|
| 1 | +<!-- |
| 2 | +--- |
| 3 | +title: "Use Trusted Resources with Tekton" |
| 4 | +linkTitle: "Use Trusted Resources" |
| 5 | +weight: 1 |
| 6 | +description: > |
| 7 | + How to sign and verify Tekton resources |
| 8 | +--- |
| 9 | +--> |
| 10 | + |
| 11 | +This guide shows you how to: |
| 12 | + |
| 13 | +1. Sign Tekton Tasks and Pipelines with cosign. |
| 14 | +1. Verify signed Tekton Tasks and Pipelines with cosign. |
| 15 | +1. Sign Tekton Tasks and Pipelines with KMS keys. |
| 16 | +1. Verify signed Tekton Tasks and Pipelines with KMS keys. |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | + |
| 20 | +1. To follow this How-to you must have a Kubernetes cluster up and running and |
| 21 | + [kubectl][kubectl] properly configured to issue commands to your cluster. |
| 22 | + |
| 23 | + |
| 24 | +1. Install the latest release of Tekton Pipelines: |
| 25 | + |
| 26 | + ```bash |
| 27 | + kubectl apply --filename \ |
| 28 | + https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml |
| 29 | + ``` |
| 30 | + |
| 31 | + See the [Pipelines installation documentation][pipelines-inst] for other |
| 32 | + installation options. |
| 33 | + |
| 34 | +1. Install the [Tekton CLI, `tkn`][tkn-inst], on your machine. |
| 35 | + |
| 36 | +1. Install [cosign][cosign]. |
| 37 | + |
| 38 | +## Signing Tasks and Pipelines |
| 39 | + |
| 40 | +You can use two different tools to sign Tasks and Pipelines, Cosign or a Key |
| 41 | +Management System (KMS): |
| 42 | + |
| 43 | +{{% tabs %}} |
| 44 | + |
| 45 | +{{% tab "Cosign" %}} |
| 46 | + |
| 47 | +1. Generate a key pair to sign the artifact provenance: |
| 48 | + |
| 49 | + ```bash |
| 50 | + cosign generate-key-pair k8s://tekton-chains/signing-secrets |
| 51 | + ``` |
| 52 | + |
| 53 | + You are prompted to enter a password for the private key. For this guide, |
| 54 | + leave the password empty and press *Enter* twice. A public key, `cosign.pub`, |
| 55 | + is created in your current directory. |
| 56 | + |
| 57 | +1. Sing the resource YAML file with the private key using the Tekton CLI. |
| 58 | + |
| 59 | + + To sign a Task file named `task.yaml` run the following command: |
| 60 | + |
| 61 | + ```bash |
| 62 | + tkn task sign task.yaml -K="cosign.key" -f="signed-task-cosign.yaml" |
| 63 | + ``` |
| 64 | + |
| 65 | + The output is the signed Task `signed-task-cosign.yaml`. |
| 66 | + |
| 67 | + + To sign a Pipeline file name `pipeline.yaml` run the following command: |
| 68 | + |
| 69 | + ```bash |
| 70 | + tkn pipeline sign pipeline.yaml -K="cosign.key" \ |
| 71 | + -f="signed-pipeline-cosign.yaml" |
| 72 | + ``` |
| 73 | + |
| 74 | + The output is the signed Pipeline `signed-pipeline-cosign.yaml`. |
| 75 | + |
| 76 | +1. You can now push the signed resources to a remote storage and use [remote |
| 77 | + resolution][remote-reso] to use them. |
| 78 | + |
| 79 | +[remote-reso]: https://github.com/tektoncd/pipeline/blob/main/docs/resolution.md |
| 80 | +{{% /tab %}} |
| 81 | + |
| 82 | +{{% tab "KMS" %}} |
| 83 | + |
| 84 | +This section uses Google Cloud's KMS. |
| 85 | +
|
| 86 | +1. Set up a KMS asymmetric signing key. |
| 87 | +
|
| 88 | +1. Log in to your GCP account: |
| 89 | +
|
| 90 | + ```bash |
| 91 | + gcloud auth application-default login |
| 92 | + ``` |
| 93 | +
|
| 94 | +1. Sing the resource YAML file with the KMS private key using the Tekton CLI. |
| 95 | +
|
| 96 | + To sign a Task file named `task.yaml` run the following command: |
| 97 | +
|
| 98 | + ```bash |
| 99 | + tkn task sign task.yaml \ |
| 100 | + -m="gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1" \ |
| 101 | + -f="signed-task-kms.yaml" |
| 102 | + ``` |
| 103 | +
|
| 104 | + To sign a Pipeline file name `pipeline.yaml` run the following command: |
| 105 | +
|
| 106 | + ```bash |
| 107 | + tkn pipeline sign pipeline.yaml \ |
| 108 | + -m="gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1" \ |
| 109 | + -f="signed-pipeline-kms.yaml" |
| 110 | + ``` |
| 111 | +
|
| 112 | +1. You can now push the signed resources to a remote storage and use [remote |
| 113 | + resolution][remote-reso] to use them. |
| 114 | +
|
| 115 | +[remote-reso]: https://github.com/tektoncd/pipeline/blob/main/docs/resolution.md |
| 116 | +{{% /tab %}} |
| 117 | +
|
| 118 | +{{% /tabs %}} |
| 119 | +
|
| 120 | +## Configure your cluster |
| 121 | +
|
| 122 | +To verify the signatures you must enable policy verification on your cluster. |
| 123 | +Write and apply a VerificationPolicy. |
| 124 | +
|
| 125 | +{{% tabs %}} |
| 126 | +
|
| 127 | +{{% tab "Cosign" %}} |
| 128 | +
|
| 129 | +Verification policy for cosign |
| 130 | +
|
| 131 | +```yaml |
| 132 | +apiVersion: tekton.dev/v1alpha1 |
| 133 | +kind: VerificationPolicy |
| 134 | +metadata: |
| 135 | + name: cosign-policy |
| 136 | + namespace: trusted-resources |
| 137 | +spec: |
| 138 | + resources: |
| 139 | + - pattern: "https://github.com/Yongxuanzhang/sample-tekton-task" |
| 140 | + - pattern: "https://github.com/Yongxuanzhang/sample-tekton-pipeline" |
| 141 | + authorities: |
| 142 | + - name: cosign |
| 143 | + key: |
| 144 | + secretRef: |
| 145 | + name: verification-secrets |
| 146 | + namespace: tekton-pipelines |
| 147 | + mode: enforce |
| 148 | +``` |
| 149 | +
|
| 150 | +{{% /tab %}} |
| 151 | +
|
| 152 | +{{% tab "KMS" %}} |
| 153 | +
|
| 154 | +Verification policy for KMS |
| 155 | +
|
| 156 | +```yaml |
| 157 | +apiVersion: tekton.dev/v1alpha1 |
| 158 | +kind: VerificationPolicy |
| 159 | +metadata: |
| 160 | + name: kms-policy |
| 161 | + namespace: trusted-resources |
| 162 | +spec: |
| 163 | + resources: |
| 164 | + - pattern: "https://github.com/Yongxuanzhang/sample-tekton-task" |
| 165 | + - pattern: "https://github.com/Yongxuanzhang/sample-tekton-pipeline" |
| 166 | + authorities: |
| 167 | + - name: kms |
| 168 | + key: |
| 169 | + kms: |
| 170 | +gcpkms://projects/yongxuan-test/locations/us/keyRings/trusted-task-demo/cryptoKeys/trusted-task/cryptoKeyVersions/1 |
| 171 | + mode: enforce |
| 172 | +``` |
| 173 | +
|
| 174 | +{{% /tab %}} |
| 175 | +
|
| 176 | +{{% /tabs %}} |
| 177 | +
|
| 178 | +Enable trusted resource verification on your cluster. Create the following |
| 179 | +config map: |
| 180 | +
|
| 181 | +```yaml |
| 182 | +piVersion: v1 |
| 183 | +kind: ConfigMap |
| 184 | +metadata: |
| 185 | + name: feature-flags |
| 186 | + namespace: tekton-pipelines |
| 187 | + labels: |
| 188 | + app.kubernetes.io/instance: default |
| 189 | + app.kubernetes.io/part-of: tekton-pipelines |
| 190 | +data: |
| 191 | + trusted-resources-verification-no-match-policy: "fail" |
| 192 | +``` |
| 193 | +
|
| 194 | +And apply it to your cluster. |
| 195 | +
|
| 196 | +
|
| 197 | +## Code samples: |
| 198 | +
|
| 199 | ++ **Sample Task** |
| 200 | +
|
| 201 | ++ **Sample Pipeline** |
| 202 | +
|
| 203 | ++ **Sample PipelineRun for Cosign-signed resource** |
| 204 | +
|
| 205 | ++ **Sample PipelineRun for KMS-signed resources** |
| 206 | +
|
| 207 | +
|
| 208 | +
|
| 209 | +[pipelines-inst]: /docs/pipelines/install/ |
| 210 | +[tkn-inst]: /docs/cli/ |
| 211 | +[kubectl]: https://kubernetes.io/docs/tasks/tools/#kubectl |
| 212 | +[cosign]: https://docs.sigstore.dev/cosign/installation/ |
| 213 | +
|
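Review bot: line 182 of the new file reads `piVersion: v1`, so the `feature-flags` ConfigMap that enables verification cannot be applied at all; it should be `apiVersion: v1`, and since release.yaml already ships a `feature-flags` ConfigMap with other keys, the guide should patch it (`kubectl patch configmap feature-flags -n tekton-pipelines -p '{"data":{"trusted-resources-verification-no-match-policy":"fail"}}'`) rather than tell the reader to apply a replacement that carries only one key. The Cosign tab is internally inconsistent as well: lines 50-55 generate the pair into the cluster Secret `k8s://tekton-chains/signing-secrets` (a namespace nothing in the prerequisites creates) and say only `cosign.pub` is written locally, yet lines 62 and 70 sign with `-K="cosign.key"`, which expects a local private key; either run `cosign generate-key-pair` with no argument or say where `cosign.key` comes from, and mention that the empty password on line 54 leaves that key unencrypted and is for the demo only. The cosign policy on lines 143-146 reads the public key from Secret `verification-secrets` in `tekton-pipelines`, which the guide never creates; add the step (e.g. `kubectl create secret generic verification-secrets -n tekton-pipelines --from-file=cosign.pub`) and state the data key Tekton expects. On line 170 the `gcpkms://` value sits at column 0 under `kms:`, which is not a valid YAML continuation; put it on the same line as the key. Lines 100, 108, 139-140, 164-165 and 170 carry personal identifiers (`yongxuan-test`, `Yongxuanzhang`); use placeholders such as `PROJECT_ID` and an example repository instead. "Sing" on lines 57 and 94 should be "Sign". Finally, the intro promises verification steps, but the "Code samples" section on lines 197-205 is four bold headings with nothing under them and no PipelineRun using the git resolver is shown, so a reader cannot check that `mode: enforce` plus the `fail` no-match policy actually rejects an unsigned or tampered Task; add the samples and a run that demonstrates the rejection, or drop the section.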