Quick Start
This guide helps new users quickly set up Tekton Chains to secure their CI/CD pipelines by generating and verifying cryptographic signatures for Tekton TaskRuns.
TOC
Introduction
Use Cases
Tekton Chains helps you secure your software supply chain by automatically generating cryptographic signatures for your build artifacts. This quick start demonstrates how to set up Tekton Chains, generate a signing key, run a simple task, and verify its signature.
Estimated Reading Time
10-15 minutes
Important Notes
- Tekton Chains is installed by default in the
tekton-pipelinesnamespace when using Alauda Devops Pipelines Operator - The signing keys should be securely managed; in production environments, consider using a key management system (KMS)
- This guide uses the simplest configuration for demonstration purposes
Prerequisites
- A Kubernetes cluster with Tekton Pipelines and Tekton Chains installed via Alauda Devops Pipelines Operator
kubectlCLI installed and configured to access your clustertkn(Tekton CLI) installedcosignCLI installed (for key generation and signature verification)
Process Overview
| Step | Operation | Description |
|---|---|---|
| 1 | Generate signing keys | Create a key pair for signing artifacts |
| 2 | Configure Tekton Chains | Set up Chains to use the Tekton storage backend |
| 3 | Run a sample task | Create and run a simple TaskRun |
| 4 | Verify the signature | Extract and verify the signature of the TaskRun |
Step-by-Step Instructions
Step 1: Generate Signing Keys
Tekton Chains uses cryptographic keys to sign artifacts. By default, it looks for a secret named signing-secrets in the Chains namespace.
-
Install cosign if you haven't already
-
Generate a key pair and store it as a Kubernetes secret:
You'll be prompted to enter a password, which will be stored in the secret. This command also generates a public key
cosign.pubin the current folder that will be used later during verification. -
Verify the secret was created:
Step 2: Configure Tekton Chains
By default, Tekton Chains is configured to store signatures in an OCI registry. For this quick start, we'll configure it to store signatures as annotations on the TaskRun itself.
-
Configure Chains to use the Tekton storage backend:
-
Set the format to in-toto (SLSA v0.2):
-
Restart the Chains controller to apply the changes:
Step 3: Run a Sample Task
Now let's create a simple TaskRun that Chains will automatically sign.
-
Create a simple Task and TaskRun:
TIPIf working in a air-gapped environment, please modify the image to a local containing
sh. -
Wait for the TaskRun to complete:
Wait until the status shows
Succeeded.
Step 4: Verify the Signature
Once the TaskRun completes, Tekton Chains will automatically sign it. Let's verify the signature.
-
Get the TaskRun UID:
-
Extract the signature:
-
Verify the signature using cosign:
If successful, you'll see
Verified OK. -
Clean up:
Expected Results
After completing this quick start:
- You have a working Tekton Chains setup with a signing key
- Your TaskRuns are automatically signed when they complete
- You can verify the signatures to ensure the integrity of your builds
This demonstrates the basic functionality of Tekton Chains. In a real-world scenario, you would:
- Configure Chains to sign container images and store signatures in your registry
- Set up a verification step in your deployment process
- Potentially use a cloud KMS for more secure key management
For more advanced configurations, refer to the Tekton Chains documentation.