docs: add chains integration #3660

Open
wants to merge 1 commit into
base: main
13 changes: 13 additions & 0 deletions content/en/v3/develop/supply-chain-security/_index.md
@@ -0,0 +1,13 @@
---
title: Supply Chain Security
linktitle: Supply Chain Security
type: docs
description: Securing Your Supply Chain in Jenkins X
weight: 200
---

For a CI/CD system like Jenkins X to be an all-in-one solution, it's an essential part to secure supply chain of our users.
We've improved support for generating [SBOMs](https://jenkins-x.io/blog/2022/07/24/intro-to-sbom/) and signing generated artifacts so that you can

* easily generate sboms for released artifacts [in the same approach Jenkins X does](https://jenkins-x.io/community/maintainer_guide/supply-chain-security/) by just modifying the files in your `.lighthouse/jenkins-x` folder
* [sign tekton artifacts using chains](chains/) to sign any [TaskRun](https://tekton.dev/docs/pipelines/taskruns/) in your pipelines.
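Review bot: the opening sentence of the new _index.md body, `it's an essential part to secure supply chain of our users`, is ungrammatical; suggest `securing our users' supply chain is an essential part of being an all-in-one solution`. In the first bullet, `sboms` should be `SBOMs` to match the acronym used in the sentence above it.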
75 changes: 75 additions & 0 deletions content/en/v3/develop/supply-chain-security/chains.md
@@ -0,0 +1,75 @@
---
title: chains
linktitle: chains
type: docs
description: Integration with Tekton Chains
weight: 400
---
Securing your supply chain is not just about verifying the dependencies and eliminating vulnerabilities. It also includes ensuring that the building process was not [compromised during operation](https://slsa.dev/spec/v0.1/threats#d-compromise-build-process).
Jenkins X can be integrated with [Tekton Chains](https://tekton.dev/docs/chains/) to sign [TaskRuns](https://tekton.dev/docs/pipelines/taskruns/) and verifying the it was not tampered.

To add it to your cluster, you should do the following:

1. First go to the cluster git repository where you want to add chains. It is integrated in the JX version stream from a [Helm Chart developed by chainguard](https://github.com/chainguard-dev/tekton-helm-charts/tree/main/charts/tekton-chains).

2. Add this line to the `./helmfile.yaml` of the cluster repo

```yaml
helmfiles:
- path: helmfiles/tekton-chains/helmfile.yaml
```

3. Add this line to the `./helmfile.yaml` of the cluster repo
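Review bot: the second paragraph of chains.md ends with `to sign TaskRuns ... and verifying the it was not tampered`, which is ungrammatical and mixes verb forms; suggest `to sign TaskRuns ... and to verify that they were not tampered with`. Step 3 also repeats step 2 verbatim (same instruction, same `helmfiles/tekton-chains/helmfile.yaml` path), so either the duplicate should be dropped or step 3 should describe the intended next action.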
Contributor

point 2 and 3 look very similar to me


```yaml
helmfiles:
- path: helmfiles/tekton-chains/helmfile.yaml
```

4. Create a `./helmfiles/tekton-chains/helmfile.yaml` file with the following configurations

```yaml
filepath: ""
environments:
default:
values:
- jx-values.yaml
namespace: tekton-chains
repositories:
- name: tekton
url: https://chainguard-dev.github.io/tekton-helm-charts/
releases:
- chart: tekton/tekton-chains
version: 0.2.3
Contributor

Should the version come from versionstream?

name: tekton-chains
values:
- ../../versionStream/charts/chainguard-dev/tekton-chains/values.yaml.gotmpl
- jx-values.yaml
templates: {}
renderedvalues: {}
```

This will update the `versionStream` to include default values from the [jx3-versions](https://github.com/jenkins-x/jx3-versions/tree/master/charts/chainguard-dev/tekton-chains) repository.

5. Create a `./helmfiles/tekton-chains/jx-values.yaml` to include additional configurations to suit your use.

6. As a final step you need to generate your own encrypted x509 keypair and save it as a Kubernetes secret, install [cosign](https://github.com/sigstore/cosign) and run the following:
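Review bot: the sentence after the helmfile block, `This will update the versionStream to include default values from ...`, has the direction reversed: the values entry `../../versionStream/charts/chainguard-dev/tekton-chains/values.yaml.gotmpl` reads defaults from the version stream, it does not update it; suggest `This reads the chart's default values from the versionStream, which mirrors the jx3-versions repository`. Step 6 also calls the key an `encrypted x509 keypair`; `cosign generate-key-pair` produces a cosign key pair (a secret with `cosign.key`, `cosign.pub` and `cosign.password` entries) whose private key is password-encrypted, not an x509 certificate, so `a cosign key pair stored as a Kubernetes secret` would be accurate.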
Contributor

Save in jx namespace?


```bash
cosign generate-key-pair k8s://tekton-chains/signing-secrets
#The secret was created by the helm chart but with empty data
```

## Extra Configurations

In its default mode of operation, Chains works by observing all `TaskRuns` executions in your cluster. When `TaskRuns` complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them as annotations to `TaskRun` itself.

## Verifying the signature

- To verify the signature of the last `TaskRun`, you can run the following

```bash
export TASKRUN_UID=$(tkn tr describe --last -o jsonpath='{.metadata.uid}')
tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload
```
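Review bot: the `Verifying the signature` section stops after writing the signature and payload to files and never shows the verification itself, so a reader cannot complete the check; suggest ending the block with `cosign verify-blob --key cosign.pub --signature ./signature ./payload`, preceded by how to obtain the public key from the secret created in step 6, e.g. `cosign public-key --key k8s://tekton-chains/signing-secrets > cosign.pub`. The `## Extra Configurations` heading above it lists no configuration at all, only the default behaviour of Chains; either rename it (e.g. `How Chains works`) or add the configuration options the heading promises.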