From 91be287a9ad49065d30c4d7c959dfdd41e9d2790 Mon Sep 17 00:00:00 2001
From: Brandon Lum
Date: Mon, 7 Feb 2022 16:05:00 -0500
Subject: [PATCH] Add pod SPIFFE id annotation for workload registrar
Signed-off-by: Brandon Lum
---
 pkg/pod/pod.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go
index 90652eb95e8..b3c024c2486 100644
--- a/pkg/pod/pod.go
+++ b/pkg/pod/pod.go
@@ -56,6 +56,8 @@ const (
 var (
 ReleaseAnnotation = "pipeline.tekton.dev/release"
+ SpiffeIdAnnotation = "spiffe.io/spiffe-id"
+
 groupVersionKind = schema.GroupVersionKind{
 Group: v1beta1.SchemeGroupVersion.Group,
 Version: v1beta1.SchemeGroupVersion.Version,
@@ -275,7 +277,9 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 return nil, err
 }
+ podAnnotations := kmeta.CopyMap(taskRun.Annotations)
 if config.FromContextOrDefaults(ctx).FeatureFlags.EnableSpire {
+ podAnnotations[SpiffeIdAnnotation] = fmt.Sprintf("ns/%v/taskrun/%v", taskRun.Namespace, taskRun.Name)
 volumes = append(volumes, corev1.Volume{
 Name: "spiffe-workload-api",
 VolumeSource: corev1.VolumeSource{
@@ -330,7 +334,6 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 priorityClassName = *podTemplate.PriorityClassName
 }
- podAnnotations := kmeta.CopyMap(taskRun.Annotations)
 version, err := changeset.Get()
 if err != nil {
 return nil, err
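Review bot: `SpiffeIdAnnotation` is added to a `var` block, so the annotation key that carries the workload identity becomes an exported, reassignable package variable, and it has no doc comment. The value is a fixed string, so a constant would be safer and Go initialism casing would read `SpiffeIDAnnotation`, e.g. `const SpiffeIDAnnotation = "spiffe.io/spiffe-id"`. A comment such as `// SpiffeIDAnnotation is the pod annotation that holds the SPIFFE ID path set for a TaskRun pod when SPIRE is enabled.` would document the contract. The `var (` block continues past the end of this hunk.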
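Review bot: A `spiffe.io/spiffe-id` annotation supplied on the TaskRun still reaches the pod when `EnableSpire` is off, because `podAnnotations` is a copy of `taskRun.Annotations` and the key is overwritten only inside the `if`. If a workload registrar that reads this annotation runs in the cluster (the commit subject suggests one is intended), that would let the TaskRun author choose the pod's SPIFFE ID; whether it does depends on the deployment. Clearing the key right after the copy, `delete(podAnnotations, SpiffeIdAnnotation)`, ensures the value can only come from the controller. `Build` starts and ends outside this hunk, so later writes to `podAnnotations` are not visible here.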