Add 0036-trusted-artifacts #195
Conversation
|
@ralphbean, @brianwcook, @arewm PTAL 🙏 |
| were properly used in the parts of the build Pipeline that affect the build outcome, e.g. | ||
| `git-clone` and `buildah` Tasks. | ||
|
|
||
| Trusted Artifacts is inspired by the upcoming work being done by the Tekton Community, |
There was a problem hiding this comment.
@lcarva so the "trusted artifacts" referenced here is different from the upcoming upstream work ? If yes, aren't we a bit afraid there might be some confusion (if it's slightly different and we have to "migrate" from one to the other).
There was a problem hiding this comment.
The upstream work will require changes to the Tekton resources IIUC. I don't think there's a way to avoid a migration. But hopefully, this is isolated to Task definitions and we can switch over without requiring a migration from the user side.
ADR/0036-trusted-artifacts.md
Outdated
| location of the archive and its checksum digests are recorded as a Task result. The process of | ||
| *consuming* a Trusted Artifact extracts such archive, while verying its checksum digest, into a | ||
| volume only accessible to the Task, e.g. `emptyDir`. The name and checksum digest of the archive is | ||
| provided via Task parameters. |
There was a problem hiding this comment.
| provided via Task parameters. | |
| provided via Task parameters. | |
| With the artifact checksums being passed over the task parameters we can ensure that | |
| the artifacts are not being tampered with as they are passed between different pipeline | |
| tasks. |
Trying to summarize our other thread
There was a problem hiding this comment.
TY! I reworded this a bit. Let me know what you think
| process. This is distinct from other build systems where a rigid process prevents users from | ||
| applying such customizations. To support this, Konflux build Pipelines use Trusted Artifacts to | ||
| securely share files between Tasks. Enterprise Contract is then responsible for verifying that | ||
| Trusted Artifacts were properly used in the parts of the build Pipeline that affect the build |
There was a problem hiding this comment.
It also is used to verify that the contents were not tainted by untrusted tasks.
There was a problem hiding this comment.
I think this falls under the "Trusted Artifacts were properly used" comment.
| When the time comes, the Konflux implementation should align with what is provided by the Tekton | ||
| Community and this ADR may need a revision. | ||
|
|
||
| In brief, the processes of *creating* a Trusted Artifact wraps files into an archive. Then, the |
There was a problem hiding this comment.
Do we need to be more specific about what the archive is? These archives also need to be tamper-proof.
There was a problem hiding this comment.
I really don't want this ADR to be a design doc of Trusted Artifacts. I think that belongs somewhere else. https://github.com/konflux-ci/build-trusted-artifacts is likely a good place for it.
|
|
||
| ## Decision | ||
|
|
||
| Sharing files between Tasks is done via Trusted Artifacts backed by OCI storage. |
There was a problem hiding this comment.
Do we want to state that we cannot use the referrer's api here because these archives are generated before we produce an image? I don't know if anyone might wonder about it. (no is a fine response).
There was a problem hiding this comment.
I think that's too low level for this doc.
Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
|
@arewm, I believe I addressed all of your comments. Let me know what you think. (BTW, I don't have merge permission here, so if you're happy with it, please merge 🙏) |
No description provided.