[TEP-0093] Add sign and verify as experiment subcommands to tekton cli

This commit adds sign and verify as experiment subcommands for task and pipeline.
Examples:
```bash
tkn task sign examples/example-task.yaml -K=cosign.key -f=signed.yaml
tkn task verify examples/signed.yaml -K=cosign.pub
```

Signed-off-by: Yongxuan Zhang [email protected]

docs/cmd/tkn_pipeline.md

@@ -32,5 +32,7 @@ Manage pipelines
 * [tkn pipeline export](tkn_pipeline_export.md)	 - Export Pipeline
 * [tkn pipeline list](tkn_pipeline_list.md)	 - Lists Pipelines in a namespace
 * [tkn pipeline logs](tkn_pipeline_logs.md)	 - Show Pipeline logs
+* [tkn pipeline sign](tkn_pipeline_sign.md)	 - Sign Tekton Pipeline
 * [tkn pipeline start](tkn_pipeline_start.md)	 - Start Pipelines
+* [tkn pipeline verify](tkn_pipeline_verify.md)	 - Verify Tekton Pipeline
 

docs/cmd/tkn_pipeline_sign.md

@@ -0,0 +1,53 @@
+## tkn pipeline sign
+
+Sign Tekton Pipeline
+
+### Usage
+
+```
+tkn pipeline sign
+```
+
+### Synopsis
+
+
+	Sign the Tekton Pipeline with user provided private key file or KMS reference. Key files support ecdsa, ed25519, rsa.
+	For KMS:
+	* GCP, this should have the structure of gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> where location, keyring, and key are filled in appropriately. Run "gcloud auth application-default login" to authenticate
+	* Vault, this should have the structure of hashivault://<keyname>, where the keyname is filled out appropriately.
+	* AWS, this should have the structure of awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional).
+	* Azure, this should have the structure of azurekms://[VAULT_NAME][VAULT_URL]/[KEY_NAME].
+
+### Examples
+
+Sign a Pipeline pipeline.yaml:
+	tkn pipeline sign pipeline.yaml -K=cosign.key -f=signed.yaml
+or using kms
+	tkn pipeline sign pipeline.yaml -K=gcpkms://projects/PROJECTID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/VERSION -f=signed.yaml
+
+### Options
+
+```
+      --allow-missing-template-keys   If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
+  -f, --file-name string              Fle name of the signed pipeline, using the original file name will overwrite the file
+  -h, --help                          help for sign
+  -K, --key-file string               Key file
+  -m, --kms-key string                KMS key url
+  -o, --output string                 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
+      --show-managed-fields           If true, keep the managedFields when printing objects in JSON or YAML format.
+      --template string               Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --context string      name of the kubeconfig context to use (default: kubectl config current-context)
+  -k, --kubeconfig string   kubectl config file (default: $HOME/.kube/config)
+  -n, --namespace string    namespace to use (default: from $KUBECONFIG)
+  -C, --no-color            disable coloring (default: false)
+```
+
+### SEE ALSO
+
+* [tkn pipeline](tkn_pipeline.md)	 - Manage pipelines
+

docs/cmd/tkn_pipeline_verify.md

@@ -0,0 +1,52 @@
+## tkn pipeline verify
+
+Verify Tekton Pipeline
+
+### Usage
+
+```
+tkn pipeline verify
+```
+
+### Synopsis
+
+
+	Verify the Tekton Pipeline with user provided private key file or KMS reference. Key files support ecdsa, ed25519, rsa.
+	For KMS:
+	* GCP, this should have the structure of gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> where location, keyring, and key are filled in appropriately. Run "gcloud auth application-default login" to authenticate
+	* Vault, this should have the structure of hashivault://<keyname>, where the keyname is filled out appropriately.
+	* AWS, this should have the structure of awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional).
+	* Azure, this should have the structure of azurekms://[VAULT_NAME][VAULT_URL]/[KEY_NAME].
+
+### Examples
+
+Verify a Pipeline signed.yaml:
+	tkn pipeline verify signed.yaml -K=cosign.pub
+or using kms
+	tkn pipeline verify signed.yaml -K=gcpkms://projects/PROJECTID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/VERSION
+
+### Options
+
+```
+      --allow-missing-template-keys   If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
+  -h, --help                          help for verify
+  -K, --key-file string               Key file
+  -m, --kms-key string                KMS key url
+  -o, --output string                 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
+      --show-managed-fields           If true, keep the managedFields when printing objects in JSON or YAML format.
+      --template string               Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --context string      name of the kubeconfig context to use (default: kubectl config current-context)
+  -k, --kubeconfig string   kubectl config file (default: $HOME/.kube/config)
+  -n, --namespace string    namespace to use (default: from $KUBECONFIG)
+  -C, --no-color            disable coloring (default: false)
+```
+
+### SEE ALSO
+
+* [tkn pipeline](tkn_pipeline.md)	 - Manage pipelines
+

