
Archivista storage #1

Open. Wants to merge 2 commits into base branch main.

Conversation

colek42 (Member) commented Feb 12, 2025

PR Template

Changes

  • New Feature: Added support for the Archivista storage backend in Chains.
  • Updated default configuration for artifacts:
    • TaskRuns now use in-toto format and default to the archivista storage backend.
    • PipelineRuns now use in-toto format and default to the archivista storage backend.
  • Introduced a new configuration key: storage.archivista.url to specify the Archivista service endpoint.
  • Updated configuration parsing logic and documentation accordingly.

Submitter Checklist

  • User-facing documentation has been updated (see NewConfig-README.md).
  • Tests have been added/updated for all new functionality.
  • Commit messages follow the standard commit message format.
  • The code meets Tekton contributor standards regarding functionality, content, and code style.
  • Release notes have been updated with any user-facing changes.
  • If applicable, the release notes include the string "action required" for any additional steps users must take.

Release Notes

  • New Feature: Chains now supports the Archivista storage backend for both TaskRuns and PipelineRuns.
  • Configuration Changes:
    • artifacts.taskrun.storage and artifacts.pipelinerun.storage now support the value archivista.
    • A new configuration key storage.archivista.url has been introduced to specify the Archivista service endpoint.
  • Action Required:
    Users upgrading to this release who wish to use Archivista must update their chains-config ConfigMap accordingly. Example:
    data:
      artifacts.taskrun.format: in-toto
      artifacts.taskrun.storage: archivista
      artifacts.pipelinerun.format: in-toto
      artifacts.pipelinerun.storage: archivista
      storage.archivista.url: https://archivista.testifysec.io

Review comment by colek42 (Member, Author) on these config lines:

# data:
# artifacts.taskrun.format: tekton
# artifacts.taskrun.storage: tekton
data:

remove this change before upstream PR

@mikhailswift (Member) commented:
Few thoughts:

There are DSSE envelopes being created by chains here:

return b, nil

This is used here:

signer = wrapped

And every payloader I looked at in tree has an implementation of Wrap that returns true

This wrapped signer is being used here:

signature, err := signer.SignMessage(bytes.NewReader(rawPayload))

And that envelope is being passed in as the signature to the StorePayload function here:

if err := b.StorePayload(ctx, tektonObj, rawPayload, string(signature), storageOpts); err != nil {

Reading through this makes it appear as though the envelope is being used as the signature object.

I've spent the last bit of today setting up Tekton and chains locally to test this theory.

I also don't see other storage backends patching kubernetes resources with annotations -- I'm not opposed to it but something that the Red Hat team may or may not bring up.
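The envelope-versus-signature confusion described above can be checked at the storage boundary. The following is an added example, not code from the Chains project or from this PR: ClassifySignature and dsseEnvelope are hypothetical names, while StorePayload and rawPayload are the ones quoted from the PR. It inspects the signature string a StorePayload call receives, tells a DSSE envelope apart from a detached signature, and rejects an envelope whose embedded payload differs from the rawPayload passed alongside it.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// dsseEnvelope is the DSSE envelope layout (payloadType is omitted; it is not needed here).
type dsseEnvelope struct {
	Payload    string `json:"payload"` // base64 of the signed statement
	Signatures []struct {
		Sig string `json:"sig"` // base64 signature over the DSSE PAE, not over Payload itself
	} `json:"signatures"`
}

// ClassifySignature inspects the "signature" string a StorePayload call receives and reports
// whether it is a DSSE envelope (returning the signatures it carries) or a detached signature
// (returned as given). For an envelope, the embedded payload must equal rawPayload.
func ClassifySignature(rawPayload []byte, signature string) (isEnvelope bool, sigs [][]byte, err error) {
	var env dsseEnvelope
	if json.Unmarshal([]byte(signature), &env) != nil || env.Payload == "" || len(env.Signatures) == 0 {
		return false, [][]byte{[]byte(signature)}, nil // not an envelope: treat as a detached signature
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return true, nil, fmt.Errorf("envelope payload: %w", err)
	}
	if !bytes.Equal(payload, rawPayload) {
		return true, nil, fmt.Errorf("envelope payload differs from rawPayload passed to StorePayload")
	}
	for _, s := range env.Signatures {
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		if derr != nil {
			return true, nil, fmt.Errorf("envelope signature: %w", derr)
		}
		sigs = append(sigs, sig)
	}
	return true, sigs, nil
}

func main() {
	// Constructed sample: an in-toto statement inside a DSSE envelope, as chains' wrapped signer emits.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1"}`)
	env := fmt.Sprintf(`{"payloadType":"application/vnd.in-toto+json","payload":%q,"signatures":[{"sig":%q}]}`,
		base64.StdEncoding.EncodeToString(payload), base64.StdEncoding.EncodeToString([]byte("constructed-sig")))
	isEnv, sigs, err := ClassifySignature(payload, env)
	fmt.Println(isEnv, len(sigs), err) // true 1 <nil>
}
```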
