[TEP-0089] Add a config map to support SPIRE initialization.

This PR is one among the set of PRs done to implement TEP-0089.
This PR has been derived from the larger PRs  PR#5715 and PR#4759 by
@pxp928 and @lumjjb.

This PR is addressing the problem of non-falisfiable provenance discussed in TEP-0089.
SPIRE is a tool which provides cryptographic identities to workloads in a cluster.
These identities are also associated with a key pair, which can be used to
sign TaskRun results to track if they have been modified by other workloads.

Using SPIRE is one of the ways to address non-falsifiable provenance.

This PR has the following changes
1. Modify the feature flag to control non-falsifiability from enable-spire to enforce-nonfalsifiability="spire".
   This is in accordance to the approved TEP.
2. Add a configmap config-spire to initialize SPIRE.

Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>

Author: jagathprakash

config/config-feature-flags.yaml

@@ -94,3 +94,8 @@ data:
   # Acceptable values are "v1beta1" and "v1alpha1".
   # The default is "v1beta1".
   custom-task-version: "v1beta1"
+  # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
+  # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
+  # If set to "none", then Tekton will not have non-falsifiable provenance.
+  # This is an experimental feature and thus should still be considered an alpha feature.
+  enforce-nonfalsifiablity: "none"

config/config-spire.yaml

@@ -0,0 +1,49 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-spire
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    # This block is not actually functional configuration,
+    # but serves to illustrate the available configuration
+    # options and document them in a way that is accessible
+    # to users that `kubectl edit` this config map.
+    #
+    # These sample configuration options may be copied out of
+    # this example block and unindented to be in the data block
+    # to actually change the configuration.
+    #
+    # spire-trust-domain specifies the SPIRE trust domain to use.
+    # spire-trust-domain: "example.org"
+    #
+    # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
+    # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
+    #
+    # spire-server-addr specifies the SPIRE server address for workload/node registration.
+    # spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
+    #
+    # spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
+    # spire-node-alias-prefix: "/tekton-node/"

config/controller.yaml

@@ -116,6 +116,8 @@ spec:
           value: feature-flags
         - name: CONFIG_LEADERELECTION_NAME
           value: config-leader-election
+        - name: CONFIG_SPIRE
+          value: config-spire
         - name: CONFIG_TRUSTED_RESOURCES_NAME
           value: config-trusted-resources
         - name: SSL_CERT_FILE

