[TEP-0089] SPIRE for non-falsifiable provenance.

This PR is a part of a larger set of PRs to provide non-falsifiable
provenance through SPIRE.
In particular this PR uses the SPIRE infrastructure which has already
been merged to sign TaskRunStatus.
It also has support to verify if TaskRunStatus has been modified by
another workload between reconciles.

Author: jagathprakash

cmd/imagedigestexporter/main.go

@@ -17,9 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 	"knative.dev/pkg/logging"
 
@@ -31,6 +34,8 @@ import (
 var (
 	images                 = flag.String("images", "", "List of images resources built by task in json format")
 	terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message")
+	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 /*
@@ -75,6 +80,22 @@ func main() {
 			Value:        imageResource.URL,
 			ResourceName: imageResource.Name,
 		})
+
+	}
+
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		ctx := context.Background()
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+
+		spireWorkloadAPI := spire.NewEntrypointerAPIClient(&spireConfig)
+		signed, err := spireWorkloadAPI.Sign(ctx, output)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		output = append(output, signed...)
 	}
 
 	if err := termination.WriteMessage(*terminationMessagePath, output); err != nil {

examples/v1beta1/pipelineruns/4808-regression.yaml

@@ -92,4 +92,4 @@ spec:
     name: result-test
   params:
   - name: RESULT_STRING_LENGTH
-    value: "3000"
+    value: "2000"

pkg/apis/config/feature_flags.go

@@ -369,6 +369,11 @@ func CheckWarnResourceVerificationMode(ctx context.Context) bool {
 	return cfg.FeatureFlags.ResourceVerificationMode == WarnResourceVerificationMode
 }
 
+// IsSpireEnabled checks if non-falsifiable provenance is enforced through SPIRE
+func IsSpireEnabled(ctx context.Context) bool {
+	return FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == EnforceNonfalsifiabilityWithSpire
+}
+
 func setEnableAPIFields(ctx context.Context, want string) context.Context {
 	featureFlags, _ := NewFeatureFlagsFromMap(map[string]string{
 		"enable-api-fields": want,

pkg/apis/config/feature_flags_test.go

@@ -297,6 +297,28 @@ func TestCheckWarnResourceVerificationMode(t *testing.T) {
 	}
 }
 
+func TestIsSpireEnabled(t *testing.T) {
+	ctx := context.Background()
+	if config.IsSpireEnabled(ctx) {
+		t.Errorf("IsSpireEnabled got true but expected to be false")
+	}
+	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
+	featureflags := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "feature-flags",
+		},
+		Data: map[string]string{
+			"enable-api-fields":         "alpha",
+			"enforce-nonfalsifiability": config.EnforceNonfalsifiabilityWithSpire,
+		},
+	}
+	store.OnConfigChanged(featureflags)
+	ctx = store.ToContext(ctx)
+	if !config.IsSpireEnabled(ctx) {
+		t.Errorf("IsSpireEnabled got false but expected to be true")
+	}
+}
+
 func verifyConfigFileWithExpectedFeatureFlagsConfig(t *testing.T, fileName string, expectedConfig *config.FeatureFlags) {
 	t.Helper()
 	cm := test.ConfigMapFromTestFile(t, fileName)

pkg/pod/pod.go

@@ -31,6 +31,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"github.com/tektoncd/pipeline/pkg/internal/computeresources/tasklevel"
 	"github.com/tektoncd/pipeline/pkg/names"
+	"github.com/tektoncd/pipeline/pkg/spire"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -132,6 +133,10 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 	// Secrets, along with any arguments needed by Step entrypoints to process
 	// those secrets.
 	commonExtraEntrypointArgs := []string{}
+	// Entrypoint arg to enable or disable spire
+	if config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire {
+		commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, "-enable_spire")
+	}
 	credEntrypointArgs, credVolumes, credVolumeMounts, err := credsInit(ctx, taskRun.Spec.ServiceAccountName, taskRun.Namespace, b.KubeClient)
 	if err != nil {
 		return nil, err
@@ -322,6 +327,36 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 		return nil, err
 	}
 
+	readonly := true
+	if config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire {
+		volumes = append(volumes, corev1.Volume{
+			Name: spire.WorkloadAPI,
+			VolumeSource: corev1.VolumeSource{
+				CSI: &corev1.CSIVolumeSource{
+					Driver:   "csi.spiffe.io",
+					ReadOnly: &readonly,
+				},
+			},
+		})
+
+		for i := range stepContainers {
+			c := &stepContainers[i]
+			c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
+				Name:      spire.WorkloadAPI,
+				MountPath: spire.VolumeMountPath,
+				ReadOnly:  true,
+			})
+		}
+		for i := range initContainers {
+			c := &initContainers[i]
+			c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
+				Name:      spire.WorkloadAPI,
+				MountPath: spire.VolumeMountPath,
+				ReadOnly:  true,
+			})
+		}
+	}
+
 	mergedPodContainers := stepContainers
 
 	// Merge sidecar containers with step containers.

pkg/pod/pod_test.go

@@ -35,6 +35,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+	"github.com/tektoncd/pipeline/pkg/spire"
 	"github.com/tektoncd/pipeline/test/diff"
 	"github.com/tektoncd/pipeline/test/names"
 	corev1 "k8s.io/api/core/v1"
@@ -2458,6 +2459,167 @@ func TestPodBuild_TaskLevelResourceRequirements(t *testing.T) {
 	}
 }
 
