[TEP-0089] - Phase 1 Signed TaskRun Results

Signed-off-by: pxp928 <parth.psu@gmail.com>

cmd/controller/main.go

@@ -61,12 +61,20 @@ func main() {
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
 	flag.StringVar(&opts.Images.WorkingDirInitImage, "workingdirinit-image", "", "The container image containing our working dir init binary.")
 
+	flag.StringVar(&opts.SpireConfig.TrustDomain, "spire-trust-domain", "example.org", "Experimental: The SPIRE Trust domain to use.")
+	flag.StringVar(&opts.SpireConfig.SocketPath, "spire-socket-path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+	flag.StringVar(&opts.SpireConfig.ServerAddr, "spire-server-addr", "spire-server.spire.svc.cluster.local:8081", "Experimental: The SPIRE server address for workload/node registration.")
+	flag.StringVar(&opts.SpireConfig.NodeAliasPrefix, "spire-node-alias-prefix", "/tekton-node/", "Experimental: The SPIRE node alias prefix to use.")
+
 	// This parses flags.
 	cfg := injection.ParseAndGetRESTConfigOrDie()
 
 	if err := opts.Images.Validate(); err != nil {
 		log.Fatal(err)
 	}
+	if err := opts.SpireConfig.Validate(); err != nil {
+		log.Fatal(err)
+	}
 	if cfg.QPS == 0 {
 		cfg.QPS = 2 * rest.DefaultQPS
 	}

cmd/entrypoint/main.go

@@ -34,7 +34,12 @@ import (
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
+	corev1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/injection"
+	"knative.dev/pkg/signals"
 )
 
 var (
@@ -51,6 +56,8 @@ var (
 	onError             = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
+	enableSpire     = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath      = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 const (
@@ -131,6 +138,17 @@ func main() {
 		}
 	}
 
+	var spireWorkloadAPI spire.EntrypointerAPIClient
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		namespace := corev1.NamespaceAll
+		ctx := injection.WithNamespaceScope(signals.NewContext(), namespace)
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+		spireWorkloadAPI = spire.GetEntrypointerAPIClient(ctx)
+		spireWorkloadAPI.SetConfig(spireConfig)
+	}
+
 	e := entrypoint.Entrypointer{
 		Command:         append(cmd, commandArgs...),
 		WaitFiles:       strings.Split(*waitFiles, ","),
@@ -148,6 +166,7 @@ func main() {
 		BreakpointOnFailure: *breakpointOnFailure,
 		OnError:             *onError,
 		StepMetadataDir:     *stepMetadataDir,
+		SpireWorkloadAPI:    spireWorkloadAPI,
 	}
 
 	// Copy any creds injected by the controller into the $HOME directory of the current

cmd/imagedigestexporter/main.go

@@ -20,8 +20,13 @@ import (
 	"encoding/json"
 	"flag"
 
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
+	corev1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/injection"
 	"knative.dev/pkg/logging"
+	"knative.dev/pkg/signals"
 
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	v1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
@@ -31,6 +36,8 @@ import (
 var (
 	images                 = flag.String("images", "", "List of images resources built by task in json format")
 	terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message")
+	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 /* The input of this go program will be a JSON string with all the output PipelineResources of type
@@ -76,6 +83,23 @@ func main() {
 
 	}
 
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		namespace := corev1.NamespaceAll
+		ctx := injection.WithNamespaceScope(signals.NewContext(), namespace)
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+
+		spireWorkloadAPI := spire.GetEntrypointerAPIClient(ctx)
+		spireWorkloadAPI.SetConfig(spireConfig)
+		signed, err := spireWorkloadAPI.Sign(ctx, output)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		output = append(output, signed...)
+	}
+
 	if err := termination.WriteMessage(*terminationMessagePath, output); err != nil {
 		logger.Fatalf("Unexpected error writing message %s to %s", *terminationMessagePath, err)
 	}

config/config-feature-flags.yaml

@@ -81,3 +81,7 @@ data:
   # Setting this flag to "true" enables CloudEvents for Runs, as long as a
   # CloudEvents sink is configured in the config-defaults config map
   send-cloudevents-for-runs: "false"
+  # Setting this flag to "true" enables spire integration with pipeline.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-spire: "false"