
[TEP-0089] - Phase 2 Signed TaskRun Status #4828

Closed
wants to merge 7 commits into from

Conversation

pxp928
Member

@pxp928 pxp928 commented May 3, 2022

Signed-off-by: pxp928 <parth.psu@gmail.com>

Changes

Authors - @pxp928 and @lumjjb

In association with TEP-0089: Non-falsifiable provenance support

This PR is the implementation of Phase 2 of the TEP-0089: Non-falsifiable provenance support

This PR builds on Phase 1 [TEP-0089] - Phase 1 Signed TaskRun Results - #4759 so that must be merged first.

Phase 2

  • Implement Signed TaskRuns with SPIRE
  • Add support for Chains verifying Signed TaskRuns

Continuation of phase 1 of TEP-0089. This PR adds signed TaskRuns by adding an annotation to the TaskRun Status. This only allows changes from the pipeline controller to be valid. All other interactions will be marked as not valid and fail the SPIRE verification.

Once Tekton Pipeline completes, Chains will run to verify that both the TaskRun Results and the TaskRun are validated by SPIRE. If they do not pass the check, Chains will not sign the TaskRun.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

  • Added TaskRun Status annotations to track the validity of the signed TaskRun
  • Utilizes pipeline controller spire SVID, status hash and signature
  • Pipeline controller continuously validates the TaskRun Status for any modifications
  • Tekton Chains will validate the results and status of the TaskRun after completion

Please provide feedback and improvements!
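The status-signing scheme the description outlines (hash the TaskRun Status, have the controller sign the hash, store both as annotations, and fail verification on any edit not made by the controller), as an added Go example that is not the PR's or Tekton's code. It uses an Ed25519 key pair in place of the controller's SPIRE SVID, skips the SVID trust-bundle and SPIFFE ID checks a real verifier performs, and the `Status` type and annotation names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Status is a minimal stand-in for a TaskRun Status: the signed content plus the
// two annotations this example adds (names are constructed, not the PR's real keys).
type Status struct {
	Fields map[string]string // status content covered by the hash
	Hash   string            // annotation: base64 SHA-256 of Fields
	Sig    string            // annotation: base64 controller signature over Hash
}

// hashStatus hashes Fields canonically (json.Marshal sorts map keys); the annotations
// are not part of the hash, so it stays stable once they are written.
func hashStatus(s Status) []byte {
	b, _ := json.Marshal(s.Fields) // a map[string]string cannot fail to marshal
	sum := sha256.Sum256(b)
	return sum[:]
}

// Sign records the hash and the controller's signature over it in the annotations;
// key stands in for the private key of the controller's SPIRE SVID.
func Sign(s *Status, key ed25519.PrivateKey) {
	digest := hashStatus(*s)
	s.Hash = base64.StdEncoding.EncodeToString(digest)
	s.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(key, digest))
}

// Verify recomputes the hash and checks both the recorded hash and the signature
// with the controller's public key; an edit by anything else fails verification.
func Verify(s Status, pub ed25519.PublicKey) bool {
	digest := hashStatus(s)
	sig, err := base64.StdEncoding.DecodeString(s.Sig)
	return err == nil && s.Hash == base64.StdEncoding.EncodeToString(digest) &&
		ed25519.Verify(pub, digest, sig)
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	st := Status{Fields: map[string]string{"podName": "build-pod", "startTime": "2022-05-03T10:00:00Z"}}
	Sign(&st, key)
	fmt.Println("controller-signed status verifies:", Verify(st, pub)) // true
	st.Fields["podName"] = "other-pod" // changed by something other than the controller
	fmt.Println("edited status verifies:", Verify(st, pub)) // false
}
```

In the real design the public key comes from the controller's SVID certificate, which the verifier must additionally chain to the SPIRE trust bundle before trusting the signature.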

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 3, 2022
@tekton-robot tekton-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 3, 2022
@tekton-robot
Collaborator

Hi @pxp928. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pxp928 pxp928 changed the title [TEP-0089] - Phase 2 Signed TaskRun [TEP-0089] - Phase 2 Signed TaskRun Status May 3, 2022
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 6, 2022
@pritidesai pritidesai added this to the Pipelines v0.37 milestone Jun 1, 2022
@dibyom
Member

dibyom commented Jun 14, 2022

Clearing the milestone for now since we need to merge the Phase I implementation first.

pxp928 and others added 3 commits July 28, 2022 11:29
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
* added unit tests with fakeworkloadAPI

Signed-off-by: pxp928 <parth.psu@gmail.com>

* added fixes based on open comments

Signed-off-by: pxp928 <parth.psu@gmail.com>
@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign jerop after the PR has been reviewed.
You can assign the PR to them by writing /assign @jerop in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 29, 2022
@pxp928 pxp928 force-pushed the spire-phase-2 branch 9 times, most recently from 56e68e2 to c1a96d2 Compare July 29, 2022 03:52
pxp928 added 3 commits July 29, 2022 10:20
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>
@tekton-robot
Collaborator

@pxp928: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2022
@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 31, 2022
@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 30, 2022
@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

@tekton-robot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
