Good morning, everyone. I'm really excited to be here. This is my first time at the CD Mini Summit, and the first time I see many of you in person, so I'm really, really excited about it. Today we're going to talk about Tekton Chains and how it works. A quick introduction about me for those of you who don't know me: I'm a developer advocate lead at Red Hat; this year I'm a CD ambassador, and I'm really excited about it. I'm also in the organization of Kubernetes Community Days Italy, and I'm the author of these two books, Modernizing Enterprise Java and GitOps Cookbook. I have a link at the end of the session, so if you want you can download those books for free. So let's go ahead and let's start with that.

Why? Usually when you buy a car you expect any part supplied to be genuine, right? Moreover, for those expensive cars, you expect those parts to be perfect. What about software? It should be the same. When we use a software, when we buy a software, when we adopt a community software, we expect this software, the components of this software, to be all genuine and all good. This is a very important topic. Let me share some scary numbers with you. This is the percentage growth of software supply chain attacks over the past three years: 742 percent. 20% of data breaches compromise the software supply chain. But the good number is also that teams have started doing initiatives to bring DevOps and security together, because the attacks are increasing in the software supply chain. And these are the most common attacks, right: dependency confusion, a stolen certificate, malware, you know, ransomware, any bad thing around, but dependency confusion and a compromised build environment.
Those are also very common attacks. So let me start with this tale, right, a software development tale. I really like this diagram because it shows how development works for any company now, for any project. So you have some developer teams that start developing an app, one or more applications, right? Development usually happens on a local laptop, a local workstation, or remotely, or even using Kubernetes directly, but this is what we call the inner loop, when you start coding, building, debugging, hopefully testing the software, and then you start pushing your code into Git. So you do a Git action. So your development is in the inner loop. When you move things to production, or to deployment, to the CD part, to quote Jeremy, right, let's talk about the CD, this is called the outer loop. So you move your software, your artifact, into kind of an automation that builds your software, and here in this outer loop you can have a pipeline that builds, runs compliance tests, runs security tests, integration tests, unit tests, deploys your software artifact into one or more environments, and then you are ready to push this to production. Now you see those are two loops and they are very close to forming an infinite loop, because when something happens in the outer loop you've got to go back into the inner loop, or you need to add a new feature. So it's a continuous inner loop, outer loop, and the connection is always a Git action. So you have a git push, then you have a pull request, so you start with the code review and then you send it to prod. I added to this diagram this arrow here, DevSecOps. This means that security should be in place from the first time, from when you start coding to when you deploy this code into production. This is the ideal flow. And today we're going to focus, we're going to talk about the outer loop, how Tekton and Tekton Chains really help implementing the security aspect for your pipeline.
We're going to talk about it in a moment. Sometimes I make some history jokes; today I borrowed Geoffrey Chaucer's Canterbury Tales, and this is the start of the Canterbury Tales adapted for this context: "Whan that dependency..." and so on. I'm not going to say it in Old English, but this is really cool, right, because this is kind of a song that is an intro to the dependency tales. What I want to say is that we're going to talk today about how to secure the supply chain and how open source software like Tekton helps with that.

Before we go ahead into it, let me give you some terminology for those of you maybe not aware of these terms. So one of the most common terms is SLSA, which is Supply chain Levels for Software Artifacts, and then there's SAST, and then you might have heard about CVE: when there's a vulnerability there's some CVE published on some public website. Then there's the SBOM, the software bill of materials. Sigstore. But the important thing today is also the attestation and the provenance. So an attestation is an authenticated statement, metadata about the software artifact we're building, right, and the provenance is the record of the origin, the history and who made the change, so it's more like a kind of a Git, but for the software artifact. And SLSA is a very important specification and also defines some levels. So level zero is, you know, a best effort, a kind of a dry run, and then you go into more levels, let's say level one, level two, level three. Level three is really the one that prevents vulnerabilities, prevents injecting dependencies not expected. So you might want to have SLSA level three in your outer loop. And here's another good diagram about the shift left.
We start, you know, from the final app that goes to your user: you have the user, they use some networking and they go to production. Now production is the final result of all of them; the artifact, the software artifact, is promoted across development, QA, staging. But everything starts with you as a developer coding and pushing into Git. That's why the community, the industry, is also promoting a shift-left approach, from source to product. And what about the coding part? When we talk about coding, we usually use our favorite package manager: for Java it's the pom, for Python it's pip, any of these, right, and we have our dependencies. So it's kind of automated, right? I need an HTTP library, I write in my pom.xml something, and Maven eventually downloads two gigabytes of stuff, I don't know what it's doing, right, it's usually like this. But if you analyze what it is doing under the hood, this is an example with the Maven dependency tree, it's downloading lots of stuff, right? And we don't really look at it; we take it as a given, but this is also very important. It's the way an attacker can inject a vulnerability or malware, or it's a single point of failure, if you remember when that guy from npm removed that Node.js library and basically stopped the world for some reason, or if you think about the Log4j vulnerability in Java, you know, that was really severe. After these issues people basically started recognizing that dependencies are important. Let me show you some open source friends that help you implement the shift-left approach. So you start with any Git repo, any Git SCM, it can be GitHub, GitLab, whatever you want to use, but most of the time your production is Kubernetes, right?
And Kubernetes today is the de facto standard for application deployment, application workloads, and so Kubernetes has a really rich ecosystem of projects to build software, and one of these is Tekton. Today we're going to talk specifically about one extension of Tekton called Tekton Chains that helps implement provenance, implement attestation, together with other open source friends like cosign, which is another open source software that can sign artifacts, and other software like Clair. Clair is an open source software that scans container images, consults a public list of CVEs for this kind of image, and gives you a result per layer. Then if you're using Kubernetes you might want to use policies, and Open Policy Agent is a really popular open source software for that. And then you might want to deploy software in Kubernetes. So Tekton usually builds the software; it can also deploy, of course, but usually it builds the software, signs the task, signs the container image, and then you can deploy with Argo CD, or any software for GitOps, but Argo CD is one of the popular ones. So here's an opinionated open source chain for building a secure software chain. So we're going to focus today on the safeguard of the build system; we're going to focus on the outer loop.

And I know some of you are directly involved in Tekton development, but I was wondering, how many of you are already using Tekton? Yeah, that's a good number. That's a good number. For those of you not aware of Tekton, Tekton is an open source software governed by the CD Foundation that provides Kubernetes-native CI/CD on Kubernetes. This means that you don't have to install an external software to run CI/CD on Kubernetes. It's native. You just install what are called custom resources, those APIs, and you have pipelines inside Kubernetes, so you can do `kubectl get pipeline` or `kubectl get pod`.
It's native to Kubernetes, so that's the default choice when you want to have Kubernetes be a CI/CD system. The good thing about Tekton, for those of you not aware of it, is that it is declarative, like anything in Kubernetes: you declare the desired state of your pipeline as an API. It's composable: you can insert multiple tasks into a pipeline. It's reproducible, and it's cloud native, which means it's native to containers and Kubernetes.

A quick recap of the concepts, because in the quick demo we're going to see really briefly some of these. So the Pipeline is a Pipeline object from the Pipeline API that can contain one or more Tasks. The Tasks in the Pipeline can be sequential or parallel, but inside the Task you have multiple steps. Those steps are sequential, and under the hood those steps are just container images that are executed, just because Tekton is Kubernetes native. Everything is a container, so a step is really a container, it can be a script in the container, but it's a container running, and the Task is a Pod, a Pod running in your cluster. Let me show you a quick Tekton architecture. So basically you define the Pipeline, the Pipeline contains the Tasks. Here's the thing that is different if you use other software for CI/CD outside Kubernetes: the running object is also a Kubernetes object, so you can do `kubectl get pipelinerun` to see the live execution of your Pipeline, and the PipelineRun has TaskRuns inside. So when you run the Pipeline, under the hood you basically create a Task that represents a Pod. So your Pipeline is decomposed into Tasks, the Task is a Pod, and inside the Pod you have multiple containers that represent the steps. That's the overall picture. Let me focus today on Tekton Chains. So Tekton Chains is part of the Tekton ecosystem and it has been added just to add those secure supply chain components we were talking about. How can Tekton Chains do that?
Well, it can sign Tasks, it can sign Task results with cryptographic keys, and it can also do attestation formats like in-toto; we'll look at it in a second. So essentially it can sign the execution of your Task as a software artifact and can also sign the container image that you generated, so, as I'll show you in the demo, in the registry you can have some kind of a tick that displays that this is signed. The in-toto attestation is authenticated metadata for one or more software artifacts. This is how it is defined on the official website. So basically you can sign an OCI image. OCI is an acronym that means Open Container Initiative, so any container image today is an OCI image: Docker images, Podman-generated images, whatever; it's an open format. So you can sign this open-format container image, and then you create a signed SLSA provenance attestation for the TaskRun and the PipelineRun. So not only is the software signed, the container image signed, but also the PipelineRun is signed. You are signing everything in your outer loop. I like the logo of SLSA, this cyberdike is super cool. But what do we mean by the signed SLSA provenance? It's used to verify which build system produced the attestation, how the build system was used. So it's a complete verification of everything. So, you know, usually in Git you can see who made what, right, in the code. What about in the build system? Who made what, who did that, who signed this, is that valid or not?
So in this case, in this way, you cannot inject dependencies not expected, because those are not signed. And how does Tekton Chains know that a TaskRun or a PipelineRun built an image? This is done via what is called type hinting. So when you create a container image, an OCI container image, you have the URL of the image and the image digest. This digest is used, and then it's going to be signed. So Tekton builds a container image, generates a hash, this hash will be used as the digest, and that will be signed. Will Chains just sign the image? Yes. Can it also create a pipeline that pretends to build a certain image? Yes, Tekton can be all of this.

And I want to show you in particular, like James Brown here doing this, I want to show you a demo, and for the demo I'm using the official documentation. You know, usually I take the official documentation example to verify that it works and is up to date, so if anything is wrong we can send a pull request. But this is really cool, because it shows a really good example, a signing and provenance tutorial. So the first step is you have to generate a key pair with cosign. It's a public key, private key pair. So you do your signing with, basically, asymmetric cryptography. Once you generate a cosign key pair, basically you can configure Tekton Chains, and you can tell Tekton Chains to use SLSA, and then you can create the secrets in the namespace of Tekton Chains containing your cosign key, the generated key, the private key in this case, and the public key. So you configure Tekton Chains and then you move into the pipeline. So in this example we're going to run a pipeline doing a Kaniko task.
Kaniko is a building mechanism, an open source software that can build containers from a Dockerfile; it is agnostic. So this task will generate a container image. This image will be signed, then pushed to a public registry. I'm going to push to Quay.io, which is similar to Docker Hub, and we're going to see that this is signed. So this is also important, the steps for Chains: observe the TaskRun, snapshot the TaskRun, and then convert the snapshot to a standard payload format, sign them, and store them in the metadata. So let's see that in action. This is the first demo.

Let me check how much time I have; we might have just this demo, but let me check. So I'm doing this demo and I'm using my Quay.io registry, and I want to show you that there's this CLI called tkn. When you use Tekton you can use this CLI that really helps you start a pipeline. I'm using minikube in my virtual machine on my Fedora workstation. I'm in this namespace. So I'm starting a pipeline that essentially will use this task that I have already downloaded, and I'll show you what this task is about. So this is a Tekton Task that builds a container image from a Dockerfile. It expects some Dockerfile somewhere, and then it pushes this container image into a registry somewhere. So it's a really simple task, but this is just used to show you how it works, signing everything. So let me grab the log of this. It takes some seconds to start the Pod. So when you use Tekton and you start a task, this will create a Pod. So now this is running, it's a running Pod in the Kubernetes cluster, and it's executing a step. Each of these is a step, so those are containers in the Pod. And as you can see it's building the container image and it's pushing it into a registry. Now let me show you what this has done.
I'm going to do a `tkn taskrun ls`, and I want to see if that is signed, so I'm going to do a `tkn taskrun describe` on this one. Let me check the annotations here, I hope you can see. Yes, as you can see, this annotation has been added, and this means that Tekton is signing this task, and also you have a name and you have evidence of everything that is going on in the TaskRun. And I want to show you that the container image that we generated also has evidence on the registry. So we're sending the container image over here; as you can see, there's a little tick here. This means that this tag has been signed with cosign. Now I'm using Quay, which also performs some security scan under the hood, where it uses Clair. Clair is the open source software that performs the scan. So not only have you signed the task, you have signed the container image with the hash you generated; also you can perform some security scan, you can have this in your kind of outer loop to build the mechanism.

So that was one part, and I have my script here because I want to show you that you can also verify with cosign that your public key has been used to sign that image, and then you can verify the attestation. I'm going to run the command so you can see the output live. And here we should have the payload of our in-toto attestation, so we also verify this with cosign, and then we can also use rekor-cli, which helps us get more info about what we have done. Let me check. This is another rekor-cli call, and a lot of it is also part of the tutorial, and it gives you, for the container image, all the info on what happened for the SLSA provenance attestation mechanism that we did with Tekton Chains. So that was one example. I want to show you another example, another demo.
This was on minikube, but I want to show you that Red Hat also builds a SaaS around all of this, so Tekton Chains and the building mechanism can be, it can go, it can be anyone: OpenShift or Kubernetes, Open Policy Agent. So everything is over here, and this is implemented at SLSA level 3. So I want to show you, if we have time, a real app. Please stop me when we have to stop. I have a real application here, which is the Red Hat Cool Store. So it's a store where you can buy cool swag like Red Hat hats. By the way, if you are interested, the hat is at the booth tomorrow at the conference. So here we are out of stock, right? And this is a microservice-based application, I'll show you, so I have a front end and one, two, three microservices for the back end. Let's say I want to make all this, from the inner loop to the outer loop, in a secure way. I can implement in my Kubernetes cluster all the software components I was talking to you about, but I want to show you that you can also use a SaaS like this that implements this, and you can do the same on your own cluster if you want.

Let me show you how this works. Let's imagine we do one change in our software, like we want to increase the quantity of the stock; let me do this one. I want to show you the full story if we have time; if we don't have time I'm going to stop and I'll show you what I already deployed, right? So I'm going to start this Java application in development mode, which is also a continuous testing mode. For some reason my port 8080 is busy, but I don't need it at the moment. Let's imagine we want to increase that Fedora quantity to 10, and I'm going to go ahead and I'm going to resume the testing. So the first step in your secure software supply chain is to verify in the inner loop if everything is fine. Now, you know, I changed the code; I haven't updated the test.
This is really bad, so I need to update my test as well, and the Quarkus continuous testing mode really, really helps with that. Let me check what I've done here. Look, that failed. Oh, I'm making something really bad. Oh, the port 8080 is busy. Okay, sorry, sorry about it. For some reason port 8080 is busy. But I wanted to show that, you know, you need to update the test, you need to eventually perform some security scan locally, and for that, you know, Red Hat provides what we call the Dependency Analytics report, the extension. It's just an extension that analyzes your dependency file, like a pom.xml, and provides you early some security scan, so before you push, before you move into the outer loop. Let's say this is in collaboration with Snyk. I have some kind of important severity in my in-memory database. So let's say, let's imagine I'm not going to use the in-memory database in production, so let's imagine this is good. But here I could stop, no, I can stop, I can avoid sending this to production. Now let me update the quantity to 10 and let me push. Add it to the staging area. I want to show you what you can do. So when we push the application, when we git push, a webhook will automatically start a Tekton pipeline, and this tool is using pipeline-as-code to build the pipeline automatically.
Let me show you the source code over here. There we go. So when you use the tool it's going to inject into your Git repo a Tekton pipeline as code, and for any push or any pull request this is going to start the pipeline again with the tasks, and the tasks are going to build everything. Now, this is something you can build out of the box without Tekton Chains, but let me show you the cool thing when you use Tekton Chains and all the ecosystem, you know: you can perform security scans in your pipeline, and here's something cool. Not only the Clair scan, so the container image scan, the anti-virus scan, but also the software bill of materials check, the SAST check, so it's a complete suite, and then Tekton Chains is used to push this image into the Quay registry. So I'm doing the same stuff I was doing in minikube. It's a little bit more, you know, it's more extensive, right? But I'm showing you that this application, which has been pushed into production, let's say, with the tool, is using a container image on this registry again, and this is signed with Tekton Chains and cosign, in the same way we were doing with minikube. So as you can see I'm using the same mechanism from a SaaS, and that SaaS is also adding more stuff, like Enterprise Contract, anti-virus scan, container image scan. So you can really build something similar on your own with your Kubernetes cluster, with Tekton, Tekton Chains, Clair, OPA and Argo CD. You can automate really everything, and GitHub is not responding, and the good stuff is that you can take benefit of all open source software for creating your secure software supply chain. Now those were the demos I wanted to do, but the pipeline is going to take some minutes to do the scan, so we're not going to see this live. Maybe we can check later, but this will update the quantity in stock. We can have more Fedoras to share tomorrow with you at the booth. Don't forget about it.
And what about the other talks that might interest you: we have this panel about secure software supply chain. If you are interested in the topic, please join us; this is on Tuesday, so it's tomorrow. We're going to talk about SLSA and we're going to talk about OpenSSF. So if you are more into security and those topics, please join this talk, because it's really interesting. That was the talk. I hope you enjoyed the live demos with all the consequences. And if you are interested to know more about Tekton, I think this is a good book because it starts from zero to GitOps. So there's a list of recipes containing how to build containers, how to create Helm charts, how to use Kustomize, and then it goes into how to create Tekton pipelines, Tekton tasks, and then moves into Argo CD, how to use Argo CD as a CD tool, and then other kinds of CI/CD tools. So there's no Tekton Chains in version one, but I hope to add the Tekton Chains part in version two. If you are interested to know more about Red Hat and Red Hat Developer, join us on developers.redhat.com with many free books and tutorials and everything around developers. And yeah, thank you all.
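The signing setup the first demo walks through (a cosign key pair stored as a Kubernetes Secret, Tekton Chains configured to emit an in-toto/SLSA provenance attestation and store signatures next to the image, and a Task whose `IMAGE_URL` and `IMAGE_DIGEST` results give Chains the "type hint" it needs to find the built image) is collected below as an added example. It is not code from the talk or from the Tekton project's documentation; the Task name, the registry image, the Secret name `signing-secrets`, and the Kaniko invocation are assumptions chosen to match the demo's description.

```yaml
# Added example (not from the talk): the pieces Tekton Chains needs to sign a
# TaskRun and the container image it builds.
# Assumption: the cosign key pair was created directly into the cluster with
#   cosign generate-key-pair k8s://tekton-chains/signing-secrets
# which puts cosign.key, cosign.pub and cosign.password into that Secret,
# the Secret Chains reads by default. Names below are placeholders.
---
# Chains configuration: in-toto attestation carrying SLSA provenance,
# with both the TaskRun attestation and the image signature stored in the
# OCI registry alongside the image, and entries uploaded to Rekor.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  artifacts.taskrun.format: in-toto     # SLSA provenance predicate
  artifacts.taskrun.storage: oci        # attestation pushed to the registry
  artifacts.oci.storage: oci            # image signature pushed to the registry
  transparency.enabled: "true"          # also record in the Rekor transparency log
---
# Task with type hinting: Chains looks for results named IMAGE_URL and
# IMAGE_DIGEST on the finished TaskRun to learn which image was produced.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-and-push                  # placeholder name
spec:
  params:
    - name: IMAGE
      description: Fully qualified image reference to build and push (placeholder)
  workspaces:
    - name: source                      # checked-out repo containing the Dockerfile
  results:
    - name: IMAGE_URL
      description: Image reference that was pushed
    - name: IMAGE_DIGEST
      description: sha256 digest of the pushed image, written by Kaniko
  steps:
    - name: build
      image: gcr.io/kaniko-project/executor:latest   # Kaniko, as in the demo
      args:
        - --dockerfile=$(workspaces.source.path)/Dockerfile
        - --context=$(workspaces.source.path)
        - --destination=$(params.IMAGE)
        # Kaniko writes the digest of the pushed image to this file,
        # which Tekton exposes as the IMAGE_DIGEST result.
        - --digest-file=$(results.IMAGE_DIGEST.path)
    - name: record-url
      image: docker.io/library/alpine:3
      script: |
        # Publish the image reference as the IMAGE_URL result so Chains
        # can pair it with IMAGE_DIGEST.
        printf '%s' "$(params.IMAGE)" > "$(results.IMAGE_URL.path)"
```

After a TaskRun of this Task completes, Chains marks it with the annotation `chains.tekton.dev/signed: "true"` (visible with `tkn taskrun describe` as in the demo, or with `kubectl get taskrun <name> -o yaml`), and the checks from the talk's script apply to the pushed image: `cosign verify --key cosign.pub <image>` for the signature and `cosign verify-attestation --key cosign.pub --type slsaprovenance <image>` for the provenance payload. If `IMAGE_URL`/`IMAGE_DIGEST` are not both present, the TaskRun is still signed but no image signature or attestation is produced, which is the failure mode to check first when the registry shows no tick.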