docs/spire.md

@@ -0,0 +1,129 @@
+<!--
+---
+linkTitle: "TaskRun Result Attestation"
+weight: 1660
+---
+-->
+⚠️ This is a work in progress: SPIRE support is not yet functional
+
+TaskRun result attestations is currently an alpha experimental feature. Currently all that is implemented is support for configuring Tekton to connect to SPIRE. See TEP-0089 for details on the overall design and feature set.
+
+This being a large feature, this will be implemented in the following phases. This document will be updated as we implement new phases.
+1.  Add a client for SPIRE (done).
+2.  Add a configMap which initializes SPIRE (in progress).
+3.  Modify TaskRun to sign and verify TaskRun Results using SPIRE.
+4.  Modify Tekton Chains to verify the TaskRun Results.
+
+## Architecture Overview
+
+This feature relies on a SPIRE installation. This is how it integrates into the architecture of Tekton:
+
+```
+┌─────────────┐  Register TaskRun Workload Identity           ┌──────────┐
+│             ├──────────────────────────────────────────────►│          │
+│  Tekton     │                                               │  SPIRE   │
+│  Controller │◄───────────┐                                  │  Server  │
+│             │            │ Listen on TaskRun                │          │
+└────────────┬┘            │                                  └──────────┘
+ ▲           │     ┌───────┴───────────────────────────────┐     ▲
+ │           │     │           Tekton TaskRun              │     │
+ │           │     └───────────────────────────────────────┘     │
+ │  Configure│                                          ▲        │ Attest
+ │  Pod &    │                                          │        │   +
+ │  check    │                                          │        │ Request
+ │  ready    │     ┌───────────┐                        │        │ SVIDs
+ │           └────►│  TaskRun  ├────────────────────────┘        │
+ │                 │  Pod      │                                 │
+ │                 └───────────┘     TaskRun Entrypointer        │
+ │                   ▲               Sign Result and update      │
+ │ Get               │ Get SVID      TaskRun status with         │
+ │ SPIRE             │               signature + cert            │
+ │ server            │                                           │
+ │ Credentials       │                                           ▼
+┌┴───────────────────┴─────────────────────────────────────────────────────┐
+│                                                                          │
+│   SPIRE Agent    ( Runs as   )                                           │
+│   + CSI Driver   ( Daemonset )                                           │
+│                                                                          │
+└──────────────────────────────────────────────────────────────────────────┘
+```
+
+Initial Setup:
+1. As part of the SPIRE deployment, the SPIRE server attests the agents running on each node in the cluster.
+1. The Tekton Controller is configured to have workload identity entry creation permissions to the SPIRE server.
+1. As part of the Tekton Controller operations, the Tekton Controller will retrieve an identity that it can use to talk to the SPIRE server to register TaskRun workloads.
+
+When a TaskRun is created:
+1. The Tekton Controller creates a TaskRun pod and its associated resources
+1. When the TaskRun pod is ready, the Tekton Controller registers an identity with the information of the pod to the SPIRE server. This will tell the SPIRE server the identity of the TaskRun to use as well as how to attest the workload/pod.
+1. After the TaskRun steps complete, as part of the entrypointer code, it requests an SVID from SPIFFE workload API (via the SPIRE agent socket)
+1. The SPIRE agent will attest the workload and request an SVID.
+1. The entrypointer receives an x509 SVID, containing the x509 certificate and associated private key. 
+1. The entrypointer signs the results of the TaskRun and emits the signatures and x509 certificate to the TaskRun results for later verification.
+
+## Enabling TaskRun result attestations
+
+To enable TaskRun attestations:
+1. Make sure `enforce-nonfalsifiability` is set to `"spire"` in the `feature-flags` configmap, see [`install.md`](./install.md#customizing-the-pipelines-controller-behavior) for details
+1. Create a SPIRE deployment containing a SPIRE server, SPIRE agents and the SPIRE CSI driver, for convenience, [this sample single cluster deployment](https://github.com/spiffe/spiffe-csi/tree/main/example/config) can be used.
+1. Register the SPIRE workload entry for Tekton with the "Admin" flag, which will allow the Tekton controller to communicate with the SPIRE server to manage the TaskRun identities dynamically.
+    ```
+
+    # This example is assuming use of the above SPIRE deployment
+    # Example where trust domain is "example.org" and cluster name is "example-cluster"
+    
+    # Register a node alias for all nodes of which the Tekton Controller may reside
+    kubectl -n spire exec -it \
+        deployment/spire-server -- \
+        /opt/spire/bin/spire-server entry create \
+            -node \
+            -spiffeID spiffe://example.org/allnodes \
+            -selector k8s_psat:cluster:example-cluster
+    
+    # Register the tekton controller workload to have access to creating entries in the SPIRE server
+    kubectl -n spire exec -it \
+        deployment/spire-server -- \
+        /opt/spire/bin/spire-server entry create \
+            -admin \
+            -spiffeID spiffe://example.org/tekton/controller \
+            -parentID spiffe://example.org/allnode \
+            -selector k8s:ns:tekton-pipelines \
+            -selector k8s:pod-label:app:tekton-pipelines-controller \
+            -selector k8s:sa:tekton-pipelines-controller
+    
+    ```
+    
+1. Modify the controller (`config/controller.yaml`) to provide access to the SPIRE agent socket.
+    ```yaml
+    # Add the following the volumeMounts of the "tekton-pipelines-controller" container
+    - name: spiffe-workload-api
+      mountPath: /spiffe-workload-api
+      readOnly: true
+    
+    # Add the following to the volumes of the controller pod
+    - name: spiffe-workload-api
+      csi:
+        driver: "csi.spiffe.io"
+    ```
+1. (Optional) Modify the configmap (`config/config-spire.yaml`) to configure non-default SPIRE options.
+    ```yaml
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: config-spire
+      namespace: tekton-pipelines
+    labels:
+      app.kubernetes.io/instance: default
+      app.kubernetes.io/part-of: tekton-pipelines
+    data:
+      # More explanation about the fields is at the SPIRE Server Configuration file
+      # https://spiffe.io/docs/latest/deploying/spire_server/#server-configuration-file
+      # spire-trust-domain specifies the SPIRE trust domain to use.
+      spire-trust-domain: "example.org"
+      # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
+      spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
+      # spire-server-addr specifies the SPIRE server address for workload/node registration.
+      spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
+      # spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
+      spire-node-alias-prefix: "/tekton-node/"
+    ```

hack/update-codegen.sh

@@ -57,6 +57,11 @@ ${PREFIX}/deepcopy-gen \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
   -i github.com/tektoncd/pipeline/pkg/apis/config
 
