OpenShift Pipelines / SRVKP-7359

Operator should create a Cosign key pair when generateSigningSecret is enabled


      generateSigningSecret: When set to true, the operator generates a Cosign key pair (cosign.key as the private key and cosign.pub as the public key) and stores it in the signing-secrets secret in the tekton-pipelines namespace. This secret is used by the Chains controller to sign Tekton artifacts (TaskRuns, PipelineRuns).

      If the signing-secrets secret is empty, enabling generateSigningSecret creates a new Cosign key pair. If the secret already contains data, enabling generateSigningSecret does not overwrite it.

      If you do not specify generateSigningSecret, it defaults to false; in other words, key generation is disabled by default.
      To enable generateSigningSecret via TektonConfig, add the generateSigningSecret field under spec.chain in your TektonConfig CR.
      For example:
      ```
      apiVersion: operator.tekton.dev/v1
      kind: TektonConfig
      metadata:
        name: config
      spec:
        chain:
          disabled: false
          generateSigningSecret: true # ← set to true to enable Cosign key generation
      ```
    • Pipelines Sprint Pioneers 26

      Story (Required)

      As an admin trying to enhance artifact signing capabilities, I want a Cosign key pair to be generated automatically when generateSigningSecret is enabled, so that I can ensure secure and verifiable artifact signatures.

      Currently the generated signing key is a plain ECDSA key pair. To make signing and verification easier, we want the operator to generate a Cosign key pair instead.

      Background (Required)

      Organizations require robust methods for signing and verifying artifacts to ensure their integrity and provenance. Cosign provides a lightweight mechanism for container image signing and verification. Currently, the operator creates a plain ECDSA key pair, which introduces operational complexity (revocation, rotation).

      Out of scope

      • Key rotation mechanisms
      • Integration with external key management systems
      • Specific key storage implementation details beyond generation
      • Support for key pair types other than Cosign


      Approach (Required)

      • When generateSigningSecret is set to true, trigger automatic Cosign key pair generation
      • Initial changes (PR): https://github.com/tektoncd/operator/pull/2299
      • func GenerateSigningSecrets(ctx context.Context) should return a Cosign private key rather than a plain ECDSA key pair
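      The two behaviours this story pins down, generating cosign.key/cosign.pub only when the signing-secrets secret holds no data and never overwriting an existing secret, are shown below as an added, self-contained Go example. It is not code from the operator or from PR 2299: EnsureSigningSecret, SignPayload and VerifyPayload are hypothetical helpers that operate on the secret's Data map instead of a Kubernetes client, and they use only the standard library. Real Cosign private keys are password-encrypted (scrypt plus NaCl secretbox, PEM type ENCRYPTED SIGSTORE PRIVATE KEY, produced by the sigstore libraries); this example writes an unencrypted PKCS#8 PEM instead, which is the one deliberate simplification. The public key is the same PKIX PEM that cosign.pub uses, and the sample TaskRun payload is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Key names used in the signing-secrets secret, as described in the story.
const (
	PrivateKeyName = "cosign.key"
	PublicKeyName  = "cosign.pub"
)

// EnsureSigningSecret follows the generateSigningSecret contract: an empty
// secret gets a freshly generated key pair, a non-empty one is returned as-is.
// Hypothetical helper: it takes the secret's Data map rather than a client.
// Simplification: the private key is unencrypted PKCS#8, not Cosign's encrypted format.
func EnsureSigningSecret(data map[string][]byte) (map[string][]byte, bool, error) {
	if len(data) > 0 {
		return data, false, nil // never overwrite an existing secret
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Cosign keys are P-256
	if err != nil {
		return nil, false, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, false, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, false, err
	}
	out := map[string][]byte{
		PrivateKeyName: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER}),
		PublicKeyName:  pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}),
	}
	return out, true, nil
}

// SignPayload signs SHA-256(payload) with the cosign.key material (ASN.1 ECDSA).
func SignPayload(privPEM, payload []byte) ([]byte, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("cosign.key: expected a PEM PRIVATE KEY block")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ecKey, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("cosign.key: not an ECDSA key")
	}
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, ecKey, digest[:])
}

// VerifyPayload checks a signature against the cosign.pub material.
func VerifyPayload(pubPEM, payload, sig []byte) (bool, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, errors.New("cosign.pub: expected a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	ecKey, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("cosign.pub: not an ECDSA key")
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(ecKey, digest[:], sig), nil
}

func main() {
	secret, generated, err := EnsureSigningSecret(map[string][]byte{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("first reconcile: generated=%v keys=%d\n", generated, len(secret))
	_, again, _ := EnsureSigningSecret(secret)
	fmt.Printf("second reconcile: generated=%v (existing data kept)\n", again)

	payload := []byte(`{"kind":"TaskRun","name":"build-1"}`) // constructed sample payload
	sig, err := SignPayload(secret[PrivateKeyName], payload)
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyPayload(secret[PublicKeyName], payload, sig)
	fmt.Printf("signature verifies with cosign.pub: %v\n", ok)
}
```

      The second EnsureSigningSecret call is the check a reconcile loop needs: the operator may run it on every pass, and an operator-generated key must never replace a key an admin has already placed in signing-secrets, because Chains signatures already published with the old key would no longer verify.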

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated


      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

      People: rh-ee-pbheeman (Pavan Mandayam Bheeman), jkhelil (abdeljawed khelil), Sai Raju Manthina