@devenes
Last active November 3, 2022 18:32
tekton_demo.md
```sh
# Tools: cosign (signing and verification) and crane (registry inspection)
brew install cosign
brew install crane
# Local cluster (the tkn CLI from tektoncd-cli is also needed for the steps below)
kind create cluster --image=kindest/node:v1.24.0
# Install Tekton Pipelines and wait for its pods to become ready
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
kubectl get pods --namespace tekton-pipelines --watch
# Install Tekton Chains and wait for its pods to become ready
kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml
kubectl get pods -n tekton-chains --watch
# Chains config: emit in-toto (SLSA provenance) attestations for TaskRuns and store them in the OCI registry next to the image
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.storage": "oci"}}'
# Generate the signing key pair straight into the Kubernetes secret Chains reads (signing-secrets in tekton-chains)
cosign generate-key-pair k8s://tekton-chains/signing-secrets
# Fetch the kaniko Task (version 0.6) from Tekton Hub
tkn hub search kaniko
tkn hub get task kaniko --version 0.6 > kaniko.yaml
```
  • ⚠️ do not forget to add the following to the steps section as a first step (the kaniko Task is started below with an empty workspace, so this step first writes a Dockerfile, pinned to an alpine image by digest, into the source workspace for kaniko to build):
```sh
# Insert the add-dockerfile step right after the "steps:" line of the fetched Task
awk '/steps:/ {print; print "    - name: add-dockerfile\n      workingDir: $(workspaces.source.path)\n      image: bash\n      script: |\n        set -e\n        echo \"FROM alpine@sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f\" | tee $(params.DOCKERFILE)"; next}1' kaniko.yaml > kaniko.yaml.tmp && mv kaniko.yaml.tmp kaniko.yaml
```
```sh
kubectl apply -f kaniko.yaml
tkn task list --all-namespaces
# ttl.sh is an anonymous, short-lived registry: images expire, so it is only suitable for demos
IMAGE_NAME=tekton-chains-demo
REGISTRY=ttl.sh
tkn task start --param IMAGE=$REGISTRY/$IMAGE_NAME --use-param-defaults --workspace name=source,emptyDir="" kaniko
# Follow the logs of the TaskRun (the list has a header row; taking the last row is fine here because the demo has a single TaskRun)
tkn taskrun logs $(tkn taskrun list | awk '{print $1}' | tail -n 1) -f -n default
# Chains records the signing status in annotations on the TaskRun (e.g. chains.tekton.dev/signed)
kubectl get tr $(tkn taskrun list | awk '{print $1}' | tail -n 1) -o json | jq -r .metadata.annotations
# The registry now holds the image plus its signature (.sig) and attestation (.att) tags
crane ls $REGISTRY/$IMAGE_NAME
# Verify the image signature and the SLSA provenance attestation with the public key Chains used
cosign verify --key k8s://tekton-chains/signing-secrets $REGISTRY/$IMAGE_NAME | jq
cosign verify-attestation --key k8s://tekton-chains/signing-secrets --type slsaprovenance $REGISTRY/$IMAGE_NAME | jq
```
  • You can pipe the output through jq to base64-decode the in-toto payload and see the attestation content 👇
```sh
cosign verify-attestation --key k8s://tekton-chains/signing-secrets --type slsaprovenance $REGISTRY/$IMAGE_NAME | jq -r '.payload | @base64d | fromjson'
```
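`cosign verify-attestation` only proves that the envelope was signed by the Chains key; a consumer still has to check the claims inside it, namely that the attestation's subject is the exact image digest about to be deployed (as printed by `crane digest`) and that the builder is the one you trust. The following is an added example, not part of the gist, that performs those checks in Python on a constructed envelope in the shape cosign prints; the builder id prefix `https://tekton.dev/chains/` and all digest and signature values are assumptions, so take the real builder id from an attestation produced by your cluster before relying on it.

```python
import base64
import json
import sys

# Constructed sample of one line of `cosign verify-attestation` output: a DSSE
# envelope whose base64 payload is an in-toto Statement carrying SLSA provenance.
# All values (digests, signature, builder id) are made up for this illustration.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "ttl.sh/tekton-chains-demo",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {"builder": {"id": "https://tekton.dev/chains/v2"}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "MEUCIQD...constructed..."}],
})

def check_provenance(envelope_json, image_digest, builder_prefix):
    """Check the claims inside an attestation whose signature cosign already verified.

    image_digest: 'sha256:<hex>' as printed by `crane digest` (bare hex also accepted).
    builder_prefix: expected prefix of predicate.builder.id (the builder you trust).
    Returns (ok, reason)."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return False, "unexpected payloadType %r" % env.get("payloadType")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False, "not a SLSA provenance predicate"
    want = image_digest.split(":", 1)[-1].lower()
    subjects = {s.get("digest", {}).get("sha256", "").lower() for s in stmt.get("subject", [])}
    if want not in subjects:
        return False, "image digest is not a subject of this attestation"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id", "")
    if not builder.startswith(builder_prefix):
        return False, "untrusted builder id %r" % builder
    return True, "ok"

if __name__ == "__main__":
    # usage: cosign verify-attestation ... IMAGE | python3 check_provenance.py "$(crane digest IMAGE)"
    digest = sys.argv[1] if len(sys.argv) > 1 else "sha256:" + "a" * 64
    lines = sys.stdin if len(sys.argv) > 1 else [SAMPLE_ENVELOPE]
    results = [check_provenance(l, digest, "https://tekton.dev/chains/") for l in lines if l.strip()]
    for ok, reason in results:
        print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if results and all(ok for ok, _ in results) else 1)
```

Run without arguments it checks the embedded sample; fed the real cosign output and the digest from `crane digest`, it exits non-zero if any attestation fails a check.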
```sh
kind delete cluster
```