Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 887 Commits
.github		.github
cmd/controller		cmd/controller
config		config
docs		docs
examples		examples
hack		hack
images		images
internal/backport		internal/backport
pkg		pkg
release		release
test		test
vendor		vendor
.gitattributes		.gitattributes
.gitignore		.gitignore
.golangci.yaml		.golangci.yaml
.ko.yaml		.ko.yaml
CONTRIBUTING.md		CONTRIBUTING.md
DEVELOPMENT.md		DEVELOPMENT.md
LICENSE		LICENSE
OWNERS		OWNERS
README.md		README.md
ROADMAP.md		ROADMAP.md
code-of-conduct.md		code-of-conduct.md
go.mod		go.mod
go.sum		go.sum
releases.md		releases.md
tekton.pub		tekton.pub
tekton_chains-color.png		tekton_chains-color.png

Repository files navigation

ℹ️Important
Migrate Images fromgcr.io toghcr.io.
To reduce costs, we've migrated all our new and old Tekton releases to the free tier on ghcr.io/tektoncd.
Read morehere.

Tekton Chains

Supply Chain Security in Tekton Pipelines

Getting Started

Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller thatallows you to manage your supply chain security in Tekton.

In its default mode of operation, Chains works by observing allTaskRuns andPipelineRunsexecutions in your cluster. When they complete, Chains takes a snapshot ofthem. Chains then converts this snapshot to one or more standard payloadformats, signs them and stores them somewhere.

Current features include:

SigningTaskRun andPipelineRun results with user provided cryptographic keys,including theTaskRun orPipelineRun themselves and OCI Images
Attestation formats likeslsa/v1
Signing with a variety of cryptographic key types and services (x509, KMS)
Support for multiple storage backends for signatures

Installation

Prerequisite: you'll needTekton Pipelinesinstalled on your cluster before you install Chains.

To install the latest version of Chains to your Kubernetes cluster, run:

kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml

To install a specific version of Chains, run:

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/${VERSION}/release.yaml

To verify that installation was successful, wait until all Pods have StatusRunning:

kubectl get po -n tekton-chains --watch

NAME                                       READY   STATUS      RESTARTS   AGEtekton-chains-controller-c4f7c57c4-nrjb2   1/1     Running     0          160m

Setup

To finish setting up Chains, please complete the following steps:

Vendor specific documentation

Any additional documentation specific to particular cloud vendors can be foundatdocs/vendor.

Tutorials

To get started with Chains, try out ourgetting started tutorial.

To start signing OCI images and generating signed provenance for them, try oursigned provenance tutorial.

Community tutorials

The Chains community has been hard at work creating tutorials as well:

Dual storage backend setupshowcases how to use multiple storage backends and verify the attestationswithcosign.

Experimental Features

To learn more about experimental features, check outexperimental.md

Want to contribute

We are so excited to have you!

SeeCONTRIBUTING.md for an overview of our processes
SeeDEVELOPMENT.md for how to get started
SeeROADMAP.md for the current roadmap Check out our good firstissues and our help wanted issues to get started!
Seereleases.md for our release cadence and processes

To learn more about Chains: