feat: support protected repositories with Tekton Chains provenance #136
Open
minmzzhang wants to merge 4 commits into
Conversation
sabre1041 (Collaborator) requested changes, May 25, 2026:
This is good and works as described. A few items/questions
- See the note regarding hardcoded git host value in the features Python script
- Has there been any thought about supporting SSH-based auth? Currently, based on this feature, only basic auth is supported. However, given that the VP framework supports SSH, we should include support for it as well.
Add support for cloning source code from protected (private) Git repositories in the Tekton supply-chain pipeline. Credentials are stored in Vault and delivered to the pipeline via an ExternalSecret that generates .git-credentials and .gitconfig files for the git-clone task's basic-auth workspace.

Supply-chain chart changes:
- Add init task (skopeo pre-flight image check, skip rebuild)
- Add optional git-auth workspace and Chains provenance results (CHAINS-GIT_URL, CHAINS-GIT_COMMIT, IMAGE_URL, IMAGE_DIGEST)
- Add ExternalSecret for git credentials (Opaque with .git-credentials)
- Conditionally attach git-credentials secret to pipeline SA
- Add skopeo image to tasks.images for the init task
- Migrate all Tekton resources from v1beta1 to v1 API

Generator and feature fragments:
- Add protected-repos feature fragment with git.credentials overrides and qtodo.repository placeholder
- Add --git-repo CLI argument to gen-feature-variants.py (required when protected-repos feature is enabled)
- Add ignoreDifferences for Tekton Task/Pipeline defaulted fields to the supply-chain feature fragment

Default values-hub.yaml:
- Extend hub-supply-chain-jwt-secret Vault policy to cover secret/data/hub/supply-chain/*
- Add commented-out Tekton ignoreDifferences, git.credentials overrides, and qtodo.repository override

Documentation:
- Update docs/supply-chain.md with protected repos setup, generator --git-repo usage, and git-auth workspace selection
- Update scripts/gen-feature-variants.md with --git-repo examples
- Add git-credentials entry to values-secret.yaml.template

Signed-off-by: Min Zhang <minzhang@redhat.com>
- Support SSH auth for protected repositories
- Fix ESO SSH template with index syntax for hyphenated keys
- Add Vault NetworkPolicy rules for registry-token-refresher
- Update gen-feature-variants with protected-repos feature
- Clarify that git credentials use SA injection (no git-auth workspace binding needed)

Signed-off-by: Min Zhang <minzhang@redhat.com>
b9ed384 to e8c14b9
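As an added example, not code from this PR or from the layered-zero-trust chart: an External Secrets Operator ExternalSecret (template engine v2) that renders, from one Vault KV entry, the two files the Tekton Hub git-clone task copies out of its basic-auth workspace, followed by the SSH variant the second commit describes. The ClusterSecretStore name `vault-backend`, the Vault path `hub/supply-chain/git-credentials`, the namespace, the key names and the git host are assumptions. `| trim` strips the trailing newline a file-sourced token usually carries, and `index` is needed because a Go template cannot dereference a hyphenated key such as `ssh-privatekey` with dot syntax.

```yaml
# Added example (not the PR's chart). Assumed: ClusterSecretStore "vault-backend",
# KV v2 path hub/supply-chain/git-credentials with keys username, password,
# ssh-privatekey and known_hosts, git host github.com, namespace supply-chain.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: qtodo-git-credentials        # assumed name
  namespace: supply-chain            # assumed namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: qtodo-git-credentials
    template:
      engineVersion: v2
      type: Opaque
      data:
        # git-clone's basic-auth workspace copies these two files into $HOME.
        # "| trim" drops the newline left behind by writing the token with a
        # shell redirect; without it the credential helper sends "token\n".
        .git-credentials: |
          https://{{ .username }}:{{ .password | trim }}@github.com
        .gitconfig: |
          [credential "https://github.com"]
            helper = store
  data:
    - secretKey: username
      remoteRef:
        key: hub/supply-chain/git-credentials
        property: username
    - secretKey: password
      remoteRef:
        key: hub/supply-chain/git-credentials
        property: password
---
# SSH variant: what the rendered secret must contain for an ssh-directory
# workspace (same assumptions as above).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: qtodo-git-ssh
  namespace: supply-chain
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: qtodo-git-ssh
    template:
      engineVersion: v2
      type: Opaque
      data:
        # "ssh-privatekey" is not a valid Go template identifier, so dot
        # syntax ({{ .ssh-privatekey }}) fails to parse; index works.
        id_rsa: '{{ index . "ssh-privatekey" }}'
        known_hosts: '{{ .known_hosts }}'
        # Pin host-key checking so a missing known_hosts fails the clone
        # instead of silently accepting whatever key the network presents.
        config: |
          Host github.com
            StrictHostKeyChecking yes
            IdentityFile ~/.ssh/id_rsa
  data:
    - secretKey: ssh-privatekey
      remoteRef:
        key: hub/supply-chain/git-credentials
        property: ssh-privatekey
    - secretKey: known_hosts
      remoteRef:
        key: hub/supply-chain/git-credentials
        property: known_hosts
```

The PR's later commit reports that binding the SSH secret directly as a workspace fails because the git-clone ClusterTask's prepare.sh runs chmod on read-only projected-volume symlinks, and that SSH credentials are instead injected through the pipeline ServiceAccount; read the second manifest as the shape of the rendered secret, not as the binding step.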
minmzzhang (Author, Collaborator): SSH auth has been added to the PR.
HTTPS mode requires explicitly binding the git-auth workspace to the qtodo-git-credentials secret, while SSH mode must leave it unbound due to the git-clone ClusterTask's prepare.sh chmod failing on read-only projected volume symlinks. Signed-off-by: Min Zhang <minzhang@redhat.com>
486b5d2 to b1c6793
mlorenzofr (Collaborator) requested changes, May 28, 2026:
Good work 👍
I have a few suggestions and the gen-feature-variants.py part needs fixing, but otherwise it works correctly (https and ssh methods).
minmzzhang added a commit to minmzzhang/layered-zero-trust that referenced this pull request, May 28, 2026:

…orenzofr)
- Restore PR validatedpatterns#139 dedup logic (named list upsert, duplicate override validation) that was inadvertently removed
- Use file-based path instead of inline value for HTTPS git credentials to avoid plaintext password leaks in values-secret
- Add | trim to ESO password template for path-sourced credentials
- Add ssh-keygen instructions and passwordless key requirement
- Fix make load-secrets -> ./pattern.sh make load-secrets
- Add explicit SSH URL example to qtodo.repository override comment

Signed-off-by: Min Zhang <minzhang@redhat.com>
…orenzofr)
- Restore PR validatedpatterns#139 dedup logic (named list upsert, duplicate override validation) that was inadvertently removed
- Use file-based path instead of inline value for HTTPS git credentials and registry token to avoid plaintext password leaks in values-secret
- Add | trim to ESO password template for path-sourced credentials
- Add ssh-keygen instructions and passwordless key requirement
- Fix make load-secrets -> ./pattern.sh make load-secrets
- Add explicit SSH URL example to qtodo.repository override comment

Signed-off-by: Min Zhang <minzhang@redhat.com>

cd8da04 to 0a50bb8
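Added example, not the repository's values-secret.yaml.template: a values-secret file in the validated-patterns v2.0 format, showing the inline `value:` form that the last two commits replace next to the file-backed `path:` form. The secret name, the `hub` vault prefix and the file locations are assumptions. The `ssh-keygen -N ''` in the comment produces the passwordless key the commits require, since the git-clone task cannot answer a passphrase prompt, and `ssh-keyscan` supplies the known_hosts entry that lets the clone pin the host key.

```yaml
# Added example (not the pattern's template). Secret name, prefix and paths are assumed.
version: "2.0"
secrets:
  # Weak form, kept only for contrast: the token is a literal in a file that is
  # easy to commit, paste into an issue, or leave in shell history.
  # - name: git-credentials
  #   vaultPrefixes: [hub]
  #   fields:
  #     - name: username
  #       value: qtodo-bot
  #     - name: password
  #       value: ghp_xxxxxxxxxxxxxxxxxxxx

  # Corrected form: values-secret holds only paths; the loader reads the files
  # at "./pattern.sh make load-secrets" time and writes the contents to Vault.
  - name: git-credentials
    vaultPrefixes:
      - hub
    fields:
      - name: username
        value: qtodo-bot                 # not secret, inline is fine
      # Token file written without a trailing newline and readable only by the owner:
      #   umask 077; printf '%s' "$GIT_TOKEN" > ~/.config/qtodo/git-token
      - name: password
        path: ~/.config/qtodo/git-token
      # Passwordless deploy key, because git-clone runs non-interactively:
      #   ssh-keygen -t ed25519 -N '' -f ~/.ssh/qtodo-deploy -C qtodo-pipeline
      - name: ssh-privatekey
        path: ~/.ssh/qtodo-deploy
      # Pinned host key, so the clone fails closed on an unexpected host key:
      #   ssh-keyscan -t ed25519 github.com > ~/.ssh/qtodo-known_hosts
      - name: known_hosts
        path: ~/.ssh/qtodo-known_hosts
```

Only the public half of the deploy key (`~/.ssh/qtodo-deploy.pub`) is registered with the git host, ideally as a read-only deploy key scoped to the one repository the pipeline clones; rotating it is then a new keypair plus `./pattern.sh make load-secrets`, with no change to the chart.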