Supply Chain Security in Tekton Pipelines
tektoncd/chains
ℹ️ Important
Migrate Images from gcr.io to ghcr.io.
To reduce costs, we've migrated all our new and old Tekton releases to the free tier on ghcr.io/tektoncd.
Read more here.
Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton.
In its default mode of operation, Chains works by observing all TaskRuns and PipelineRuns executions in your cluster. When they complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them somewhere.
Current features include:
- Signing TaskRun and PipelineRun results with user provided cryptographic keys, including the TaskRun or PipelineRun themselves and OCI Images
- Attestation formats like slsa/v1
- Signing with a variety of cryptographic key types and services (x509, KMS)
- Support for multiple storage backends for signatures
Prerequisite: you'll need Tekton Pipelines installed on your cluster before you install Chains.
To install the latest version of Chains to your Kubernetes cluster, run:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml
To install a specific version of Chains, run:
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/${VERSION}/release.yaml
To verify that installation was successful, wait until all Pods have Status Running:
kubectl get po -n tekton-chains --watch
NAME READY STATUS RESTARTS AGE
tekton-chains-controller-c4f7c57c4-nrjb2 1/1 Running 0 160m
To finish setting up Chains, please complete the following steps:
- Add authentication to the Chains controller
- Generate a cryptographic key and configure Chains to use it for signing
- Set up any additional configuration
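A scripted form of the version-pinned install and Pod readiness check described above, extended to compare the downloaded manifest against a SHA-256 digest before applying it. This is an added example, not part of the Chains project; the function names, the vX.Y.Z version pattern and the operator-recorded digest are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Chains project. Assumptions: versions look
# like vX.Y.Z, and the expected digest is one you recorded yourself after
# reviewing that version's release.yaml (it is not a published value).

BASE_URL="https://storage.googleapis.com/tekton-releases/chains/previous"

# Print the manifest URL for a pinned version. Anything that is not vX.Y.Z
# ("latest", path segments, whitespace) is rejected before it reaches the URL.
chains_release_url() {
  case "$1" in ''|*[!v0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s/%s/release.yaml\n' "$BASE_URL" "$1"
}

# Succeed only if the file's SHA-256 equals the expected hex digest.
sha256_matches() {
  sm_actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$sm_actual" ] && [ "$sm_actual" = "$2" ]
}

# Usage: install_chains VERSION EXPECTED_SHA256
install_chains() {
  ic_url=$(chains_release_url "$1") || { echo "bad version: $1" >&2; return 1; }
  ic_manifest=$(mktemp) || return 1
  if ! curl --fail --silent --show-error --location --proto '=https' \
        --output "$ic_manifest" "$ic_url"; then
    rm -f "$ic_manifest"; return 1
  fi
  if ! sha256_matches "$ic_manifest" "$2"; then
    echo "digest mismatch for $ic_url; nothing applied" >&2
    rm -f "$ic_manifest"; return 1
  fi
  # Apply the reviewed file itself, then block until every Pod in the
  # tekton-chains namespace reports Ready instead of watching by eye.
  kubectl apply --filename "$ic_manifest" &&
    kubectl wait pod --all --namespace tekton-chains \
      --for=condition=Ready --timeout=300s
  ic_status=$?
  rm -f "$ic_manifest"
  return "$ic_status"
}

# Run only when invoked as: sh install-chains.sh install VERSION SHA256
if [ "${1:-}" = "install" ]; then
  shift
  install_chains "$@"
fi
```

Record the digest once, when you review a release's manifest, and reuse it for every cluster that installs that version.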
Any additional documentation specific to particular cloud vendors can be found at docs/vendor.
To get started with Chains, try out our getting started tutorial.
To start signing OCI images and generating signed provenance for them, try our signed provenance tutorial.
The Chains community has been hard at work creating tutorials as well:
- Dual storage backend setup showcases how to use multiple storage backends and verify the attestations with cosign.
To learn more about experimental features, check out experimental.md
We are so excited to have you!
- See CONTRIBUTING.md for an overview of our processes
- See DEVELOPMENT.md for how to get started
- See ROADMAP.md for the current roadmap. Check out our good first issues and our help wanted issues to get started!
- See releases.md for our release cadence and processes
To learn more about Chains:
