[TEP-0089] Enable SPIRE for signing taskrun results in alpha.

Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.

Author: jagathprakash

cmd/imagedigestexporter/main.go

@@ -33,7 +33,8 @@ var (
 	terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message")
 )
 
-/* The input of this go program will be a JSON string with all the output PipelineResources of type
+/*
+The input of this go program will be a JSON string with all the output PipelineResources of type
 Image, which will include the path to where the index.json file will be located. The program will
 read the related index.json file(s) and log another JSON string including the name of the image resource
 and the digests.

config/config-feature-flags.yaml

@@ -95,3 +95,7 @@ data:
   # `PipelineRun` status with name, kind, and API version information for each `TaskRun` and
   # `Run` in the `PipelineRun` instead. Set it to "both" to do both.
   embedded-status: "full"
+  # Setting this flag to "true" enables spire integration with pipeline.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-spire: "false"

config/config-spire.yaml

@@ -0,0 +1,49 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-spire
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    # This block is not actually functional configuration,
+    # but serves to illustrate the available configuration
+    # options and document them in a way that is accessible
+    # to users that `kubectl edit` this config map.
+    #
+    # These sample configuration options may be copied out of
+    # this example block and unindented to be in the data block
+    # to actually change the configuration.
+    #
+    # spire-trust-domain specifies the SPIRE trust domain to use.
+    # spire-trust-domain: "example.org"
+    #
+    # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
+    # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
+    #
+    # spire-server-addr specifies the SPIRE server address for workload/node registration.
+    # spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
+    #
+    # spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
+    # spire-node-alias-prefix: "/tekton-node/"

config/controller.yaml

@@ -116,6 +116,8 @@ spec:
           value: feature-flags
         - name: CONFIG_LEADERELECTION_NAME
           value: config-leader-election
+        - name: CONFIG_SPIRE
+          value: config-spire
         - name: CONFIG_TRUSTED_RESOURCES_NAME
           value: config-trusted-resources
         - name: SSL_CERT_FILE

docs/spire.md

@@ -92,4 +92,4 @@ spec:
     name: result-test
   params:
   - name: RESULT_STRING_LENGTH
-    value: "3000"
+    value: "2000"

examples/v1beta1/pipelineruns/4808-regression.yaml

@@ -57,6 +57,11 @@ ${PREFIX}/deepcopy-gen \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
   -i github.com/tektoncd/pipeline/pkg/apis/config
 
+${PREFIX}/deepcopy-gen \
+  -O zz_generated.deepcopy \
+  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
+  -i github.com/tektoncd/pipeline/pkg/spire/config
+
 ${PREFIX}/deepcopy-gen \
   -O zz_generated.deepcopy \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \

hack/update-codegen.sh

@@ -0,0 +1,83 @@
+/*
+Copyright 2022 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"fmt"
+	"os"
+
+	sc "github.com/tektoncd/pipeline/pkg/spire/config"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	// SpireConfigMapName is the name of the trusted resources configmap
+	SpireConfigMapName = "config-spire"
+
+	// SpireTrustDomain is the key to extract out the SPIRE trust domain to use
+	SpireTrustDomain = "spire-trust-domain"
+	// SpireSocketPath is the key to extract out the SPIRE agent socket for SPIFFE workload API
+	SpireSocketPath = "spire-socket-path"
+	// SpireServerAddr is the key to extract out the SPIRE server address for workload/node registration
+	SpireServerAddr = "spire-server-addr"
+	// SpireNodeAliasPrefix is the key to extract out the SPIRE node alias prefix to use
+	SpireNodeAliasPrefix = "spire-node-alias-prefix"
+
+	// SpireTrustDomainDefault is the default value for the SpireTrustDomain
+	SpireTrustDomainDefault = "example.org"
+	// SpireSocketPathDefault is the default value for the SpireSocketPath
+	SpireSocketPathDefault = "unix:///spiffe-workload-api/spire-agent.sock"
+	// SpireServerAddrDefault is the default value for the SpireServerAddr
+	SpireServerAddrDefault = "spire-server.spire.svc.cluster.local:8081"
+	// SpireNodeAliasPrefixDefault is the default value for the SpireNodeAliasPrefix
+	SpireNodeAliasPrefixDefault = "/tekton-node/"
+)
+
+// NewSpireConfigFromMap creates a Config from the supplied map
+func NewSpireConfigFromMap(data map[string]string) (*sc.SpireConfig, error) {
+	cfg := &sc.SpireConfig{}
+	var ok bool
+	if cfg.TrustDomain, ok = data[SpireTrustDomain]; !ok {
+		cfg.TrustDomain = SpireTrustDomainDefault
+	}
+	if cfg.SocketPath, ok = data[SpireSocketPath]; !ok {
+		cfg.SocketPath = SpireSocketPathDefault
+	}
+	if cfg.ServerAddr, ok = data[SpireServerAddr]; !ok {
+		cfg.ServerAddr = SpireServerAddrDefault
+	}
+	if cfg.NodeAliasPrefix, ok = data[SpireNodeAliasPrefix]; !ok {
+		cfg.NodeAliasPrefix = SpireNodeAliasPrefixDefault
+	}
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("failed to parse SPIRE configmap: %w", err)
+	}
+	return cfg, nil
+}
+
+// NewSpireConfigFromConfigMap creates a Config from the supplied ConfigMap
+func NewSpireConfigFromConfigMap(configMap *corev1.ConfigMap) (*sc.SpireConfig, error) {
+	return NewSpireConfigFromMap(configMap.Data)
+}
+
+// GetSpireConfigName returns the name of Spire ConfigMap
+func GetSpireConfigName() string {
+	if e := os.Getenv("CONFIG_SPIRE"); e != "" {
+		return e
+	}
+	return SpireConfigMapName
+}

