-
Notifications
You must be signed in to change notification settings - Fork 358
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: osamamagdy <[email protected]>
- Loading branch information
1 parent
0f956c1
commit bbf1819
Showing
2 changed files
with
88 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| --- | ||
| title: Supply Chain Security | ||
| linktitle: Supply Chain Security | ||
| type: docs | ||
| description: Securing Your Supply Chain in Jenkins X | ||
| weight: 200 | ||
| --- | ||
|
|
||
| For a CI/CD system like Jenkins X to be an all-in-one solution, it's an essential part to secure supply chain of our users. | ||
| We've improved support for generating [SBOMs](https://jenkins-x.io/blog/2022/07/24/intro-to-sbom/) and signing generated artifacts so that you can | ||
|
|
||
| * easily generate sboms for released artifacts [in the same approach Jenkins X does](https://jenkins-x.io/community/maintainer_guide/supply-chain-security/) by just modifying the files in your `.lighthouse/jenkins-x` folder | ||
| * [sign tekton artifacts using chains](chains/) to sign any [TaskRun](https://tekton.dev/docs/pipelines/taskruns/) in your pipelines. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| --- | ||
| title: chains | ||
| linktitle: chains | ||
| type: docs | ||
| description: Integration with Tekton Chains | ||
| weight: 400 | ||
| --- | ||
| Securing your supply chain is not just about verifying the dependencies and eliminating vulnerabilities. It also includes ensuring that the building process was not [compromised during operation](https://slsa.dev/spec/v0.1/threats#d-compromise-build-process). | ||
| Jenkins X can be integrated with [Tekton Chains](https://tekton.dev/docs/chains/) to sign [TaskRuns](https://tekton.dev/docs/pipelines/taskruns/) and verifying the it was not tampered. | ||
|
|
||
| To add it to your cluster, you should do the following: | ||
|
|
||
| 1. First go to the cluster git repository where you want to add chains. It is integrated in the JX version stream from a [Helm Chart developed by chainguard](https://github.com/chainguard-dev/tekton-helm-charts/tree/main/charts/tekton-chains). | ||
|
|
||
| 2. Add this line to the `./helmfile.yaml` of the cluster repo | ||
|
|
||
| ```yaml | ||
| helmfiles: | ||
| - path: helmfiles/tekton-chains/helmfile.yaml | ||
| ``` | ||
| 3. Add this line to the `./helmfile.yaml` of the cluster repo | ||
|
|
||
| ```yaml | ||
| helmfiles: | ||
| - path: helmfiles/tekton-chains/helmfile.yaml | ||
| ``` | ||
|
|
||
| 4. Create a `./helmfiles/tekton-chains/helmfile.yaml` file with the following configurations | ||
|
|
||
| ```yaml | ||
| filepath: "" | ||
| environments: | ||
| default: | ||
| values: | ||
| - jx-values.yaml | ||
| namespace: tekton-chains | ||
| repositories: | ||
| - name: tekton | ||
| url: https://chainguard-dev.github.io/tekton-helm-charts/ | ||
| releases: | ||
| - chart: tekton/tekton-chains | ||
| version: 0.2.3 | ||
| name: tekton-chains | ||
| values: | ||
| - ../../versionStream/charts/chainguard-dev/tekton-chains/values.yaml.gotmpl | ||
| - jx-values.yaml | ||
| templates: {} | ||
| renderedvalues: {} | ||
| ``` | ||
|
|
||
| This will update the `versionStream` to include default values from the [jx3-versions](https://github.com/jenkins-x/jx3-versions/tree/master/charts/chainguard-dev/tekton-chains) repository. | ||
|
|
||
| 5. Create a `./helmfiles/tekton-chains/jx-values.yaml` to include additional configurations to suit your use. | ||
|
|
||
| 6. As a final step you need to generate your own encrypted x509 keypair and save it as a Kubernetes secret, install [cosign](https://github.com/sigstore/cosign) and run the following: | ||
|
|
||
| ```bash | ||
| cosign generate-key-pair k8s://tekton-chains/signing-secrets | ||
| #The secret was created by the helm chart but with empty data | ||
| ``` | ||
|
|
||
| ## Extra Configurations | ||
|
|
||
| In its default mode of operation, Chains works by observing all `TaskRuns` executions in your cluster. When `TaskRuns` complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them as annotations to `TaskRun` itself. | ||
|
|
||
| ## Verifying the signature | ||
|
|
||
| - To verify the signature of the last `TaskRun`, you can run the following | ||
|
|
||
| ```bash | ||
| export TASKRUN_UID=$(tkn tr describe --last -o jsonpath='{.metadata.uid}') | ||
| tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature | ||
| tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload | ||
| ``` |