feat: support protected repositories with Tekton Chains provenance#136
Open
minmzzhang wants to merge 1 commit into
Add support for cloning source code from protected (private) Git repositories in the Tekton supply-chain pipeline. Credentials are stored in Vault and delivered to the pipeline via an ExternalSecret that generates .git-credentials and .gitconfig files for the git-clone task's basic-auth workspace.

Supply-chain chart changes:
- Add init task (skopeo pre-flight image check, skip rebuild)
- Add optional git-auth workspace and Chains provenance results (CHAINS-GIT_URL, CHAINS-GIT_COMMIT, IMAGE_URL, IMAGE_DIGEST)
- Add ExternalSecret for git credentials (Opaque with .git-credentials)
- Conditionally attach git-credentials secret to pipeline SA
- Add skopeo image to tasks.images for the init task
- Migrate all Tekton resources from v1beta1 to v1 API

Generator and feature fragments:
- Add protected-repos feature fragment with git.credentials overrides and qtodo.repository placeholder
- Add --git-repo CLI argument to gen-feature-variants.py (required when protected-repos feature is enabled)
- Add ignoreDifferences for Tekton Task/Pipeline defaulted fields to the supply-chain feature fragment

Default values-hub.yaml:
- Extend hub-supply-chain-jwt-secret Vault policy to cover secret/data/hub/supply-chain/*
- Add commented-out Tekton ignoreDifferences, git.credentials overrides, and qtodo.repository override

Documentation:
- Update docs/supply-chain.md with protected repos setup, generator --git-repo usage, and git-auth workspace selection
- Update scripts/gen-feature-variants.md with --git-repo examples
- Add git-credentials entry to values-secret.yaml.template

Signed-off-by: Min Zhang <minzhang@redhat.com>
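An added illustration of the ExternalSecret shape the description refers to, not the PR's own manifest: it renders the two files the Tekton git-clone task expects in its basic-auth workspace (.git-credentials and .gitconfig) from a single Vault KV entry. The namespace, the ClusterSecretStore name, the Vault key and property names, and the git host are assumptions chosen for the example.

```yaml
# Example only (not from the PR). Assumed: namespace "supply-chain",
# a ClusterSecretStore named "vault-backend" pointing at the KV v2 mount
# "secret", and a Vault entry at hub/supply-chain/git-credentials with the
# properties "username" and "token". git.example.com is a placeholder host.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: git-credentials
  namespace: supply-chain
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: git-credentials          # Secret mounted as the git-auth workspace
    creationPolicy: Owner
    template:
      type: Opaque
      engineVersion: v2
      data:
        # git-clone's basic-auth workspace copies both files into $HOME.
        # The token is scoped to read-only repo access; only the host that
        # actually hosts the source is listed, so the credential is never
        # sent to any other remote the pipeline might clone from.
        .git-credentials: |
          https://{{ .username }}:{{ .token }}@git.example.com
        .gitconfig: |
          [credential]
            helper = store
  data:
    - secretKey: username
      remoteRef:
        key: hub/supply-chain/git-credentials   # under the Vault policy's secret/data/hub/supply-chain/* scope
        property: username
    - secretKey: token
      remoteRef:
        key: hub/supply-chain/git-credentials
        property: token
```

The resulting Secret is only useful to the pipeline ServiceAccount it is attached to, so the rendered token never needs to appear in the chart's values files or in Git.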