Merge pull request #59627 from mramendi/tekton-chains-ga

RHDEVDOCS-5246: Tekton Chains configuration changes for GA

Author: gabriel-rh

cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc

@@ -6,38 +6,35 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-:FeatureName: Tekton Chains
-include::snippets/technology-preview.adoc[]
-
 [role="_abstract"]
 {tekton-chains} is a Kubernetes Custom Resource Definition (CRD) controller. You can use it to manage the supply chain security of the tasks and pipelines created using {pipelines-title}.
 
-By default, {tekton-chains} observes all task run executions in your {product-title} cluster. When the task runs complete, {tekton-chains} takes a snapshot of the task runs. It then converts the snapshot to one or more standard payload formats, and finally signs and stores all artifacts. 
-
-To capture information about task runs, {tekton-chains} uses the `Result` and `PipelineResource` objects. When the objects are unavailable, {tekton-chains} the URLs and qualified digests of the OCI images.
+By default, {tekton-chains} observes all task run executions in your {product-title} cluster. When the task runs complete, {tekton-chains} takes a snapshot of the task runs. It then converts the snapshot to one or more standard payload formats, and finally signs and stores all artifacts.
 
-[NOTE]
-====
-The `PipelineResource` object is deprecated and will be removed in a future release; for manual use, the `Results` object is recommended.
-====
+To capture information about task runs, {tekton-chains} uses `Result` objects. When the objects are unavailable, {tekton-chains} the URLs and qualified digests of the OCI images.
 
 [id="tc-key-features"]
 == Key features
-* You can sign task runs, task run results, and OCI registry images with cryptographic key types and services such as `cosign`.
+* You can sign task runs, task run results, and OCI registry images with cryptographic keys that are generated by tools such as `cosign` and `skopeo`.
 * You can use attestation formats such as `in-toto`.
 * You can securely store signatures and signed artifacts using OCI repository as a storage backend.
 
-include::modules/op-installing-tekton-chains-using-pipelines-operator.adoc[leveloffset=+1]
-
 include::modules/op-configuring-tekton-chains.adoc[leveloffset=+1]
 
-include::modules/op-supported-keys-tekton-chains-configuration.adoc[leveloffset=+2]
+include::modules/op-supported-parameters-tekton-chains-configuration.adoc[leveloffset=+2]
 
 include::modules/op-signing-secrets-in-tekton-chains.adoc[leveloffset=+1]
+include::modules/op-chains-signing-secrets-cosign.adoc[leveloffset=+2]
+include::modules/op-chains-signing-secrets-skopeo.adoc[leveloffset=+2]
+include::modules/op-chains-resolving-existing-secret.adoc[leveloffset=+2]
 
 include::modules/op-authenticating-to-an-oci-registry.adoc[leveloffset=+1]
 
 include::modules/op-creating-and-verifying-task-run-signatures-without-any-additional-authentication.adoc[leveloffset=+1]
+=== Additional resources
+
+* xref:signing-secrets-in-tekton-chains_{context}[]
+* xref:configuring-tekton-chains_{context}[]
 
 include::modules/op-using-tekton-chains-to-sign-and-verify-image-and-provenance.adoc[leveloffset=+1]
 
@@ -46,4 +43,3 @@ include::modules/op-using-tekton-chains-to-sign-and-verify-image-and-provenance.
 == Additional resources
 
 * xref:../../cicd/pipelines/installing-pipelines.adoc#installing-pipelines[Installing {pipelines-shortname}]
-

modules/op-chains-resolving-existing-secret.adoc

@@ -0,0 +1,28 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+
+[id="chains-resolving-existing-secret_{context}"]
+= Resolving the "secret already exists" error
+
+If the `signing-secret` secret is already populated, the command to create this secret might output the following error message:
+
+[source,terminal]
+----
+Error from server (AlreadyExists): secrets "signing-secrets" already exists
+----
+
+You can resolve this error by deleting the secret.
+
+.Procedure
+
+. Delete the `signing-secret` secret by running the following command:
++
+[source,terminal]
+----
+$ oc delete secret signing-secrets -n openshift-pipelines
+----
+
+. Re-create the key pairs and store them in the secret using your preferred signing scheme.

modules/op-chains-signing-secrets-cosign.adoc

@@ -0,0 +1,27 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+
+[id="chains-signing-secrets-cosign_{context}"]
+= Signing using cosign
+
+You can use the `cosign` signing scheme with {tekton-chains} using the `cosign` tool.
+
+.Prerequisites
+
+* You installed the link:https://docs.sigstore.dev/cosign/installation/[cosign] tool.
+
+.Procedure
+
+. Generate the `cosign.key` and `cosign.pub` key pairs by running the following command:
++
+[source,terminal]
+----
+$ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
+----
++
+Cosign prompts you for a password and then creates a Kubernetes secret.
+
+. Store the encrypted `cosign.key` private key and the `cosign.password` decryption password in the `signing-secrets` Kubernetes secret. Ensure that the private key is stored as an encrypted PEM file of the `ENCRYPTED COSIGN PRIVATE KEY` type.

