Commit 9481711

Merge pull request #79150 from mramendi/RHDEVDOCS-5985
RHDEVDOCS 5985 changes for HashiCorp Vault integration
2 parents c466274 + a4c11b2 commit 9481711

5 files changed: +138 / -1 lines changed

_attributes/common-attributes.adoc

Lines changed: 2 additions & 0 deletions
@@ -35,5 +35,7 @@
3535
:cluster-manager-url: link:https://console.redhat.com/openshift[OpenShift Cluster Manager Hybrid Cloud Console]
3636
:cluster-manager-url-pull: link:https://console.redhat.com/openshift/install/pull-secret[pull secret from the Red Hat OpenShift Cluster Manager]
3737

38+
:oc-first: pass:quotes[OpenShift CLI (`oc`)]
39+
3840
// Attributes not present in the main branch
3941
:OCP: OpenShift Container Platform
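Review bot: the new `:oc-first:` attribute is inserted above the `// Attributes not present in the main branch` comment, so it reads as an attribute that already exists in main; if it is in fact new to this branch, move it below that marker. The `pass:quotes[...]` wrapper is what lets the backticks inside the attribute render as monospace, so that part is correct as written.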
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
// This module is included in the following assemblies:
2+
// * secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc
3+
4+
:_mod-docs-content-type: PROCEDURE
5+
[id="creating-mounting-kms-authentication-token-secret_{context}"]
6+
= Creating and mounting the KMS authentication token secret
7+
8+
You can provide the authentication token for the KMS server using a secret. For example, if the KMS provider is Hashicorp Vault, the secret must contain the value of `VAULT_TOKEN`.
9+
10+
You must create this secret, mount it on the {tekton-chains} controller, and set the `signers.kms.auth.token-path` parameter to the full pathname of the authentication token file.
11+
12+
.Prerequisites
13+
14+
* You installed the {oc-first} utility.
15+
* You are logged in to your {OCP} cluster with administrative rights for the `tekton-chains` namespace.
16+
17+
.Procedure
18+
19+
. Create a secret named `kms-secrets` with the `KMS_AUTH_TOKEN` file that contains the authentication token for the KMS server by entering the following command:
20+
+
21+
[source, terminal]
22+
----
23+
$ oc create secret generic kms-secrets -n tekton-chains \
24+
--from-file=KMS_AUTH_TOKEN=<path_and_name> # <1>
25+
----
26+
<1> The full path and name of the file that contains the authentication token for the KMS server, for example, `/home/user/KMS_AUTH_TOKEN`. You can use another file name instead of `KMS_AUTH_TOKEN`.
27+
28+
. In the `TektonConfig` custom resource (CR), in the `chain` section, configure mounting the secret on the {tekton-chains} controller and set the `signers.kms.auth.token-path` parameter to the full pathname of the authentication token file, as shown in the following example:
29+
+
30+
.Example configuration for mounting the `kms-secrets` secret
31+
[source,yaml]
32+
----
33+
apiVersion: operator.tekton.dev/v1
34+
kind: TektonConfig
35+
metadata:
36+
name: config
37+
spec:
38+
# ...
39+
chain:
40+
disabled: false
41+
signers.kms.auth.token-path: /etc/kms-secrets/KMS_AUTH_TOKEN
42+
options:
43+
deployments:
44+
tekton-chains-controller:
45+
spec:
46+
template:
47+
spec:
48+
containers:
49+
- name: tekton-chains-controller
50+
volumeMounts:
51+
- mountPath: /etc/kms-secrets
52+
name: kms-secrets
53+
volumes:
54+
- name: kms-secrets
55+
secret:
56+
secretName: kms-secrets
57+
# ...
58+
----
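Review bot: callout <1> says another file name can be used instead of `KMS_AUTH_TOKEN`, but does not say that `signers.kms.auth.token-path` (set to `/etc/kms-secrets/KMS_AUTH_TOKEN` in step 2) must then change to match; add a sentence such as `If you use a different file name, set signers.kms.auth.token-path to /etc/kms-secrets/<your_file_name>.` Two smaller points: the mount carries a Vault token, so the `volumeMounts` entry should set `readOnly: true`; and line 8 spells the vendor `Hashicorp` while the PR title uses `HashiCorp`.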
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
// This module is included in the following assemblies:
2+
// * secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc
3+
4+
:_mod-docs-content-type: PROCEDURE
5+
[id="creating-mounting-mongo-server-url-secret_{context}"]
6+
= Creating and mounting the Mongo server URL secret
7+
8+
You can provide the value of the Mongo server URL to use for `docdb` storage (`MONGO_SERVER_URL`) using a secret. You must create this secret, mount it on the {tekton-chains} controller, and set the `storage.docdb.mongo-server-url-dir` parameter to the directory where the secret is mounted.
9+
10+
.Prerequisites
11+
12+
* You installed the {oc-first} utility.
13+
* You are logged in to your {OCP} cluster with administrative rights for the `tekton-chains` namespace.
14+
15+
.Procedure
16+
17+
. Create a secret named `mongo-url` with the `MONGO_SERVER_URL` file that contains the the Mongo server URL value by entering the following command:
18+
+
19+
[source, terminal]
20+
----
21+
$ oc create secret generic mongo-url -n tekton-chains \
22+
--from-file=MONGO_SERVER_URL=<path>/MONGO_SERVER_URL # <1>
23+
----
24+
<1> The full path and name of the `MONGO_SERVER_URL` file that contains the the Mongo server URL value.
25+
26+
. In the `TektonConfig` custom resource (CR), in the `chain` section, configure mounting the secret on the {tekton-chains} controller and set the `storage.docdb.mongo-server-url-dir` parameter to the directory where the secret is mounted, as shown in the following example:
27+
+
28+
.Example configuration for mounting the `mongo-url` secret
29+
[source,yaml]
30+
----
31+
apiVersion: operator.tekton.dev/v1
32+
kind: TektonConfig
33+
metadata:
34+
name: config
35+
spec:
36+
# ...
37+
chain:
38+
disabled: false
39+
storage.docdb.mongo-server-url-dir: /tmp/mongo-url
40+
options:
41+
deployments:
42+
tekton-chains-controller:
43+
spec:
44+
template:
45+
spec:
46+
containers:
47+
- name: tekton-chains-controller
48+
volumeMounts:
49+
- mountPath: /tmp/mongo-url
50+
name: mongo-url
51+
volumes:
52+
- name: mongo-url
53+
secret:
54+
secretName: mongo-url
55+
# ...
56+
----
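Review bot: `contains the the Mongo server URL value` has a doubled `the` on lines 17 and 24. Unlike the KMS module, the file name here is fixed: `storage.docdb.mongo-server-url-dir` points at a directory, and the parameter table in this PR says the controller looks for a file named `MONGO_SERVER_URL` in it, so callout <1> should state that the secret key must be exactly `MONGO_SERVER_URL`. Since the URL can embed credentials, add `readOnly: true` to the `volumeMounts` entry; mounting a secret under `/tmp/mongo-url` is also inconsistent with the `/etc/kms-secrets` location used in the sibling module.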

modules/op-supported-parameters-tekton-chains-configuration.adoc

Lines changed: 19 additions & 1 deletion
@@ -162,6 +162,16 @@ If you enable the `docdb` storage method is for any artifacts, configure docstor
162162
| `firestore://projects/[PROJECT]/databases/(default)/documents/[COLLECTION]?name_field=name`
163163
|
164164

165+
| `storage.docdb.mongo-server-url`
166+
| The value for the Mongo server URL to use for `docdb` storage (`MONGO_SERVER_URL`). This URL can include authentication information. For production environments, providing authentication information as plain-text configuration might be insecure. Use the alternative `storage.docdb.mongo-server-url-dir` configuration setting for production environments.
167+
|
168+
|
169+
170+
| `storage.docdb.mongo-server-url-dir`
171+
| The directory where a file named `MONGO_SERVER_URL` is located. This file contains the Mongo server URL to use for `docdb` storage (`MONGO_SERVER_URL`). Provide this file as a secret and configure mounting this file for the {tekton-chains} controller, as described in _Creating and mounting the Mongo server URL secret_.
172+
| Example value: `/tmp/mongo-url`
173+
|
174+
165175
|===
166176

167177
If you enable the `grafeas` storage method for any artifacts, configure Grafeas storage options. For more information about Grafeas notes and occurrences, see link:https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md[Grafeas concepts].
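Review bot: the context line in the hunk header still reads `If you enable the `docdb` storage method is for any artifacts`, which has a stray `is`; worth fixing while this table is being edited. In the new `storage.docdb.mongo-server-url` row, `might be insecure` understates the point: the URL can carry credentials, and a plain-text value in `TektonConfig` is readable by anyone who can read the CR, so state that plainly and keep the pointer to `storage.docdb.mongo-server-url-dir`. The `Example value` cell of that row is also left empty while the `-dir` row on line 172 has one; consider adding one for consistency.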
@@ -271,15 +281,23 @@ If you configure the `kms` signature backend, set the KMS configuration, includi
271281
|
272282

273283
| `signers.kms.auth.token`
274-
| Authentication token for the KMS server (the value of `VAULT_TOKEN`).
284+
| Authentication token for the KMS server (the value of `VAULT_TOKEN`). Providing the token as plain-text configuration might be insecure. Use the alternative `signers.kms.auth.token-path` configuration setting for production environments.
275285
|
276286
|
277287

288+
289+
| `signers.kms.auth.token-path`
290+
| The full pathname of the file that contains the authentication token for the KMS server (the value of `VAULT_TOKEN`).
291+
Provide this file as a secret and configure mounting this file for the {tekton-chains} controller, as described in _Creating and mounting the KMS authentication token secret_.
292+
| Example value: `/etc/kms-secrets/KMS_AUTH_TOKEN`
293+
|
294+
278295
| `signers.kms.auth.oidc.path`
279296
| The path for OIDC authentication (for example, `jwt` for Vault).
280297
|
281298
|
282299

300+
283301
| `signers.kms.auth.oidc.role`
284302
| The role for OIDC authentication.
285303
|
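Review bot: the blank-line changes break the table's one-blank-line-between-rows pattern: lines 288 and 289 are both empty before the `signers.kms.auth.token-path` row, and line 300 adds a second blank line before `signers.kms.auth.oidc.role` with no content change; drop the extras. In the updated `signers.kms.auth.token` description, `might be insecure` is vague; say that the token is then stored in plain text in the CR, which is the actual reason to prefer `signers.kms.auth.token-path`.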

secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc

Lines changed: 3 additions & 0 deletions
@@ -21,7 +21,10 @@ To capture information about task runs, {tekton-chains} uses `Result` objects. W
2121

2222
include::modules/op-configuring-tekton-chains.adoc[leveloffset=+1]
2323
include::modules/op-supported-parameters-tekton-chains-configuration.adoc[leveloffset=+2]
24+
include::modules/op-creating-mounting-mongo-server-url-secret.adoc[leveloffset=+2]
25+
include::modules/op-creating-mounting-kms-authentication-token-secret.adoc[leveloffset=+2]
2426
include::modules/op-enabling-tekton-chains-to-operate-only-in-selected-namespaces.adoc[leveloffset=+2]
27+
2528
include::modules/op-signing-secrets-in-tekton-chains.adoc[leveloffset=+1]
2629
include::modules/op-chains-signing-secrets-cosign.adoc[leveloffset=+2]
2730
include::modules/op-chains-signing-secrets-skopeo.adoc[leveloffset=+2]
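Review bot: line 27 adds an empty line between the `op-enabling-tekton-chains-to-operate-only-in-selected-namespaces` include and the `op-signing-secrets-in-tekton-chains` block with no other change; drop it unless the other sections of this assembly are separated the same way. The two new includes reference `op-creating-mounting-mongo-server-url-secret.adoc` and `op-creating-mounting-kms-authentication-token-secret.adoc`, but this view does not show the file names of the two added modules; confirm they match the include paths exactly.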
