Prerequisites


Before deploying Develocity Provenance Governor, ensure you have the following prerequisites. These are organized in a logical order that matches the typical installation workflow: infrastructure setup, external integrations, and security configuration.

Recommended Setup Order:

Infrastructure (set up first):

  1. Develocity License - Required for registry authentication

  2. Kubernetes Cluster - Deployment platform

  3. Hostname - DNS configuration for ingress

  4. TLS Certificate - SSL/TLS for secure access

External Integrations (configure before deployment):

  1. Develocity Instance - Source of build data

  2. Artifactory with Evidence Management - Attestation storage (Enterprise+ required)

Security (prepare before first use):

  1. Signing Key Pair - For attestation signatures

Planning:

  1. Cluster Resources - Review resource requirements

Develocity License

Develocity Provenance Governor uses your existing Develocity license - no separate license is required. Any valid Develocity license works; no special entitlements are needed. If you are already a Develocity customer, you can use your existing license. If you don’t have a Develocity license, contact Gradle’s sales team and mention that you need access for "Develocity Provenance Governor".

Kubernetes Cluster

Develocity Provenance Governor is designed to run in a Kubernetes environment. You will need to install it into a Kubernetes cluster. The Kubernetes cluster must have an Ingress Controller.

Develocity Provenance Governor can be deployed in environments other than Kubernetes. If you need to run Develocity Provenance Governor outside of Kubernetes, please open a support ticket and describe your deployment requirements.

Cluster Resources

Plan for the following resource requirements. By default, the combined Kubernetes resource requests are 2 CPUs and 1 GiB of memory per replica. These values are configurable via Kubernetes Deployment values, but lower values may impact performance.

JFrog Artifactory with Evidence Management

Artifactory version 7.104.2 or later with an Enterprise+ license is required. The Evidence Management feature is mandatory for Develocity Provenance Governor operation. Without Artifactory configured with this feature, Develocity Provenance Governor cannot store or retrieve attestations.

Develocity Provenance Governor requires Artifactory as the attestation store. All attestations are stored in and retrieved from Artifactory, making it a critical component of your deployment.

Requirements:

  • Artifactory version 7.104.2 or later

  • Enterprise+ license

  • Evidence Management feature enabled with support for external evidence

  • Network access from the Develocity Provenance Governor deployment to the Artifactory instance

  • Artifactory Access Token or Identity Token with the following permissions:

    • Read - to retrieve attestations

    • Annotate - to attach evidence metadata to artifacts

Develocity Instance

Develocity Provenance Governor uses Develocity Build Scan data to generate attestations. It requires network access to a Develocity instance.

Develocity Provenance Governor requires a valid Develocity access key for a user with the “Access build data via the API” permission. If the Develocity instance is using Project-level Access Control, Develocity Provenance Governor will only be able to publish attestations for Build Scan data in projects that the user has access to.

The minimum version of Develocity that Develocity Provenance Governor supports is 2023.3. Develocity Provenance Governor supports publishing attestations from Build Scan data from the following build tools:

  • Gradle, with Develocity plugin version 1.16 or later.

    • JVM attestations for Gradle toolchains are only supported for plugin 3.11 or later.

  • Maven, with Develocity extension version 1.4 or later.

We recommend using the latest available version of Develocity and its build tool integrations for the best experience.

Signing Key Pair

Develocity Provenance Governor cryptographically signs all attestations to ensure authenticity and prevent tampering. You need to generate a signing key pair before deployment. The private key remains with Develocity Provenance Governor and is used to sign attestations. The public key must be registered in your Artifactory instance to allow verification of signed attestations.

Supported Key Types:

We support Ed25519, RSA, and Elliptic Curve keys. Ed25519 is recommended because it provides strong security (equivalent to 128-bit security) with significantly smaller keys and faster operations than RSA or ECDSA.

Generating a Key Pair:

Develocity Provenance Governor needs to be configured with a signing key pair in PEM format. You can generate an Ed25519 key pair using OpenSSL:

openssl genpkey -algorithm Ed25519 -out ./key-pair.private-pem
openssl pkey -in ./key-pair.private-pem -pubout -out ./key-pair.public-pem

Keep the private key secure. You’ll configure it as a Kubernetes secret during deployment. The public key will be registered in Artifactory to verify attestation signatures.
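
A preflight check for the generated pair, run before the private key goes into the Kubernetes secret and the public key is registered in Artifactory. This is an added example, not part of the Develocity documentation: the function name `check_keypair`, the script name and the return codes are assumptions, and it expects an unencrypted private key as produced by the commands above.

```shell
#!/bin/sh
# Added example (not from the Develocity docs): preflight check for a PEM
# signing key pair. check_keypair and its return codes are hypothetical names.
# Assumes an unencrypted private key, as produced by the genpkey command above.
#
# Returns: 0 ok, 1 missing file, 2 loose permissions, 3 unreadable private key,
#          4 unreadable public key, 5 public key does not match private key.
check_keypair() {
    priv=$1
    pub=$2

    if [ ! -r "$priv" ] || [ ! -r "$pub" ]; then
        echo "key file missing or unreadable" >&2
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ldL "$priv" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "private key is accessible to group or others: $priv" >&2
        return 2
    fi

    # Derive the public key from the private key. "-passin pass:" makes an
    # encrypted key fail here instead of prompting on the terminal.
    derived=$(openssl pkey -in "$priv" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key (encrypted, or not a private key)" >&2
        return 3
    }

    # Re-encode the public file so formatting differences do not matter.
    registered=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) || {
        echo "cannot read public key: $pub" >&2
        return 4
    }

    if [ "$derived" != "$registered" ]; then
        echo "public key was not derived from this private key" >&2
        return 5
    fi
    echo "key pair ok"
}

# Run as: sh check-keypair.sh ./key-pair.private-pem ./key-pair.public-pem
if [ "$#" -eq 2 ]; then
    check_keypair "$1" "$2"
fi
```

A mismatch (return code 5) caught here would otherwise surface only later, as attestations that fail verification against the key registered in Artifactory.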

Hostname

Develocity Provenance Governor needs a hostname, which is used in its Ingress. Ensure that the hostname’s DNS is configured to work with the Kubernetes cluster’s Ingress Controller.

TLS Certificate

You’ll need a TLS (Transport Layer Security) certificate for your hostname to enable SSL (Secure Sockets Layer). While SSL/TLS is technically optional, it’s strongly recommended for production environments.

Options include:

  • Using an existing organizational certificate

  • Generating one with cert-manager and Let’s Encrypt (see deployment section for details)

  • Using a self-signed certificate for testing (not recommended for production)