modules/op-chains-signing-secrets-skopeo.adoc

@@ -0,0 +1,80 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+
+[id="chains-signing-secrets-skopeo_{context}"]
+= Signing using skopeo
+
+You can generate keys using the `skopeo` tool and use them in the `cosign` signing scheme with {tekton-chains}.
+
+.Prerequisites
+
+* You installed the link:https://github.com/containers/skopeo[skopeo] tool.
+
+.Procedure
+
+. Generate a public/private key pair by running the following command:
++
+[source,terminal]
+----
+$ skopeo generate-sigstore-key --output-prefix <mykey> # <1>
+----
+<1> Replace `<mykey>` with a key name of your choice.
++
+Skopeo prompts you for a passphrase for the private key and then creates the key files named `<mykey>.private` and `<mykey>.pub`.
+
+. Encode the `<mykey>.pub` file using the `base64` tool by running the following command:
++
+[source,terminal]
+----
+$ base64 -w 0 <mykey>.pub > b64.pub
+----
+
+. Encode the `<mykey>.private` file using the `base64` tool by running the following command:
++
+[source,terminal]
+----
+$ base64 -w 0 <mykey>.private > b64.private
+----
+
+. Encode the passhprase using the `base64` tool by running the following command:
++
+[source,terminal]
+----
+$ echo -n '<passphrase>' | base64 -w 0 > b64.passphrase # <1>
+----
+<1> Replace `<passphrase>` with the passphrase that you used for the key pair.
+
+. Create the `signing-secrets` secret in the `openshift-pipelines` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc create secret generic signing-secrets -n openshift-pipelines
+----
++
+. Edit the `signing-secrets` secret by running the following command:
+----
+$ oc edit secret -n openshift-pipelines signing-secrets
+----
++
+Add the encoded keys in the data of the secret in the following way:
++
+[source,yaml]
+----
+apiVersion: v1
+data:
+  cosign.key: <Encoded <mykey>.private> # <1>
+  cosign.password: <Encoded passphrase> # <2>
+  cosign.pub: <Encoded <mykey>.pub> # <3>
+immutable: true
+kind: Secret
+metadata:
+  name: signing-secrets
+# ...
+type: Opaque
+----
+<1> Replace `<Encoded <mykey>.private>` with the content of the `b64.private` file.
+<2> Replace `<Encoded passphrase>` with the content of the `b64.passphrase` file.
+<3> Replace `<Encoded <mykey>.pub>` with the content of the `b64.pub` file.

modules/op-configuring-tekton-chains.adoc

@@ -6,14 +6,26 @@
 [id="configuring-tekton-chains_{context}"]
 = Configuring {tekton-chains}
 
-{tekton-chains} uses a `ConfigMap` object named `chains-config` in the `openshift-pipelines` namespace for configuration.
+The {pipelines-title} Operator installs {tekton-chains} by default. You can configure {tekton-chains} by modifying the `TektonConfig` custom resource; the Operator automatically applies the changes that you make in this custom resource.
 
-To configure {tekton-chains}, use the following example:
+To edit the custom resource, use the following command:
 
-.Example: Configuring {tekton-chains}
 [source,terminal]
 ----
-$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}' <1>
+$ oc edit TektonConfig config
 ----
-<1> Use a combination of supported key-value pairs in the JSON payload.
 
+The custom resource includes a `chain:` array. You can add any supported configuration parameters to this array, as shown in the following example:
+
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonConfig
+metadata:
+  name: config
+spec:
+  addon: {}
+  chain:
+    artifacts.taskrun.format: tekton
+  config: {}
+----

modules/op-creating-and-verifying-task-run-signatures-without-any-additional-authentication.adoc

@@ -4,7 +4,7 @@
 
 :_content-type: PROCEDURE
 [id="creating-and-verifying-task-run-signatures-without-any-additional-authentication_{context}"]
-== Creating and verifying task run signatures without any additional authentication
+= Creating and verifying task run signatures without any additional authentication
 
 [role="_abstract"]
 To verify signatures of task runs using {tekton-chains} with any additional authentication, perform the following tasks:
@@ -16,51 +16,64 @@ To verify signatures of task runs using {tekton-chains} with any additional auth
 * Verify the signature of the task run.
 
