A Kubernetes-native, event-driven service that automatically triggers enterprise contract verification for application snapshots using Tekton bundles.
The Conforma Verifier Listener is a CloudEvents-based service that monitors for the creation of Snapshot resources and automatically triggers compliance verification workflows. It implements an event-driven architecture to bridge CloudEvents with Tekton pipelines, using bundle resolution to dynamically fetch verification tasks from container registries.
- Listens for CloudEvents of type `dev.knative.apiserver.resource.add`
- Processes Snapshot resources from the `appstudio.redhat.com/v1alpha1` API
- Automatically creates Tekton TaskRuns for compliance verification
- Uses Tekton's bundle resolver to fetch tasks from `quay.io/conforma/tekton-task:latest`
- Eliminates the need for pre-installed tasks in the cluster
- Enables dynamic task updates without redeploying the service
- ConfigMap-based configuration with caching and TTL
- Supports multiple namespaces with isolated configuration
- Configurable parameters for policy verification
- Automated Compliance: Triggers verification workflows without manual intervention
- Multi-Namespace Support: Handles snapshots across different namespaces
- Configurable Policies: Supports custom policy configurations and public keys
- Cloud-Native: Stateless, horizontally scalable, and Kubernetes-native
- Bundle-Based: Dynamic task resolution from container registries
The service reads configuration from a ConfigMap named `taskrun-config` in each namespace:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: taskrun-config
  namespace: default
data:
  POLICY_CONFIGURATION: "github.com/enterprise-contract/config//slsa3"
  PUBLIC_KEY: |
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
    naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
    -----END PUBLIC KEY-----
  IGNORE_REKOR: "true"
```
- Kubernetes cluster with Tekton installed
- Knative Serving (for CloudEvents support)
- Access to the bundle registry (`quay.io/conforma/tekton-task:latest`)
- ko installed for building and deploying

Deploy all components using Kustomize and ko:

```shell
kustomize build config/ | ko apply -f -
```
This command will:
- Build the container image using ko
- Apply all Kubernetes resources (RBAC, ServiceAccount, Knative Service, etc.)
- Deploy the service to your cluster
Once deployed, the service will automatically:
- Monitor for Snapshot resource creation events
- Read configuration from the snapshot's namespace
- Create Tekton TaskRuns with the appropriate parameters
- Execute enterprise contract verification using bundle resolution
```yaml
apiVersion: appstudio.redhat.com/v1alpha1
kind: Snapshot
metadata:
  name: test-snapshot
  namespace: default
spec:
  application: application-sample
  displayName: test-snapshot
  displayDescription: my first snapshot
  components:
    - name: test-component
      containerImage: "test-image:latest"
```
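Given the ConfigMap and Snapshot shown above, the listener has two jobs before it can create a TaskRun: check the namespace configuration and assemble the bundle-resolver `taskRef` plus the verification parameters. The following is an added, stand-alone example and not the project's code; it uses only the standard library and assumes the task inside the bundle is named `verify-enterprise-contract`, that it takes the parameters `IMAGES`, `POLICY_CONFIGURATION`, `PUBLIC_KEY` and `IGNORE_REKOR`, and that `IMAGES` carries the snapshot's components as JSON.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// bundleRef is the bundle the README names; taskName is an assumption about
// the task's name inside that bundle.
const (
	bundleRef = "quay.io/conforma/tekton-task:latest"
	taskName  = "verify-enterprise-contract"
)

// Component mirrors one entry of a Snapshot's spec.components.
type Component struct {
	Name           string `json:"name"`
	ContainerImage string `json:"containerImage"`
}

type Param struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// BuildTaskRunSpec validates the namespace's taskrun-config data and builds the
// spec of a TaskRun that resolves the verification task from the bundle.
// Malformed or missing settings are refused rather than defaulting to a weaker
// check (for example running without a public key).
func BuildTaskRunSpec(comps []Component, cfg map[string]string) (map[string]any, error) {
	policy, key, ignore := cfg["POLICY_CONFIGURATION"], cfg["PUBLIC_KEY"], cfg["IGNORE_REKOR"]
	if policy == "" {
		return nil, fmt.Errorf("taskrun-config: POLICY_CONFIGURATION is required")
	}
	if blk, _ := pem.Decode([]byte(key)); blk == nil || blk.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("taskrun-config: PUBLIC_KEY is not a PEM public key")
	}
	if ignore != "true" && ignore != "false" {
		return nil, fmt.Errorf("taskrun-config: IGNORE_REKOR must be \"true\" or \"false\"")
	}
	if len(comps) == 0 {
		return nil, fmt.Errorf("snapshot has no components to verify")
	}
	images, _ := json.Marshal(map[string][]Component{"components": comps}) // IMAGES layout assumed
	return map[string]any{
		"taskRef": map[string]any{"resolver": "bundles",
			"params": []Param{{"bundle", bundleRef}, {"name", taskName}, {"kind", "task"}}},
		"params": []Param{{"IMAGES", string(images)}, {"POLICY_CONFIGURATION", policy},
			{"PUBLIC_KEY", key}, {"IGNORE_REKOR", ignore}},
	}, nil
}
```

Because `quay.io/conforma/tekton-task:latest` is a mutable tag, pinning the bundle by digest in production keeps the verification task from changing underneath the listener.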
- Make sure you have recent versions of `kn`, `kn-quickstart`, `ko`, `kind`, and `tkn` installed.
- Run `make setup-knative`
- Do `export KO_DOCKER_REPO=quay.io/yourquayuser`
- Run `make build`
- Go to https://quay.io/ and configure the `quay.io/yourquayuser/launch-taskrun-*` repo that was just created to be public instead of private.
- Run `make deploy`
- Run `hack/demo.sh`

```shell
# build the binary and container image
make build

# run the test suite
make test

# run the service locally
go run cmd/launch-taskrun/main.go
```
```
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Kubernetes    │    │     Conforma     │    │     Tekton      │
│   API Server    │───▶│     Verifier     │───▶│    Pipeline     │
│                 │    │     Listener     │    │                 │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                                 │
                                 ▼
                       ┌──────────────────┐
                       │ Bundle Registry  │
                       │  (quay.io/...)   │
                       └──────────────────┘
```
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Submit a pull request
[Add your license information here]