Git resolver can no longer be used in remote pipeline

[skv-anders]

We are looking at ways to adapt and roll out Tekton Pipelines-As-Code in our organization. We are trying to create a central CI pipeline file where a single team takes responsability for the pipeline code and its tasks, and the other teams invoke it in their respective repos, by referecing it in their local pipelineRun files.

In this concept we want the pipelineRun to contain parameters and a reference to the central pipeline file, but the contents of the pipeline should be opaque, meaning that adding, updating or replacing tasks should be possible without involve updating the pipelineRun file in the teams git repo (or any resources in their namespace).

And this actually worked, until we upgraded to Red Hat OpenShift Pipelines Operator 1.10.3, from 1.9.2.

In each PipelineRun yaml file, one per repo, we have a PipelineRef referring to a Pipeline yaml file in common git repo. Each PipelineRun pass on the built-in parameters that PAC provides, plus some extra options needed by the pipeline. The pipeline file consists of a Pipeline with tasks that each use the git resolver, like this:

  tasks:
    - name: my-task
      params:
        - name: git_auth_secret
          value: "$(params.git_auth_secret)"        
      taskRef:
        resolver: git
        params:
          - name: org
            value: my-org
          - name: repo
            value: my-repo
          - name: revision
            value: master
          - name: pathInRepo
            value: task/my-task/1.0/my-task.yaml

Since the upgrade I get this error when the pipeline is triggered:

admission webhook "validation.webhook.pipeline.tekton.dev" denied the request: validation failed: must not set the field(s): spec.pipelineSpec.tasks[0].taskref.params, spec.pipelineSpec.tasks[0].taskref.resolver...

Is this an intended update to remove functionallity or is it a bug?

[chmouel]

that's seem like a case of v1beta1 to v1 conversion issue, @vdemeester any idea ?

[skv-patrik]

Accordning to https://tekton.dev/docs/pipelines/git-resolver/#requirements enable-api-fields is required to be set to either beta or stable in cm feature-flags. Our feature-flag was set to stable - when I changed it to beta the pipeline works @skv-anders 😄

Though - if I use tkn-pac resolve (we are using version 0.17.2) it translate from

apiVersion: tekton.dev/v1beta1

to

apiVersion: tekton.dev/v1

and you get the error above when you pipe it to oc create -f -.
Looks like tkn-pac doesn't read the feature flags?

[vdemeester]

@skv-patrik 👋🏼
So this is the admission webhook that returns this issue, and this is because it creates objects in v1. And with v1 you need enable-api-fields to be set as beta for it to work. You are experiencing the very very confusing behaviour reported here.

The "today's workaround" is to set enable-api-fields: beta. Long term, this will get fixed upstream by removing this behaviour, and I think short-term, the default value for enable-api-fields is going to be beta.

[skv-patrik]

@skv-patrik 👋🏼 So this is the admission webhook that returns this issue, and this is because it creates objects in v1. And with v1 you need enable-api-fields to be set as beta for it to work. You are experiencing the very very confusing behaviour reported here.

The "today's workaround" is to set enable-api-fields: beta. Long term, this will get fixed upstream by removing this behaviour, and I think short-term, the default value for enable-api-fields is going to be beta.

We look forward for the long term fix 😸