Tekton Chains on Power

Sneha Gaonkar
3 min read · Jun 29, 2022


Image credits: https://www.codestudyblog.com/

In today’s world of CI/CD pipelines, software supply chain attacks are rapidly becoming a big problem. Whether you are trying to prevent these attacks, responding to an ongoing one, or recovering from one, knowing what is happening in your CI/CD pipeline is critical.

Tekton Chains is a security subsystem of the Kubernetes Tekton CI/CD pipeline. Chains enables Tekton continuous delivery to securely capture metadata about PipelineRun and TaskRun execution for post-run auditing. In its default mode of operation, Chains works by observing all TaskRun executions in your cluster. When a TaskRun completes, Chains takes a snapshot of it. Chains then converts this snapshot to one or more standard payload formats, signs them, and stores them in a configured backend (in this tutorial, as annotations on the TaskRun itself).

Well, here’s great news for the Power community! Tekton Chains is now officially supported on Power from release v0.10.0 onwards.

Installing Tekton Chains on Power

Prerequisites:

  • A ppc64le OCP cluster for deploying Tekton Chains

You can deploy a Red Hat OpenShift cluster on IBM Power Systems Virtual Servers using steps in this article: https://developer.ibm.com/components/ibm-power/tutorials/install-ocp-on-power-vs/

  • Install Go

git clone https://github.com/rpsene/goconfig.git
cd ./goconfig
source ./go.sh install

  • Install Tekton Pipelines on the cluster

Login to your Openshift cluster UI and install “RedHat OpenShift Pipelines” operator in the OperatorHub section. It will get installed within a few seconds.

  • Install Tekton CLI

curl -LO https://github.com/tektoncd/cli/releases/download/v0.24.0/tkn_0.24.0_Linux_ppc64le.tar.gz
# extract only the tkn binary into /usr/local/bin
sudo tar xvzf tkn_0.24.0_Linux_ppc64le.tar.gz -C /usr/local/bin/ tkn

Installing Tekton Chains

oc login -u <admin-user> -p <password>
oc new-project tekton-chains
# allow the Chains controller service account to run under the nonroot SCC
oc adm policy add-scc-to-user nonroot -z tekton-chains-controller
oc apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
# wait until the controller pod reports Running
oc get pods --namespace tekton-chains --watch

Getting Started with Tekton Chains

In this tutorial, we will be creating a TaskRun, signing it, and storing the signature and the payload as annotations on the TaskRun itself.

Step 1: Generate x509 keypair and save it as a Kubernetes secret

go install github.com/sigstore/cosign/cmd/cosign@latest
cosign generate-key-pair k8s://tekton-chains/signing-secrets

cosign will prompt you for a password, which will be stored in a Kubernetes secret named signing-secrets in the tekton-chains namespace.

Step 2: Configure Tekton Chains

You will need to make sure that OCI storage is disabled and that the TaskRun storage and format are both set to tekton.

oc patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}'
# restart the controller so it picks up the new configuration
oc delete po -n tekton-chains -l app=tekton-chains-controller

Step 3: Create a simple TaskRun

oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml
tkn tr describe --last

Step 4: Retrieve the signature and payload from the TaskRun object

export TASKRUN_UID=$(tkn tr describe --last -o jsonpath='{.metadata.uid}')
# the signature annotation is stored as-is
tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
# the payload annotation is base64-encoded, so decode it before verifying
tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload

Step 5: Verify the signature with cosign

cosign verify-blob --key k8s://tekton-chains/signing-secrets --signature ./signature ./payload

If the output is Verified OK, then we have a verifiable record of the TaskRun!
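Steps 4 and 5 above pull the two Chains annotations out of the TaskRun by hand. The following is an added example, not code from the tutorial or from the Tekton project, that does the same extraction from a TaskRun JSON object (as returned by `oc get taskrun <name> -o json`) and refuses to proceed when Chains has not yet attached both annotations. The sample TaskRun, its UID and its signature value are constructed placeholders.

```python
import base64
import json
import sys

SIG_KEY = "chains.tekton.dev/signature-taskrun-{uid}"
PAY_KEY = "chains.tekton.dev/payload-taskrun-{uid}"


def is_signed(taskrun):
    """True when Chains has attached both the signature and payload annotations."""
    meta = taskrun["metadata"]
    ann = meta.get("annotations") or {}
    uid = meta["uid"]
    return SIG_KEY.format(uid=uid) in ann and PAY_KEY.format(uid=uid) in ann


def extract_chains_artifacts(taskrun):
    """Return (payload_bytes, signature_bytes) ready for `cosign verify-blob`.

    The annotation keys embed the TaskRun UID; the payload annotation is
    base64-encoded while the signature annotation is stored as-is.
    """
    if not is_signed(taskrun):
        raise KeyError("TaskRun %s is not (yet) signed by Chains"
                       % taskrun["metadata"].get("name"))
    meta = taskrun["metadata"]
    ann = meta["annotations"]
    uid = meta["uid"]
    payload = base64.b64decode(ann[PAY_KEY.format(uid=uid)], validate=True)
    return payload, ann[SIG_KEY.format(uid=uid)].encode()


# Constructed sample of a signed TaskRun (placeholder UID and signature).
SAMPLE_UID = "0c8f6d4e-0000-4000-8000-000000000001"
SAMPLE_PAYLOAD = json.dumps({"kind": "TaskRun", "metadata": {"name": "demo-run"}}).encode()
SAMPLE_SIGNATURE = "MEUCIQ-placeholder-signature"
SAMPLE_TASKRUN = {
    "kind": "TaskRun",
    "metadata": {
        "name": "demo-run",
        "uid": SAMPLE_UID,
        "annotations": {
            SIG_KEY.format(uid=SAMPLE_UID): SAMPLE_SIGNATURE,
            PAY_KEY.format(uid=SAMPLE_UID): base64.b64encode(SAMPLE_PAYLOAD).decode(),
        },
    },
}

if __name__ == "__main__":
    # Usage: oc get taskrun <name> -o json | python3 chains_extract.py
    payload, signature = extract_chains_artifacts(json.load(sys.stdin))
    open("payload", "wb").write(payload)
    open("signature", "wb").write(signature)
```

The written files can then be checked exactly as in Step 5 with cosign verify-blob.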

That’s all, folks! Thanks for reading. Hope you found this tutorial helpful :)
