Add support for Grafeas storage backend#389
Conversation
/assign @wlynch
@chuangw6: GitHub didn't allow me to assign the following users: wlynch. Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
The following is the coverage report on the affected files.
/retest
/test pull-tekton-chains-unit-tests
hi @wlynch,

wlynch left a comment
Looking good! Few more changes, mostly structural / documentation though!
@wlynch: changing LGTM is restricted to collaborators
/assign @priyawadhwa
maybe squash the commits before merging?

Good call! I always miss this 😅
priyawadhwa left a comment
Nice! I'm not super familiar with grafeas, but would it be possible to write an integration test for it?
I'm wondering if we could deploy an instance of grafeas to the integration test cluster & test against that?
yah I think that's required!
Done! Thanks for the heads up!
/lgtm

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: priyawadhwa, wlynch
Changes
This PR implements support for the Grafeas storage backend (i.e. Google Container Analysis) via the Grafeas open source API.
If the Google Container Analysis server is chosen, this new feature enables Tekton Chains to write provenance to Container Analysis, where it can then be consumed by GCP services such as Binary Authorization.
Release Notes
action required
1. Configure Container Analysis as the storage backend for taskrun and/or OCI artifacts.

   ```
   kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.storage": "grafeas"}}'
   kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.oci.storage": "grafeas"}}'
   ```

2. Inform Tekton Chains of the project ID and note name that will be used to create occurrences.

   ```
   kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"storage.grafeas.projectid": "<GCP_PROJECT_ID>"}}'
   kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"storage.grafeas.noteid": "<NOTE_NAME>"}}'
   ```

   (optional: if `noteid` is not configured, we will generate a name in the format of `tekton-<namespace>`)

3. Authenticate to GCP (if Container Analysis is chosen for the storage backend)

   `tekton-chains-controller` under the `tekton-chains` namespace
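The steps above apply four separate patches to `chains-config`. As an added example (not code from the Tekton Chains project or from this PR), the POSIX shell helper below builds the same four keys as one merge patch, so the ConfigMap never sits in an intermediate state where the backend is `grafeas` but the project ID is not yet set, and validates the project ID against GCP's documented project-ID format (6 to 30 lowercase letters, digits or hyphens, starting with a letter and not ending with a hyphen). The function names `grafeas_patch`, `valid_project_id` and `apply_grafeas_config` are assumptions of this example. `apply_grafeas_config` reads the value back after patching, because `kubectl patch` will happily add a misspelled key and Chains would then stay on whatever backend was configured before.

```shell
#!/bin/sh
# Added example, not part of Tekton Chains. Helper names are hypothetical.
set -eu

# GCP project IDs: 6-30 chars, lowercase letters/digits/hyphens, first char a
# letter, last char not a hyphen. Returns non-zero on a malformed ID.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Emit one JSON merge patch carrying the backend selection, project ID and
# (optionally) note ID. When note_id is empty the key is omitted so Chains
# falls back to its generated "tekton-<namespace>" note name.
grafeas_patch() {
  project_id="$1"
  note_id="${2:-}"
  valid_project_id "$project_id" || {
    printf 'invalid GCP project id: %s\n' "$project_id" >&2
    return 1
  }
  data='"artifacts.taskrun.storage":"grafeas","artifacts.oci.storage":"grafeas","storage.grafeas.projectid":"'"$project_id"'"'
  if [ -n "$note_id" ]; then
    data="$data"',"storage.grafeas.noteid":"'"$note_id"'"'
  fi
  printf '{"data":{%s}}' "$data"
}

# Apply the patch to chains-config and read the project ID back, so a typo in
# a key name (silently accepted by kubectl) shows up as an empty value here.
# Not invoked by this script; run it against a cluster by hand.
apply_grafeas_config() {
  patch=$(grafeas_patch "$@")
  kubectl patch configmap chains-config -n tekton-chains -p="$patch"
  kubectl get configmap chains-config -n tekton-chains \
    -o jsonpath='{.data.storage\.grafeas\.projectid}'
}
```

Usage: `apply_grafeas_config my-project` or `apply_grafeas_config my-project tekton-prod`; the printed project ID should match what you passed in. The note ID is passed through unchecked here, since the accepted format is set by the Grafeas server rather than by this page.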