy: Always
+          command:
+            - /bin/bash
+            - -c
+            - |
+              cd /tmp
+              # Once the key-pair has been set it's marked as immutable so it can't be updated.
+              # Try to handle that nicely. The object is expected to always exist so check the data.
+              echo "Waiting for tekton-chains/secrets/signing-secrets: "
+              while [ -z  $CHAINS_SIG_KEY_DATA ]; do
+                echo -n "."
+                CHAINS_SIG_KEY_DATA=$(kubectl get secret signing-secrets -n tekton-chains -o jsonpath='{.data}')
+                sleep 3
+              done
+              echo "OK"
+
+              OSP_SIG_KEY_DATA=$(kubectl get secret signing-secrets -n openshift-pipelines -o jsonpath='{.data}')
+              if [ -z "$OSP_SIG_KEY_DATA" -o "$OSP_SIG_KEY_DATA" != "$CHAINS_SIG_KEY_DATA" ]; then
+                echo "openshift-pipelines: copying signing-secrets from tekton-chains"
+                kubectl create secret generic signing-secrets \
+                  --namespace openshift-pipelines \
+                  --from-literal=cosign.key="$(
+                    echo "$CHAINS_SIG_KEY_DATA" | jq -r '.["cosign.key"]' | base64 -d
+                  )" \
+                  --from-literal=cosign.password="$(
+                    echo "$CHAINS_SIG_KEY_DATA" | jq -r '.["cosign.password"]' | base64 -d
+                  )" \
+                  --from-literal=cosign.pub="$(
+                    echo "$CHAINS_SIG_KEY_DATA" | jq -r '.["cosign.pub"]' | base64 -d
+                  )" \
+                  --dry-run=client \
+                  -o yaml | kubectl apply -f -
+              else
+                echo "openshift-pipelines: signing-secrets is up to date"
+              fi
+
+              # Generate/update the secret with the public key
+              echo "Creating public-key in openshift-pipelines"
+              kubectl create secret generic public-key \
+                --namespace openshift-pipelines \
+                --from-literal=cosign.pub="$(
+                  cosign public-key --key k8s://openshift-pipelines/signing-secrets
+                )" \
+                --dry-run=client \
+                -o yaml | kubectl apply -f -
+              echo "OK"
+      dnsPolicy: ClusterFirst
+      restartPolicy: OnFailure
+      terminationGracePeriodSeconds: 30
+      serviceAccountName: tekton-chains-secrets-migrator
+---
+# public-key access
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: openshift-pipelines-public-key-viewer
+  namespace: openshift-pipelines
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tekton-chains-public-key-viewer
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:authenticated

operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-migration.yaml

@@ -9,21 +9,29 @@ resources:
   # To list available releases:
   #  curl -s https://storage.googleapis.com/tekton-releases/ | xq | grep -E 'chains/.*/release.yaml'
   #
+  - namespace.yaml
   - chains-secrets-config.yaml
   - public-key.yaml
+  - chains-secrets-migration.yaml
 
 patches:
- # Add some chains configuration
-  - path: chains-config.yaml
-  #
   - target:
       kind: Secret
       name: signing-secrets
-      namespace: openshift-pipelines
+      namespace: tekton-chains
     patch: |-
       apiVersion: v1
       kind: Secret
       metadata:
         name: signing-secrets
-        namespace: openshift-pipelines
+        namespace: tekton-chains
       $patch: delete
+  # Allow openshift-gitops to manage tekton-chains
+  - target:
+      kind: Namespace
+      name: tekton-chains
+    patch: |-
+      - op: add
+        path: "/metadata/labels"
+        value:
+          argocd.argoproj.io/managed-by: openshift-gitops

operator/gitops/argocd/pipeline-service/tekton-chains/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-chains

operator/gitops/argocd/pipeline-service/tekton-chains/namespace.yaml

@@ -19,7 +19,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: tekton-chains-public-key-viewer
-  namespace: openshift-pipelines
+  namespace: tekton-chains
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

operator/gitops/argocd/pipeline-service/tekton-chains/public-key.yaml

@@ -157,8 +157,8 @@ tekton_chains_manifest(){
       --workdir /workspace \
       --entrypoint /usr/bin/cosign \
       "$cosign_image" generate-key-pair
-    kubectl create namespace openshift-pipelines --dry-run=client -o yaml > "$chains_namespace"
-    kubectl create secret generic -n openshift-pipelines signing-secrets --from-file="$chains_tmp_dir" --dry-run=client -o yaml | \
+    kubectl create namespace tekton-chains --dry-run=client -o yaml > "$chains_namespace"
+    kubectl create secret generic -n tekton-chains signing-secrets --from-file="$chains_tmp_dir" --dry-run=client -o yaml | \
             yq '. += {"immutable" :true}' | \
             yq "sort_keys(.)" > "$chains_secret"
     yq e -n '.resources += ["namespace.yaml", "signing-secrets.yaml"]' > "$chains_kustomize"

operator/images/access-setup/content/bin/setup_work_dir.sh

@@ -154,9 +154,9 @@ install_clusters() {
 install_shared_manifests() {
   CREDENTIALS_DIR="$WORKSPACE_DIR/credentials"
 
-#  if [ "$(kubectl get secret -n openshift-pipelines signing-secrets --ignore-not-found -o json | jq -r ".immutable")" != "true" ]; then
-#    kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-chains"
-#  fi
+  # if [ "$(kubectl get secret -n tekton-chains signing-secrets --ignore-not-found -o json | jq -r ".immutable")" != "true" ]; then
+  #   kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-chains"
+  # fi
   kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-results"
 }