diff --git a/docs/spire.md b/docs/spire.md
index b43ebdd344e..f537fbb447c 100644
--- a/docs/spire.md
+++ b/docs/spire.md
@@ -63,22 +63,22 @@ This feature relies on a SPIRE installation. This is how it integrates into the
┌─────────────┐ Register TaskRun Workload Identity ┌──────────┐
│ ├──────────────────────────────────────────────►│ │
│ Tekton │ │ SPIRE │
-│ Controller │◄───────────┐ │ Server │
-│ │ │ Listen on TaskRun │ │
-└────────────┬┘ │ └──────────┘
- ▲ │ ┌───────┴───────────────────────────────┐ ▲
- │ │ │ Tekton TaskRun │ │
- │ │ └───────────────────────────────────────┘ │
- │ Configure│ ▲ │ Attest
- │ Pod & │ │ │ +
- │ check │ │ │ Request
- │ ready │ ┌───────────┐ │ │ SVIDs
- │ └────►│ TaskRun ├────────────────────────┘ │
- │ │ Pod │ │
- │ └───────────┘ TaskRun Entrypointer │
- │ ▲ Sign Result and update │
- │ Get │ Get SVID TaskRun status with │
- │ SPIRE │ signature + cert │
+│ Pipelines │◄───────────┐ │ Server │
+│ Controller │ │ Listen on TaskRun │ │
+└────────────┬┘◄┐ │ └──────────┘
+ ▲ │ │ ┌───────┴───────────────────────────────┐ ▲
+ │ │ │ │ Tekton TaskRun │ │
+ │ │ │ └───────────────────────────────────────┘ │
+ │ Configure│ │ │ Attest
+ │ Pod & │ └─────────────────┐ TaskRun Entrypointer │ +
+ │ check │ │ Sign Result and update │ Request
+ │ ready │ ┌───────────┐ │ the status with the │ SVIDs
+ │ └────►│ TaskRun ├──┘ signature + cert │
+ │ │ Pod │ which will be used by │
+ │ └───────────┘ tekton-pipelines-controller │
+ │ ▲ to update TaskRun. │
+ │ Get │ Get SVID │
+ │ SPIRE │ │
│ server │ │
│ Credentials │ ▼
┌┴───────────────────┴─────────────────────────────────────────────────────┐
@@ -280,6 +280,101 @@ The signatures are being verified by the Tekton controller, the process of verif
- For each of the items in the results, verify its content against its associated `.sig` field
+# TaskRun Status attestations
+
+Each TaskRun status that is written by the tekton-pipelines-controller will be signed to ensure that there is no external
+tampering of the TaskRun status. Upon each retrieval of the TaskRun, the tekton-pipelines-controller checks if the status is initialized,
+and that the signature validates the current status.
+The signature and SVID will be stored as annotations on the TaskRun Status field, and can be verified by a client.
+
+The verification is done on every consumption of the TaskRun except when the TaskRun is uninitialized. When uninitialized, the
+tekton-pipelines-controller is not influenced by fields in the status and thus will not sign incorrect reflections of the TaskRun.
+
+The spec and TaskRun annotations/labels are not signed when there are valid interactions from other controllers or users (i.e. cancelling taskrun).
+Editing the object annotations/labels or spec will not result in any unverifiable outcome of the status field.
+
+As the TaskRun progresses, the Pipeline Controller will reconcile the TaskRun object and continually verify the current hash against the `tekton.dev/status-hash-sig` before updating the hash to match the new status and creating a new signature.