+${PREFIX}/deepcopy-gen \
+  -O zz_generated.deepcopy \
+  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
+  -i github.com/tektoncd/pipeline/pkg/spire/config
+
 ${PREFIX}/deepcopy-gen \
   -O zz_generated.deepcopy \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \

pkg/apis/config/feature_flags.go

@@ -78,8 +78,12 @@ const (
 	DefaultSendCloudEventsForRuns = false
 	// DefaultEmbeddedStatus is the default value for "embedded-status".
 	DefaultEmbeddedStatus = MinimalEmbeddedStatus
-	// DefaultEnableSpire is the default value for "enable-spire".
-	DefaultEnableSpire = false
+	// EnforceNonfalsifiabilityWithSpire is the value used for  "enable-nonfalsifiability" when SPIRE is used to enable non-falsifiability.
+	EnforceNonfalsifiabilityWithSpire = "spire"
+	// EnforceNonfalsifiabilityNone is the value used for  "enable-nonfalsifiability" when non-falsifiability is not enabled.
+	EnforceNonfalsifiabilityNone = ""
+	// DefaultEnforceNonfalsifiability is the default value for "enforce-nonfalsifiability".
+	DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
 	// DefaultResourceVerificationMode is the default value for "resource-verification-mode".
 	DefaultResourceVerificationMode = SkipResourceVerificationMode
 	// DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
@@ -100,7 +104,7 @@ const (
 	enableAPIFields                     = "enable-api-fields"
 	sendCloudEventsForRuns              = "send-cloudevents-for-runs"
 	embeddedStatus                      = "embedded-status"
-	enableSpire                         = "enable-spire"
+	enforceNonfalsifiability            = "enforce-nonfalsifiability"
 	verificationMode                    = "resource-verification-mode"
 	enableProvenanceInStatus            = "enable-provenance-in-status"
 	resultExtractionMethod              = "results-from"
@@ -121,7 +125,7 @@ type FeatureFlags struct {
 	SendCloudEventsForRuns           bool
 	AwaitSidecarReadiness            bool
 	EmbeddedStatus                   string
-	EnableSpire                      bool
+	EnforceNonfalsifiability         string
 	ResourceVerificationMode         string
 	EnableProvenanceInStatus         bool
 	ResultExtractionMethod           string
@@ -138,6 +142,22 @@ func GetFeatureFlagsConfigName() string {
 	return "feature-flags"
 }
 
+func getEnforceNonfalsifiabilityFeature(cfgMap map[string]string) (string, error) {
+	var mapValue struct{}
+	var acceptedValues = map[string]struct{}{
+		EnforceNonfalsifiabilityNone:      mapValue,
+		EnforceNonfalsifiabilityWithSpire: mapValue,
+	}
+	var value = DefaultEnforceNonfalsifiability
+	if cfg, ok := cfgMap[enforceNonfalsifiability]; ok {
+		value = strings.ToLower(cfg)
+	}
+	if _, ok := acceptedValues[value]; !ok {
+		return DefaultEnforceNonfalsifiability, fmt.Errorf("invalid value for feature flag %q: %q", enforceNonfalsifiability, value)
+	}
+	return value, nil
+}
+
 // NewFeatureFlagsFromMap returns a Config given a map corresponding to a ConfigMap
 func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	setFeature := func(key string, defaultValue bool, feature *bool) error {
@@ -202,13 +222,20 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	// defeat the purpose of having a single shared gate for all alpha features.
 	if tc.EnableAPIFields == AlphaAPIFields {
 		tc.EnableTektonOCIBundles = true
-		tc.EnableSpire = true
+		// Only consider SPIRE if alpha is on.
+		enforceNonfalsifiabilityValue, err := getEnforceNonfalsifiabilityFeature(cfgMap)
+		if err != nil {
+			return nil, err
+		}
+		tc.EnforceNonfalsifiability = enforceNonfalsifiabilityValue
 	} else {
 		if err := setFeature(enableTektonOCIBundles, DefaultEnableTektonOciBundles, &tc.EnableTektonOCIBundles); err != nil {
 			return nil, err
 		}
-		if err := setFeature(enableSpire, DefaultEnableSpire, &tc.EnableSpire); err != nil {
-			return nil, err
+		// Do not enable any form of non-falsifiability enforcement in non-alpha mode.
+		tc.EnforceNonfalsifiability = EnforceNonfalsifiabilityNone
+		if enforceNonfalsifiabilityValue, err := getEnforceNonfalsifiabilityFeature(cfgMap); err != nil || enforceNonfalsifiabilityValue != DefaultEnforceNonfalsifiability {
+			return nil, fmt.Errorf("%q can be set to non-default values (%q) only in alpha", enforceNonfalsifiability, enforceNonfalsifiabilityValue)
 		}
 	}
 	return &tc, nil

