OpenShift Pipelines: SRVKP-8639

Complete Trusted Resources (TEP-0091) implementation


    • Implement TEP-0091 for signing and verifying Tekton resources

      Epic Goal

      Implement TEP-0091 Trusted Resources to enable cryptographic verification of Tekton resources (Tasks, Pipelines, etc.) before execution, ensuring resource integrity and authenticity throughout the CI/CD pipeline lifecycle.

      Why is this important?

      • Prevents tampering with pipeline definitions between authoring and execution
      • Moves towards SLSA Level 3 by providing non-falsifiable provenance
      • Protects against unauthorized modifications introduced through mutating webhooks

      Scenarios

      Scenario 1: Sign and Verify Tasks

      As a Task developer
      I want to sign my Tasks and have them verified before execution
      So that users can trust the Tasks are authentic and unmodified

      Scenario 2: Enforce Verification in Production

      As a Platform administrator
      I want to enforce signature verification for all production pipelines
      So that only approved resources execute in sensitive environments

      Scenario 3: Automated Signing in CI/CD

      As a CI/CD system
      I want to automatically sign resources during the build process
      So that all resources are consistently signed without manual intervention

      Acceptance Criteria (Mandatory)

      Functional Requirements

      • [x] VerificationPolicy CRD implementation with enforce/warn/skip modes
      • [x] Signature verification integrated into TaskRun and PipelineRun reconcilers
      • [x] CLI tool for signing and verifying resources
      • [x] Support for multiple key types (local files, KMS providers)
      • [x] Signature storage in resource annotations
      • [ ] Integration with Tekton Chains for automatic signing
      • [ ] Chains automatic signing of Task/Pipeline resources when created/updated
      • [ ] OCI Bundle signature storage and retrieval for Tekton resources
      • [ ] Verification status included in Chains provenance attestations
      • [ ] Support for StepAction resource signing and verification
      • [ ] Key rotation support without breaking existing signatures
      • [ ] Signature caching for performance optimization
      • [ ] Multi-namespace VerificationPolicy support with precedence rules
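      As an added illustration of the first and fifth functional requirements (the VerificationPolicy CRD and signature storage in resource annotations), the following configuration follows the upstream Tekton v1alpha1 VerificationPolicy API as documented by the Tekton project. It is an example added here, not content from this ticket or code from the Tekton project; the namespace, Secret name, source patterns, image reference and signature value are placeholders, and the `feature-flags` key used in the last document is the upstream flag name as understood at the time of writing.

```yaml
# Added example (not part of the ticket): a VerificationPolicy in the upstream
# Tekton v1alpha1 API, a Task carrying its signature annotation, and the flag
# that decides what happens to resources no policy matches.
apiVersion: tekton.dev/v1alpha1
kind: VerificationPolicy
metadata:
  name: prod-tasks-policy
  namespace: prod            # placeholder: the namespace whose runs this policy covers
spec:
  # Each pattern is a regular expression matched against the resource's source.
  # Resources matching none of the patterns fall through to the feature flag below.
  resources:
    - pattern: "https://github.com/example-org/tekton-catalog.git"   # placeholder
    - pattern: "registry.example.com/tekton/catalog/.*"              # placeholder
  authorities:
    - name: release-key
      key:
        # Placeholder Secret; upstream expects the public key under the
        # cosign.pub key of that Secret.
        secretRef:
          name: tekton-release-pubkey
          namespace: tekton-pipelines
        hashAlgorithm: sha256
  # enforce: a failed verification fails the TaskRun/PipelineRun
  # warn:    the failure is recorded on the run's status and execution continues
  mode: enforce
---
# A signed Task: the signer computes the signature over the resource with the
# annotation excluded and stores it in tekton.dev/signature; the reconciler
# recomputes it against the authorities above before the run is created.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: build-image
  namespace: prod
  annotations:
    tekton.dev/signature: "MEUCIQ...placeholder-base64-signature...="   # placeholder
spec:
  steps:
    - name: build
      image: registry.example.com/tools/builder:1.0   # placeholder
      script: |
        make build
---
# Behaviour for resources that match no VerificationPolicy at all.
# Upstream values: ignore (default), warn, fail.
apiVersion: v1
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines
data:
  trusted-resources-verification-no-match-policy: "fail"
```

      A practitioner checking an enforce-mode rollout would look at two things: that every production source pattern is covered by a policy (otherwise the no-match flag, not the policy, decides), and that the Secret referenced by `secretRef` contains only the public key, with the private key kept in the signing system or KMS.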

      CI/Testing Requirements:

      • [ ] Integration tests for Chains resource signing flow
      • [ ] E2E tests for OCI bundle signature storage/retrieval
      • [ ] Security tests for signature tampering scenarios

      Observability Requirements:

      • [ ] Prometheus metrics for signature verification (success/failure/latency)
      • [ ] Structured audit logs for all signing and verification events
      • [ ] Grafana dashboard templates for monitoring verification
      • [ ] Alerts for verification failures and policy violations

      Migration and Tooling:

      • [ ] Resource scanner to identify unsigned resources in cluster
      • [ ] Bulk signing tool for existing resources
      • [ ] Verification status reporting tool
      • [ ] Key rotation automation scripts
      • [ ] Pre-flight validation tool for VerificationPolicies

      Documentation (Expand Release Enablement):

      • [ ] Enterprise deployment guide with key management strategies
      • [ ] Troubleshooting guide for common verification failures
      • [ ] Security best practices for key management
      • [ ] Integration guide with CI/CD systems
      • [ ] Compliance guide for SLSA Level 3 requirements

      Release Technical Enablement

      • [ ] User documentation for signing and verification workflows (partially done; workflow docs missing)
      • [ ] Administrator guide for VerificationPolicy configuration (APIs exist; deployment and operations guide missing)
      • [ ] Migration guide from unsigned to signed resources
      • [ ] Example configurations and best practices

      Dependencies (internal and external)

      Internal

      • Tekton Pipeline
      • Tekton Chains
      • Tekton CLI

      External

      • Sigstore/Cosign for signature generation
      • Cloud KMS providers (GCP, AWS, Azure)
      • OCI Registry support for artifact storage

      Previous Work (Optional):

      • TEP-0091 specification
      • Experimental verification in Pipeline v0.41.0-v0.44.0
      • Existing Chains signing infrastructure for attestations

      Open questions:

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the feature have been validated (performance, resource usage, UX, security and privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams have the skills needed to support the feature in a production environment

              rh-ee-vbobade Vibhav Bobade