TektonChain custom resource allows user to install and manage Tekton Chains.
It is recommended to install the component through TektonConfig.
-
TektonChain CR is as below
- On Kubernetes, TektonChain CR is as below:
apiVersion: operator.tekton.dev/v1alpha1 kind: TektonChain metadata: name: chain spec: disabled: false targetNamespace: tekton-pipelines
- On OpenShift, TektonChain CR is as below:
apiVersion: operator.tekton.dev/v1alpha1 kind: TektonChain metadata: name: chain spec: disabled: false targetNamespace: openshift-pipelines
-
Check the status of installation using following command:
kubectl get tektonchains.operator.tekton.dev
There are some fields which you can define on Tekton Chains CR to configure the behaviour of the chains If nothing is set, the operator sets these default properties: artifacts.taskrun.format: in-toto artifacts.taskrun.storage: oci artifacts.oci.storage: oci artifacts.oci.format: simplesigning artifacts.pipelinerun.format: in-toto artifacts.pipelinerun.storage: oci
-
targetNamespace
Setting this field to provide the namespace in which you want to install the chains component.
These fields don't have default values so will be considered only if user passes them. By default, Operator won't add these fields in CR and won't configure for chains.
The Default values for some of these fields are already set in chains and are not set by Operator. If user passes some values then those will be set for the particular field.
Details of the field can be found in Tekton Chains Config
Chains CR will look like this after providing all the fields.
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonChain
metadata:
name: chain
spec:
disabled: false
targetNamespace: tekton-pipelines
generateSigningSecret: true # default value: false
controllerEnvs:
- name: MONGO_SERVER_URL # This is the only field supported at the moment which is optional and when added by user, it is added as env to Chains controller
value: #value # This can be provided same as env field of container
artifacts.taskrun.format: in-toto # default value: in-toto
artifacts.taskrun.storage: tekton,oci (comma separated values) # default value: oci
artifacts.taskrun.signer: x509
artifacts.oci.storage: oci (comma separated values)
artifacts.oci.format: simplesigning
artifacts.oci.signer: x509
artifacts.pipelinerun.format: in-toto # default value: in-toto
artifacts.pipelinerun.storage: tekton,oci (comma separated values) # default value: oci
artifacts.pipelinerun.signer: x509
artifacts.pipelinerun.enable-deep-inspection: #value (boolean - true/false)
storage.gcs.bucket: #value
storage.oci.repository: #value
storage.oci.repository.insecure: #value (boolean - true/false)
storage.docdb.url: #value
storage.docdb.mongo-server-url: #value
storage.docdb.mongo-server-url-dir: #value
storage.grafeas.projectid: #value
storage.grafeas.noteid: #value
storage.grafeas.notehint: #value
builder.id: #value
builddefinition.buildtype: #value
signers.x509.fulcio.enabled: #value (boolean - true/false)
signers.x509.fulcio.address: #value
signers.x509.fulcio.issuer: #value
signers.x509.fulcio.provider: #value
signers.x509.identity.token.file: #value
signers.x509.tuf.mirror.url: #value
signers.kms.kmsref: #value
signers.kms.auth.address: #value
signers.kms.auth.token: #value
signers.kms.auth.token-path: #value
signers.kms.auth.oidc.path: #value
signers.kms.auth.oidc.role: #value
signers.kms.auth.spire.sock: #value
signers.kms.auth.spire.audience: #value
transparency.enabled: #value (boolean - true/false)
transparency.url: #value
disabled
: if the value set astrue
, chains feature will be disabled (default:false
)generateSigningSecret
: If set to true, the operator will generate an ECDSA key pair (x509.pem private key and x509-pub.pem public key) and store it in the "signing-secrets" secret in the "tekton-pipelines" namespace. the secret is used by chains controller to sign tekton artifacts(taskruns, pipelineruns). it is important to mention that:
- The user should retrieve and store in a safe place the x509-pub.pem public key to verify later artifact attestations.
- the operator doesnt provide any function about key rotation to limit potential security issues
- the operator doesnt provide any function for auditing key usage
- the operator doesnt provide any function for proper access control to the key