tekton chains

Souvik Sarkar · Souvik Sarkar · commit 4e6d87786618 · 2022-04-21T02:49:20.000+05:30
revisions in titles

revisions in titles

revisions in titles

revisions in titles

revisions in titles

revisions in titles

revisions in titles

revisions in titles

revisions in titles

trying to fix section heading anomaly

introduction and key features

installation

installation

troubleshooting build error due to duplicate id

random intermediate checkin

finalizing structure and fixing build error

typo; fixing build error

finalizing structure and fixing build error

complete draft

review comments

final changes
diff --git a/_attributes/common-attributes.adoc b/_attributes/common-attributes.adoc
@@ -70,6 +70,7 @@ endif::[]
 :pipelines-title: Red Hat OpenShift Pipelines
 :pipelines-shortname: Pipelines
 :pipelines-ver: pipelines-1.7
+:tekton-chains: Tekton Chains
 //odo
 :odo-title: odo
 //alibaba cloud
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1598,6 +1598,8 @@ Topics:
     File: securing-webhooks-with-event-listeners
   - Name: Authenticating pipelines using git secret
     File: authenticating-pipelines-using-git-secret
+  - Name: Using Tekton Chains for OpenShift Pipelines supply chain security
+    File: using-tekton-chains-for-openshift-pipelines-supply-chain-security
   - Name: Viewing pipeline logs using the OpenShift Logging Operator
     File: viewing-pipeline-logs-using-the-openshift-logging-operator
 - Name: GitOps
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
@@ -47,6 +47,8 @@ include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloff
 
 * You can learn more about installing Operators on {product-title} in the xref:../../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[adding Operators to a cluster] section.
 
+* To install Tekton Chains using the {pipelines-title} Operator, see xref:../../cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc#using-tekton-chains-for-openshift-pipelines-supply-chain-security[Using Tekton Chains for OpenShift Pipelines supply chain security].
+
 * For more information on using pipelines in a restricted environment, see:
 
