Alauda DevOps Pipelines Docs
  • English

    • Quick Start

    This guide helps new users quickly set up Tekton Chains to secure their CI/CD pipelines by generating and verifying cryptographic signatures for Tekton TaskRuns.

    TOC

    IntroductionUse CasesEstimated Reading TimeImportant NotesPrerequisitesProcess OverviewStep-by-Step InstructionsStep 1: Generate Signing KeysStep 2: Configure Tekton ChainsStep 3: Run a Sample TaskStep 4: Verify the SignatureExpected Results

    Introduction

    Use Cases

    Tekton Chains helps you secure your software supply chain by automatically generating cryptographic signatures for your build artifacts. This quick start demonstrates how to set up Tekton Chains, generate a signing key, run a simple task, and verify its signature.

    Estimated Reading Time

    10-15 minutes

    Important Notes

    • Tekton Chains is installed by default in the tekton-pipelines namespace when using Alauda Devops Pipelines Operator
    • The signing keys should be securely managed; in production environments, consider using a key management system (KMS)
    • This guide uses the simplest configuration for demonstration purposes

    Prerequisites

    • A Kubernetes cluster with Tekton Pipelines and Tekton Chains installed via Alauda Devops Pipelines Operator
    • kubectl CLI installed and configured to access your cluster
    • tkn (Tekton CLI) installed
    • cosign CLI installed (for key generation and signature verification)

    Process Overview

    StepOperationDescription
    1Generate signing keysCreate a key pair for signing artifacts
    2Configure Tekton ChainsSet up Chains to use the Tekton storage backend
    3Run a sample taskCreate and run a simple TaskRun
    4Verify the signatureExtract and verify the signature of the TaskRun

    Step-by-Step Instructions

    Step 1: Generate Signing Keys

    Tekton Chains uses cryptographic keys to sign artifacts. By default, it looks for a secret named signing-secrets in the Chains namespace.

    1. Install cosign if you haven't already

    2. Generate a key pair and store it as a Kubernetes secret:

      cosign generate-key-pair k8s://tekton-pipelines/signing-secrets

      You'll be prompted to enter a password, which will be stored in the secret. This command also generates a public key cosign.pub in the current folder that will be used later during verification.

    3. Verify the secret was created:

      kubectl get secret signing-secrets -n tekton-pipelines

    Step 2: Configure Tekton Chains

    By default, Tekton Chains is configured to store signatures in an OCI registry. For this quick start, we'll configure it to store signatures as annotations on the TaskRun itself.

    1. Configure Chains to use the Tekton storage backend:

      kubectl patch configmap chains-config -n tekton-pipelines -p='{"data":{"artifacts.taskrun.storage": "tekton"}}'

    2. Set the format to in-toto (SLSA v0.2):

      kubectl patch configmap chains-config -n tekton-pipelines -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

    3. Restart the Chains controller to apply the changes:

      kubectl delete pod -n tekton-pipelines -l app=tekton-chains-controller

    Step 3: Run a Sample Task

    Now let's create a simple TaskRun that Chains will automatically sign.

    1. Create a simple Task and TaskRun:

      cat <<EOF | kubectl apply -f -
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: hello-world
spec:
  steps:
    - name: hello
      image: alpine
      script: |
        #!/bin/sh
        
        echo 'Hello, Tekton Chains!'
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: hello-world-run
spec:
  taskRef:
    name: hello-world
EOF
      TIP

      If working in a air-gapped environment, please modify the image to a local containing sh.

    2. Wait for the TaskRun to complete:

      kubectl get taskrun hello-world-run -w

      Wait until the status shows Succeeded.

    Step 4: Verify the Signature

    Once the TaskRun completes, Tekton Chains will automatically sign it. Let's verify the signature.

    1. Get the TaskRun UID:

      export TASKRUN_UID=$(kubectl get taskrun hello-world-run -o jsonpath='{.metadata.uid}')

    2. Extract the signature:

      kubectl get taskrun hello-world-run -o jsonpath="{.metadata.annotations.chains\\.tekton\\.dev/signature-taskrun-$TASKRUN_UID}" | base64 -d > signature

    3. Verify the signature using cosign:

      cosign verify-blob-attestation \
  --key cosign.pub \
  --signature signature \
  --type slsaprovenance \
  --check-claims=false \
  --insecure-ignore-tlog \
  /dev/null

      If successful, you'll see Verified OK.

    4. Clean up:

      kubectl delete taskrun hello-world-run
kubectl delete task hello-world

    Expected Results

    After completing this quick start:

    • You have a working Tekton Chains setup with a signing key
    • Your TaskRuns are automatically signed when they complete
    • You can verify the signatures to ensure the integrity of your builds

    This demonstrates the basic functionality of Tekton Chains. In a real-world scenario, you would:

    1. Configure Chains to sign container images and store signatures in your registry
    2. Set up a verification step in your deployment process
    3. Potentially use a cloud KMS for more secure key management

    For more advanced configurations, refer to the Tekton Chains documentation.