Conforma Data Flow Diagram

This diagram illustrates the data flow architecture for supply chain security in Konflux, showing how Conforma integrates with Tekton Chains, image registries, and transparency logs.

[Figure: Conforma data flow diagram]

Core OpenShift Infrastructure

The OpenShift API Server serves as the central control plane for the Kubernetes cluster, managing all API operations and serving as the primary interface for Kubernetes resources. It maintains the authoritative state of all cluster objects including PipelineRuns, TaskRuns, and associated metadata that drive the supply chain security workflow.

etcd provides the distributed key-value store that backs the OpenShift API Server, persisting all Kubernetes resource definitions and cluster state. It stores critical information about pipeline executions, component definitions, snapshots, and other Konflux resources that participate in the build and validation process.

Attestation Generation Infrastructure

The Tekton Chains Controller is a Kubernetes controller that automatically generates cryptographic attestations for completed Tekton PipelineRuns and TaskRuns. It watches for pipeline completion events through the API server and creates SLSA provenance attestations that describe how artifacts were built, including source code references, build parameters, and execution environment details.

The Signing Key holds the cryptographic keys used by Tekton Chains to sign attestations. These keys are stored as Kubernetes secrets and read by the Chains controller, so that the authenticity and integrity of each generated attestation can be verified. The signing process follows industry standards to create verifiable proof of artifact provenance.

Image Storage and Distribution

The OpenShift Internal Image Registry and Image Registry represent OCI-compliant registries (such as Quay.io) where finalized container images, SBOMs, attestations, and other artifacts are stored for distribution and consumption. These registries serve as the authoritative source for validated artifacts that have passed security checks.

Transparency Log Infrastructure

Rekor is the transparency log component of the Sigstore ecosystem that provides an immutable, append-only log of software supply chain metadata. It stores attestations generated by Tekton Chains and Conforma, creating a permanent, publicly verifiable record of all security validations and artifact metadata.

Redis provides high-performance caching for Rekor to improve query performance and reduce latency when accessing frequently requested attestation data.

Trillian provides the underlying cryptographic infrastructure for Rekor’s transparency log functionality. It implements a Merkle tree-based approach to ensure the integrity and immutability of log entries, enabling efficient verification of log consistency and inclusion proofs for stored attestations.

The Trillian Log Signer is responsible for periodically signing the Merkle tree heads in Trillian, creating cryptographic proof that the log has not been tampered with. This component ensures the long-term integrity and trustworthiness of the transparency log infrastructure.
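The inclusion proofs described above are what let a verifier confirm an entry is in the log while holding nothing but the signed tree head. The following is an added example, not code from Conforma, Rekor or Trillian: it implements RFC 6962 leaf/node hashing, builds the audit path a log server would return, and verifies it against the root, using constructed stand-in entries rather than real log data.

```python
import hashlib

def leaf_hash(data):
    # RFC 6962 leaf: SHA-256 over 0x00 || data (domain separation from nodes).
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):
    # RFC 6962 internal node: SHA-256 over 0x01 || left || right.
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves):
    # Tree head over leaves; the left subtree holds the largest power of two < n.
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(index, leaves):
    # Audit path for leaves[index], as a log server hands it to a verifier.
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [merkle_root(leaves[:k])]

def verify_inclusion(index, tree_size, entry, proof, root):
    # Recompute the root from entry + audit path (RFC 9162 s2.1.3.2); only the signed tree head is needed.
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn % 2 == 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn % 2 == 1 or fn == 0):
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
# Constructed stand-ins for Rekor entry bodies (not real log data).
ENTRIES = [b'{"kind":"intoto","attestation":"build-%d"}' % i for i in range(5)]
def demo(index=3):
    # (genuine entry verifies, altered entry is rejected) for one leaf.
    root, proof = merkle_root(ENTRIES), inclusion_proof(index, ENTRIES)
    ok = verify_inclusion(index, len(ENTRIES), ENTRIES[index], proof, root)
    bad = verify_inclusion(index, len(ENTRIES), b"tampered", proof, root)
    return ok, bad
```

In production the root comes from a tree head signed by the Log Signer, so a verifier checks that signature first and then runs the inclusion check against it.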

MySQL serves as the persistent storage backend for Trillian, storing the actual log data, tree nodes, and metadata required for the transparency log operations.

Conforma Integration

Conforma integrates with this infrastructure by reading container images, signatures, and attestations from both internal and external image registries.

It retrieves attestation data from Rekor to validate that artifacts have been properly signed and that their provenance can be verified through the transparency log.

It then processes the retrieved attestations and artifact metadata to evaluate them against defined security policies. This includes validating SLSA provenance requirements, checking for required signatures, and ensuring that all build processes followed approved security practices.

End User Access

End users can independently verify artifacts by querying Rekor directly, enabling transparent and auditable supply chain security without requiring access to internal Konflux systems. This supports zero-trust verification models where consumers can validate artifact integrity independently.