tkn-admcontroller is an admission controller that checks and verifies sigstore-style cryptographic signatures on Tekton Pipeline / TaskRun YAML files.
⚠️ Not ready for use yet!

tkn-admcontroller is still under active development. You're welcome to kick the tyres, but it is advised not to use it until 1.0 is released.
Install cert-manager by running the following command:

```shell
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
```
Install Tekton by running the following command:

```shell
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
```
Once all Tekton and cert-manager services are in a Running state (check with `kubectl get pods --all-namespaces`), we can proceed to deploy the Tekton admission controller.
Several approaches are possible here: you can use the existing image we have available, build an image yourself, or build with ko directly from your local source code (the last being better suited to development workflows).
To use the existing image, `demo/deployment.yaml` requires the following entry (this is already the default):

```yaml
spec:
  containers:
  - name: server
    image: ghcr.io/opensecuresupplychain/tkn-admission-controllers:0.0.2
```
This requires the registry access credentials to be placed in `demo/secrets.yaml`. Run the following commands:

```shell
# replace <oci-registry> with your container registry url
# replace <api-key> with your api key
# replace <api-user> with your username
# replace <email-address> with your email
export oci_secret=$(kubectl create secret --dry-run=client -o yaml docker-registry registry-key --docker-server=<oci-registry> --docker-password=<api-key> --docker-username=<api-user> --docker-email=<email-address>)
# assuming you're in the root directory; quote the variable so the YAML keeps its line breaks
echo "$oci_secret" > demo/secrets.yaml
```
If you built your own image, update the image reference in `demo/deployment.yaml`:

```yaml
spec:
  containers:
  - name: server
    image: <your-image>
```
Change directory to the `demo` folder and run the `deploy.sh` script:

```shell
# change directory
cd demo/
# change permission for the deploy script
chmod u+x deploy.sh
# run the script
./deploy.sh
```
To build with ko, make sure you install ko and that it's in your `$PATH`.

Set up a local registry following the steps outlined here.

Set the following environment variable:

```shell
export KO_DOCKER_REPO="localhost:5000/mypipeline"
```

Run `deploy.sh`; the script will sense that ko is installed and deploy from `config/100-deployment.yaml`.
- Create a keypair with cosign: `cosign generate-key-pair`
- Upload the public key as a secret: `kubectl create secret generic cosign-pub --from-file=./cosign.pub`
- Sign the pipeline file with the k8s sigstore manifest tool: `kubectl-sigstore sign -k cosign.key -f my-manifest.yaml`
- This will generate a signed file: `my-manifest.yaml.signed`
- Deploy the pipeline / taskrun: `kubectl apply -f my-manifest.yaml.signed`
Example:

```console
$ kubectl apply -f my-manifest.yaml.signed
pipeline.tekton.dev/tekton-pipeline configured
$ kubectl apply -f my-manifest.yaml
Error from server: error when creating "manifest.yaml": admission webhook "pipeline-validation.default.svc" denied the request: signature or message annotation not found
$ kubectl apply -f bad-manifest.yaml.signed
Error from server: error when creating "test-bad-sig.yaml": admission webhook "pipeline-validation.default.svc" denied the request: Signature validation failed
```