docs/cmd/tkn_task.md

@@ -32,5 +32,7 @@ Manage Tasks
 * [tkn task describe](tkn_task_describe.md)	 - Describe a Task in a namespace
 * [tkn task list](tkn_task_list.md)	 - Lists Tasks in a namespace
 * [tkn task logs](tkn_task_logs.md)	 - Show Task logs
+* [tkn task sign](tkn_task_sign.md)	 - Sign Tekton Task
 * [tkn task start](tkn_task_start.md)	 - Start Tasks
+* [tkn task verify](tkn_task_verify.md)	 - Verify Tekton Task
 

docs/cmd/tkn_task_sign.md

@@ -0,0 +1,53 @@
+## tkn task sign
+
+Sign Tekton Task
+
+### Usage
+
+```
+tkn task sign
+```
+
+### Synopsis
+
+
+	Sign the Tekton Task with user provided private key file or KMS reference. Key files support ecdsa, ed25519, rsa.
+	For KMS:
+	* GCP, this should have the structure of gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> where location, keyring, and key are filled in appropriately. Run "gcloud auth application-default login" to authenticate
+	* Vault, this should have the structure of hashivault://<keyname>, where the keyname is filled out appropriately.
+	* AWS, this should have the structure of awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional).
+	* Azure, this should have the structure of azurekms://[VAULT_NAME][VAULT_URL]/[KEY_NAME].
+
+### Examples
+
+Sign a Task task.yaml:
+	tkn task sign task.yaml -K=cosign.key -f=signed.yaml
+or using kms
+	tkn task sign task.yaml -K=gcpkms://projects/PROJECTID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/VERSION -f=signed.yaml
+
+### Options
+
+```
+      --allow-missing-template-keys   If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
+  -f, --file-name string              file name of the signed task, using the original file name will overwrite the file
+  -h, --help                          help for sign
+  -K, --key-file string               Key file
+  -m, --kms-key string                KMS key url
+  -o, --output string                 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
+      --show-managed-fields           If true, keep the managedFields when printing objects in JSON or YAML format.
+      --template string               Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --context string      name of the kubeconfig context to use (default: kubectl config current-context)
+  -k, --kubeconfig string   kubectl config file (default: $HOME/.kube/config)
+  -n, --namespace string    namespace to use (default: from $KUBECONFIG)
+  -C, --no-color            disable coloring (default: false)
+```
+
+### SEE ALSO
+
+* [tkn task](tkn_task.md)	 - Manage Tasks
+

docs/cmd/tkn_task_verify.md

@@ -0,0 +1,52 @@
+## tkn task verify
+
+Verify Tekton Task
+
+### Usage
+
+```
+tkn task verify
+```
+
+### Synopsis
+
+
+	Verify the Tekton Task with user provided private key file or KMS reference. Key files support ecdsa, ed25519, rsa.
+	For KMS:
+	* GCP, this should have the structure of gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> where location, keyring, and key are filled in appropriately. Run "gcloud auth application-default login" to authenticate
+	* Vault, this should have the structure of hashivault://<keyname>, where the keyname is filled out appropriately.
+	* AWS, this should have the structure of awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional).
+	* Azure, this should have the structure of azurekms://[VAULT_NAME][VAULT_URL]/[KEY_NAME].
+
+### Examples
+
+Verify a Task signed.yaml:
+	tkn Task verify signed.yaml -K=cosign.pub
+or using kms
+	tkn Task verify signed.yaml -K=gcpkms://projects/PROJECTID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/VERSION
+
+### Options
+
+```
+      --allow-missing-template-keys   If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
+  -h, --help                          help for verify
+  -K, --key-file string               Key file
+  -m, --kms-key string                KMS key url
+  -o, --output string                 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
+      --show-managed-fields           If true, keep the managedFields when printing objects in JSON or YAML format.
+      --template string               Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --context string      name of the kubeconfig context to use (default: kubectl config current-context)
+  -k, --kubeconfig string   kubectl config file (default: $HOME/.kube/config)
+  -n, --namespace string    namespace to use (default: from $KUBECONFIG)
+  -C, --no-color            disable coloring (default: false)
+```
+
+### SEE ALSO
+
+* [tkn task](tkn_task.md)	 - Manage Tasks
+

