feat: update chain's controllers to support both v1beta1 and v1 Tekton APIs via ConfigMap #1006

Closed
wants to merge 1 commit into from

@aaron-prindle aaron-prindle commented Dec 2, 2023

fixes #665 , fixes #985, fixes #986, fixes #987

This PR updates chains to natively use the Tekton Pipeline v1 API ("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"), updated from the Tekton Pipeline v1beta1 API ("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"). This PR additionally adds backwards compatibility support for v1beta1 Tekton Objects by adding an additional controller ([pipelinerun|taskrun].NewControllerV1Beta1) that can be toggled so that users can watch v1beta1 objects. The usage of either the v1 controller or the v1beta1 controller is toggled via a new bool chains ConfigMap option - tektonAPI.watchForTektonV1Beta1APIInstead. Internally in the provenance and signing logic v1 Tekton object representation is used w/ v1beta1 objects being converted in/out of v1 as needed for processing fields.

The backwards compatibility works as v1beta1 and v1 Tekton APIs can be converted between types. Due to v1beta1 changes over time, some fields have their own bespoke support (v1beta1 TaskRun .Spec.Resources, and .Status.TaskRunStatusField.TaskSpec.Resources). The implementation for the backwards compatibility w/ v1beta1 is designed around all of the chains methods supporting V1 TaskRuns + some bespoke logic for getting information from deprecated fields in V1. The flow for this is that when a V1Beta1 Tekton Object is received by the controller, it converts it to a V1 object and adds some serialized information to the annotations (similar to https://github.com/tektoncd/pipeline/blob/main/pkg/apis/pipeline/v1beta1/taskrun_conversion.go, we would just rely on this but due to changes in v1beta1 over time the conversion methods no longer support what chains supported. See this PR here for an example - https://github.com/tektoncd/pipeline/pull/6150/files#diff-b9722861f4853020c0d7b0e17e92ffbf720b74b9c6e5550387ba3157dd210c94).

For a V1 object using the V1 controller, the flow is straightforward like it was initially with V1 objects being used throughout the signing process.

For a V1Beta1 object using the v1beta1 controller, the flow has 4 main steps:

  1. The received V1Beta1 Tekton Object ([PipelineRun|TaskRun]) is converted to a V1 Tekton Object adding some additional serialized fields to annotations that chains might need to use later when re-converting.
  2. The V1 object is passed through all methods similar to the V1 controller
  3. When certain extraction/signing logic is hit that needs to check .Spec.Resources, .Spec.ResourceResults, or .Status.TaskRunStatusField.TaskSpec.Resources we convert the V1 object back to V1Beta1 (using Tekton Pipeline conversion lib + bespoke deserialization code) and extract the necessary information as was done prior. Then the V1 Provenance is uploaded.
  4. The originally received V1Beta1 object is passed to .Patch to be updated w/ chains annotations noting it was signed, etc.

The changes required were broadly the following:

  • s/v1beta1/v1 such that all internal signing/provenance logic uses V1
  • update objects.go TektonObject interface to be more generic to support v1beta1 and v1 objects (some interface types were versioned @ HEAD - Result & Provenance). Making the controller more natively support v1beta1 and v1 is non-trivial as in many places the TektonObject is cast back to a versioned type (eg: v1, or @ prior-to-this-pr v1beta1) for reading fields directly, etc
  • add controllers (PipelineRun & TaskRun) for v1beta1 that convert to v1 internal representation and annotate v1beta1 object
  • where v1beta1 fields were used to generate provenance, add logic to convert back to v1beta1 to extract fields when necessary
  • convert any test files from v1beta1 -> v1
  • add ConfigMap option to watch v1beta1 OR v1. Supporting watching both (or making this the default) has the issue that w/ Tekton > 0.42.0 where it has the conversion webhook both a v1beta1 and v1 watch get triggered which makes watching both likely have strange edge cases as it can be processed twice

Open Questions:

  • I believe this will be able to fully support all of the currently supported Pipeline versions but OOC what is the current version range of support for Pipeline versions?
  • As v1 Tekton Objects are used internally, this means the provenance information uses the v1 Tekton object representation. Is this ok with regards to compatibility?
  • Are there any opinions/suggestions on the current method to have both v1beta1 and v1 Controllers in which both controllers exist and run w/ the ConfigMap option tektonAPI.watchForTektonV1Beta1APIInstead toggling the other controller into inactivity?
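
Added example, not code from this PR or from Tekton Chains: a reduced Go sketch of steps 1 and 3 of the v1beta1 flow described above, where a v1beta1-only field is serialized into an annotation on the v1 object and decoded again when provenance inputs are extracted. The struct types, `stashKey`, `ToV1` and `Materials` are hypothetical stand-ins, and the sample resource is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the Tekton types (hypothetical, not the real structs).
type Resource struct{ URL, Digest string }
type V1TaskRun struct{ Annotations map[string]string }
type V1Beta1TaskRun struct {
	Annotations map[string]string
	Resources   []Resource // v1beta1-only field with no v1 equivalent
}

const stashKey = "example.dev/v1beta1-spec-resources" // hypothetical key, not one Chains defines

// ToV1 (step 1) stashes the v1beta1-only field, replacing any value already under stashKey.
func ToV1(in V1Beta1TaskRun) (V1TaskRun, error) {
	out := V1TaskRun{Annotations: map[string]string{}}
	for k, v := range in.Annotations {
		if k != stashKey {
			out.Annotations[k] = v
		}
	}
	b, err := json.Marshal(in.Resources)
	if err != nil {
		return out, err
	}
	out.Annotations[stashKey] = string(b)
	return out, nil
}

// Materials (step 3) decodes the stash; a missing or corrupt stash is an error, not an empty list.
func Materials(in V1TaskRun) ([]string, error) {
	raw, ok := in.Annotations[stashKey]
	if !ok {
		return nil, fmt.Errorf("annotation %s missing", stashKey)
	}
	var res []Resource
	if err := json.Unmarshal([]byte(raw), &res); err != nil {
		return nil, fmt.Errorf("decode %s: %w", stashKey, err)
	}
	mats := []string{}
	for _, r := range res {
		mats = append(mats, r.URL+"@"+r.Digest)
	}
	return mats, nil
}

func main() {
	v1, _ := ToV1(V1Beta1TaskRun{Resources: []Resource{{URL: "https://git.example/repo", Digest: "sha1:abc123"}}}) // constructed sample
	fmt.Println(Materials(v1))
}
```

Because the stash travels in an annotation, the sketch rebuilds it from the received spec on every conversion and fails closed on decode errors, so the inputs listed in provenance cannot silently diverge from the object that was signed.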

@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign wlynch after the PR has been reviewed.
You can assign the PR to them by writing /assign @wlynch in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Dec 2, 2023
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 71.2% | 1.0 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 64.9% | 3.3 |
| pkg/chains/formats/slsa/internal/material/material.go | 92.2% | 92.6% | 0.4 |
| pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go | 86.4% | 87.5% | 1.1 |
| pkg/chains/objects/objects.go | 69.7% | 31.7% | -38.0 |
| pkg/chains/signing.go | 73.7% | 68.8% | -4.9 |

@aaron-prindle aaron-prindle force-pushed the fix-985-v2 branch 2 times, most recently from ff59343 to b6dcecc Compare December 2, 2023 01:37
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 71.2% | 1.0 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 64.9% | 3.3 |
| pkg/chains/formats/slsa/internal/material/material.go | 92.2% | 92.6% | 0.4 |
| pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go | 86.4% | 87.5% | 1.1 |
| pkg/chains/objects/objects.go | 69.7% | 31.7% | -38.0 |
| pkg/chains/signing.go | 73.7% | 68.8% | -4.9 |
| pkg/chains/storage/gcs/gcs.go | 70.1% | 64.9% | -5.2 |

@aaron-prindle aaron-prindle force-pushed the fix-985-v2 branch 2 times, most recently from ed85c4c to 67b0dfd Compare December 2, 2023 05:33
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 71.2% | 1.0 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 64.9% | 3.3 |
| pkg/chains/formats/slsa/internal/material/material.go | 92.2% | 92.6% | 0.4 |
| pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go | 86.4% | 87.5% | 1.1 |
| pkg/chains/objects/objects.go | 69.7% | 31.7% | -38.0 |
| pkg/chains/signing.go | 73.7% | 68.8% | -4.9 |
| pkg/chains/storage/gcs/gcs.go | 70.1% | 64.9% | -5.2 |
| pkg/reconciler/pipelinerun/controller.go | 95.0% | 47.5% | -47.5 |
| pkg/reconciler/pipelinerun/pipelinerun.go | 80.5% | 30.7% | -49.8 |
| pkg/reconciler/taskrun/controller.go | 94.1% | 47.1% | -47.1 |
| pkg/reconciler/taskrun/taskrun.go | 90.9% | 27.9% | -63.0 |

@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 73.4% | 3.2 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 63.4% | 1.9 |
| pkg/chains/formats/slsa/extract/v1beta1/extract.go | Do not exist | 60.3% | |
| pkg/chains/formats/slsa/internal/artifact/v1beta1/append.go | Do not exist | 100.0% | |
| pkg/chains/formats/slsa/internal/material/material.go | 92.2% | 92.6% | 0.4 |
| pkg/chains/formats/slsa/internal/material/v1beta1/material.go | Do not exist | 92.2% | |
| pkg/chains/formats/slsa/v1/intotoite6.go | 88.9% | 39.4% | -49.5 |
| pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go | 77.6% | 77.5% | -0.1 |
| pkg/chains/formats/slsa/v2alpha1/slsav2.go | 85.7% | 50.0% | -35.7 |
| pkg/chains/formats/slsa/v2alpha2/slsav2.go | 87.5% | 28.0% | -59.5 |
| pkg/chains/formats/slsa/v2alpha3/internal/external_parameters/external_parameters.go | Do not exist | 87.5% | |
| pkg/chains/formats/slsa/v2alpha3/internal/internal_parameters/internal_parameters.go | Do not exist | 100.0% | |
| pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun/pipelinerun.go | Do not exist | 83.8% | |
| pkg/chains/formats/slsa/v2alpha3/internal/resolved_dependencies/resolved_dependencies.go | Do not exist | 87.5% | |
| pkg/chains/formats/slsa/v2alpha3/internal/taskrun/taskrun.go | Do not exist | 86.5% | |
| pkg/chains/formats/slsa/v2alpha3/slsav2.go | Do not exist | 87.5% | |
| pkg/chains/objects/objects.go | 69.7% | 31.5% | -38.2 |
| pkg/chains/signing.go | 73.7% | 68.8% | -4.9 |
| pkg/reconciler/pipelinerun/pipelinerun.go | 80.5% | 30.7% | -49.8 |
| pkg/reconciler/taskrun/taskrun.go | 90.9% | 27.9% | -63.0 |

@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 72.3% | 2.1 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 63.4% | 1.9 |
| pkg/chains/formats/slsa/extract/v1beta1/extract.go | Do not exist | 60.3% | |
| pkg/chains/formats/slsa/internal/artifact/v1beta1/append.go | Do not exist | 100.0% | |
| pkg/chains/formats/slsa/internal/material/material.go | 92.2% | 92.6% | 0.4 |
| pkg/chains/formats/slsa/internal/material/v1beta1/material.go | Do not exist | 92.2% | |
| pkg/chains/formats/slsa/v1/intotoite6.go | 88.9% | 39.4% | -49.5 |
| pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go | 77.6% | 77.5% | -0.1 |
| pkg/chains/formats/slsa/v2alpha1/slsav2.go | 85.7% | 50.0% | -35.7 |
| pkg/chains/formats/slsa/v2alpha2/slsav2.go | 87.5% | 28.0% | -59.5 |
| pkg/chains/formats/slsa/v2alpha3/internal/external_parameters/external_parameters.go | Do not exist | 87.5% | |
| pkg/chains/formats/slsa/v2alpha3/internal/internal_parameters/internal_parameters.go | Do not exist | 100.0% | |
| pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun/pipelinerun.go | Do not exist | 83.8% | |
| pkg/chains/formats/slsa/v2alpha3/internal/resolved_dependencies/resolved_dependencies.go | Do not exist | 87.5% | |
| pkg/chains/formats/slsa/v2alpha3/internal/taskrun/taskrun.go | Do not exist | 86.5% | |
| pkg/chains/formats/slsa/v2alpha3/slsav2.go | Do not exist | 87.5% | |
| pkg/chains/objects/objects.go | 69.7% | 31.5% | -38.2 |
| pkg/chains/signing.go | 73.7% | 68.8% | -4.9 |
| pkg/reconciler/pipelinerun/pipelinerun.go | 80.5% | 30.7% | -49.8 |
| pkg/reconciler/taskrun/taskrun.go | 90.9% | 27.9% | -63.0 |

@aaron-prindle aaron-prindle force-pushed the fix-985-v2 branch 4 times, most recently from 2c8660b to ea2aaad Compare December 14, 2023 00:45
… converting to v1beta1 to keep formats backwards compatible
@JeromeJu
Member

/assign
