
Feature Request: Add Tekton Chains addon

Open imjasonh opened this issue 3 years ago • 17 comments

Feature request

Tekton Chains runs a separate controller that watches Tekton executions and records/signs details of execution history to better ensure supply chain integrity.

It'd be great if users could instruct the operator to install and configure the chains controller.

Use case

I'm a (human) operator who's sensitive to security, and wants to track and sign provenance information for artifacts built by Tekton Pipelines. Chains looks great, but installing it and upgrading it myself can be a pain, and I'd prefer a (computer) operator to do that for me.

cc @dlorenc

imjasonh avatar Jun 02 '21 18:06 imjasonh

/help wanted

nikhil-thomas avatar Aug 12 '21 12:08 nikhil-thomas

@priyawadhwa FYI

It could be useful even just to sketch out what config would be needed for the operator to install and set up Chains. What inputs to the Operator would be needed to set up Chains, and how many of those steps can be automated?

imjasonh avatar Aug 12 '21 17:08 imjasonh

Inputs to the operator would probably include:

  • Method of signing (either tell the operator to generate a key pair for signing, or pass in a secret/KMS reference for signing)
  • any non-default configuration

And I believe the following could be automated:

  • Installing Chains
  • Setting up a public/private key pair for signing as a Secret (assuming the user doesn't want to provide their own signing method)
  • setting up the configuration, which would include things like enabling signing and build provenance

Users may have to set up some authentication themselves though -- for example, on GKE if using a KMS key for signing, they'll have to give the Chains service account KMS permissions via Workload Identity.

priyawadhwa avatar Aug 12 '21 17:08 priyawadhwa
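As an added illustration (not code from this thread or from the Tekton operator project), the following manifests show the resources that "install and set up Chains" boils down to, following the inputs and automatable steps listed in the comment above. The namespace, Secret name, config keys and service-account name are taken from the Tekton Chains configuration as documented upstream; the key material, GCP project and KMS URI are placeholders.

```yaml
# 1. Signing material. This is what `cosign generate-key-pair
#    k8s://tekton-chains/signing-secrets` writes when the user lets the
#    operator generate a key pair instead of supplying a KMS reference.
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-chains
type: Opaque
stringData:
  cosign.key: |
    -----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
    <PLACEHOLDER: generated, passphrase-encrypted private key>
    -----END ENCRYPTED SIGSTORE PRIVATE KEY-----
  cosign.pub: |
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: matching public key, the only part verifiers need>
    -----END PUBLIC KEY-----
  cosign.password: "<PLACEHOLDER: passphrase protecting cosign.key>"
---
# 2. Non-default configuration: turn on signing and provenance for
#    TaskRuns, PipelineRuns and OCI images, and select the signer.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  artifacts.taskrun.format: in-toto
  artifacts.taskrun.storage: tekton
  artifacts.taskrun.signer: x509      # x509 = key pair from signing-secrets above
  artifacts.pipelinerun.format: in-toto
  artifacts.pipelinerun.storage: tekton
  artifacts.pipelinerun.signer: x509
  artifacts.oci.format: simplesigning
  artifacts.oci.storage: oci
  artifacts.oci.signer: x509
  # KMS alternative: the reference is user input, the operator cannot mint it.
  # artifacts.taskrun.signer: kms
  # signers.kms.kmsref: gcpkms://projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING>/cryptoKeys/<KEY>
---
# 3. The step that stays manual on GKE: binding the Chains controller's
#    service account to a GCP identity that holds the KMS signer role,
#    via Workload Identity. The GCP service account is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-chains-controller
  namespace: tekton-chains
  annotations:
    iam.gke.io/gcp-service-account: <PLACEHOLDER>@<PROJECT>.iam.gserviceaccount.com
```

Whichever path the operator automates, only `cosign.pub` should ever leave the cluster; `cosign.key` and `cosign.password` stay in the Secret and are read solely by the Chains controller. With the KMS path there is no private key in the cluster at all, which is why the Workload Identity binding cannot be skipped: without it the controller has nothing to sign with and signed provenance silently stops appearing.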

/assign

PuneetPunamiya avatar Sep 13 '21 09:09 PuneetPunamiya

cc @concaf

nikhil-thomas avatar Oct 25 '21 13:10 nikhil-thomas

as per discussions /unassign @PuneetPunamiya /assign @concaf

nikhil-thomas avatar Oct 29 '21 07:10 nikhil-thomas

@nikhil-thomas: GitHub didn't allow me to assign the following users: concaf.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to this:

as per discussions /unassign @PuneetPunamiya /assign @concaf

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Oct 29 '21 07:10 tekton-robot

/assign @concaf

nikhil-thomas avatar Oct 29 '21 07:10 nikhil-thomas

@nikhil-thomas: GitHub didn't allow me to assign the following users: concaf.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to this:

/assign @concaf

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Oct 29 '21 07:10 tekton-robot

/assign @concaf

concaf avatar Oct 29 '21 07:10 concaf

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jan 27 '22 07:01 tekton-robot

/remove-lifecycle stale

PuneetPunamiya avatar Jan 27 '22 08:01 PuneetPunamiya

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Apr 27 '22 09:04 tekton-robot

/remove-lifecycle stale /lifecycle frozen

imjasonh avatar Apr 27 '22 15:04 imjasonh

@nikhil-thomas @concaf correct me if I am wrong, but the latest release integrates chains, and is released, right? 🙃

vdemeester avatar Apr 27 '22 16:04 vdemeester

@vdemeester that is correct, but we could keep this issue open to track a couple of requests that @priyawadhwa made above, specifically:

Setting up a public/private key pair for signing as a Secret (assuming the user doesn't want to provide their own signing method)

concaf avatar Apr 27 '22 16:04 concaf

@concaf or we may create an issue for each of those, if we can split it into smaller parts, and mark this one as done as it is done (it is there, but there are possible enhancements)

vdemeester avatar Apr 27 '22 16:04 vdemeester

@concaf Is this issue still valid?

jkandasa avatar Jun 06 '23 16:06 jkandasa

I think it can be closed.

vdemeester avatar Jun 13 '23 12:06 vdemeester