
Chapter 2. Secrets for signing data in Tekton Chains


Cluster administrators can generate a key pair and have Tekton Chains sign artifacts with it by storing the key in a Kubernetes secret. For Tekton Chains to work, the private key, and for encrypted keys the password that decrypts it, must be present in the signing-secrets secret in the openshift-pipelines namespace.

Currently, Tekton Chains supports the x509 and cosign signature schemes.

Note

Use only one of the supported signature schemes.

  • To use the x509 signing scheme with Tekton Chains, you must fulfill the following requirements:

    • Store the private key in the signing-secrets secret under the x509.pem key.
    • Store the private key as an unencrypted PKCS #8 Privacy-Enhanced Mail (PEM) file.
    • Use a key of the ed25519 or ecdsa type.
  • To use the cosign signing scheme with Tekton Chains, you must fulfill the following requirements:

    • Store the private key in the signing-secrets secret under the cosign.key key.
    • Store the password in the signing-secrets secret under the cosign.password key.
    • Store the private key as an encrypted PEM file of the ENCRYPTED COSIGN PRIVATE KEY type.

2.1. Generating the cosign key pair by using the TektonConfig CR

To use the cosign signing scheme for Tekton Chains secrets, you can have the Operator generate a cosign key pair that uses the Elliptic Curve Digital Signature Algorithm (ECDSA) by setting the generateSigningSecret field in the TektonConfig custom resource (CR) to true.

Prerequisites

  • You installed the OpenShift CLI (oc) utility.
  • You logged in to your OpenShift Container Platform cluster with administrative rights for the openshift-pipelines namespace.

Procedure

  1. Edit the TektonConfig CR by running the following command:

    $ oc edit TektonConfig config
  2. In the TektonConfig CR, set the generateSigningSecret value to true:

    Example of creating an ECDSA cosign key pair by using the TektonConfig CR

    apiVersion: operator.tekton.dev/v1
    kind: TektonConfig
    metadata:
      name: config
    spec:
    # ...
      chain:
        disabled: false
        generateSigningSecret: true
    # ...

    generateSigningSecret
    The default value is false. Setting the value to true generates the ECDSA cosign key pair.
  3. After a few minutes, extract the public key from the secret and store it, so that you can use it to verify artifact attestations. Run the following command to extract the key:

    $ oc extract -n openshift-pipelines secret/signing-secrets --keys=cosign.pub

    The OpenShift Pipelines Operator generates an ecdsa type cosign key pair and stores it in the signing-secrets secret in the openshift-pipelines namespace. The secret includes the following files:

    • cosign.key: The private key
    • cosign.password: The password for decrypting the private key
    • cosign.pub: The public key

    If a signing-secrets secret already exists, the Operator does not overwrite it.

    The cosign.pub file in your current directory holds the public key extracted from the secret. This is the only file that needs to leave the cluster; anyone who can read the signing-secrets secret can read the private key and its password, so restrict read access to the secret through RBAC.

    Warning

    If you set the generateSigningSecret field from true to false, the Red Hat OpenShift Pipelines Operator overwrites the signing-secrets secret and empties its values.

    The Red Hat OpenShift Pipelines Operator does not offer the following security functions, so you must handle them yourself:

    • Key rotation
    • Auditing key usage
    • Proper access control to the key

2.2. Manually generating signing secrets with the cosign tool

You can generate the key pair and the signing-secrets secret for the cosign signing scheme with Tekton Chains by using the cosign tool.

Prerequisites

  • You installed the cosign tool.
  • You logged in to your OpenShift Container Platform cluster with administrative rights for the openshift-pipelines namespace.

Procedure

  1. Generate the cosign.key and cosign.pub key pair and store it directly in the signing-secrets secret by running the following command:

    $ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets

    Cosign prompts you for a password and then creates the Kubernetes secret. The k8s://<namespace>/<secret> target makes cosign write the keys into the cluster instead of into files in the current directory.

  2. Verify that the signing-secrets secret contains the encrypted cosign.key private key, the cosign.password decryption password and the cosign.pub public key. The private key must be stored as an encrypted Privacy Enhanced Mail (PEM) file of the ENCRYPTED COSIGN PRIVATE KEY type, as the cosign scheme requires.

2.3. Manually generating signing secrets with the skopeo tool

You can generate keys by using the skopeo tool and use them in the cosign signing scheme with Tekton Chains.

Prerequisites

  • You installed the skopeo package on your Linux system.

Procedure

  1. Generate a public/private key pair by running the following command:

    $ skopeo generate-sigstore-key --output-prefix <mykey>

    <mykey>
    Replace <mykey> with a key name of your choice.

    Skopeo prompts you for a passphrase for the private key and then creates the key files named <mykey>.private and <mykey>.pub.

  2. Encode the <mykey>.pub file by using the base64 tool and running the following command:

    $ base64 -w 0 <mykey>.pub > b64.pub
  3. Encode the <mykey>.private file by using the base64 tool and running the following command:

    $ base64 -w 0 <mykey>.private > b64.private
  4. Encode the passphrase by using the base64 tool and running the following command:

    $ echo -n '<passphrase>' | base64 -w 0 > b64.passphrase

    <passphrase>
    Replace <passphrase> with the passphrase that you used for the key pair. Note that a passphrase typed on the command line is usually recorded in your shell history; clear the entry afterwards or read the passphrase from a file instead.
  5. Create the signing-secrets secret in the openshift-pipelines namespace by running the following command:

    $ oc create secret generic signing-secrets -n openshift-pipelines
  6. Edit the signing-secrets secret by running the following command:

    $ oc edit secret -n openshift-pipelines signing-secrets

    Add the encoded keys in the data of the secret in the following way:

    apiVersion: v1
    data:
      cosign.key: <Encoded <mykey>.private>
      cosign.password: <Encoded passphrase>
      cosign.pub: <Encoded <mykey>.pub>
    immutable: true
    kind: Secret
    metadata:
      name: signing-secrets
    # ...
    type: Opaque

    <Encoded <mykey>.private>
    Replace with the content of the b64.private file.
    <Encoded passphrase>
    Replace with the content of the b64.passphrase file.
    <Encoded <mykey>.pub>
    Replace with the content of the b64.pub file.

    Because immutable is set to true, the data of the secret cannot be changed afterwards. To replace the keys later, delete the secret and re-create it.
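The following script is an added example; it is not part of the Red Hat documentation or of the Tekton Chains project. It performs steps 2 to 6 of this procedure in one pass, building the signing-secrets manifest from the <mykey>.private and <mykey>.pub files and the passphrase, and then checks the result against the requirements listed at the start of this chapter for both schemes: exactly one scheme present, an encrypted cosign key together with a password, or an unencrypted PKCS #8 key for x509. It assumes POSIX sh with base64, sed, grep and mktemp. The key files it writes in the demo at the bottom are constructed placeholders with no real key material, and accepting the ENCRYPTED SIGSTORE PRIVATE KEY header alongside the ENCRYPTED COSIGN PRIVATE KEY header named on the page is my assumption about what newer cosign releases write, not something the page states.

```shell
#!/bin/sh
# Added example; not part of the Red Hat page or of Tekton Chains.
# Builds the signing-secrets manifest for the cosign scheme from the files that
# "skopeo generate-sigstore-key" writes, then lints it against the requirements
# listed for the two signature schemes.
# Assumes POSIX sh, base64, sed, grep and mktemp; one data entry per line.

b64() { base64 | tr -d '\n'; }   # portable equivalent of "base64 -w 0"

# Print a Secret manifest. $1 = <mykey>.private, $2 = <mykey>.pub, $3 = passphrase.
# immutable: true matches the page; the data can then never be edited in place,
# so changing keys means deleting and re-creating the secret.
build_cosign_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: openshift-pipelines
type: Opaque
immutable: true
data:
  cosign.key: $(b64 < "$1")
  cosign.password: $(printf '%s' "$3" | b64)
  cosign.pub: $(b64 < "$2")
EOF
}

# Base64 value stored under data key $2 in manifest $1 (empty if absent).
secret_field() { sed -n "s/^  $2: *//p" "$1" | head -n 1; }

# First PEM header line of the decoded data key $2 in manifest $1 (empty if none).
pem_header() {
  secret_field "$1" "$2" | base64 -d 2>/dev/null | grep '^-----BEGIN ' | head -n 1 || true
}

# Return 0 if manifest $1 satisfies exactly one supported scheme, 1 otherwise.
check_signing_secret() {
  m=$1; x509=0; cosign=0
  [ -n "$(secret_field "$m" x509.pem)" ] && x509=1
  [ -n "$(secret_field "$m" cosign.key)" ] && cosign=1
  if [ $((x509 + cosign)) -ne 1 ]; then
    echo "FAIL: use exactly one scheme (x509.pem present=$x509, cosign.key present=$cosign)"
    return 1
  fi
  if [ "$x509" -eq 1 ]; then
    case "$(pem_header "$m" x509.pem)" in
      '-----BEGIN PRIVATE KEY-----')
        echo "OK: x509 scheme, unencrypted PKCS #8 key (key type not checked here)"; return 0 ;;
      '-----BEGIN ENCRYPTED PRIVATE KEY-----')
        echo "FAIL: x509.pem is encrypted; Chains needs an unencrypted PKCS #8 key"; return 1 ;;
      *) echo "FAIL: x509.pem is not a PKCS #8 PEM block"; return 1 ;;
    esac
  fi
  hdr=$(pem_header "$m" cosign.key)
  # The page names ENCRYPTED COSIGN PRIVATE KEY; also accepting ENCRYPTED SIGSTORE
  # PRIVATE KEY is an assumption about the header newer cosign releases write.
  case "$hdr" in
    '-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----') ;;
    *) echo "FAIL: cosign.key is not an encrypted cosign private key PEM"; return 1 ;;
  esac
  if [ -z "$(secret_field "$m" cosign.password)" ]; then
    echo "FAIL: cosign.password is missing, so Chains cannot decrypt cosign.key"; return 1
  fi
  echo "OK: cosign scheme, encrypted key plus password"
}

# Write placeholder key files $1/mykey.private and $1/mykey.pub with PEM type $2.
# Constructed stand-ins for skopeo output; they contain no real key material.
write_placeholder_keypair() {
  printf '%s\n' "-----BEGIN $2-----" 'cGxhY2Vob2xkZXI=' "-----END $2-----" > "$1/mykey.private"
  printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'cGxhY2Vob2xkZXI=' '-----END PUBLIC KEY-----' > "$1/mykey.pub"
}

# Demo: build a manifest from the placeholder keys and lint it.
d=$(mktemp -d)
write_placeholder_keypair "$d" 'ENCRYPTED COSIGN PRIVATE KEY'
build_cosign_secret_manifest "$d/mykey.private" "$d/mykey.pub" 'example-passphrase' > "$d/signing-secrets.yaml"
check_signing_secret "$d/signing-secrets.yaml" || echo "manifest rejected, do not apply it"
echo "Review the file, then run: oc apply -f $d/signing-secrets.yaml"
```

Apply the generated manifest with oc apply -f instead of running oc create followed by oc edit; with real keys, point build_cosign_secret_manifest at the <mykey>.private and <mykey>.pub files from step 1. The script does not check that an x509 key is of the ed25519 or ecdsa type; run openssl pkey -noout -text on the decoded file for that. Because the manifest sets immutable: true, applying it again with different key data against an existing secret is rejected by the API server; delete the secret first.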

2.4. Resolving the "secret already exists" error

If the signing-secrets secret is already populated, the command to create this secret might output the following error message:

Error from server (AlreadyExists): secrets "signing-secrets" already exists

You can resolve this error by deleting the secret.

Procedure

  1. Delete the signing-secrets secret by running the following command:

    $ oc delete secret signing-secrets -n openshift-pipelines
  2. Re-create the key pairs and store them in the secret using your preferred signing scheme.