From 95f543154bf171b80d1ca26600532ba7abbf3441 Mon Sep 17 00:00:00 2001
From: James Pace
Date: Thu, 2 Feb 2023 22:22:45 -0500
Subject: [PATCH] Add chains installation and notes.
---
 chains/chains-config.yaml | 18 ++++++++++++++++++
 notes.md | 21 +++++++++++++++++++--
 pipelines/test-report-pipeline.yaml | 2 +-
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 chains/chains-config.yaml
diff --git a/chains/chains-config.yaml b/chains/chains-config.yaml
new file mode 100644
index 0000000..9088190
--- /dev/null
+++ b/chains/chains-config.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+ name: chains-config
+ namespace: tekton-chains
+data:
+ artifacts.taskrun.format: in-toto
+ artifacts.taskrun.storage: tekton
+ artifacts.taskrun.signer: x509
+ artifacts.pipelinerun.format: in-toto
+ artifacts.pipelinerun.storage: tekton
+ artifacts.pipelinerun.signer: x509
+ artifacts.oci.storage: tekton
+ artifacts.oci.signer: x509
+ builder.id: http://tekton.internal.jpace121.net
diff --git a/notes.md b/notes.md
index 3538bdf..84c677b 100644
--- a/notes.md
+++ b/notes.md
@@ -23,6 +23,7 @@ Install Tekton:
 kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
 kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
 kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
+
 ```
 Set up local registry on master. (See below.)
@@ -61,8 +62,7 @@ Apply rest of the CRDs.
 # Set up Tekton Dashboard:
 ```
-curl -sL https://raw.githubusercontent.com/tektoncd/dashboard/main/scripts/release-installer | \
- bash -s -- install latest --read-only
+kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
 ```
 Port forward locally:
 ```
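Review bot: In chains/chains-config.yaml all three `*.storage` keys are set to `tekton`, so signatures and attestations exist only as annotations on the TaskRun/PipelineRun objects and are lost as soon as a run is deleted or pruned. If the pipelines push images, `artifacts.oci.storage: oci` keeps the signature next to the image in the registry instead; whether any task here builds an image is not visible in this patch. The file also carries no comments, so a short header such as `# x509 signer reads x509.pem from the signing-secrets secret in tekton-chains; builder.id is an identifier recorded in provenance, not a fetched URL` would record what the notes.md change only implies.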
@@ -187,6 +187,23 @@ helm install --namespace nfs-subdir-external-provisioner nfs-subdir-external-pro
 --set nfs.path=/srv/nfs
 ```
+# Chains
+Set up:
+```
+kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
+# Apply secret from j7s-intoto.
+# name: signing-secrets namespace: tekton-chains data: x509.pem: base64 of pem
+kubectl apply -f chains-config.yaml
+kubectl rollout restart -n tekton-chains deployment tekton-chains-controller
+```
+
+See:
+```
+export TASKRUN_UID=$(tkn pr describe --namespace j7s-ci --last -o jsonpath='{.metadata.uid}')
+tkn pr describe --namespace j7s-ci --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-pipelinerun-$TASKRUN_UID}" > signature
+tkn pr describe --namespace j7s-ci --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-pipelinerun-$TASKRUN_UID}" | base64 -d > payload
+```
+
 # Future Ideas
 If we later want to do this on an overlay network:
diff --git a/pipelines/test-report-pipeline.yaml b/pipelines/test-report-pipeline.yaml
index 9f94004..0da680c 100644
--- a/pipelines/test-report-pipeline.yaml
+++ b/pipelines/test-report-pipeline.yaml
@@ -39,7 +39,7 @@ spec:
 script: |
 set -x
 cat $(workspaces.source.path)/README.md
- exit -1
+ exit 0
 finally:
 - name: notify-onedev
 params:
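Review bot: The added `exit 0` in pipelines/test-report-pipeline.yaml makes the step report success unconditionally, because the script only sets `set -x` and the explicit exit discards the status of the preceding `cat`. Dropping the `exit 0` line and changing the first line to `set -ex` would let a missing or unreadable README.md fail the step. This matters more now that the same commit has Chains sign PipelineRuns, since the signed record would otherwise describe a step that cannot fail. The step definition starts above the hunk and the `finally` block continues below it.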