ArgoCD is widely used to implement GitOps-style continuous delivery (CD). Internally, ArgoCD builds a manifest from source data in a Git repository and automatically syncs it with the target clusters.
ArgoCD Interlace enhances ArgoCD from an end-to-end software supply chain security viewpoint: it adds manifest authenticity and traceability back to the source.
ArgoCD Interlace works as a Kubernetes Custom Resource Definition (CRD) controller. It watches for state changes of Application resources on the ArgoCD cluster. When it detects a new manifest build, Interlace signs the manifest and records the details of the build, such as the source files used and the command that produced the manifest, so that the build can be reproduced. Interlace stores those details as provenance records in in-toto format and uploads them to the Sigstore log for verification.
The features are:
- Pluggable to ArgoCD
- Capture manifest and provenance from application.status automatically
- Sign manifest
- Record provenance in in-toto format
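The check a consumer can run against such a provenance record, as an added example that is not code from the ArgoCD Interlace project: it decodes a DSSE-wrapped in-toto statement and confirms that a manifest's SHA-256 digest matches a recorded subject before trusting the listed source materials. The statement layout (SLSA v0.2 predicate), the builder and build type placeholders, the repository URL and the sample manifest are assumptions constructed for illustration; Interlace's actual record fields may differ.

```python
import base64
import hashlib
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"  # DSSE payload type for in-toto
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
# Constructed sample manifest, standing in for the output of a manifest build.
SAMPLE_MANIFEST = b"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_envelope(manifest: bytes, source_uri: str, commit: str, command: str) -> dict:
    """Build an unsigned DSSE envelope around an in-toto statement (assumed layout)."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "manifest.yaml", "digest": {"sha256": sha256_hex(manifest)}}],
        "predicate": {
            "builder": {"id": "example://builder"},  # placeholder value
            "buildType": "example://manifest-build",  # placeholder value
            "invocation": {"parameters": {"command": command}},
            "materials": [{"uri": source_uri, "digest": {"sha1": commit}}],
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload, "signatures": []}


def check_manifest(envelope: dict, manifest: bytes) -> list:
    """Return recorded materials if the manifest matches a subject, else raise."""
    # The envelope signature must already have been verified (e.g. with cosign).
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("not an in-toto attestation")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("unexpected statement type")
    digest = sha256_hex(manifest)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") == digest:
            return statement["predicate"]["materials"]
    raise ValueError("manifest digest does not match any provenance subject")


if __name__ == "__main__":
    env = make_envelope(SAMPLE_MANIFEST, "https://git.example/repo", "0" * 40, "kustomize build .")
    print(check_manifest(env, SAMPLE_MANIFEST))
```

A digest match only ties the manifest to the record; the record itself is trustworthy only after its signature and log entry have been verified.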
Prerequisite: Install ArgoCD on your Kubernetes cluster before you install ArgoCD Interlace.
To install the latest version of ArgoCD Interlace to your cluster, run:
```
kubectl apply --filename https://raw.githubusercontent.com/IBM/argocd-interlace/main/releases/release.yaml
```
This creates a default installation of ArgoCD Interlace. However, you will need further setup to see it in action.
To verify that the installation was successful, check that the Status of the pod is Running:
```
$ kubectl get pod -n argocd-interlace -w
NAME                                              READY   STATUS    RESTARTS   AGE
pod/argocd-interlace-controller-f57fd69fb-72l4h   1/1     Running   0          19m
```
To complete setting up ArgoCD Interlace, configure secrets for:
- ArgoCD REST API authentication, used to query the ArgoCD REST API and retrieve the desired manifest for an application
- OCI image registry authentication for pushing OCI images generated by Interlace
- Cosign-based signing keys for creating the signature for the desired manifest
To see ArgoCD Interlace in action, check the example scenario.