[TEP-0089] Enforce non-falsifiable provenance using SPIRE #6597
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)
jagathprakash added the kind/feature label Apr 28, 2023
wlynch changed the title "Tracking issue for TEP-0089" to "[TEP-0089] Enforce non-falsifiable provenance using SPIRE" Apr 28, 2023
This was referenced Apr 28, 2023
jagathprakash added a commit to jagathprakash/pipeline that referenced this issue May 5, 2023
Inject SpireControllerAPIClient into the controller and the taskrun reconciler. This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue [tektoncd#6597](tektoncd#6597).
jagathprakash added a commit to jagathprakash/pipeline that referenced this issue May 18, 2023
…r and reconciler

This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.

Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.

After this change,
- spireApiController will be available to be used by the pipeline controller and the taskrun object.
- The spireApiController will be updated with the spire config whenever the config changes.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue https://github.com/tektoncd/pipeline/issues/6597.

[TEP-0089] SPIRE for non-falsifiable provenance. Inject SpireControllerAPIClient into the controller and the taskrun reconciler. This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue [tektoncd#6597](tektoncd#6597).
tekton-robot pushed a commit that referenced this issue May 19, 2023
jagathprakash added a commit to jagathprakash/pipeline that referenced this issue Jun 6, 2023
…TR status.

This PR enables the signing and verification of TR results and TR status.

Before this change the spireAPIController object was injected into the TR reconciler but it was not used.

After this change,
- At the start of every reconcile run, the reconciler will verify if the signature on the status can be verified, else it will error out.
- At the end of every reconcile run, the reconciler will sign the status and add it as an annotation.
- When TR results are read from the termination message and converted into TR results, they will be verified.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue tektoncd#6597 SPIRE for non-falsifiable provenance.
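The verify-at-start, sign-at-end cycle described in the commit message above, as an added Go example that is not code from the Tekton repository. A locally generated Ed25519 key stands in for the SPIRE-issued identity; the annotation key, the `TaskRun` struct and the rule that an unsigned object passes only while its status is empty are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const sigAnnotation = "example.dev/status-signature" // hypothetical key, not Tekton's
// TaskRun is a constructed stand-in for the real object.
type TaskRun struct{ Annotations, Status map[string]string }

// VerifyStatus runs at the start of a reconcile and errors out on a bad signature.
func VerifyStatus(tr *TaskRun, pub ed25519.PublicKey) error {
	sig, signed := tr.Annotations[sigAnnotation]
	if !signed && len(tr.Status) == 0 {
		return nil // assumption: first reconcile, nothing has been written yet
	}
	msg, _ := json.Marshal(tr.Status) // map keys are sorted, so the bytes are stable
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(pub, msg, raw) {
		return errors.New("taskrun status signature does not verify")
	}
	return nil
}

// SignStatus runs at the end of a reconcile and stores the signature as an annotation.
func SignStatus(tr *TaskRun, priv ed25519.PrivateKey) {
	if tr.Annotations == nil {
		tr.Annotations = map[string]string{}
	}
	msg, _ := json.Marshal(tr.Status)
	tr.Annotations[sigAnnotation] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
}

// Demo checks an unsigned, a signed and an edited status against one key.
func Demo() (unsigned, clean, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key, stands in for the SPIRE identity
	tr := &TaskRun{Status: map[string]string{"result": "sha256:aaaa"}} // constructed sample
	unsigned = VerifyStatus(tr, pub)
	SignStatus(tr, priv)
	clean = VerifyStatus(tr, pub)
	tr.Status["result"] = "sha256:bbbb" // edit made outside the reconciler
	tampered = VerifyStatus(tr, pub)
	return
}

func main() { fmt.Println(Demo()) }
```

A status that carries data but no signature is rejected just like an edited one, so stripping the annotation does not bypass the check.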
Let's clear the milestone for now, we can bring it back if someone volunteers or we find someone to work on this. We do not have any owner at this time.
This is a tracking bug for the implementation of TEP-0089.
TEP-0089 is a proposal to enforce non-falsifiable provenance using SPIRE.
The PRs created to implement this issue are