pkg/apis/config/feature_flags_test.go

@@ -66,7 +66,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				EnableAPIFields:                  "alpha",
 				SendCloudEventsForRuns:           true,
 				EmbeddedStatus:                   "both",
-				EnableSpire:                      true,
+				EnforceNonfalsifiability:         "spire",
 				ResourceVerificationMode:         "enforce",
 				EnableProvenanceInStatus:         true,
 				ResultExtractionMethod:           "termination-message",
@@ -80,9 +80,8 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				EnableAPIFields: "alpha",
 				// These are prescribed as true by enabling "alpha" API fields, even
 				// if the submitted text value is "false".
-				EnableTektonOCIBundles: true,
-				EnableSpire:            true,
-
+				EnableTektonOCIBundles:           true,
+				EnforceNonfalsifiability:         "",
 				DisableAffinityAssistant:         config.DefaultDisableAffinityAssistant,
 				DisableCredsInit:                 config.DefaultDisableCredsInit,
 				RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
@@ -137,17 +136,18 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 		},
 		{
 			expectedConfig: &config.FeatureFlags{
-				EnableAPIFields:                  "stable",
-				EmbeddedStatus:                   config.DefaultEmbeddedStatus,
-				EnableSpire:                      true,
+				EnableAPIFields:                  "alpha",
+				EmbeddedStatus:                   "minimal",
+				EnforceNonfalsifiability:         "spire",
+				EnableTektonOCIBundles:           true,
 				ResourceVerificationMode:         config.DefaultResourceVerificationMode,
 				RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
 				AwaitSidecarReadiness:            config.DefaultAwaitSidecarReadiness,
 				ResultExtractionMethod:           config.DefaultResultExtractionMethod,
 				MaxResultSize:                    config.DefaultMaxResultSize,
 				CustomTaskVersion:                config.DefaultCustomTaskVersion,
 			},
-			fileName: "feature-flags-enable-spire",
+			fileName: "feature-flags-enforce-nonfalsifiability-spire",
 		},
 		{
 			expectedConfig: &config.FeatureFlags{
@@ -185,7 +185,7 @@ func TestNewFeatureFlagsFromEmptyConfigMap(t *testing.T) {
 		EnableAPIFields:                  config.DefaultEnableAPIFields,
 		SendCloudEventsForRuns:           config.DefaultSendCloudEventsForRuns,
 		EmbeddedStatus:                   config.DefaultEmbeddedStatus,
-		EnableSpire:                      config.DefaultEnableSpire,
+		EnforceNonfalsifiability:         config.DefaultEnforceNonfalsifiability,
 		ResourceVerificationMode:         config.DefaultResourceVerificationMode,
 		EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 		ResultExtractionMethod:           config.DefaultResultExtractionMethod,
@@ -241,6 +241,10 @@ func TestNewFeatureFlagsConfigMapErrors(t *testing.T) {
 		fileName: "feature-flags-invalid-max-result-size-bad-value",
 	}, {
 		fileName: "feature-flags-invalid-custom-task-version",
+	}, {
+		fileName: "feature-flags-enforce-nonfalsifiability-bad-flag",
+	}, {
+		fileName: "feature-flags-spire-with-stable",
 	}} {
 		t.Run(tc.fileName, func(t *testing.T) {
 			cm := test.ConfigMapFromTestFile(t, tc.fileName)