One of the key values of GitOps is its fully declarative single source of truth in Git for the desired state of your entire system: configuration that is continuously reconciled with the system's runtime.
Validating committer identity in your Git repository is a critical component of a secure GitOps solution. Although Git service providers offer basic capabilities, most enterprise-grade implementations require more granular controls for governance and compliance.
How do you keep that end to end process secure, from Git to Runtime?
Join Weaveworks and Chainguard for a live webinar where we will look at how Chainguard Enforce for Git together with Weave GitOps Enterprise Policy Engine allows you to secure your end to end GitOps workflows, from Git to Runtime.
You will learn how to:
- Use Chainguard Enforce for Git to ensure only authorized GitOps tooling can modify your desired state.
- Provide a secure identity to Weave GitOps Enterprise for all Git operations.
- Use Weave GitOps Policy Engine to guarantee compliance on admission.
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
1. End to End Security & Operations with Chainguard & Weave GitOps
Trust & validation for builds & configuration
In partnership with:
2. Webinar Platform - FAQs
Using Zoom
• You are in listen only mode
• This webinar is being recorded
• Q&A session will follow the presentation, please use the Q&A panel to submit questions
• Hit escape to exit full screen
• Slides and recording will be shared after the webinar
Technical Issues - please visit Zoom Help
https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
3. James Strong
Solutions Architect
Chainguard
James joined Chainguard after a long stint of helping
customers migrate to the Cloud and Kubernetes.
Security was the number one issue he saw when
completing these migrations, and he now wants to help
secure their supply chains. James is also co-author of
O’Reilly’s Networking & Kubernetes, a KubePhilly meetup
organizer, and an A Cloud Guru instructor on Advanced
Networking With Kubernetes For AWS. You can find him
in the gym doing Olympic weightlifting or playing Rugby
when he is not at a computer.
Leo Murillo
Principal Solutions Architect
Weaveworks
Leo brings wide-ranging industry perspective, with
over 20 years of experience building technology and
leading teams all the way from Startups to Fortune
500s. He is passionate about cloud native
technologies, organizational transformation and the
open source community. As Principal Partner
Solutions Architect at Weaveworks, he focuses on
helping solve application and infrastructure delivery
challenges on Kubernetes at scale.
Speaker introductions
4. Confidential do not distribute
- Software Supply Chain Security
- Identity and Trust
- Chainguard Enforce for Git
- Weave GitOps Enterprise
- Securing Build and Configuration Demo!
Agenda for today
6. Chainguard | Make your software supply chain secure by default
(diagram) Supply chain stages: 1 Source Code, 2 Dependencies, 3 Build Pipelines, 4 Artifacts, 5 Deployments
A software supply chain is the series of steps performed when writing, testing,
packaging, and distributing application software to end consumers.
Software supply chain
10. # Sign a commit
$ git commit -S
# Verify commit
$ git verify-commit <rev>
How to sign Git commits - tl;dr
Git Config Options
● commit.gpgSign - sign all commits
● tag.gpgSign - sign all annotated tags
● user.signingKey - key to use for signing
● gpg.format - signature format (openpgp, x509, ssh)
● gpg.<format>.program - program used to sign and verify for that format (must be on PATH)
● + more depending on the tool
11. $ git cat-file commit HEAD
tree 7dd968bb81c8eaa2e9cbaaa872ba93eba0d46b3a <- Where the files are (the snapshot)
parent 883166b86e62178d1c40eb646675c38bc83a5b0b <- The previous commit(s)
author James Strong <james.strong@chainguard.dev> 1650465912 -0400 <- Who wrote the change
committer James Strong <james.strong@chainguard.dev> 1651877196 -0400 <- Who applied it to the repo (the identity the signature is bound to)
gpgsig -----BEGIN SIGNED MESSAGE-----
 MIIDawYJKoZIhvcNAQcCoIIDXDCCA1gCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
 hvcNAQcBoIICGDCCAhQwggGboAMCAQICFADE86Sdbdy3wusCpdgYNg3GaMiHMAoG
 CCqGSM49BAMDMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2ln
 -----END SIGNED MESSAGE----- <- Signature (a CMS blob here, with the signing certificate embedded) over the whole object minus this header
Fix the thing with the stuff <- Commit message
Signed commit
What's in a signed commit
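As an added example (not from the slides and not gitsign's own code), the following Python parses a raw commit object like the one above: it separates the multi-line gpgsig header from the other headers, rebuilds the exact payload the signature was made over (the object with the gpgsig header removed), and checks whether the author and committer identities agree, since the signature only vouches for the committer. The sample object is constructed from the hashes and identities on the slide with a placeholder signature body.

```python
"""Parse a raw Git commit object and separate its signature from the signed payload.

Added example: not from the webinar slides and not gitsign's own code. The
SAMPLE_COMMIT below is constructed to mirror the `git cat-file commit HEAD`
output on the slide; its gpgsig body is a placeholder, not a valid signature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: same tree/parent/author/committer as the slide, with a
# placeholder signature block (continuation lines carry one leading space).
SAMPLE_COMMIT = (
    "tree 7dd968bb81c8eaa2e9cbaaa872ba93eba0d46b3a\n"
    "parent 883166b86e62178d1c40eb646675c38bc83a5b0b\n"
    "author James Strong <james.strong@chainguard.dev> 1650465912 -0400\n"
    "committer James Strong <james.strong@chainguard.dev> 1651877196 -0400\n"
    "gpgsig -----BEGIN SIGNED MESSAGE-----\n"
    " MIIDawYJKoZIhvcNAQcCoIIDXDCCA1gCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
    " -----END SIGNED MESSAGE-----\n"
    "\n"
    "Fix the thing with the stuff\n"
)

IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")


@dataclass
class Ident:
    name: str
    email: str
    timestamp: int   # seconds since the epoch, as Git stores it
    tz: str          # offset such as -0400


@dataclass
class ParsedCommit:
    headers: Dict[str, List[str]]   # tree, parent (repeatable), author, committer, ...
    message: str
    signature: Optional[str]        # armored block from the gpgsig header, if any
    signed_payload: str             # what the verifier checks: the object minus gpgsig


def parse_ident(value: str) -> Ident:
    """Split an author/committer header value into name, email, time and zone."""
    m = IDENT_RE.match(value)
    if not m:
        raise ValueError(f"malformed identity header: {value!r}")
    return Ident(m["name"], m["email"], int(m["ts"]), m["tz"])


def parse_commit(raw: str) -> ParsedCommit:
    """Parse a commit object as printed by `git cat-file commit <rev>`.

    Headers end at the first blank line; a header value continues on following
    lines that begin with a single space (gpgsig and mergetag use this). Git
    verifies the signature over the object with the gpgsig header stripped, so
    that payload is rebuilt here byte for byte.
    """
    head, _, message = raw.partition("\n\n")
    headers: Dict[str, List[str]] = {}
    payload_lines: List[str] = []
    current: Optional[str] = None
    for line in head.split("\n"):
        if line.startswith(" ") and current is not None:
            headers[current][-1] += "\n" + line[1:]
            if current != "gpgsig":
                payload_lines.append(line)
            continue
        key, _, value = line.partition(" ")
        headers.setdefault(key, []).append(value)
        current = key
        if key != "gpgsig":
            payload_lines.append(line)
    signature = headers["gpgsig"][0] if "gpgsig" in headers else None
    payload = "\n".join(payload_lines) + "\n\n" + message
    return ParsedCommit(headers, message, signature, payload)


def author_matches_committer(commit: ParsedCommit) -> bool:
    """The signature vouches for the committer only; the author line is
    unverified metadata (rebases, cherry-picks and forged authorship all look
    the same here), so a policy should compare the two explicitly."""
    author = parse_ident(commit.headers["author"][0])
    committer = parse_ident(commit.headers["committer"][0])
    return author.email == committer.email


if __name__ == "__main__":
    c = parse_commit(SAMPLE_COMMIT)
    print("signed payload:\n" + c.signed_payload)
    print("author == committer:", author_matches_committer(c))
```

Feed it the output of `git cat-file commit <rev>` and the `signed_payload` is what you would hand, together with the detached `signature`, to a CMS or OpenPGP verifier; the author/committer comparison is the extra policy check an enforcement tool needs beyond "the signature is valid".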
12. Challenges with traditional signing
● Encryption?
● Rotation?
● Stored in a well known location
● Compromise Detection
● Revocation
"I have a pretty decent security setup… but GPG is
such a usability nightmare I don't want to touch it
with a 10 foot pole."
- on HN
14. ● Easy: free users from key management
● Meet developers where they are
○ Support GPG keys, hardware tokens
● Accept centralization
○ With accountability (like web PKI)
● Integrate with other tools
○ Software supply chain solutions
○ Developer tools and infrastructure
Sigstore Goals
15. ● “A new kind of CA”
● Users authenticate
○ OpenID Connect (OIDC == “login with Google”)
● Issues X.509 code signing certificate
○ SubjectAlternativeName: “James Google account”
○ Ephemeral (10 minute validity)
Identity
16. ● Certificate lifetime:
○ Short-lived? Pain: frequent re-signing.
○ Long-lived? Risky!
● Sign while cert valid; verify later.
○ Separate signature and cert lifetime
● Rekor: attest to timestamp!
○ Like timestamp authority (TSA)
○ Extra metadata, searchable
Identity
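The "sign while the cert is valid, verify later" rule above, as an added example in Python (not from the slides and not Sigstore's own verifier): it contrasts a plain clock-based certificate check with one anchored on the time the transparency log recorded the signature. The certificate window, Rekor-style integratedTime values and the verification clock are constructed; a real verifier would take them from the issued certificate and from a Rekor entry whose signed entry timestamp it has already validated.

```python
"""Accept or reject a signature made with a short-lived (10-minute) certificate
once that certificate has expired, using a log-attested signing time.

Added example: not from the slides and not Sigstore's own verifier. The
certificate window, log entries and clock values are constructed; a real check
would read them from the Fulcio certificate and from a verified Rekor entry
(its integratedTime) after validating the log's signed entry timestamp.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

FULCIO_LIFETIME = timedelta(minutes=10)   # ephemeral certificate, as on the slide


def utc(ts: Union[int, str]) -> datetime:
    """Epoch seconds (Rekor integratedTime) or ISO-8601 text, as aware UTC."""
    if isinstance(ts, int):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def make_cert(not_before: str) -> Dict[str, datetime]:
    """A constructed code-signing certificate window in the Fulcio style."""
    start = utc(not_before)
    return {"notBefore": start, "notAfter": start + FULCIO_LIFETIME}


def clock_check(cert: Dict[str, datetime], now: datetime) -> bool:
    """Plain X.509 path validation: is the certificate valid right now?
    Fails for every ephemeral certificate a few minutes after signing."""
    return cert["notBefore"] <= now <= cert["notAfter"]


def log_anchored_check(cert: Dict[str, datetime], log_entry: Dict[str, int]) -> bool:
    """Sigstore style: was the certificate valid when the log recorded the
    signature? The time comes from the transparency log, not from the signer
    (the committer timestamp inside the commit is self-asserted and forgeable)."""
    return cert["notBefore"] <= utc(log_entry["integratedTime"]) <= cert["notAfter"]


def decide(cert: Dict[str, datetime], log_entry: Dict[str, int], now: datetime) -> Dict[str, bool]:
    """Both verdicts side by side for one signature."""
    return {"clock": clock_check(cert, now), "log_anchored": log_anchored_check(cert, log_entry)}


# Constructed scenario: certificate issued just before the slide's commit time
# (committer timestamp 1651877196 = 2022-05-06T22:46:36Z), the entry logged 14 s
# after the commit, and verification run a year later.
CERT = make_cert("2022-05-06T22:46:00Z")
LOG_ENTRY = {"integratedTime": 1651877210}
LATE_LOG_ENTRY = {"integratedTime": 1651900000}   # over six hours later: outside the window
NOW = utc("2023-05-06T12:00:00Z")

if __name__ == "__main__":
    print(decide(CERT, LOG_ENTRY, NOW))        # {'clock': False, 'log_anchored': True}
    print(decide(CERT, LATE_LOG_ENTRY, NOW))   # {'clock': False, 'log_anchored': False}
```

The first verdict is why a short certificate lifetime is workable: the clock check fails for every old signature, while the log-anchored check still accepts the one made inside the window and rejects the one whose recorded time falls outside it.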
20. Enforce for Git
21. Enforcement: https://github.com/apps/chainguard-enforce
● No key management
● Easy to configure
● Just works
Signing git commits, powered by gitsign (https://github.com/sigstore/gitsign):
git config --local commit.gpgsign true
git config --local tag.gpgsign true
git config --local gpg.x509.program gitsign
git config --local gpg.format x509
These --local settings apply only to the current repository; use --global to make every repository on the workstation sign by default.
22. (diagram) Supply chain stages and solutions: Developer Use (Source), CSM (Dependency), CI/CD (Build), Distribution (Package); solutions shown: Enforce for Git, Cosign, Github Actions
24. A Kubernetes Native Platform for delivery, policy and lifecycle management of clusters and cloud native applications applying the GitOps Operating Model
What is Weave GitOps?
25. Let’s talk real quick about GitOps and the Weave GitOps Architecture
26. Weave GitOps OSS (for Apps) - Open Source Software with Community Support
● Suite of Open Source tools: Flux and Flagger (Open Source CNCF projects); Weave GitOps OSS is an Open Source Flux Extension + GUI
● App platform + addons
● App dev tools (GUI, IDE)
● App delivery (CICD)
Weave GitOps Assured - Open Source Software with Enterprise Support
● Assured Tier: Enterprise Flux & Flagger
● + Assured OSS Builds
● + Weave Certified OSS
● Bitstream, Hotfix
● Support SLAs + CVEs
Weave GitOps Enterprise - Open and Closed Source Software with Enterprise Support
● Multi-tenant Workspaces
● App Management Platform
● Multi-Cluster Manager
● Trusted Delivery
● Mixed Clusters, B/Metal
● Accelerator Catalog: Commercial Software, Accelerator/Solution Templates, Verified Profiles, and curated addons and supported integrations for 3rd party vendors eg Terraform Enterprise Edition
Weave GitOps Versions
27. ● Is Modular: Use the parts of the platform you need.
● Is Secure: Utilizing repository authorization and Kubernetes authorization, Weave GitOps Enterprise doesn’t require additional authorization configurations to be secure.
● Utilizes the Best of Weaveworks Open Source: Our tools and methodology are the basis for Weave GitOps Enterprise.
● Is Supported: Not only the Weave GitOps Enterprise tools, but Kubernetes and the surrounding components as well.
● Is GitOps Top to Bottom: Everything we build uses the GitOps methodology.
Weave GitOps OSS & Enterprise
29. (diagram) GitOps model: Desired State - store all code and configuration; Actual State - the runtime environment; Automation - a single interface to operations
30. Revert Any change
● Any change made directly to the running system makes the actual state diverge from the ‘desired state’ in Git
● We can always return to our previous known good value - every change is atomic
(diagram) kubectl apply against the Prod Cluster triggers an Automatic or Manual Response
31. Move fast and don’t break things
● Represents the entire state of the system - platform, services and applications
● We can easily inspect changes, ensuring they meet standards
● We can over-ride and put in guard rails to protect the system
● Revert changes to return to an earlier known good state
(diagram) Repository with Locked parts and Manual Approval; Pull Request -> Inspect, Alert, Control, Audit, Manage -> Prod Cluster
34. Whitepaper: Trusted Application Delivery
https://bit.ly/3A0JMOe
Learn more about Weave GitOps
www.weave.works/enterprise and a 5 min demo
https://youtu.be/aqJaHNCz2lM
Request a personal demo
www.weave.works/contact
Thank You
35. Thank You
chainguard.dev/assessment
Where are you in your software supply chain journey?
Chainguard will audit your software supply chain and
deliver concrete steps you can take to fix security gaps.
Supply Chain Assessment
James Strong
james.strong@chainguard.dev
chainguard.dev/newsletter
Stay up to date on software supply chain security
happenings and news from the open source community,
and get sneak peeks at what the Chainguard team is up to.
Subscribe to Chainmail
chainguard.dev/contact
Contact the team!