 ** xref:../../cicd/pipelines/creating-applications-with-cicd-pipelines.html#op-mirroring-images-to-run-pipelines-in-restricted-environment_creating-applications-with-cicd-pipelines[Mirroring images to run pipelines in a restricted environment]
diff --git a/cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc b/cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc
@@ -0,0 +1,49 @@
+:_content-type: ASSEMBLY
+[id="using-tekton-chains-for-openshift-pipelines-supply-chain-security"]
+= Using Tekton Chains for OpenShift Pipelines supply chain security
+include::_attributes/common-attributes.adoc[]
+:context: using-tekton-chains-for-openshift-pipelines-supply-chain-security
+
+toc::[]
+
+:FeatureName: Tekton Chains
+include::snippets/technology-preview.adoc[]
+
+[role="_abstract"]
+{tekton-chains} is a Kubernetes Custom Resource Definition (CRD) controller. You can use it to manage the supply chain security of the tasks and pipelines created using {pipelines-title}.
+
+By default, {tekton-chains} observes all task run executions in your {product-title} cluster. When the task runs complete, {tekton-chains} takes a snapshot of the task runs. It then converts the snapshot to one or more standard payload formats, and finally signs and stores all artifacts. 
+
+To capture information about task runs, {tekton-chains} uses the `Result` and `PipelineResource` objects. When the objects are unavailable, {tekton-chains} the URLs and qualified digests of the OCI images.
+
+[NOTE]
+====
+The `PipelineResource` object is deprecated and will be removed in a future release; for manual use, the `Results` object is recommended.
+====
+
+[id="tc-key-features"]
+== Key features
+* You can sign task runs, task run results, and OCI registry images with cryptographic key types and services such as `cosign`.
+* You can use attestation formats such as `in-toto`.
+* You can securely store signatures and signed artifacts using OCI repository as a storage backend.
+
+include::modules/op-installing-tekton-chains-using-pipelines-operator.adoc[leveloffset=+1]
+
+include::modules/op-configuring-tekton-chains.adoc[leveloffset=+1]
+
+include::modules/op-supported-keys-tekton-chains-configuration.adoc[leveloffset=+2]
+
+include::modules/op-signing-secrets-in-tekton-chains.adoc[leveloffset=+1]
+
+include::modules/op-authenticating-to-an-oci-registry.adoc[leveloffset=+1]
+
+include::modules/op-creating-and-verifying-task-run-signatures-without-any-additional-authentication.adoc[leveloffset=+1]
+
+include::modules/op-using-tekton-chains-to-sign-and-verify-image-and-provenance.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources-tekton-chains"]
+== Additional resources
+
+* xref:../../cicd/pipelines/installing-pipelines.adoc#installing-pipelines[Installing OpenShift Pipelines]
+
diff --git a/modules/op-authenticating-to-an-oci-registry.adoc b/modules/op-authenticating-to-an-oci-registry.adoc
@@ -0,0 +1,69 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+[id="authenticating-to-an-oci-registry_{context}"]
+= Authenticating to an OCI registry
+
+Before pushing signatures to an OCI registry, cluster administrators must configure {tekton-chains} to authenticate with the registry. The {tekton-chains} controller uses the same service account under which the task runs execute. To set up a service account with the necessary credentials for pushing signatures to an OCI registry, perform the following steps:
+
+[discrete]
+.Procedure
+
+. Set the namespace and name of the Kubernetes service account.
++
+[source,terminal]
+----
+$ export NAMESPACE=<namespace> <1>
+$ export SERVICE_ACCOUNT_NAME=<service_account> <2>
+----
+<1> The namespace associated with the service account.
+<2> The name of the service account.
+
+. Create a Kubernetes secret.
++
+[source,terminal]
+----
+$ oc create secret registry-credentials \
+  --from-file=.dockerconfigjson \ <1>
+  --type=kubernetes.io/dockerconfigjson \
+  -n $NAMESPACE
+----
+<1> Substitute with the path to your Docker config file. Default path is `~/.docker/config.json`.
+
+. Give the the service account access to the secret.
++
+[source,terminal]
+----
+$ oc patch serviceaccount $SERVICE_ACCOUNT_NAME \
+  -p "{\"imagePullSecrets\": [{\"name\": \"registry-credentials\"}]}" -n $NAMESPACE
+----
++
+If you patch the default `pipeline` service account that {pipelines-title} assigns to all task runs, the {pipelines-title} Operator will override the service account. As a best practice, you can perform the following steps:
+
+.. Create a separate service account to assign to user's task runs.
++
+[source,terminal]
+----
+$ oc create serviceaccount <service_account_name>
+----
+
+.. Associate the service account to the task runs by setting the value of the `serviceaccountname` field in the task run template.
++
+[source,yaml]
+----
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+name: build-push-task-run-2
+spec:
+serviceAccountName: build-bot <1>
+taskRef:
+  name: build-push
+...
+----
+<1> Substitute with the name of the newly created service account.
+
+
+
diff --git a/modules/op-configuring-tekton-chains.adoc b/modules/op-configuring-tekton-chains.adoc
@@ -0,0 +1,19 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: CONCEPT
+[id="configuring-tekton-chains_{context}"]
+= Configuring {tekton-chains}
+
+{tekton-chains} uses a `ConfigMap` object named `chains-config` in the `openshift-pipelines` namespace for configuration.
+
+To configure {tekton-chains}, use the following example:
+
+.Example: Configuring {tekton-chains}
+[source,terminal]
+----
+$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}' <1>
+----
+<1> Use a combination of supported key-value pairs in the JSON payload.
+
diff --git a/modules/op-creating-and-verifying-task-run-signatures-without-any-additional-authentication.adoc b/modules/op-creating-and-verifying-task-run-signatures-without-any-additional-authentication.adoc
@@ -0,0 +1,92 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+[id="creating-and-verifying-task-run-signatures-without-any-additional-authentication_{context}"]
+== Creating and verifying task run signatures without any additional authentication
+
+[role="_abstract"]
+To verify signatures of task runs using {tekton-chains} with any additional authentication, perform the following tasks:
+
+* Create an encrypted x509 key pair and save it as a Kubernetes secret.
