[TEP-0091] Add VerificationPolicy types

This commit adds VerificationPolicy as a new type under
`pkg/apis/pipeline/v1alpha1`, via VerificationPolicy users can have
better experience to config public keys for resources verification.

cmd/webhook/main.go

@@ -51,8 +51,9 @@ import (
 
 var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
  // v1alpha1
- v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &resourcev1alpha1.PipelineResource{},
- v1alpha1.SchemeGroupVersion.WithKind("Run"): &v1alpha1.Run{},
+ v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &resourcev1alpha1.PipelineResource{},
+ v1alpha1.SchemeGroupVersion.WithKind("Run"): &v1alpha1.Run{},
+ v1alpha1.SchemeGroupVersion.WithKind("VerificationPolicy"): &v1alpha1.VerificationPolicy{},
  // v1beta1
  v1beta1.SchemeGroupVersion.WithKind("Pipeline"): &v1beta1.Pipeline{},
  v1beta1.SchemeGroupVersion.WithKind("Task"): &v1beta1.Task{},

config/200-clusterrole.yaml

@@ -28,13 +28,13 @@ rules:
  # Controller needs cluster access to all of the CRDs that it is responsible for
  # managing.
  - apiGroups: ["tekton.dev"]
- resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "runs", "customruns"]
+ resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "runs", "customruns", "verificationpolicies"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
  resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers", "customruns/finalizers"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
- resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status"]
+ resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status", "verificationpolicies/status"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # resolution.tekton.dev
  - apiGroups: ["resolution.tekton.dev"]
@@ -92,6 +92,7 @@ rules:
  - pipelineresources.tekton.dev
  - resolutionrequests.resolution.tekton.dev
  - customruns.tekton.dev
+ - verificationpolicies.tekton.dev
  # knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
  - apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]

config/300-verificationpolicy.yaml

@@ -0,0 +1,52 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: verificationpolicies.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: tekton.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ names:
+ kind: VerificationPolicy
+ plural: verificationpolicies
+ singular: verificationpolicy
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced

docs/pipeline-api.md

@@ -5711,6 +5711,8 @@ Resource Types:
 <ul><li>
 <a href="#tekton.dev/v1alpha1.Run">Run</a>
 </li><li>
+<a href="#tekton.dev/v1alpha1.VerificationPolicy">VerificationPolicy</a>
+</li><li>
 <a href="#tekton.dev/v1alpha1.PipelineResource">PipelineResource</a>
 </li></ul>
 <h3 id="tekton.dev/v1alpha1.Run">Run
@@ -5928,6 +5930,84 @@ RunStatus
 </tr>
 </tbody>
 </table>
+<h3 id="tekton.dev/v1alpha1.VerificationPolicy">VerificationPolicy
+</h3>
+<div>
+<p>VerificationPolicy</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+tekton.dev/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>VerificationPolicy</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.VerificationPolicySpec">
+VerificationPolicySpec
+</a>
+</em>
+</td>
+<td>
+<p>Spec holds the desired state of the VerificationPolicy.</p>
+<br/>
+<br/>
+<table>
+<tr>
+<td>
+<code>resourceAuthorities</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.ResourceAuthority">
+[]ResourceAuthority
+</a>
+</em>
+</td>
+<td>
+<p>Resources defines the patterns of Resources names that should be subject to this policy. For example, we may want to apply this Policy only from a certain github repo. Then the ResourcesPattern should include the path. If using gitresolver, and we want to config keys from a certain git repo. <code>ResourcesPattern</code> can be <code>https://github.com/tektoncd/catalog.git</code>, we will use regex to filter out those resources.
+Resources []ResourcePattern <code>json:&quot;resources&quot;</code></p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tekton.dev/v1alpha1.PipelineResource">PipelineResource
 </h3>
 <div>
@@ -6058,6 +6138,50 @@ the controller, but was unused as there is no controller for PipelineResource.</
 </tr>
 </tbody>
 </table>
+<h3 id="tekton.dev/v1alpha1.Authority">Authority
+</h3>
+<p>
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.ResourceAuthority">ResourceAuthority</a>)
+</p>
+<div>
+<p>The authorities block defines the rules for discovering and
+validating signatures.</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name is the name for this authority.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>key</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.KeyRef">
+KeyRef
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Key defines the type of key to validate the resource.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tekton.dev/v1alpha1.EmbeddedRunSpec">EmbeddedRunSpec
 </h3>
 <p>
@@ -6129,6 +6253,101 @@ structs.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="tekton.dev/v1alpha1.KeyRef">KeyRef
+</h3>
+<p>
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.Authority">Authority</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>secretRef</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretreference-v1-core">
+Kubernetes core/v1.SecretReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SecretRef sets a reference to a secret with the key.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>data</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Data contains the inline public key.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>hashAlgorithm</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>HashAlgorithm always defaults to sha256 if the algorithm hasn&rsquo;t been explicitly set</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="tekton.dev/v1alpha1.ResourceAuthority">ResourceAuthority
+</h3>
+<p>
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.VerificationPolicySpec">VerificationPolicySpec</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>pattern</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Pattern defines a resource pattern. Regex is created to filter resources based on <code>Pattern</code></p>
+</td>
+</tr>
+<tr>
+<td>
+<code>authoritiyList</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.Authority">
+[]Authority
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tekton.dev/v1alpha1.RunSpec">RunSpec
 </h3>
 <p>
@@ -6301,6 +6520,37 @@ Refer Go&rsquo;s ParseDuration documentation for expected format: <a href="https
 <div>
 <p>RunSpecStatusMessage defines human readable status messages for the TaskRun.</p>
 </div>
+<h3 id="tekton.dev/v1alpha1.VerificationPolicySpec">VerificationPolicySpec
+</h3>
+<p>
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.VerificationPolicy">VerificationPolicy</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>resourceAuthorities</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.ResourceAuthority">
+[]ResourceAuthority
+</a>
+</em>
+</td>
+<td>
+<p>Resources defines the patterns of Resources names that should be subject to this policy. For example, we may want to apply this Policy only from a certain github repo. Then the ResourcesPattern should include the path. If using gitresolver, and we want to config keys from a certain git repo. <code>ResourcesPattern</code> can be <code>https://github.com/tektoncd/catalog.git</code>, we will use regex to filter out those resources.
+Resources []ResourcePattern <code>json:&quot;resources&quot;</code></p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="tekton.dev/v1alpha1.PipelineResourceSpec">PipelineResourceSpec
 </h3>
 <p>
@@ -12419,6 +12669,12 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="tekton.dev/v1beta1.TaskRunConditionType">TaskRunConditionType
+(<code>string</code> alias)</h3>
+<div>
+<p>TaskRunConditionType is an enum used to store TaskRun custom conditions
+conditions such as one used in spire results verification</p>
+</div>
 <h3 id="tekton.dev/v1beta1.TaskRunDebug">TaskRunDebug
 </h3>
 <p>