
IBM / argocd-interlace

Licence: Apache-2.0 license
Enabling Software Supply Chain Security Capabilities in ArgoCD

Programming Languages: Go, shell, Makefile, Dockerfile

ArgoCD Interlace

ArgoCD is widely used for GitOps-style continuous delivery. It builds manifests from the source data in a Git repository and automatically syncs them to the target clusters.

ArgoCD Interlace extends ArgoCD from an end-to-end software supply chain security viewpoint: it adds authenticity to the generated manifest and traceability back to the source.

ArgoCD Interlace runs as a Kubernetes Custom Resource Definition (CRD) controller. It watches for state changes of Application resources on the ArgoCD cluster. When it detects a new manifest build, Interlace signs the manifest and records the details of that build, such as the source files used and the command that produced the manifest, so the build can be reproduced. Interlace stores these details as provenance records in the in-toto format and uploads them to a Sigstore transparency log for later verification.

(Figure: ArgoCD-Interlace-Arch, architecture diagram)

The features are

  • Pluggable into ArgoCD
  • Verify signature of source materials used for generating manifest
  • Capture manifest and provenance from application.status automatically
  • Sign manifest
  • Record provenance in in-toto format

Getting Started

Installation

Prerequisite: Install ArgoCD on your Kubernetes cluster before you install ArgoCD Interlace.

To install ArgoCD Interlace, run:

$ kubectl apply -f https://raw.githubusercontent.com/argoproj-labs/argocd-interlace/main/releases/release.yaml

On OpenShift, use this instead of the above.

$ kubectl apply -f https://raw.githubusercontent.com/argoproj-labs/argocd-interlace/main/releases/release_openshift.yaml

Then you can check whether ArgoCD Interlace is running just by looking at the pod status.

$ kubectl get pod -n argocd-interlace
NAME                                           READY   STATUS    RESTARTS   AGE
argocd-interlace-controller-5b6cd5f896-vwtrj   1/1     Running   0          2m

Quick Start

By default, ArgoCD Interlace stores each generated provenance record in an ApplicationProvenance custom resource in the argocd-interlace namespace.

Whenever ArgoCD syncs an Application, ArgoCD Interlace creates the corresponding ApplicationProvenance (and appends to it on later syncs), and you can read the provenance data as shown below.

$ kubectl get appprov -n argocd-interlace
NAME         AGE
sample-app   3m40s


$ kubectl get appprov -n argocd-interlace sample-app -o json
{
    "apiVersion": "interlace.argocd.dev/v1beta1",
    "kind": "ApplicationProvenance",
    "metadata": {
        "creationTimestamp": "2022-06-15T00:33:07Z",
        "generation": 1,
        "name": "sample-app",
        "namespace": "argocd-interlace",
        "resourceVersion": "1553595",
        "uid": "bc081b63-0595-4917-9a0e-2869a7dd1eeb"
    },
    "spec": {
        "application": {
            "name": "sample-app",
            "namespace": "argocd"
        }
    },
    "status": {
        "lastUpdated": "2022-06-15T07:04:05Z",
        "results": [
            {
                "manifest": "ICBh  ...  ODAK",      // base64 encoded resource manifest
                "provenance": "eyJf  ...  fQ==",    // base64 encoded provenance data
                "sourceVerified": false,            // whether source material was verified or not
                "time": "2022-06-15T07:04:05Z"      // timestamp of the update
            }
        ]
    }
}

In the spec field, you can find which Application was the target of this provenance data.

In the status field, you can find the generated manifest for the Application sync and the provenance data generated by ArgoCD Interlace. (These two values are encoded in base64.)

For more details about the provenance data, refer to the project's provenance documentation.
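The two status values are opaque until decoded, so a reviewer normally wants to pull them apart and check that they describe each other. The Go program below is an added example, not code from argocd-interlace: it unmarshals an ApplicationProvenance document, base64-decodes the manifest and provenance fields, parses the provenance as an in-toto Statement, and checks that one of the statement's subject sha256 digests equals the hash of the recorded manifest bytes. That subject-to-manifest linkage, the SLSA predicateType, and the constructed sample document are assumptions made for the example; the project's provenance doc describes the real layout. On a live cluster you would feed the output of `kubectl get appprov -n argocd-interlace sample-app -o json` to Inspect instead of SampleAppProv.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Only the ApplicationProvenance fields shown on this page are modelled.
// encoding/json matches field names case-insensitively, so tags are only
// needed where the JSON key cannot be spelled as a Go identifier (_type).
type provenanceResult struct {
	Manifest, Provenance string // base64 of the synced YAML manifest / in-toto statement
	SourceVerified       bool
}

type applicationProvenance struct {
	Spec   struct{ Application struct{ Name, Namespace string } }
	Status struct{ Results []provenanceResult }
}

// statement is the in-toto Statement envelope; the predicate body is not needed here.
type statement struct {
	Type          string `json:"_type"`
	PredicateType string
	Subject       []struct {
		Name   string
		Digest map[string]string
	}
}

// Report summarises one recorded sync for a reviewer.
type Report struct {
	Application    string
	PredicateType  string
	SubjectNames   []string
	ManifestSHA256 string
	DigestMatches  bool // a subject sha256 equals sha256(manifest): assumed linkage
	SourceVerified bool
}

// Inspect decodes the newest status.results entry and cross-checks manifest and provenance.
func Inspect(appProvJSON []byte) (Report, error) {
	var ap applicationProvenance
	if err := json.Unmarshal(appProvJSON, &ap); err != nil {
		return Report{}, err
	}
	if len(ap.Status.Results) == 0 {
		return Report{}, fmt.Errorf("no provenance results recorded yet")
	}
	last := ap.Status.Results[len(ap.Status.Results)-1]
	manifest, err := base64.StdEncoding.DecodeString(last.Manifest)
	if err != nil {
		return Report{}, fmt.Errorf("manifest: %w", err)
	}
	provBytes, err := base64.StdEncoding.DecodeString(last.Provenance)
	if err != nil {
		return Report{}, fmt.Errorf("provenance: %w", err)
	}
	var st statement
	if err := json.Unmarshal(provBytes, &st); err != nil || st.Type == "" {
		return Report{}, fmt.Errorf("provenance is not an in-toto statement")
	}
	sum := sha256.Sum256(manifest)
	r := Report{
		Application:    ap.Spec.Application.Namespace + "/" + ap.Spec.Application.Name,
		PredicateType:  st.PredicateType,
		ManifestSHA256: hex.EncodeToString(sum[:]),
		SourceVerified: last.SourceVerified,
	}
	for _, s := range st.Subject {
		r.SubjectNames = append(r.SubjectNames, s.Name)
		if s.Digest["sha256"] == r.ManifestSHA256 {
			r.DigestMatches = true
		}
	}
	return r, nil
}

// SampleAppProv returns a constructed ApplicationProvenance document (made-up manifest
// and statement, not real Interlace output). With tamper=true the stored manifest is
// altered after the statement was built, so the digest check must fail.
func SampleAppProv(tamper bool) []byte {
	manifest := []byte("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\ndata:\n  greeting: hello\n")
	sum := sha256.Sum256(manifest)
	prov := fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"manifest.yaml","digest":{"sha256":"%s"}}]}`,
		hex.EncodeToString(sum[:]))
	if tamper {
		manifest = append(manifest, "  extra: injected\n"...)
	}
	return []byte(fmt.Sprintf(`{"spec":{"application":{"name":"sample-app","namespace":"argocd"}},"status":{"results":[{"manifest":"%s","provenance":"%s","sourceVerified":false}]}}`,
		base64.StdEncoding.EncodeToString(manifest), base64.StdEncoding.EncodeToString([]byte(prov))))
}

func main() {
	for _, tamper := range []bool{false, true} {
		r, err := Inspect(SampleAppProv(tamper))
		fmt.Printf("tamper=%v report=%+v err=%v\n", tamper, r, err)
	}
}
```

The digest cross-check is the cheap first gate: if the manifest stored next to the provenance no longer hashes to the subject the statement names, the record is not describing the manifest that was synced and nothing else in it should be trusted.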

Additional Features

Besides provenance recording, ArgoCD Interlace supports three optional features.

1. Verify source material contents before generating provenance

Before ArgoCD Interlace generates provenance data, it can verify the contents of the source materials. To use this, sign the source materials (Git repository / Helm chart) beforehand (see the doc). Interlace then checks that signature at sync time, which lets you confirm that the source contents of the synced Application are the ones that were signed.

Enable this feature by configuring the secret source-material-verify-key in the argocd-interlace namespace, for example with the commands below. <PATH/TO/PUBLIC_KEY> should be the actual file path (refer to the key setup doc). The value stored in the secret is the base64 encoding of the PEM file itself; the tr strips the line breaks that base64 inserts into long output, because they would break the JSON patch. Set the variable on its own line: a KEY_PATH=... prefix on the kubectl command would not be visible to the $(...) substitution in its arguments.

$ KEY_PATH=<PATH/TO/PUBLIC_KEY>
$ kubectl patch secret source-material-verify-key -n argocd-interlace -p="{\"data\":{\"public_key_pem\":\"$(base64 < "$KEY_PATH" | tr -d '\n')\"}}"

Note that it takes about a minute after this command before the running pod picks up the updated key.

With this feature enabled, the sourceVerified field in the ApplicationProvenance status is true when verification succeeds. Consumers of the provenance should check this flag rather than assume the sources were verified.

2. Sign the generated provenance data

By default, ArgoCD Interlace only generates the provenance data; nothing signs it, so its integrity cannot be checked by anyone who did not watch it being written. You can enable signing of the generated provenance data so that it can be verified when it is used somewhere other than ArgoCD / ArgoCD Interlace, for example by an auditor working from an exported record.

Enable this by configuring the secret interlace-signing-key in the argocd-interlace namespace, for example with the commands below. <PATH/TO/PRIVATE_KEY> should be the actual file path (refer to the key setup doc). Keep the private key out of the source repository; only the matching public key needs to reach verifiers.

$ KEY_PATH=<PATH/TO/PRIVATE_KEY>
$ kubectl patch secret interlace-signing-key -n argocd-interlace -p="{\"data\":{\"private_key_pem\":\"$(base64 < "$KEY_PATH" | tr -d '\n')\"}}"

Note that it takes about a minute after this command before the running pod picks up the updated key.

With this feature enabled, a signature field is added to the status of the ApplicationProvenance and contains the generated signature.
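The value of this feature is that the key in interlace-signing-key stays in the cluster while anyone holding the public key can check the record. The Go program below is an added example, not argocd-interlace's code: it generates a P-256 key pair as PEM, renders the JSON body that the kubectl patch above sends (the secret value is base64 of the PEM file), signs the decoded provenance bytes with ECDSA over SHA-256, and verifies the base64 signature with only the public key, rejecting a tampered statement, a garbage signature, or the wrong key type. The plain EC PRIVATE KEY PEM layout, the ASN.1 DER signature encoded as base64, and the stand-in statement are assumptions for the example; the project's actual key and signature formats are described in its key setup doc, not here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyPair makes a P-256 key pair as PEM: the private half is what the
// interlace-signing-key secret would hold, the public half is what a verifier needs.
// (PEM layout assumed for the example.)
func GenerateKeyPair() (privPEM, pubPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// SecretPatch renders the JSON body for `kubectl patch secret ... -p=...`:
// Secret data values are base64 of the raw bytes, here the whole PEM file.
func SecretPatch(field string, keyPEM []byte) (string, error) {
	body, err := json.Marshal(map[string]map[string]string{
		"data": {field: base64.StdEncoding.EncodeToString(keyPEM)},
	})
	return string(body), err
}

// SignProvenance signs sha256(provenance) and returns the ASN.1 DER ECDSA signature
// as base64, the form a status field could carry. (Signature format assumed.)
func SignProvenance(privPEM, provenance []byte) (string, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return "", errors.New("private key: no PEM block")
	}
	priv, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(provenance)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyProvenance checks the signature using only the public key, which is all a
// consumer outside the cluster should ever hold.
func VerifyProvenance(pubPEM, provenance []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return errors.New("public key: no PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(provenance)
	if !ecdsa.VerifyASN1(ecPub, digest[:], sig) {
		return errors.New("provenance signature does not verify")
	}
	return nil
}

func main() {
	privPEM, pubPEM, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	patch, _ := SecretPatch("private_key_pem", privPEM)
	fmt.Println("kubectl patch secret interlace-signing-key -n argocd-interlace -p=" + patch)
	// Constructed stand-in for the decoded provenance field of an ApplicationProvenance.
	prov := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[]}`)
	sig, _ := SignProvenance(privPEM, prov)
	fmt.Println("verify original:", VerifyProvenance(pubPEM, prov, sig))
	fmt.Println("verify tampered:", VerifyProvenance(pubPEM, append(prov, '\n'), sig))
}
```

Note that the signature covers the exact provenance bytes: even a trailing newline added while copying the record out of the cluster makes verification fail, which is the behaviour you want from an integrity check, so transport the base64 field, not a re-serialised copy of the statement.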

3. Sign the manifest generated by ArgoCD

Additionally, you can enable signing of the YAML manifest generated by ArgoCD. For this, ArgoCD Interlace leverages the manifest signing feature provided by the sigstore community (k8s-manifest-sigstore).

To enable this, add a ConfigMap resource carrying the label signatureResource: "true" to your source material repository (label values are strings, so quote it in YAML). When this ConfigMap is found among the synced resources, ArgoCD Interlace signs the YAML manifest and stores the signature in that ConfigMap on the cluster. This feature requires both secrets configured in the steps above.

Example Scenario

To see ArgoCD Interlace in action, check the example scenario.

Demo

(demo recording: intro)
