This controller watches for Tekton `PipelineRun` resources that have been signed by Tekton Chains and triggers a validation step using a configurable binary. Once validated, it annotates the `PipelineRun` with the result to prevent duplicate processing.
- Watches `PipelineRun` resources across namespaces
- Triggers a `TaskRun` to validate signed images
- Prevents re-processing via annotation
- Compatible with `ko` + `kustomize` workflows
- Secure metrics endpoint exposed via HTTPS
- Minimal RBAC footprint
- Kubernetes 1.24+
- Tekton Pipelines and Tekton Chains installed
- ko installed for containerless build/deploys
- cert-manager (optional, if you use external TLS for metrics)
The controller listens for `PipelineRun` objects that:

- Have the annotation `chains.tekton.dev/signed: "true"`
- Do not yet have the annotation `conforma.dev/triggered-on`
- Have the annotation:

Then:

- For each such `PipelineRun`, it triggers a `TaskRun` that runs a validation binary (you define the image + logic).
- It annotates the `PipelineRun` with the timestamp of the Conforma CLI execution it triggered.
- The controller never processes the same `PipelineRun` twice.
| Env Var | Description |
|---|---|
| `VALIDATOR_IMAGE` | Container image containing your validation logic |
| `VALIDATOR_SA` | (Optional) ServiceAccount name for the validation `TaskRun` |
Set these in the Deployment under `config/manager/manager.yaml`.
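The trigger rules above (signed by Chains, not yet carrying `conforma.dev/triggered-on`) and the `VALIDATOR_IMAGE` / `VALIDATOR_SA` settings, as an added illustration that is not the project's own reconciler: the functions below take only the annotation map and an env lookup, so the decision and the idempotency marker can be tested without a cluster. The `getenv` parameter and the empty-string fallback for the ServiceAccount are assumptions of this example.

```go
package main

import "fmt"
import "time"

// Annotation keys from the README. Illustrative reimplementation of the
// controller's decision logic, not the project's own reconciler.
const (
	signedAnnotation    = "chains.tekton.dev/signed"
	triggeredAnnotation = "conforma.dev/triggered-on"
)

// ShouldTrigger is true when Chains has signed the PipelineRun and the
// controller has not yet recorded a trigger on it (the idempotency guard).
func ShouldTrigger(annotations map[string]string) bool {
	if annotations[signedAnnotation] != "true" {
		return false
	}
	_, alreadyDone := annotations[triggeredAnnotation]
	return !alreadyDone
}

// MarkTriggered returns a copy of the annotations with the processing
// timestamp recorded, so the next reconcile of the same object skips it.
func MarkTriggered(annotations map[string]string, now time.Time) map[string]string {
	out := make(map[string]string, len(annotations)+1)
	for k, v := range annotations {
		out[k] = v
	}
	out[triggeredAnnotation] = now.UTC().Format(time.RFC3339)
	return out
}

// ValidatorSpec is what the TaskRun needs: VALIDATOR_IMAGE and the optional
// VALIDATOR_SA (left empty here when unset; assumption of this example).
type ValidatorSpec struct {
	Image          string
	ServiceAccount string
}

// ValidatorFromEnv reads the documented env vars through a lookup function
// (os.Getenv in a real process) and refuses to run with an empty image.
func ValidatorFromEnv(getenv func(string) string) (ValidatorSpec, error) {
	img := getenv("VALIDATOR_IMAGE")
	if img == "" {
		return ValidatorSpec{}, fmt.Errorf("VALIDATOR_IMAGE must be set")
	}
	return ValidatorSpec{Image: img, ServiceAccount: getenv("VALIDATOR_SA")}, nil
}
```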
Replace `ghcr.io/your-org/validator` with your actual validator image.
```shell
# Create the target namespace if needed
kubectl create namespace conforma --dry-run=client -o yaml | kubectl apply -f -

# Create the tekton-chains namespace if needed (for generating the public key)
kubectl create namespace tekton-chains --dry-run=client -o yaml | kubectl apply -f -

# Deploy the controller using ko
KO_DOCKER_REPO=ghcr.io/your-org \
ko apply -f config/default
```