docs/man/man1/tkn-pipeline-sign.1

@@ -0,0 +1,95 @@
+.TH "TKN\-PIPELINE\-SIGN" "1" "" "Auto generated by spf13/cobra" "" 
+.nh
+.ad l
+
+
+.SH NAME
+.PP
+tkn\-pipeline\-sign \- Sign Tekton Pipeline
+
+
+.SH SYNOPSIS
+.PP
+\fBtkn pipeline sign\fP
+
+
+.SH DESCRIPTION
+.PP
+.RS
+
+.nf
+Sign the Tekton Pipeline with user provided private key file or KMS reference. Key files support ecdsa, ed25519, rsa.
+For KMS:
+* GCP, this should have the structure of gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> where location, keyring, and key are filled in appropriately. Run "gcloud auth application\-default login" to authenticate
+* Vault, this should have the structure of hashivault://<keyname>, where the keyname is filled out appropriately.
+* AWS, this should have the structure of awskms://[ENDPOINT]/[ID/ALIAS/ARN] (endpoint optional).
+* Azure, this should have the structure of azurekms://[VAULT\_NAME][VAULT\_URL]/[KEY\_NAME].
+
+.fi
+.RE
+
+
+.SH OPTIONS
+.PP
+\fB\-\-allow\-missing\-template\-keys\fP[=true]
+    If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
+
+.PP
+\fB\-f\fP, \fB\-\-file\-name\fP=""
+    Fle name of the signed pipeline, using the original file name will overwrite the file
+
+.PP
+\fB\-h\fP, \fB\-\-help\fP[=false]
+    help for sign
+
+.PP
+\fB\-K\fP, \fB\-\-key\-file\fP=""
+    Key file
+
+.PP
+\fB\-m\fP, \fB\-\-kms\-key\fP=""
+    KMS key url
+
+.PP
+\fB\-o\fP, \fB\-\-output\fP=""
+    Output format. One of: (json, yaml, name, go\-template, go\-template\-file, template, templatefile, jsonpath, jsonpath\-as\-json, jsonpath\-file).
+
+.PP
+\fB\-\-show\-managed\-fields\fP[=false]
+    If true, keep the managedFields when printing objects in JSON or YAML format.
+
+.PP
+\fB\-\-template\fP=""
+    Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [
+\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]].
+
+
+.SH OPTIONS INHERITED FROM PARENT COMMANDS
+.PP
+\fB\-c\fP, \fB\-\-context\fP=""
+    name of the kubeconfig context to use (default: kubectl config current\-context)
+
+.PP
+\fB\-k\fP, \fB\-\-kubeconfig\fP=""
+    kubectl config file (default: $HOME/.kube/config)
+
+.PP
+\fB\-n\fP, \fB\-\-namespace\fP=""
+    namespace to use (default: from $KUBECONFIG)
+
+.PP
+\fB\-C\fP, \fB\-\-no\-color\fP[=false]
+    disable coloring (default: false)
+
+
+.SH EXAMPLE
+.PP
+Sign a Pipeline pipeline.yaml:
+    tkn pipeline sign pipeline.yaml \-K=cosign.key \-f=signed.yaml
+or using kms
+    tkn pipeline sign pipeline.yaml \-K=gcpkms://projects/PROJECTID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/VERSION \-f=signed.yaml
+
+
+.SH SEE ALSO
+.PP
+\fBtkn\-pipeline(1)\fP