Seedwing Tekton Example

Seedwing can be used with Tekton to evaluate policies checking image signatures and build attestations in your pipeline.

This example provides a few tekton tasks and policies that you can reuse in your own CI pipelines.

The resources referred to in this example can be found here.

Kubernetes setup

To run this example locally, you will need a Kubernetes cluster, the Cosign tool, and the tkn tool.

Procedure

  1. Setting up Tekton

    To set up Tekton, you need to install the pipeline and chains components by running these commands:

    kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.42.0/release.yaml
kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml

  2. You also need to generate keys used to sign artifacts:

    cosign generate-key-pair k8s://tekton-chains/signing-secrets

  3. Configure chains

    To configure chains, run these commands:

    kubectl create configmap tekton-policies --from-file=policies/
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.storage": "oci"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"transparency.enabled": "true"}}'
kubectl delete po -n tekton-chains -l app=tekton-chains-controller

Local container registry

You can use an existing OCI registry or run a local registry using

podman. If you choose to run a local registry, make sure you can access the registry host from within your Kubernetes cluster.

Procedure

  1. Run these commands to start a local registry:

    mkdir -p auth
htpasswd -bBc auth/htpasswd testuser 1234
podman run -p 5000:5000 -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v $PWD/auth:/auth:z -e REGISTRY_STORAGE_DELETE_ENABLED=true -ti registry:2

cat<<EOF > /etc/containers/registries.conf.d/001-testregistry.conf
[[registry]]
location = "my-registry-host:5000"
insecure = true
EOF

Configuring the build pipeline

Once you have Tekton fully set up, you can configure the build pipeline to your liking.

Procedure

  1. To configure the build pipeline, modify the environment variables to match your environment, and then run these commands:

    export REGISTRY=my-registry-host:5000
export REGISTRY_USER=testuser
podman login $REGISTRY -u $REGISTRY_USER --authfile config.json
kubectl create secret generic registry-credentials --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=config.json --from-file=config.json
kubectl create -f tasks
kubectl create -f pipelines

Running a build

Procedure

  1. To run a build, create a pipeline run by running this command:

    kubectl create -f quarkus-pipeline-run.yaml

    This will fetch the source from git as configured in the YAML file and start the build. If the build completes successfully, it will create a container image and push it to the registry as configured in the pipeline run.

    The pipeline will then apply project-specific policies using the swio tool, before applying our policies.

  2. To follow the progress of the pipeline, we can use the tkn tool:

    tkn pipelinerun logs -f

    This will show the logs as the different tasks get executed. Pay attention to the last task (seedwing), as it will fail if policy checks are not passed.