+func TestPodBuildwithSpireEnabled(t *testing.T) {
+	initContainers := []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})}
+	readonly := true
+	for i := range initContainers {
+		c := &initContainers[i]
+		c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
+			Name:      spire.WorkloadAPI,
+			MountPath: spire.VolumeMountPath,
+			ReadOnly:  true,
+		})
+	}
+
+	for _, c := range []struct {
+		desc            string
+		trs             v1beta1.TaskRunSpec
+		trAnnotation    map[string]string
+		ts              v1beta1.TaskSpec
+		want            *corev1.PodSpec
+		wantAnnotations map[string]string
+	}{{
+		desc: "simple",
+		ts: v1beta1.TaskSpec{
+			Steps: []v1beta1.Step{{
+				Name:    "name",
+				Image:   "image",
+				Command: []string{"cmd"}, // avoid entrypoint lookup.
+			}},
+		},
+		want: &corev1.PodSpec{
+			RestartPolicy:  corev1.RestartPolicyNever,
+			InitContainers: initContainers,
+			Containers: []corev1.Container{{
+				Name:    "step-name",
+				Image:   "image",
+				Command: []string{"/tekton/bin/entrypoint"},
+				Args: []string{
+					"-wait_file",
+					"/tekton/downward/ready",
+					"-wait_file_content",
+					"-post_file",
+					"/tekton/run/0/out",
+					"-termination_path",
+					"/tekton/termination",
+					"-step_metadata_dir",
+					"/tekton/run/0/status",
+					"-enable_spire",
+					"-entrypoint",
+					"cmd",
+					"--",
+				},
+				VolumeMounts: append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, {
+					Name:      "tekton-creds-init-home-0",
+					MountPath: "/tekton/creds",
+				}, {
+					Name:      spire.WorkloadAPI,
+					MountPath: spire.VolumeMountPath,
+					ReadOnly:  true,
+				}}, implicitVolumeMounts...),
+				TerminationMessagePath: "/tekton/termination",
+			}},
+			Volumes: append(implicitVolumes, binVolume, runVolume(0), downwardVolume, corev1.Volume{
+				Name:         "tekton-creds-init-home-0",
+				VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}},
+			}, corev1.Volume{
+				Name: spire.WorkloadAPI,
+				VolumeSource: corev1.VolumeSource{
+					CSI: &corev1.CSIVolumeSource{
+						Driver:   "csi.spiffe.io",
+						ReadOnly: &readonly,
+					},
+				},
+			}),
+			ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds,
+		},
+	}} {
+		t.Run(c.desc, func(t *testing.T) {
+			featureFlags := map[string]string{
+				"enable-api-fields":         "alpha",
+				"enforce-nonfalsifiability": "spire",
+			}
+			names.TestingSeed()
+			store := config.NewStore(logtesting.TestLogger(t))
+			store.OnConfigChanged(
+				&corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
+					Data:       featureFlags,
+				},
+			)
+			kubeclient := fakek8s.NewSimpleClientset(
+				&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "default"}},
+				&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "service-account", Namespace: "default"},
+					Secrets: []corev1.ObjectReference{{
+						Name: "multi-creds",
+					}},
+				},
+				&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "multi-creds",
+						Namespace: "default",
+						Annotations: map[string]string{
+							"tekton.dev/docker-0": "https://us.gcr.io",
+							"tekton.dev/docker-1": "https://docker.io",
+							"tekton.dev/git-0":    "github.com",
+							"tekton.dev/git-1":    "gitlab.com",
+						}},
+					Type: "kubernetes.io/basic-auth",
+					Data: map[string][]byte{
+						"username": []byte("foo"),
+						"password": []byte("BestEver"),
+					},
+				},
+			)
+			var trAnnotations map[string]string
+			if c.trAnnotation == nil {
+				trAnnotations = map[string]string{
+					ReleaseAnnotation: fakeVersion,
+				}
+			} else {
+				trAnnotations = c.trAnnotation
+				trAnnotations[ReleaseAnnotation] = fakeVersion
+			}
+			tr := &v1beta1.TaskRun{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "taskrun-name",
+					Namespace:   "default",
+					Annotations: trAnnotations,
+				},
+				Spec: c.trs,
+			}
+
+			// No entrypoints should be looked up.
+			entrypointCache := fakeCache{}
+			builder := Builder{
+				Images:          images,
+				KubeClient:      kubeclient,
+				EntrypointCache: entrypointCache,
+			}
+
+			got, err := builder.Build(store.ToContext(context.Background()), tr, c.ts)
+			if err != nil {
+				t.Fatalf("builder.Build: %v", err)
+			}
+
+			want := kmeta.ChildName(tr.Name, "-pod")
+			if d := cmp.Diff(got.Name, want); d != "" {
+				t.Errorf("got %v; want %v", got.Name, want)
+			}
+
+			if d := cmp.Diff(c.want, &got.Spec, resourceQuantityCmp, volumeSort, volumeMountSort); d != "" {
+				t.Errorf("Diff %s", diff.PrintWantGot(d))
+			}
+
+			if c.wantAnnotations != nil {
+				if d := cmp.Diff(c.wantAnnotations, got.ObjectMeta.Annotations, cmpopts.IgnoreMapEntries(ignoreReleaseAnnotation)); d != "" {
+					t.Errorf("Annotation Diff(-want, +got):\n%s", d)
+				}
+			}
+		})
+	}
+}
+
 // verifyTaskLevelComputeResources verifies that the given TaskRun's containers have the expected compute resources.
 func verifyTaskLevelComputeResources(expectedComputeResources []ExpectedComputeResources, containers []corev1.Container) error {
 	if len(expectedComputeResources) != len(containers) {