+* Configure the {tekton-chains} backend storage.
+* Create a task run, sign it, and store the signature and the payload as annotations on the task run itself.
+* Retrieve the signature and payload from the signed task run.
+* Verify the signature of the task run.
+
+[discrete]
+.Prerequisites
+Ensure that the following are installed on the cluster:
+
+* {pipelines-title} Operator
+* {tekton-chains}
+* link:https://docs.sigstore.dev/cosign/installation/[Cosign]
+
+[discrete]
+.Procedure
+
+. Create an encrypted x509 key pair and save it as a Kubernetes secret:
++
+[source,terminal]
+----
+$ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
+----
++
+Provide a password when prompted. Cosign stores the resulting private key as part of the `signing-secrets` Kubernetes secret in the `openshift-pipelines` namespace.
+
+. In the {tekton-chains} configuration, disable the OCI storage, and set the task run storage and format to `tekton`. 
++
+[source,terminal]
+----
+$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}'
+----
+
+. Restart the {tekton-chains} controller to ensure that the modified configuration is applied.
++
+[source.terminal]
+----
+$ oc delete po -n openshift-pipelines -l app=tekton-chains-controller
+----
+
+. Create a task run. 
++
+[source,terminal]
+----
+$ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml <1>
+taskrun.tekton.dev/build-push-run-output-image-qbjvh created
+----
+<1> Substitute with the URI or file path pointing to your task run.
+
+. Check the status of the steps, and wait till the process finishes.
++
+[source,terminal]
+----
+$ tkn tr describe --last
+[...truncated output...]
+NAME                            STATUS
+∙ create-dir-builtimage-9467f   Completed
+∙ git-source-sourcerepo-p2sk8   Completed
+∙ build-and-push                Completed
+∙ echo                          Completed
+∙ image-digest-exporter-xlkn7   Completed
+----
+
+. Retrieve the signature and payload from the object stored as `base64` encoded annotations:
++
+[source,terminal]
+----
+$ export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')
+$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
+$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload
+----
+
+. Verify the signature.
++
+[source,terminal]
+----
+$ cosign verify-blob --key k8s://openshift-pipelines/signing-secrets --signature ./signature ./payload
+Verified OK
+----
+
+
diff --git a/modules/op-installing-tekton-chains-using-pipelines-operator.adoc b/modules/op-installing-tekton-chains-using-pipelines-operator.adoc
@@ -0,0 +1,51 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: PROCEDURE
+[id="installing-tekton-chains-using-pipelines-operator_{context}"]
+= Installing {tekton-chains} using the {pipelines-title} Operator
+
+Cluster administrators can use the `TektonChain` custom resource (CR) to install and manage {tekton-chains}. 
+
+[NOTE]
+====
+{tekton-chains} is an optional component of {pipelines-title}. Currently, you cannot install it using the `TektonConfig` CR. 
+====
+
+[discrete]
+.Prerequisites
+* Ensure that the {pipelines-title} Operator is installed in the `openshift-pipelines` namespace on your cluster.
+
+[discrete]
+.Procedure
+
+. Create the `TektonChain` CR for your {product-title} cluster.
++
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonChain
+metadata:
+  name: chain
+spec:
+  targetNamespace: openshift-pipelines
+----
+
+. Apply the `TektonChain` CR.
++
+[source,terminal]
+----
+$ oc apply -f TektonChain.yaml <1>
+----
++
+<1> Substitute with the file name of the `TektonChain` CR.
+
+. Check the status of the installation.
++
+[source,terminal]
+----
+$ oc get tektonchains.operator.tekton.dev
+----
+
+
diff --git a/modules/op-signing-secrets-in-tekton-chains.adoc b/modules/op-signing-secrets-in-tekton-chains.adoc
@@ -0,0 +1,61 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-chains-for-pipelines-supply-chain-security.adoc
+
+:_content-type: CONCEPT
+[id="signing-secrets-in-tekton-chains_{context}"]
+= Signing secrets in {tekton-chains}
+
+[role="_abstract"]
+Cluster administrators can generate a key pair and use {tekton-chains} to sign artifacts using a Kubernetes secret. For {tekton-chains} to work, a private key and a password for encrypted keys must exist as part of the `signing-secrets` Kubernetes secret, in the `openshift-pipelines` namespace.
+
+Currently, {tekton-chains} supports the `x509` and `cosign` signature schemes.
+
+[NOTE]
+====
+Use only one of the supported signature schemes.
+====
+
+[id="chains-signing-secrets-x509_{context}"]
+== Signing using x509
+
+To use the `x509` signing scheme with {tekton-chains}, store the `x509.pem` private key of the `ed25519` or `ecdsa` type in the `signing-secrets` Kubernetes secret. Ensure that the key is stored as an unencrypted PKCS8 PEM file (`BEGIN PRIVATE KEY`).
+
+[id="chains-signing-secrets-cosign_{context}"]
+== Signing using cosign
+
+To use the `cosign` signing scheme with {tekton-chains}:
+
+. Install link:https://docs.sigstore.dev/cosign/installation/[cosign].
+
+. Generate the `cosign.key` and `cosign.pub` key pairs.
++
+[source,terminal]
+----
+$ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
+----
++
+Cosign prompts you for a password, and creates a Kubernetes secret.
+
+. Store the encrypted `cosign.key` private key and the `cosign.password` decryption password in the `signing-secrets` Kubernetes secret. Ensure that the private key is stored as an encrypted PEM file of the `ENCRYPTED COSIGN PRIVATE KEY` type.
+
+[id="chains-troubleshooting-signing_{context}"]
+== Troubleshooting signing
+
+If the signing secrets are already populated, you might get the following error:
+
+[source,yaml]
+----
+Error from server (AlreadyExists): secrets "signing-secrets" already exists
+----
+
+To resolve the error:
+
+. Delete the secrets:
++
+[source,terminal]
+----
+$ oc delete secret signing-secrets -n openshift-pipelines
+----
+
+. Recreate the key pairs and store them in the secrets using your preferred signing scheme.
diff --git a/modules/op-supported-keys-tekton-chains-configuration.adoc b/modules/op-supported-keys-tekton-chains-configuration.adoc
diff --git a/modules/op-using-tekton-chains-to-sign-and-verify-image-and-provenance.adoc b/modules/op-using-tekton-chains-to-sign-and-verify-image-and-provenance.adoc
