
Add blog post: Keyless Security with Tekton Chains #731

Open

anithapriyanatarajan wants to merge 1 commit into tektoncd:main from anithapriyanatarajan:add-keyless-blog

Add blog post: Keyless Security with Tekton Chains#731
anithapriyanatarajan wants to merge 1 commit into
tektoncd:mainfrom
anithapriyanatarajan:add-keyless-blog

Conversation

@anithapriyanatarajan (Contributor) commented Jun 3, 2026

Changes

Adds a new blog post: Keyless Security with Tekton Chains.

The post explains keyless signing with Tekton Chains in practical terms:

  • What Tekton Chains is and what it signs
  • The keyless / Sigstore identity-based model in a nutshell
  • How keyless works inside Tekton including a Mermaid diagram of the full signing flow
  • How to turn it on (config map snippets)
  • Verifying signatures via Rekor
  • The full menu of signing options (keyless, x509, cosign keypair, KMS)
  • Caveats: OIDC token format, cluster OIDC prerequisite, public vs. private infra, and the need for verification/policy

File added: content/en/blog/2026/keyless-security-with-tekton-chains/index.md

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 3, 2026
@anithapriyanatarajan (Contributor, Author) commented:

/kind documentation

@tekton-robot tekton-robot added the kind/documentation Categorizes issue or PR as related to documentation. label Jun 3, 2026
@vdemeester vdemeester self-assigned this Jun 3, 2026

@vdemeester (Member) left a comment

@tekton-robot commented:
@vdemeester: GitHub didn't allow me to request PR reviews from the following users: arewm, jkhelil.

Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @jkhelil @arewm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 8, 2026

@arewm left a comment

I added some comments and included some from Claude as well.

One thing that I struggle with, especially with how this post ends, is how should consumers treat Chains signatures? Chains has no ability to gate its signing based on whether artifacts are good/bad... this results in similar confusion to recent attacks where compromised npm packages had valid SLSA provenance.

When talking about identities, attestations, and signatures, we need to make sure we don't overly trust the identity/metadata. I view a signature as essentially an "empty" VSA ... but because it is empty, consumers have no ability to consume it to gate anything.

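The gating question raised in the review above, as an added example (editor's code, not part of this PR, the blog post, or Tekton Chains): a consumer-side policy check run over a Tekton Chains-style DSSE/in-toto attestation after the signature and Fulcio certificate have already been verified out of band (for instance by `cosign verify-attestation`). It shows what a valid signature by itself does not decide: whether the signer's OIDC issuer and subject are ones this consumer explicitly trusts, whether the statement's subject digest is actually the artifact being admitted, and whether the provenance content (builder id, resolved source dependency) satisfies a rule. The digest, signer identity, builder id, buildType and repository values are constructed for the example; the field names follow the in-toto Statement v1 and SLSA provenance v1 layout.

```python
"""Consumer-side policy for a Tekton Chains-style attestation.

Added example, not code from Tekton Chains or the blog post under review.
It assumes the DSSE signature and Fulcio certificate were already verified
out of band; what remains is the part a valid signature does not decide.
Sample values below are constructed, not real Tekton or Sigstore output.
"""
import base64
import json
from dataclasses import dataclass

# Constructed sample values (assumptions for the example).
ARTIFACT_DIGEST = "sha256:" + "ab" * 32
SIGNER_IDENTITY = {  # what a verifier reads from the Fulcio certificate (SAN + issuer ext)
    "subject": "https://kubernetes.io/namespaces/tekton-chains/serviceaccounts/tekton-chains-controller",
    "issuer": "https://container.googleapis.com/v1/projects/example/locations/us-central1/clusters/demo",
}
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://tekton.dev/chains/v2/slsa",  # assumed value
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example/app", "digest": {"gitCommit": "c0ffee"}}
            ],
        },
        "runDetails": {"builder": {"id": "https://tekton.dev/chains/v2"}},  # assumed value
    },
}
ENVELOPE = {  # DSSE envelope; signature bytes are a placeholder, verified elsewhere
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
}


@dataclass
class Policy:
    allowed_issuers: set
    allowed_subjects: set
    builder_id: str
    source_prefixes: tuple = ("git+https://github.com/example/",)
    predicate_type: str = "https://slsa.dev/provenance/v1"


def decode_dsse(envelope: dict) -> dict:
    """Unwrap a DSSE envelope into the in-toto statement it carries."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate(envelope: dict, signer: dict, artifact_digest: str, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means 'admit'."""
    violations = []
    # 1. Pin the identity, not merely "a valid Fulcio cert": both the OIDC
    #    issuer and the subject must be ones this consumer explicitly trusts.
    if signer.get("issuer") not in policy.allowed_issuers:
        violations.append(f"untrusted OIDC issuer {signer.get('issuer')!r}")
    if signer.get("subject") not in policy.allowed_subjects:
        violations.append(f"untrusted signer subject {signer.get('subject')!r}")
    try:
        stmt = decode_dsse(envelope)
    except (ValueError, KeyError) as exc:
        return violations + [f"malformed envelope: {exc}"]
    # 2. The statement must be about the artifact being admitted.
    algo, _, want = artifact_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == want for s in stmt.get("subject", [])):
        violations.append("attestation subject does not cover this artifact digest")
    # 3. Only a predicate type we know how to evaluate counts as evidence.
    if stmt.get("predicateType") != policy.predicate_type:
        violations.append(f"unsupported predicateType {stmt.get('predicateType')!r}")
        return violations
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy.builder_id:
        violations.append(f"unexpected builder id {builder!r}")
    # 4. Gate on provenance content: the build must come from an allowed source.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(policy.source_prefixes) for d in deps):
        violations.append("no resolved dependency from an allowed source repository")
    return violations


DEFAULT_POLICY = Policy(
    allowed_issuers={SIGNER_IDENTITY["issuer"]},
    allowed_subjects={SIGNER_IDENTITY["subject"]},
    builder_id="https://tekton.dev/chains/v2",
)

if __name__ == "__main__":
    print(evaluate(ENVELOPE, SIGNER_IDENTITY, ARTIFACT_DIGEST, DEFAULT_POLICY))  # []
    swapped = dict(SIGNER_IDENTITY, issuer="https://token.actions.githubusercontent.com")
    print(evaluate(ENVELOPE, swapped, ARTIFACT_DIGEST, DEFAULT_POLICY))
```

Run as a script it prints `[]` for the constructed happy path and one violation when the issuer is swapped for a GitHub Actions issuer; the same envelope presented for a different artifact digest, or an envelope whose `payloadType` is not in-toto, is rejected as well. The gate lives in `evaluate`: the signature only establishes which identity Chains held when it signed, and a policy has to decide what that identity plus the predicate contents are allowed to admit.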
@anithapriyanatarajan anithapriyanatarajan force-pushed the add-keyless-blog branch 4 times, most recently from 94830ea to 3b11a01 Compare June 9, 2026 17:02
Adds a polished blog post explaining keyless signing with Tekton Chains,
including how the Fulcio/Rekor OIDC flow works inside Tekton, configuration,
verification, and a mermaid architecture diagram of the signing flow.
@anithapriyanatarajan (Contributor, Author) commented:

/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 10, 2026

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • kind/documentation: Categorizes issue or PR as related to documentation.
  • size/L: Denotes a PR that changes 100-499 lines, ignoring generated files.

4 participants