| 1 | +--- |
| 2 | +title: chains |
| 3 | +linktitle: chains |
| 4 | +type: docs |
| 5 | +description: Integration with Tekton Chains |
| 6 | +weight: 400 |
| 7 | +--- |
| 8 | +Securing your supply chain is not just about verifying the dependencies and eliminating vulnerabilities. It also includes ensuring that the building process was not [compromised during operation](https://slsa.dev/spec/v0.1/threats#d-compromise-build-process). |
| 9 | +Jenkins X can be integrated with [Tekton Chains](https://tekton.dev/docs/chains/) to sign [TaskRuns](https://tekton.dev/docs/pipelines/taskruns/) and verifying the it was not tampered. |
| 10 | + |
| 11 | +To add it to your cluster, you should do the following: |
| 12 | + |
| 13 | +1. First go to the cluster git repository where you want to add chains. It is integrated in the JX version stream from a [Helm Chart developed by chainguard](https://github.com/chainguard-dev/tekton-helm-charts/tree/main/charts/tekton-chains). |
| 14 | + |
| 15 | +2. Add this line to the `./helmfile.yaml` of the cluster repo |
| 16 | + |
| 17 | + ```yaml |
| 18 | + helmfiles: |
| 19 | + - path: helmfiles/tekton-chains/helmfile.yaml |
| 20 | + ``` |
| 21 | +
|
| 22 | +3. Add this line to the `./helmfile.yaml` of the cluster repo |
| 23 | + |
| 24 | + ```yaml |
| 25 | + helmfiles: |
| 26 | + - path: helmfiles/tekton-chains/helmfile.yaml |
| 27 | + ``` |
| 28 | + |
| 29 | +4. Create a `./helmfiles/tekton-chains/helmfile.yaml` file with the following configurations |
| 30 | + |
| 31 | + ```yaml |
| 32 | + filepath: "" |
| 33 | + environments: |
| 34 | + default: |
| 35 | + values: |
| 36 | + - jx-values.yaml |
| 37 | + namespace: tekton-chains |
| 38 | + repositories: |
| 39 | + - name: tekton |
| 40 | + url: https://chainguard-dev.github.io/tekton-helm-charts/ |
| 41 | + releases: |
| 42 | + - chart: tekton/tekton-chains |
| 43 | + version: 0.2.3 |
| 44 | + name: tekton-chains |
| 45 | + values: |
| 46 | + - ../../versionStream/charts/chainguard-dev/tekton-chains/values.yaml.gotmpl |
| 47 | + - jx-values.yaml |
| 48 | + templates: {} |
| 49 | + renderedvalues: {} |
| 50 | + ``` |
| 51 | + |
| 52 | + This will update the `versionStream` to include default values from the [jx3-versions](https://github.com/jenkins-x/jx3-versions/tree/master/charts/chainguard-dev/tekton-chains) repository. |
| 53 | + |
| 54 | +5. Create a `./helmfiles/tekton-chains/jx-values.yaml` to include additional configurations to suit your use. |
| 55 | + |
| 56 | +6. As a final step you need to generate your own encrypted x509 keypair and save it as a Kubernetes secret, install [cosign](https://github.com/sigstore/cosign) and run the following: |
| 57 | + |
| 58 | + ```bash |
| 59 | + cosign generate-key-pair k8s://tekton-chains/signing-secrets |
| 60 | + #The secret was created by the helm chart but with empty data |
| 61 | + ``` |
| 62 | + |
| 63 | +## Extra Configurations |
| 64 | + |
| 65 | +In its default mode of operation, Chains works by observing all `TaskRuns` executions in your cluster. When `TaskRuns` complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them as annotations to `TaskRun` itself. |
| 66 | + |
| 67 | +## Verifying the signature |
| 68 | + |
| 69 | +- To verify the signature of the last `TaskRun`, you can run the following |
| 70 | + |
| 71 | + ```bash |
| 72 | + export TASKRUN_UID=$(tkn tr describe --last -o jsonpath='{.metadata.uid}') |
| 73 | + tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature |
| 74 | + tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload |
| 75 | + ``` |
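Review bot: steps 2 and 3 are the same instruction (both add `helmfiles: - path: helmfiles/tekton-chains/helmfile.yaml` to `./helmfile.yaml`); drop one and renumber the list. In the intro, "to sign TaskRuns and verifying the it was not tampered" should read "to sign TaskRuns and verify that they were not tampered with", and in step 1 "It is integrated in the JX version stream" has no clear referent, so name Tekton Chains explicitly. Step 6 describes the output of `cosign generate-key-pair` as an "encrypted x509 keypair"; cosign produces a password-encrypted private key plus a public key, not an X.509 certificate, so "encrypted signing key pair" is more accurate. The "Verifying the signature" section only extracts the `signature` and `payload` files and never verifies them; add the final check against the public key generated in step 6, e.g. `cosign verify-blob --key cosign.pub --signature signature payload`, otherwise the reader is left without the step that proves the TaskRun was not tampered with. Finally, "Extra Configurations" contains no configuration, only a description of the default mode, so either rename it or move that paragraph above the install steps.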