Commit 277c36c

committed
Trusted Resources e2e tutorial
1 parent 226f2b3 commit 277c36c

1 file changed

Lines changed: 213 additions & 0 deletions

@@ -0,0 +1,213 @@
1+
<!--
2+
---
3+
title: "Use Trusted Resources with Tekton"
4+
linkTitle: "Use Trusted Resources"
5+
weight: 1
6+
description: >
7+
How to sign and verify Tekton resources
8+
---
9+
-->
10+
11+
This guide shows you how to:
12+
13+
1. Sign Tekton Tasks and Pipelines with cosign.
14+
1. Verify signed Tekton Tasks and Pipelines with cosign.
15+
1. Sign Tekton Tasks and Pipelines with KMS keys.
16+
1. Verify signed Tekton Tasks and Pipelines with KMS keys.
17+
18+
## Prerequisites
19+
20+
1. To follow this How-to you must have a Kubernetes cluster up and running and
21+
[kubectl][kubectl] properly configured to issue commands to your cluster.
22+
23+
24+
1. Install the latest release of Tekton Pipelines:
25+
26+
```bash
27+
kubectl apply --filename \
28+
https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
29+
```
30+
31+
See the [Pipelines installation documentation][pipelines-inst] for other
32+
installation options.
33+
34+
1. Install the [Tekton CLI, `tkn`][tkn-inst], on your machine.
35+
36+
1. Install [cosign][cosign].
37+
38+
## Signing Tasks and Pipelines
39+
40+
You can use two different tools to sign Tasks and Pipelines, Cosign or a Key
41+
Management System (KMS):
42+
43+
{{% tabs %}}
44+
45+
{{% tab "Cosign" %}}
46+
47+
1. Generate a key pair to sign the artifact provenance:
48+
49+
```bash
50+
cosign generate-key-pair k8s://tekton-chains/signing-secrets
51+
```
52+
53+
You are prompted to enter a password for the private key. For this guide,
54+
leave the password empty and press *Enter* twice. A public key, `cosign.pub`,
55+
is created in your current directory.
56+
57+
1. Sing the resource YAML file with the private key using the Tekton CLI.
58+
59+
+ To sign a Task file named `task.yaml` run the following command:
60+
61+
```bash
62+
tkn task sign task.yaml -K="cosign.key" -f="signed-task-cosign.yaml"
63+
```
64+
65+
The output is the signed Task `signed-task-cosign.yaml`.
66+
67+
+ To sign a Pipeline file name `pipeline.yaml` run the following command:
68+
69+
```bash
70+
tkn pipeline sign pipeline.yaml -K="cosign.key" \
71+
-f="signed-pipeline-cosign.yaml"
72+
```
73+
74+
The output is the signed Pipeline `signed-pipeline-cosign.yaml`.
75+
76+
1. You can now push the signed resources to a remote storage and use [remote
77+
resolution][remote-reso] to use them.
78+
79+
[remote-reso]: https://github.com/tektoncd/pipeline/blob/main/docs/resolution.md
80+
{{% /tab %}}
81+
82+
{{% tab "KMS" %}}
83+
84+
This section uses Google Cloud's KMS.
85+
86+
1. Set up a KMS asymmetric signing key.
87+
88+
1. Log in to your GCP account:
89+
90+
```bash
91+
gcloud auth application-default login
92+
```
93+
94+
1. Sing the resource YAML file with the KMS private key using the Tekton CLI.
95+
96+
To sign a Task file named `task.yaml` run the following command:
97+
98+
```bash
99+
tkn task sign task.yaml \
100+
-m="gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1" \
101+
-f="signed-task-kms.yaml"
102+
```
103+
104+
To sign a Pipeline file name `pipeline.yaml` run the following command:
105+
106+
```bash
107+
tkn pipeline sign pipeline.yaml \
108+
-m="gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1" \
109+
-f="signed-pipeline-kms.yaml"
110+
```
111+
112+
1. You can now push the signed resources to a remote storage and use [remote
113+
resolution][remote-reso] to use them.
114+
115+
[remote-reso]: https://github.com/tektoncd/pipeline/blob/main/docs/resolution.md
116+
{{% /tab %}}
117+
118+
{{% /tabs %}}
119+
120+
## Configure your cluster
121+
122+
To verify the signatures you must enable policy verification on your cluster.
123+
Write and apply a VerificationPolicy.
124+
125+
{{% tabs %}}
126+
127+
{{% tab "Cosign" %}}
128+
129+
Verification policy for cosign
130+
131+
```yaml
132+
apiVersion: tekton.dev/v1alpha1
133+
kind: VerificationPolicy
134+
metadata:
135+
name: cosign-policy
136+
namespace: trusted-resources
137+
spec:
138+
resources:
139+
- pattern: "https://github.com/Yongxuanzhang/sample-tekton-task"
140+
- pattern: "https://github.com/Yongxuanzhang/sample-tekton-pipeline"
141+
authorities:
142+
- name: cosign
143+
key:
144+
secretRef:
145+
name: verification-secrets
146+
namespace: tekton-pipelines
147+
mode: enforce
148+
```
149+
150+
{{% /tab %}}
151+
152+
{{% tab "KMS" %}}
153+
154+
Verification policy for KMS
155+
156+
```yaml
157+
apiVersion: tekton.dev/v1alpha1
158+
kind: VerificationPolicy
159+
metadata:
160+
name: kms-policy
161+
namespace: trusted-resources
162+
spec:
163+
resources:
164+
- pattern: "https://github.com/Yongxuanzhang/sample-tekton-task"
165+
- pattern: "https://github.com/Yongxuanzhang/sample-tekton-pipeline"
166+
authorities:
167+
- name: kms
168+
key:
169+
kms:
170+
gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1
171+
mode: enforce
172+
```
173+
174+
{{% /tab %}}
175+
176+
{{% /tabs %}}
177+
178+
Enable trusted resource verification on your cluster. Create the following
179+
config map:
180+
181+
```yaml
182+
piVersion: v1
183+
kind: ConfigMap
184+
metadata:
185+
name: feature-flags
186+
namespace: tekton-pipelines
187+
labels:
188+
app.kubernetes.io/instance: default
189+
app.kubernetes.io/part-of: tekton-pipelines
190+
data:
191+
trusted-resources-verification-no-match-policy: "fail"
192+
```
193+
194+
And apply it to your cluster.
195+
196+
197+
## Code samples:
198+
199+
+ **Sample Task**
200+
201+
+ **Sample Pipeline**
202+
203+
+ **Sample PipelineRun for Cosign-signed resource**
204+
205+
+ **Sample PipelineRun for KMS-signed resources**
206+
207+
208+
209+
[pipelines-inst]: /docs/pipelines/install/
210+
[tkn-inst]: /docs/cli/
211+
[kubectl]: https://kubernetes.io/docs/tasks/tools/#kubectl
212+
[cosign]: https://docs.sigstore.dev/cosign/installation/
213+
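Review bot: the feature-flags ConfigMap at diff line 182 starts with `piVersion: v1` instead of `apiVersion: v1`, so `kubectl apply` will reject the manifest and the "And apply it to your cluster" step cannot succeed as written; fix the key name. A second gap in the Cosign path: step 1 generates the key pair into `k8s://tekton-chains/signing-secrets` and writes `cosign.pub` locally, but the VerificationPolicy's `secretRef` points at `name: verification-secrets` / `namespace: tekton-pipelines`, and no step creates that secret from `cosign.pub`, so verification would fail to find a public key; add a step that creates the secret (or reference the secret the generate-key-pair command already created) and note that the policy's own `namespace: trusted-resources` must exist before the policy is applied. Smaller points: "Sing the resource YAML file" at diff lines 57 and 94 should read "Sign"; "a Pipeline file name `pipeline.yaml`" at lines 67 and 104 should read "named"; the KMS tab's step "Set up a KMS asymmetric signing key" gives no instructions, and the key URI hard-codes a personal project (`projects/yongxuan-test/...`), which readers should be told to replace with their own project, key ring and key; the "Code samples" section lists four bold titles with no links or content, so either link them or drop the section until the samples exist.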
