operator
Feature Request: Add Tekton Chains addon
Feature request
Tekton Chains runs a separate controller that watches Tekton executions and records/signs details of execution history to better ensure supply chain integrity.
It'd be great if users could instruct the operator to install and configure the chains controller.
Use case
I'm a (human) operator who's sensitive to security, and wants to track and sign provenance information for artifacts built by Tekton Pipelines. Chains looks great, but installing it and upgrading it myself can be a pain, and I'd prefer a (computer) operator to do that for me.
cc @dlorenc
/help wanted
@priyawadhwa FYI
It could be useful even just to sketch out what config would be needed for the operator to install and set up Chains. What inputs to the Operator would be needed to set up Chains, and how many of those steps can be automated?
Inputs to the operator would probably include:
- Method of signing (either tell the operator to generate a key pair for signing, or pass in a secret/KMS reference for signing)
- any non-default configuration
And I believe the following could be automated:
- Installing Chains
- Setting up a public/private key pair for signing as a Secret (assuming the user doesn't want to provide their own signing method)
- setting up the configuration, which would include things like enabling signing and build provenance
Users may have to set up some authentication themselves though -- for example, on GKE if using a KMS key for signing, they'll have to give the Chains service account KMS permissions via Workload Identity.
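The inputs and automatable steps listed in the comment above, sketched as Go code since the operator is written in Go. This is an added example, not code from the Tekton operator or from Chains: the `Manifest` type and the function names are assumptions made so it builds with the standard library alone; the namespace `tekton-chains`, the secret name `signing-secrets` with its `cosign.key`/`cosign.pub`/`cosign.password` entries, and the `chains-config` keys `artifacts.taskrun.format`, `artifacts.taskrun.storage` and `artifacts.oci.storage` follow the Chains documentation. One caveat is built in: the generated private key is written as plain PKCS#8, whereas Chains reads cosign's encrypted key format (normally produced with `cosign generate-key-pair k8s://tekton-chains/signing-secrets`), so a real implementation would swap in that encoding. The `ValidateChainsConfig` check is the part a security-minded operator would want: it refuses user overrides that would quietly switch build provenance off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Manifest is a minimal stand-in for a core/v1 Secret or ConfigMap so this sketch
// builds with the standard library alone (the operator itself would use client-go).
type Manifest struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	StringData map[string]string `json:"stringData,omitempty"`
	Data       map[string]string `json:"data,omitempty"`
}

// Names follow the defaults in the Chains documentation.
const (
	ChainsNamespace = "tekton-chains"
	SigningSecret   = "signing-secrets"
	ChainsConfigMap = "chains-config"
)

// GenerateSigningKeyPair creates a P-256 ECDSA pair, PEM-encoded. The private half
// is plain PKCS#8 here; Chains expects cosign's encrypted key format, not reproduced.
func GenerateSigningKeyPair() (privPEM, pubPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	pubDER, err2 := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil || err2 != nil {
		return nil, nil, fmt.Errorf("encoding key pair: %v / %v", err, err2)
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// SigningSecretManifest lays the pair out under the keys Chains reads.
func SigningSecretManifest(privPEM, pubPEM []byte, password string) Manifest {
	return Manifest{
		APIVersion: "v1", Kind: "Secret",
		Metadata:   map[string]string{"name": SigningSecret, "namespace": ChainsNamespace},
		StringData: map[string]string{"cosign.key": string(privPEM), "cosign.pub": string(pubPEM), "cosign.password": password},
	}
}

// ChainsConfigManifest enables in-toto build provenance for TaskRuns, stored as
// Tekton annotations, then applies any user-supplied overrides on top.
func ChainsConfigManifest(overrides map[string]string) Manifest {
	data := map[string]string{"artifacts.taskrun.format": "in-toto", "artifacts.taskrun.storage": "tekton", "artifacts.oci.storage": "oci"}
	for k, v := range overrides {
		data[k] = v
	}
	return Manifest{
		APIVersion: "v1", Kind: "ConfigMap",
		Metadata:   map[string]string{"name": ChainsConfigMap, "namespace": ChainsNamespace},
		Data:       data,
	}
}

// ValidateChainsConfig rejects overrides that would silently turn provenance off.
func ValidateChainsConfig(data map[string]string) error {
	if data["artifacts.taskrun.format"] != "in-toto" {
		return errors.New("artifacts.taskrun.format must be in-toto for build provenance")
	}
	if data["artifacts.taskrun.storage"] == "" {
		return errors.New("artifacts.taskrun.storage must name a storage backend")
	}
	return nil
}

func main() {
	privPEM, pubPEM, err := GenerateSigningKeyPair()
	if err != nil {
		panic(err)
	}
	// Print both manifests as JSON; they are what an operator would apply to the cluster.
	for _, m := range []Manifest{SigningSecretManifest(privPEM, pubPEM, ""), ChainsConfigManifest(nil)} {
		out, _ := json.MarshalIndent(m, "", "  ")
		fmt.Println(string(out))
	}
}
```

Running it prints a `signing-secrets` Secret and a `chains-config` ConfigMap; the "non-default configuration" input from the list above maps onto the `overrides` argument, which is then validated so that a user cannot pass a format that drops provenance without noticing.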
/assign
cc @concaf
as per discussions /unassign @PuneetPunamiya /assign @concaf
@nikhil-thomas: GitHub didn't allow me to assign the following users: concaf.
Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide
In response to this:
as per discussions /unassign @PuneetPunamiya /assign @concaf
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @concaf
@nikhil-thomas: GitHub didn't allow me to assign the following users: concaf.
Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide
In response to this:
/assign @concaf
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @concaf
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
/remove-lifecycle stale /lifecycle frozen
@nikhil-thomas @concaf correct me if I am wrong, but the latest release integrates chains, and is released, right? 🙃
@vdemeester that is correct, but we could keep this issue open to track a couple of requests that @priyawadhwa made above, specifically:
Setting up a public/private key pair for signing as a Secret (assuming the user doesn't want to provide their own signing method)
@concaf or we may create an issue for each of those, if we can split it into smaller parts, and mark this one as done, as it is done (it is there, but there are possible enhancements)
@concaf Is this issue still valid?
I think it can be closed.