From 345cadf2299ebdb98bf63eb4e4d06d907e03f020 Mon Sep 17 00:00:00 2001
From: Romain Arnaud
Date: Tue, 12 May 2026 15:03:05 -0400
Subject: [PATCH] docs: user feedback

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 docs/antora.yml | 2 +-
 docs/modules/ROOT/pages/getting-started.adoc | 54 +++++++++++++++++---
 2 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/docs/antora.yml b/docs/antora.yml
index 4b0206089..c7bb6cf36 100644
--- a/docs/antora.yml
+++ b/docs/antora.yml
@@ -17,7 +17,7 @@ asciidoc:
     TSFName: 'Trusted Software Factory'
     TSFShortName: 'TSF'
     TSFCli: 'tsf'
-    TSFInstallerImage: 'quay.io/redhat-ads/tsf-cli:unstable'
+    TSFInstallerImage: 'quay.io/redhat-ads/tsf-cli:latest'
     OCPName: 'OpenShift Container Platform'
     OCPShortName: 'OCP'
     OCPVersion: '4.20'
diff --git a/docs/modules/ROOT/pages/getting-started.adoc b/docs/modules/ROOT/pages/getting-started.adoc
index 56b3f2de2..b23107e77 100644
--- a/docs/modules/ROOT/pages/getting-started.adoc
+++ b/docs/modules/ROOT/pages/getting-started.adoc
@@ -110,8 +110,6 @@ Use `./setup-release.sh -h` for complete options.
 
 This script creates the necessary release plan, release policy, and release pipeline resources.
 
-TIP: A `create-tenant.sh` script is also available as a ConfigMap in the `konflux-cli` namespace. Download it the same way to create tenant namespaces with the required RBAC resources.
-
 == Trigger a release
 
 After you create a component and configure a release, releases happen automatically from push events.
@@ -155,16 +153,58 @@ gunzip cosign.gz
 chmod +x cosign
 ----
 +
-Download `cosign` from the {OCPShortName} cluster to your local machine. The `cosign` binary is not included in the installer container. For download and setup instructions, see link:https://docs.redhat.com/en/documentation/red_hat_trusted_artifact_signer/{RHTASVersion}/html-single/deployment_guide/index#signing-and-verifying-containers-by-using-cosign-from-the-command-line-interface-for-openshift_deploy[Signing and verifying containers by using Cosign from the command-line interface].
-+
-Verify the image signature:
+. View the metadata associated with the image:
 +
 [source,bash]
 ----
-./cosign tree
+IMAGE=""
+./cosign tree $IMAGE
+----
+
+. Configure cosign to use the TUF server deployed on the cluster:
++
+[source,bash,role="execute"]
+----
+TUF_HOST=$(oc get route -A -l "app.kubernetes.io/part-of=trusted-artifact-signer,app.kubernetes.io/component=tuf" -o jsonpath='{.items[0].spec.host}')
+curl -sSfL -o /tmp/root.json https://$TUF_HOST/root.json
+./cosign initialize \
+  --mirror=https://$TUF_HOST \
+  --root=/tmp/root.json
+----
+
+. View the signature details:
++
+[source,bash,role="execute"]
+----
+./cosign verify $IMAGE \
+  --certificate-identity-regexp '.*' \
+  --certificate-oidc-issuer-regexp '.*'
 ----
+
+. View the attestation details:
 +
-View the Rekor transparency log entry for the signing event.
+[source,bash,role="execute"]
+----
+REKOR_HOST=$(oc get route -A -l "app.kubernetes.io/part-of=trusted-artifact-signer,app.kubernetes.io/component=rekor-server" -o jsonpath='{.items[0].spec.host}')
+./cosign verify-attestation $IMAGE \
+  --certificate-identity-regexp '.*' \
+  --certificate-oidc-issuer-regexp '.*' \
+  --rekor-url="https://$REKOR_HOST" \
+  --type=slsaprovenance
+----
+
+. View the SBOM details:
++
+[source,bash,role="execute"]
+----
+REKOR_HOST=$(oc get route -A -l "app.kubernetes.io/part-of=trusted-artifact-signer,app.kubernetes.io/component=rekor-server" -o jsonpath='{.items[0].spec.host}')
+./cosign verify-attestation $IMAGE \
+  --certificate-identity-regexp '.*' \
+  --certificate-oidc-issuer-regexp '.*' \
+  --type=spdxjson
+----
+
+. View the Rekor transparency log entry for the signing event.
 
 == Next steps
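Review bot: The `--certificate-identity-regexp '.*'` and `--certificate-oidc-issuer-regexp '.*'` flags in the new `cosign verify` and `cosign verify-attestation` steps accept any signing identity and any OIDC issuer, so these commands only show that some Fulcio-backed signature exists on the image; they do not establish that the cluster's release pipeline signed it. If the steps are meant as inspection only, the step text should say so and point readers to constraining both flags to the expected pipeline identity and issuer before relying on the result; if they are meant as real verification, the wildcards should be replaced with those expected values (left as placeholders if the page cannot know them). The SBOM step also defines `REKOR_HOST` but never uses it, unlike the attestation step directly above that passes `--rekor-url="https://$REKOR_HOST" \`; either drop the unused line or add the flag so the two steps are consistent. Finally, `/tmp/root.json` is fetched from the same host given to `--mirror`, so trust in the TUF root rests entirely on that route's TLS certificate; one sentence noting that the root should be compared against a copy obtained out of band would help readers understand what `cosign initialize` actually establishes.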