pkg/apis/config/spire_config.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2021 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config_test
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/tektoncd/pipeline/pkg/apis/config"
+	test "github.com/tektoncd/pipeline/pkg/reconciler/testing"
+	sc "github.com/tektoncd/pipeline/pkg/spire/config"
+	"github.com/tektoncd/pipeline/test/diff"
+)
+
+func TestNewSpireConfigFromConfigMap(t *testing.T) {
+	type testCase struct {
+		expectedConfig *sc.SpireConfig
+		fileName       string
+	}
+
+	testCases := []testCase{
+		{
+			expectedConfig: &sc.SpireConfig{
+				TrustDomain:     "test.com",
+				SocketPath:      "unix:///spiffe-workload-api/test-spire-agent.sock",
+				ServerAddr:      "test-spire-server.spire.svc.cluster.local:8081",
+				NodeAliasPrefix: "/test-tekton-node/",
+			},
+			fileName: config.GetSpireConfigName(),
+		},
+	}
+
+	for _, tc := range testCases {
+		verifyConfigFileWithExpectedSpireConfig(t, tc.fileName, tc.expectedConfig)
+	}
+}
+
+func TestNewSpireConfigFromEmptyConfigMap(t *testing.T) {
+	SpireConfigEmptyName := "config-spire-empty"
+	expectedConfig := &sc.SpireConfig{
+		TrustDomain:     "example.org",
+		SocketPath:      "unix:///spiffe-workload-api/spire-agent.sock",
+		ServerAddr:      "spire-server.spire.svc.cluster.local:8081",
+		NodeAliasPrefix: "/tekton-node/",
+	}
+	verifyConfigFileWithExpectedSpireConfig(t, SpireConfigEmptyName, expectedConfig)
+}
+
+func verifyConfigFileWithExpectedSpireConfig(t *testing.T, fileName string, expectedConfig *sc.SpireConfig) {
+	cm := test.ConfigMapFromTestFile(t, fileName)
+	if ab, err := config.NewSpireConfigFromConfigMap(cm); err == nil {
+		if d := cmp.Diff(ab, expectedConfig); d != "" {
+			t.Errorf("Diff:\n%s", diff.PrintWantGot(d))
+		}
+	} else {
+		t.Errorf("NewSpireConfigFromConfigMap(actual) = %v", err)
+	}
+}

pkg/apis/config/spire_config_test.go

@@ -19,6 +19,7 @@ package config
 import (
 	"context"
 
+	sc "github.com/tektoncd/pipeline/pkg/spire/config"
 	"knative.dev/pkg/configmap"
 )
 
@@ -33,6 +34,7 @@ type Config struct {
 	ArtifactPVC      *ArtifactPVC
 	Metrics          *Metrics
 	TrustedResources *TrustedResources
+	SpireConfig      *sc.SpireConfig
 }
 
 // FromContext extracts a Config from the provided context.
@@ -56,13 +58,16 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 	artifactPVC, _ := NewArtifactPVCFromMap(map[string]string{})
 	metrics, _ := newMetricsFromMap(map[string]string{})
 	trustedresources, _ := NewTrustedResourcesConfigFromMap(map[string]string{})
+	spireconfig, _ := NewSpireConfigFromMap(map[string]string{})
+
 	return &Config{
 		Defaults:         defaults,
 		FeatureFlags:     featureFlags,
 		ArtifactBucket:   artifactBucket,
 		ArtifactPVC:      artifactPVC,
 		Metrics:          metrics,
 		TrustedResources: trustedresources,
+		SpireConfig:      spireconfig,
 	}
 }
 
@@ -91,6 +96,7 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 				GetArtifactPVCConfigName():      NewArtifactPVCFromConfigMap,
 				GetMetricsConfigName():          NewMetricsFromConfigMap,
 				GetTrustedResourcesConfigName(): NewTrustedResourcesConfigFromConfigMap,
+				GetSpireConfigName():            NewSpireConfigFromConfigMap,
 			},
 			onAfterStore...,
 		),
@@ -131,6 +137,10 @@ func (s *Store) Load() *Config {
 	if trustedresources == nil {
 		trustedresources, _ = NewTrustedResourcesConfigFromMap(map[string]string{})
 	}
+	spireconfig := s.UntypedLoad(GetSpireConfigName())
+	if spireconfig == nil {
+		spireconfig, _ = NewSpireConfigFromMap(map[string]string{})
+	}
 
 	return &Config{
 		Defaults:         defaults.(*Defaults).DeepCopy(),
@@ -139,5 +149,6 @@ func (s *Store) Load() *Config {
 		ArtifactPVC:      artifactPVC.(*ArtifactPVC).DeepCopy(),
 		Metrics:          metrics.(*Metrics).DeepCopy(),
 		TrustedResources: trustedresources.(*TrustedResources).DeepCopy(),
+		SpireConfig:      spireconfig.(*sc.SpireConfig).DeepCopy(),
 	}
 }