From 821f7c446131a9cb303a8a9f63ced6ba17ca37fc Mon Sep 17 00:00:00 2001
From: Anitha Natarajan <51791012+anithapriyanatarajan@users.noreply.github.com>
Date: Thu, 22 Aug 2024 20:08:12 +0530
Subject: [PATCH] Added visual guide representing chains config options (#1183)
---
 docs/config.md | 5 +
 .../signing-storage-config-diagram.drawio.svg | 787 ++++++++++++++++++
 2 files changed, 792 insertions(+)
 create mode 100644 images/signing-storage-config-diagram.drawio.svg
diff --git a/docs/config.md b/docs/config.md
index d98747e6bf..50ec734ced 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -159,6 +159,11 @@ chains.tekton.dev/transparency-upload: "true"
 > [!IMPORTANT]
 > To project the latest token values without needing to recreate the pod, avoid using `subPath` in volume mount.
+### Visual Guide: ConfigMap Configuration Options
+Refer the diagram below to explore the pictorial representation of signing and storage configuration options, and their usage in the context of chains artifacts.
+
+![ConfigMap Configuration Diagram](../images/signing-storage-config-diagram.drawio.svg)
+
 ## Namespaces Restrictions in Chains Controller
 This feature allows you to specify a list of namespaces for the controller to monitor, providing granular control over its operation. If no namespaces are specified, the controller defaults to monitoring all namespaces.
diff --git a/images/signing-storage-config-diagram.drawio.svg b/images/signing-storage-config-diagram.drawio.svg
new file mode 100644
index 0000000000..e514c30df6
--- /dev/null
+++ b/images/signing-storage-config-diagram.drawio.svg
@@ -0,0 +1,787 @@
+ + + + + + + + + + + + + + + + + + + artifacts.oci + + + + + +
+
+
+ format +
+
+
+
+ + format + +
+
+ + + +
+
+
+ storage +
+
+
+
+ + storage + +
+
+ + + +
+
+
+ signer +
+
+
+
+ + signer + +
+
+ + + + + + artifacts.taskrun + + + + + +
+
+
+ format +
+
+
+
+ + format + +
+
+ + + +
+
+
+ storage +
+
+
+
+ + storage + +
+
+ + + +
+
+
+ signer +
+
+
+
+ + signer + +
+
+ + + + + + artifacts.pipelinerun + + + + + +
+
+
+ format +
+
+
+
+ + format + +
+
+ + + +
+
+
+ storage +
+
+
+
+ + storage + +
+
+ + + +
+
+
+ signer +
+
+
+
+ + signer + +
+
+ + + +
+
+
+ enable-deep-inspection +
+
+
+
+
+
+
+ + enable-deep-inspection + +
+
+ + + + + + storage + + + + + +
+
+
+ Where to store +
+ the signed artifact? +
+
+
+
+
+ + Where to store... + +
+
+ + + + + + signer + + + + + +
+
+
+ What mechanism +
+ should be used to +
+
+ sign the artifact ? +
+
+
+
+
+ + What mechanism... + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + signer.kms + + + + + + + + signer.x509 + + + + + + + + signer.kms <vault> + + + + + +
+
+
+ kmsref +
+ auth.address +
+
+ auth.token +
+
+ auth.token-path +
+
+ auth.oidc.path +
+
+ auth.oidc.role +
+
+ auth.oidc.spire.sock +
+
+ auth.oidc.spire.audience +
+
+
+
+
+
+
+
+ + kmsref... + +
+
+ + + + + + + + signer.kms <aws> + + + + + +
+
+
+ kmsref +
+ auth.address +
+
+ auth.token +
+
+ auth.token-path +
+
+ auth.oidc.path +
+
+ auth.oidc.role +
+
+ auth.oidc.spire.sock +
+
+ auth.oidc.spire.audience +
+
+
+
+
+
+
+
+ + kmsref... + +
+
+ + + + + + + + signer.kms <azure> + + + + + +
+
+
+ kmsref +
+ auth.address +
+
+ auth.token +
+
+ auth.token-path +
+
+ auth.oidc.path +
+
+ auth.oidc.role +
+
+ auth.oidc.spire.sock +
+
+ auth.oidc.spire.audience +
+
+
+
+
+
+
+
+ + kmsref... + +
+
+ + + + + + signer.kms <gcp> + + + + + +
+
+
+ kmsref +
+ auth.address +
+
+ auth.token +
+
+ auth.token-path +
+
+ auth.oidc.path +
+
+ auth.oidc.role +
+
+ auth.oidc.spire.sock +
+
+ auth.oidc.spire.audience +
+
+
+
+
+
+
+
+ + kmsref... + +
+
+ + + + + + signer.x509<fulcio> + + + + + +
+
+
+
+ fulcio.enabled +
+
+ fulcio.address +
+
+ fulcio.issuer +
+
+ fulcio.provider +
+
+ identity.token.file +
+
+ tuf.mirror.url +
+
+
+
+
+ + fulcio.enabled... + +
+
+ + + + + + signer.x509<x509> + + + + + +
+
+
+ if secret - signing-secrets has key `x509.pem` +
+
+
+
+ + if secret - signing-secret... + +
+
+ + + + + + signer.x509 <cosign> + + + + + +
+
+
+
+ if fulcio not enabled and the secret - signing-secrets does not have key x509.pem then cosign is used if there is a key named 'cosign.key' +
+
+
+
+
+ + if fulcio not enabled and t... + +
+
+ + + + + + + + + + + + + + + + + + + + storage.gcs + + + + + +
+
+
+ bucket +
+
+
+
+ + bucket + +
+
+ + + + + + storage.grafeas + + + + + +
+
+
+ projectid +
+ noteid +
+
+ notehint +
+
+
+
+
+ + projectid... + +
+
+ + + + + + storage.pubsub + + + + + +
+
+
+
+ + General: + +
+
+ - provider +
+
+ - topic +
+
+ Kafka: +
+
+ - kafka.bootstrap.servers +
+
+ InMemory +
+
+ - No additonal properties +
+
+
+
+
+ + General:... + +
+
+ + + + + + storage.oci + + + + + +
+
+
+ repository +
+ repository.insecure +
+
+
+
+
+ + repository... + +
+
+ + + + + + storage.docdb + + + + + + + +
+
+
+ url +
+ mongo-server-url +
+
+ mongo-server-url-dir +
+
+
+
+
+ + url... + +
+
+ + + + + + + + +
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file