Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
Showing 1 changed file with 47 additions and 0 deletions.
@@ -0,0 +1,47 @@ | ||
# 36. Trusted Artifacts | ||
|
||
Date: 2024-06-11 | ||
|
||
## Status | ||
|
||
Accepted | ||
|
||
## Context | ||
|
||
One of the properties of Konflux is that users should be allowed to include their own Tekton Tasks | ||
in a build Pipeline, e.g. to execute unit tests, without invalidating the build process. This is | ||
distinct from other build systems where a rigid process prevents users from applying such | ||
customizations. To support this, Konflux build Pipelines use Trusted Artifacts to securely share | ||
data between Tasks. Enterprise Contract is then responsible for verifying that Trusted Artifacts | ||
were properly used in the parts of the build Pipeline that affect the build outcome, e.g. | ||
`git-clone` and `buildah` Tasks. | ||
|
||
Trusted Artifacts is inspired by the upcoming work being done by the Tekton Community, | ||
[TEP-0139](https://github.com/tektoncd/community/blob/main/teps/0139-trusted-artifacts.md). The | ||
Konflux version is meant to be a stop-gap until that feature is implemented and ready to be used. | ||
When the time comes, the Konflux implementation should align with what is provided by the Tekton | ||
Community and this ADR may need a revision. | ||
|
||
Furthermore, Konflux takes the approach of sharing such artifacts between Tasks via an OCI registry, | ||
e.g. quay.io, instead of using Tekton Workspaces backed by Persistent Volume Claims. This has | ||
several advantages that were previously discussed | ||
[here](https://github.com/konflux-ci/build-definitions/pull/913#issue-2215784386). | ||
|
||
## Decision | ||
|
||
Sharing data between Tasks is done via Trusted Artifacts backed by OCI storage. | ||
|
||
## Consequences | ||
|
||
* To facilitate the transition, a set of new Tasks have been added to support Trusted Artifacts. | ||
These are variants of existing Tasks. They follow the naming convention of using the suffix | ||
`-oci-ta`, e.g. `git-clone-oci-ta`. | ||
* New Tasks that implement new functionality, e.g. new code scanner, and share data with other Tasks | ||
do not not need to follow the naming convention. | ||
* Any Task that *uses* Trusted Artifacts must do so via parameters named with the suffix | ||
`_ARTIFACT`, e.g. `SOURCE_ARTIFACT`. | ||
* Any Task that *creates* Trusted Artifacts must do so via results named with the suffix | ||
`_ARTIFACT`, e.g. `SOURCE_ARTIFACT`. | ||
* Any Task that uses or creates Trusted Artifacts must NOT accept a general-purpose workspace. Data | ||
must always be shared as a Trusted Artifact. Workspace can, of course, still be used for other | ||
purposes, such as mounting Secrets. |
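Review bot: The Consequences bullets fix naming conventions (`-oci-ta` Task suffix, `_ARTIFACT` parameters and results) but never state what Enterprise Contract actually checks to conclude that Trusted Artifacts "were properly used" in the `git-clone` and `buildah` Tasks named in the Context; consider adding a bullet with the verifiable rule, for example that every `*_ARTIFACT` parameter of such a Task must be wired from a `*_ARTIFACT` result of another Task in the same PipelineRun rather than from a user-supplied Pipeline parameter, so the policy has a documented contract to enforce rather than an implied one. Two wording fixes in the same list: `do not not need to follow` should read `do not need to follow`, and `Workspace can, of course, still be used` should read `Workspaces can, of course, still be used`.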