jagathprakash
diff --git a/‎cmd/controller/main.go‎
Lines changed: 8 additions & 0 deletions b/‎cmd/controller/main.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎cmd/imagedigestexporter/main.go‎
Lines changed: 20 additions & 0 deletions b/‎cmd/imagedigestexporter/main.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎config/config-feature-flags.yaml‎
Lines changed: 4 additions & 0 deletions b/‎config/config-feature-flags.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/spire.md‎
Lines changed: 285 additions & 0 deletions b/‎docs/spire.md‎
Lines changed: 285 additions & 0 deletions
diff --git a/‎examples/v1beta1/pipelineruns/4808-regression.yaml‎
Lines changed: 1 addition & 1 deletion b/‎examples/v1beta1/pipelineruns/4808-regression.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/apis/pipeline/options.go‎
Lines changed: 6 additions & 1 deletion b/‎pkg/apis/pipeline/options.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎pkg/pod/pod.go‎
Lines changed: 41 additions & 2 deletions b/‎pkg/pod/pod.go‎
Lines changed: 41 additions & 2 deletions
@@ -62,12 +62,20 @@ func main() {
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
 	flag.StringVar(&opts.Images.WorkingDirInitImage, "workingdirinit-image", "", "The container image containing our working dir init binary.")
 
+	flag.StringVar(&opts.SpireConfig.TrustDomain, "spire-trust-domain", "example.org", "Experimental: The SPIRE Trust domain to use.")
+	flag.StringVar(&opts.SpireConfig.SocketPath, "spire-socket-path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+	flag.StringVar(&opts.SpireConfig.ServerAddr, "spire-server-addr", "spire-server.spire.svc.cluster.local:8081", "Experimental: The SPIRE server address for workload/node registration.")
+	flag.StringVar(&opts.SpireConfig.NodeAliasPrefix, "spire-node-alias-prefix", "/tekton-node/", "Experimental: The SPIRE node alias prefix to use.")
+
 	// This parses flags.
 	cfg := injection.ParseAndGetRESTConfigOrDie()
 
 	if err := opts.Images.Validate(); err != nil {
 		log.Fatal(err)
 	}
+	if err := opts.SpireConfig.Validate(); err != nil {
+		log.Fatal(err)
+	}
 	if cfg.QPS == 0 {
 		cfg.QPS = 2 * rest.DefaultQPS
 	}
 
@@ -17,9 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 	"knative.dev/pkg/logging"
 
@@ -31,6 +34,8 @@ import (
 var (
 	images                 = flag.String("images", "", "List of images resources built by task in json format")
 	terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message")
+	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 /* The input of this go program will be a JSON string with all the output PipelineResources of type
@@ -76,6 +81,21 @@ func main() {
 
 	}
 
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		ctx := context.Background()
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+
+		spireWorkloadAPI := spire.NewEntrypointerAPIClient(&spireConfig)
+		signed, err := spireWorkloadAPI.Sign(ctx, output)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		output = append(output, signed...)
+	}
+
 	if err := termination.WriteMessage(*terminationMessagePath, output); err != nil {
 		logger.Fatalf("Unexpected error writing message %s to %s", *terminationMessagePath, err)
 	}
 
@@ -90,3 +90,7 @@ data:
   # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
   # definition was fetched.
   enable-provenance-in-status: "false"
+  # Setting this flag to "true" enables spire integration with pipeline.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-spire: "false"
@@ -92,4 +92,4 @@ spec:
     name: result-test
   params:
   - name: RESULT_STRING_LENGTH
-    value: "3000"
+    value: "2000"
@@ -16,8 +16,13 @@ limitations under the License.
 
 package pipeline
 
+import (
+	spireconfig "github.com/tektoncd/pipeline/pkg/spire/config"
+)
+
 // Options holds options passed to the Tekton Pipeline controllers
 // typically via command-line flags.
 type Options struct {
-	Images Images
+	Images      Images
+	SpireConfig spireconfig.SpireConfig
 }
@@ -30,6 +30,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"github.com/tektoncd/pipeline/pkg/internal/computeresources/tasklevel"
 	"github.com/tektoncd/pipeline/pkg/names"
+	"github.com/tektoncd/pipeline/pkg/spire"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -120,6 +121,12 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 	featureFlags := config.FromContextOrDefaults(ctx).FeatureFlags
 	alphaAPIEnabled := featureFlags.EnableAPIFields == config.AlphaAPIFields
 
+	// Entrypoint arg to enable or disable spire
+	var commonExtraEntrypointArgs []string
+	if config.FromContextOrDefaults(ctx).FeatureFlags.EnableSpire {
+		commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, "-enable_spire")
+	}
+
 	// Add our implicit volumes first, so they can be overridden by the user if they prefer.
 	volumes = append(volumes, implicitVolumes...)
 	volumeMounts = append(volumeMounts, implicitVolumeMounts...)
@@ -190,11 +197,13 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 	}
 
 	readyImmediately := isPodReadyImmediately(*featureFlags, taskSpec.Sidecars)
+	// append credEntrypointArgs with entrypoint arg that contains if spire is enabled by configmap
+	commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, credEntrypointArgs...)
 
 	if alphaAPIEnabled {
-		stepContainers, err = orderContainers(credEntrypointArgs, stepContainers, &taskSpec, taskRun.Spec.Debug, !readyImmediately)
+		stepContainers, err = orderContainers(commonExtraEntrypointArgs, stepContainers, &taskSpec, taskRun.Spec.Debug, !readyImmediately)
 	} else {
-		stepContainers, err = orderContainers(credEntrypointArgs, stepContainers, &taskSpec, nil, !readyImmediately)
+		stepContainers, err = orderContainers(commonExtraEntrypointArgs, stepContainers, &taskSpec, nil, !readyImmediately)
 	}
 	if err != nil {
 		return nil, err
@@ -275,6 +284,36 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 		return nil, err
 	}
 
+	readonly := true
+	if config.FromContextOrDefaults(ctx).FeatureFlags.EnableSpire {
+		volumes = append(volumes, corev1.Volume{
+			Name: spire.WorkloadAPI,
+			VolumeSource: corev1.VolumeSource{
+				CSI: &corev1.CSIVolumeSource{
+					Driver:   "csi.spiffe.io",
+					ReadOnly: &readonly,
+				},
+			},
+		})
+
+		for i := range stepContainers {
+			c := &stepContainers[i]
+			c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
+				Name:      spire.WorkloadAPI,
+				MountPath: spire.VolumeMountPath,
+				ReadOnly:  true,
+			})
+		}
+		for i := range initContainers {
+			c := &initContainers[i]
+			c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
+				Name:      spire.WorkloadAPI,
+				MountPath: spire.VolumeMountPath,
+				ReadOnly:  true,
+			})
+		}
+	}
+
 	mergedPodContainers := stepContainers
 
 	// Merge sidecar containers with step containers.