Alauda DevOps Pipelines Docs

Authentication for Chains

TOC

Overview

Authentication must be set up to take advantage of the following features in Chains:

  • Pushing signatures to an OCI registry after signing an image
  • Using Fulcio to get Signing Certificates when utilizing Keyless signing

OCI Registry Authentication

To push to an OCI registry, the Chains controller will look for credentials in two places:

  1. In the pod executing your Task
  2. In the service account configured to run your Task

Creating Registry Credentials

Create a Secret based on existing credentials

If you already ran docker login, you can copy the credentials stored in config.json into Kubernetes.

NOTE

Make sure that any external credentials store, such as the native keychain of the operating system, is not used to store the credentials and the config.json is of the format:

{
 "auths": {
   "<registry>": {
     "auth": "redacted"
   }
 }
}

Create a secret with config.json:

kubectl create secret generic docker-registry \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson \
    -n $NAMESPACE

Create a Secret by providing credentials on the command line

First, you will need access to credentials for your registry (they are in a file called credentials.json in this example). Then, create a Docker config type Kubernetes secret:

kubectl create secret docker-registry registry-credentials \
  --docker-server=<gcr.io> \
  --docker-username=<username> \
  --docker-email=<email> \
  --docker-password=<password> \
  -n $NAMESPACE

Set the config.json key

$ DOCKER_CONFIG=$(kubectl get secret -n $NAMESPACE $REGISTRY_CREDENTIALS -o jsonpath='{.data.\.dockerconfigjson}')
$ kubectl patch secret -n $NAMESPACE $REGISTRY_CREDENTIALS -p "{\"data\":{\"config.json\":\"$DOCKER_CONFIG\"}}"

Setting up credentials using the pod

Using Pod Template

Tekton supports specifying a Pod template to customize the Pod running your Task. You must supply the Pod template when starting your Task with the cli or embedding it into your TaskRun.

An example TaskRun configured with the registry-credentials secret:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: mytaskrun
  namespace: default
spec:
  taskRef:
    name: mytask
  podTemplate:
    imagePullSecrets:
    - name: registry-credentials

Using ServiceAccount

Give the service account access to the secret:

kubectl patch serviceaccount $SERVICE_ACCOUNT_NAME \
  -p "{\"secrets\": [{\"name\": \"registry-credentials\"}]}" -n $NAMESPACE

Now, Chains has push permissions for any TaskRuns running under the service account $SERVICE_ACCOUNT_NAME.

TIP

The secrets in the imagePullSecrets attribute of the ServiceAccount are also taken into account. However, other Tekton components may not do so. The secrets attribute is the recommended approach.

Fulcio Authentication for Keyless Signing

NOTE
  • This method requires the environment to access the Internet.
  • If you have deployed private Fulcio services, you can also use these capabilities by adjusting the related configurations.
  • About deploying private Fulcio services is not in the scope of this document, please refer to the relevant documentation.

Basic Configuration

The default deployment will work against public Fulcio assuming it is installed into an EKS or GKE cluster. You will just need to add the following to chains-config ConfigMap data section in the tekton-chains namespace:

signers.x509.fulcio.enabled: "true"

Custom Fulcio Endpoint

If you are running your own instance of Fulcio, you need to configure Fulcio for this. You need to additionally point Chains to your fulcio instance by adding this to chains-config:

signers.x509.fulcio.address: <"http://fulcio.fulcio-system.svc">

References