Skip to content

Commit

Permalink
[TEP-0091] Add VerificationPolicy types
Browse files Browse the repository at this point in the history
This commit adds VerificationPolicy as a new type under
`pkg/apis/pipeline/v1alpha1`, via VerificationPolicy users can
config public keys in the CRD for resources verification. The mapping
from resources to keys can be done via `pattern`
  • Loading branch information
Yongxuanzhang authored and tekton-robot committed Dec 19, 2022
1 parent 2b3388c commit c39fd32
Show file tree
Hide file tree
Showing 53 changed files with 4,675 additions and 972 deletions.
5 changes: 3 additions & 2 deletions cmd/webhook/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,9 @@ import (

var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
// v1alpha1
v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &resourcev1alpha1.PipelineResource{},
v1alpha1.SchemeGroupVersion.WithKind("Run"): &v1alpha1.Run{},
v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &resourcev1alpha1.PipelineResource{},
v1alpha1.SchemeGroupVersion.WithKind("Run"): &v1alpha1.Run{},
v1alpha1.SchemeGroupVersion.WithKind("VerificationPolicy"): &v1alpha1.VerificationPolicy{},
// v1beta1
v1beta1.SchemeGroupVersion.WithKind("Pipeline"): &v1beta1.Pipeline{},
v1beta1.SchemeGroupVersion.WithKind("Task"): &v1beta1.Task{},
Expand Down
6 changes: 5 additions & 1 deletion config/200-clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,14 @@ rules:
- apiGroups: ["tekton.dev"]
resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "runs", "customruns"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["verificationpolicies"]
verbs: ["get", "list", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers", "customruns/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status"]
resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status", "verificationpolicies/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
# resolution.tekton.dev
- apiGroups: ["resolution.tekton.dev"]
Expand Down Expand Up @@ -92,6 +95,7 @@ rules:
- pipelineresources.tekton.dev
- resolutionrequests.resolution.tekton.dev
- customruns.tekton.dev
- verificationpolicies.tekton.dev
# knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
Expand Down
48 changes: 48 additions & 0 deletions config/300-verificationpolicy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: verificationpolicies.tekton.dev
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
pipeline.tekton.dev/release: "devel"
version: "devel"
spec:
group: tekton.dev
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
# One can use x-kubernetes-preserve-unknown-fields: true
# at the root of the schema (and inside any properties, additionalProperties)
# to get the traditional CRD behaviour that nothing is pruned, despite
# setting spec.preserveUnknownProperties: false.
#
# See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
# See issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
names:
kind: VerificationPolicy
plural: verificationpolicies
singular: verificationpolicy
categories:
- tekton
- tekton-pipelines
scope: Namespaced
17 changes: 11 additions & 6 deletions docs/install.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ This guide explains how to install Tekton Pipelines. It covers the following top
- [Verify Tekton Pipelines release](#verify-tekton-pipelines-release)
- [Verify signatures using `cosign`](#verify-signatures-using-cosign)
- [Verify the tansparency logs using `rekor-cli`](#verify-the-transparency-logs-using-rekor-cli)
- [Verify Tekton Resources](#verify-tekton-resources)
- [Next steps](#next-steps)

## Before you begin
Expand Down Expand Up @@ -271,11 +272,11 @@ data:
## Configuring built-in remote Task and Pipeline resolution

Three remote resolvers are currently provided as part of the Tekton Pipelines installation.
By default, these remote resolvers are disabled. Each resolver is enabled by setting
the appropriate feature flag in the `resolvers-feature-flags` ConfigMap in the `tekton-pipelines-resolvers`
By default, these remote resolvers are disabled. Each resolver is enabled by setting
the appropriate feature flag in the `resolvers-feature-flags` ConfigMap in the `tekton-pipelines-resolvers`
namespace:

1. [The `bundles` resolver](./bundle-resolver.md), enabled by setting the `enable-bundles-resolver`
1. [The `bundles` resolver](./bundle-resolver.md), enabled by setting the `enable-bundles-resolver`
feature flag to `true`.
1. [The `git` resolver](./git-resolver.md), enabled by setting the `enable-git-resolver`
feature flag to `true`.
Expand Down Expand Up @@ -423,9 +424,9 @@ features](#alpha-features) to be used.
- `resource-verification-mode`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
- `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
- `enable-provenance-in-status`: set this flag to "true" to enable recording
the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
field contains metadata about resources used in the TaskRun/PipelineRun such as the
- `enable-provenance-in-status`: set this flag to "true" to enable recording
the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
field contains metadata about resources used in the TaskRun/PipelineRun such as the
source from where a remote Task/Pipeline definition was fetched.
- `custom-task-version`: set this flag to "v1alpha1" to have `PipelineRuns` create `Runs`
Expand Down Expand Up @@ -738,6 +739,10 @@ gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
```
## Verify Tekton Resources
Trusted Resources is a feature to verify Tekton Tasks and Pipelines. The current version of feature supports `v1beta1` `Task` and `Pipeline`. For more details please take a look at [Trusted Resources](./trusted-resources.md).
## Next steps
To get started with Tekton Pipelines, see the [Tekton Pipelines Tutorial](./tutorial.md) and take a look at our [examples](https://github.com/tektoncd/pipeline/tree/main/examples).
Expand Down
Loading

0 comments on commit c39fd32

Please sign in to comment.