[TEP-0091] Add VerificationPolicy types

This commit adds VerificationPolicy as a new type under `pkg/apis/pipeline/v1alpha1`, via VerificationPolicy users can config public keys in the CRD for resources verification. The mapping from resources to keys can be done via `pattern`
tektoncd · Dec 16, 2022 · 08bc762 · 08bc762
1 parent e49199a
commit 08bc762
Show file tree

Hide file tree

Showing 53 changed files with 4,609 additions and 974 deletions.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -51,8 +51,9 @@ import (
 
 var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	// v1alpha1
-	v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &resourcev1alpha1.PipelineResource{},
-	v1alpha1.SchemeGroupVersion.WithKind("Run"):              &v1alpha1.Run{},
+	v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"):   &resourcev1alpha1.PipelineResource{},
+	v1alpha1.SchemeGroupVersion.WithKind("Run"):                &v1alpha1.Run{},
+	v1alpha1.SchemeGroupVersion.WithKind("VerificationPolicy"): &v1alpha1.VerificationPolicy{},
 	// v1beta1
 	v1beta1.SchemeGroupVersion.WithKind("Pipeline"):    &v1beta1.Pipeline{},
 	v1beta1.SchemeGroupVersion.WithKind("Task"):        &v1beta1.Task{},

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -30,11 +30,14 @@ rules:
   - apiGroups: ["tekton.dev"]
     resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "runs", "customruns"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["verificationpolicies"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: ["tekton.dev"]
     resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers", "customruns/finalizers"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   - apiGroups: ["tekton.dev"]
-    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status"]
+    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status", "customruns/status", "verificationpolicies/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   # resolution.tekton.dev
   - apiGroups: ["resolution.tekton.dev"]
@@ -92,6 +95,7 @@ rules:
       - pipelineresources.tekton.dev
       - resolutionrequests.resolution.tekton.dev
       - customruns.tekton.dev
+      - verificationpolicies.tekton.dev
   # knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]

diff --git a/config/300-verificationpolicy.yaml b/config/300-verificationpolicy.yaml
@@ -0,0 +1,48 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: verificationpolicies.tekton.dev
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "devel"
+    version: "devel"
+spec:
+  group: tekton.dev
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        # One can use x-kubernetes-preserve-unknown-fields: true
+        # at the root of the schema (and inside any properties, additionalProperties)
+        # to get the traditional CRD behaviour that nothing is pruned, despite
+        # setting spec.preserveUnknownProperties: false.
+        #
+        # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+        # See issue: https://github.com/knative/serving/issues/912
+        x-kubernetes-preserve-unknown-fields: true
+  names:
+    kind: VerificationPolicy
+    plural: verificationpolicies
+    singular: verificationpolicy
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced
diff --git a/docs/install.md b/docs/install.md
@@ -30,6 +30,7 @@ This guide explains how to install Tekton Pipelines. It covers the following top
 - [Verify Tekton Pipelines release](#verify-tekton-pipelines-release)
     - [Verify signatures using `cosign`](#verify-signatures-using-cosign)
     - [Verify the tansparency logs using `rekor-cli`](#verify-the-transparency-logs-using-rekor-cli)
+- [Verify Tekton Resources](#verify-tekton-resources)
 - [Next steps](#next-steps)
 
 ## Before you begin
@@ -271,11 +272,11 @@ data:
 ## Configuring built-in remote Task and Pipeline resolution
 
 Three remote resolvers are currently provided as part of the Tekton Pipelines installation.
-By default, these remote resolvers are disabled. Each resolver is enabled by setting 
-the appropriate feature flag in the `resolvers-feature-flags` ConfigMap in the `tekton-pipelines-resolvers` 
+By default, these remote resolvers are disabled. Each resolver is enabled by setting
+the appropriate feature flag in the `resolvers-feature-flags` ConfigMap in the `tekton-pipelines-resolvers`
 namespace:
 
-1. [The `bundles` resolver](./bundle-resolver.md), enabled by setting the `enable-bundles-resolver` 
+1. [The `bundles` resolver](./bundle-resolver.md), enabled by setting the `enable-bundles-resolver`
   feature flag to `true`.
 1. [The `git` resolver](./git-resolver.md), enabled by setting the `enable-git-resolver`
    feature flag to `true`.
@@ -423,9 +424,9 @@ features](#alpha-features) to be used.
 - `resource-verification-mode`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
-- `enable-provenance-in-status`: set this flag to "true" to enable recording 
-  the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance` 
-  field contains metadata about resources used in the TaskRun/PipelineRun such as the 
+- `enable-provenance-in-status`: set this flag to "true" to enable recording
+  the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
+  field contains metadata about resources used in the TaskRun/PipelineRun such as the
   source from where a remote Task/Pipeline definition was fetched.
 
 - `custom-task-version`: set this flag to "v1alpha1" to have `PipelineRuns` create `Runs`
@@ -712,6 +713,10 @@ gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init
 gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
 ```
 
+## Verify Tekton Resources
+
+Trusted Resources is a feature to verify Tekton Tasks and Pipelines. The current version of feature supports `v1beta1` `Task` and `Pipeline`. For more details please take a look at [Trusted Resources](./trusted-resources.md).
+
 ## Next steps
 
 To get started with Tekton Pipelines, see the [Tekton Pipelines Tutorial](./tutorial.md) and take a look at our [examples](https://github.com/tektoncd/pipeline/tree/main/examples).