 .Prerequisites
-Ensure that the following are installed on the cluster:
+Ensure that the following components are installed on the cluster:
 
 * {pipelines-title} Operator
 * {tekton-chains}
 * link:https://docs.sigstore.dev/cosign/installation/[Cosign]
 
 .Procedure
 
-. Create an encrypted x509 key pair and save it as a Kubernetes secret:
+. Create an encrypted x509 key pair and save it as a Kubernetes secret. For more information about creating a key pair and saving it as a secret, see "Signing secrets in {tekton-chains}".
+. In the {tekton-chains} configuration, disable the OCI storage, and set the task run storage and format to `tekton`. In the `TektonConfig` custom resource set the following values:
 +
-[source,terminal]
+[source,yaml]
 ----
-$ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonConfig
+metadata:
+  name: config
+spec:
+# ...
+    chain:
+      artifacts.oci.storage: ""
+      artifacts.taskrun.format: tekton
+      artifacts.taskrun.storage: tekton
+# ...
 ----
 +
-Provide a password when prompted. Cosign stores the resulting private key as part of the `signing-secrets` Kubernetes secret in the `openshift-pipelines` namespace.
-
-. In the {tekton-chains} configuration, disable the OCI storage, and set the task run storage and format to `tekton`. 
-+
-[source,terminal]
-----
-$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}'
-----
-
-. Restart the {tekton-chains} controller to ensure that the modified configuration is applied.
+For more information about configuring {tekton-chains} using the `TektonConfig` custom resource, see "Configuring {tekton-chains}".
+. To restart the {tekton-chains} controller to ensure that the modified configuration is applied, enter the following command:
 +
 [source.terminal]
 ----
 $ oc delete po -n openshift-pipelines -l app=tekton-chains-controller
 ----
 
-. Create a task run. 
+. Create a task run by entering the following command:
 +
 [source,terminal]
 ----
 $ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml <1>
+----
+<1> Replace the example URI with the URI or file path pointing to your task run.
++
+.Example output
+[source,terminal]
+----
 taskrun.tekton.dev/build-push-run-output-image-qbjvh created
 ----
-<1> Substitute with the URI or file path pointing to your task run.
 
-. Check the status of the steps, and wait till the process finishes.
+. Check the status of the steps by entering the following command. Wait until the process finishes.
 +
 [source,terminal]
 ----
 $ tkn tr describe --last
+----
++
+.Example output
+[source,terminal]
+----
 [...truncated output...]
 NAME                            STATUS
 ∙ create-dir-builtimage-9467f   Completed
@@ -70,21 +83,27 @@ NAME                            STATUS
 ∙ image-digest-exporter-xlkn7   Completed
 ----
 
-. Retrieve the signature and payload from the object stored as `base64` encoded annotations:
+. To retrieve the signature from the object stored as `base64` encoded annotations, enter the following commands:
++
+[source,terminal]
+----
+$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" | base64 -d > sig
+----
 +
 [source,terminal]
 ----
 $ export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')
-$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
-$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload
 ----
 
-. Verify the signature.
+. To verify the signature using the public key that you created, enter the following command:
+[source,terminal]
+----
+$ cosign verify-blob-attestation --insecure-ignore-tlog --key path/to/cosign.pub --signature sig --type slsaprovenance --check-claims=false /dev/null <1>
+----
+<1> Replace `path/to/cosign.pub` with the path name of the public key file.
 +
+.Example output
 [source,terminal]
 ----
-$ cosign verify-blob --key k8s://openshift-pipelines/signing-secrets --signature ./signature ./payload
 Verified OK
 ----
-
-

modules/op-installing-pipelines-operator-in-web-console.adoc

@@ -74,7 +74,7 @@ $ oc get tektonconfig config
 .Example output
 ----
 NAME     VERSION   READY   REASON
-config   1.9.2     True
+config   1.11.0     True
 ----
 +
 If the *READY* condition is *True*, the Operator and its components have been installed successfully.
@@ -83,17 +83,23 @@ Additonally, check the components' versions by running the following command:
 +
 [source,terminal]
 ----
-$ oc get tektonpipeline,tektontrigger,tektonaddon,pac
+$ oc get tektonpipeline,tektontrigger,tektonchain,tektonaddon,pac
 ----
 +
 .Example output
 ----
 NAME                                          VERSION   READY   REASON
-tektonpipeline.operator.tekton.dev/pipeline   v0.41.1   True
+tektonpipeline.operator.tekton.dev/pipeline   v0.47.0   True
+
 NAME                                        VERSION   READY   REASON
-tektontrigger.operator.tekton.dev/trigger   v0.22.2   True
+tektontrigger.operator.tekton.dev/trigger   v0.23.1   True
+
 NAME                                    VERSION   READY   REASON
-tektonaddon.operator.tekton.dev/addon   1.9.2     True
+tektonchain.operator.tekton.dev/chain   v0.16.0   True
+
+NAME                                    VERSION   READY   REASON
+tektonaddon.operator.tekton.dev/addon   1.11.0     True
+
 NAME                                                             VERSION   READY   REASON
-openshiftpipelinesascode.operator.tekton.dev/pipelines-as-code   v0.15.5   True
+openshiftpipelinesascode.operator.tekton.dev/pipelines-as-code   v0.19.0   True
 ----