+
+An example TaskRun annotations would be:
+
+```console
+$ tkn tr describe non-falsifiable-provenance -oyaml
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+ annotations:
+ pipeline.tekton.dev/release: 3ee99ec
+ creationTimestamp: "2022-03-04T19:10:46Z"
+ generation: 1
+ labels:
+ app.kubernetes.io/managed-by: tekton-pipelines
+ name: non-falsifiable-provenance
+ namespace: default
+ resourceVersion: "23088242"
+ uid: 548ebe99-d40b-4580-a9bc-afe80915e22e
+spec:
+ serviceAccountName: default
+ taskSpec:
+ results:
+ - description: ""
+ name: foo
+ - description: ""
+ name: bar
+ steps:
+ - image: ubuntu
+ name: non-falsifiable
+ resources: {}
+ script: |
+ #!/usr/bin/env bash
+ sleep 30
+ printf "%s" "hello" > "$(results.foo.path)"
+ printf "%s" "world" > "$(results.bar.path)"
+ timeout: 1m0s
+status:
+ annotations:
+ tekton.dev/controller-svid: |
+ -----BEGIN CERTIFICATE-----
+ MIIB7jCCAZSgAwIBAgIRAI8/08uXSn9tyv7cRN87uvgwCgYIKoZIzj0EAwIwHjEL
+ MAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTAeFw0yMjAzMDQxODU0NTlaFw0y
+ MjAzMDQxOTU1MDlaMB0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQKEwVTUElSRTBZMBMG
+ ByqGSM49AgEGCCqGSM49AwEHA0IABL+e9OjkMv+7XgMWYtrzq0ESzJi+znA/Pm8D
+ nvApAHg3/rEcNS8c5LgFFRzDfcs9fxGSSkL1JrELzoYul1Q13XejgbMwgbAwDgYD
+ VR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
+ HRMBAf8EAjAAMB0GA1UdDgQWBBR+ma+yZfo092FKIM4F3yhEY8jgDDAfBgNVHSME
+ GDAWgBRKiCg5+YdTaQ+5gJmvt2QcDkQ6KjAxBgNVHREEKjAohiZzcGlmZmU6Ly9l
+ eGFtcGxlLm9yZy90ZWt0b24vY29udHJvbGxlcjAKBggqhkjOPQQDAgNIADBFAiEA
+ 8xVWrQr8+i6yMLDm9IUjtvTbz9ofjSsWL6c/+rxmmRYCIBTiJ/HW7di3inSfxwqK
+ 5DKyPrKoR8sq8Ne7flkhgbkg
+ -----END CERTIFICATE-----
+ tekton.dev/status-hash: 76692c9dcd362f8a6e4bda8ccb4c0937ad16b0d23149ae256049433192892511
+ tekton.dev/status-hash-sig: MEQCIFv2bW0k4g0Azx+qaeZjUulPD8Ma3uCUn0tXQuuR1FaEAiBHQwN4XobOXmC2nddYm04AZ74YubUyNl49/vnbnR/HcQ==
+ completionTime: "2022-03-04T19:11:22Z"
+ conditions:
+ - lastTransitionTime: "2022-03-04T19:11:22Z"
+ message: All Steps have completed executing
+ reason: Succeeded
+ status: "True"
+ type: Succeeded
+ - lastTransitionTime: "2022-03-04T19:11:22Z"
+ message: Spire verified
+ reason: TaskRunResultsVerified
+ status: "True"
+ type: SignedResultsVerified
+ podName: non-falsifiable-provenance-pod
+ startTime: "2022-03-04T19:10:46Z"
+ steps:
+ ...
+ <TRUNCATED>
+```
+
+## How is the status being verified
+
+The signature are being verified by the Tekton controller, the process of verification is as follows:
+
+- Verify status-hash fields
+ - verify `tekton.dev/status-hash` content against its associated `tekton.dev/status-hash-sig` field. If status hash does
+ not match invalidate the `tekton.dev/not-verified = yes` annotation will be added
+
## Further Details
-To learn more about SPIRE TaskRun attestations, check out the [TEP](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md).
+To learn more about SPIRE attestations, check out the [TEP](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md).
diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
index 7f348b11307..c294daa608b 100644
--- a/pkg/apis/config/feature_flags.go
+++ b/pkg/apis/config/feature_flags.go
@@ -142,9 +142,6 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
if err := setEmbeddedStatus(cfgMap, DefaultEmbeddedStatus, &tc.EmbeddedStatus); err != nil {
return nil, err
}
- if err := setFeature(enableSpire, DefaultEnableSpire, &tc.EnableSpire); err != nil {
- return nil, err
- }
// Given that they are alpha features, Tekton Bundles and Custom Tasks should be switched on if
// enable-api-fields is "alpha". If enable-api-fields is not "alpha" then fall back to the value of
diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go
index 859a9dec238..28638aaebf0 100644
--- a/pkg/pod/pod.go
+++ b/pkg/pod/pod.go
@@ -193,7 +193,6 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
}
readyImmediately := isPodReadyImmediately(*featureFlags, taskSpec.Sidecars)
-
// append credEntrypointArgs with entrypoint arg that contains if spire is enabled by configmap
commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, credEntrypointArgs...)
diff --git a/pkg/pod/pod_test.go b/pkg/pod/pod_test.go
index 5b11a7f93d6..f079a4bbd40 100644
--- a/pkg/pod/pod_test.go
+++ b/pkg/pod/pod_test.go
@@ -2219,175 +2219,6 @@ func TestPodBuildwithSpireEnabled(t *testing.T) {
}
}
-func TestPodBuildwithSpireEnabled(t *testing.T) {
- placeToolsInit := corev1.Container{
- Name: "place-tools",
- Image: images.EntrypointImage,
- WorkingDir: "/",
- Command: []string{"/ko-app/entrypoint", "cp", "/ko-app/entrypoint", "/tekton/bin/entrypoint"},
- VolumeMounts: []corev1.VolumeMount{binMount},
- }
-
- initContainers := []corev1.Container{placeToolsInit, tektonDirInit(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})}
- for i := range initContainers {
- c := &initContainers[i]
- c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
- Name: "spiffe-workload-api",
- MountPath: "/spiffe-workload-api",
- })
- }
-
- for _, c := range []struct {
- desc string
- trs v1beta1.TaskRunSpec
- trAnnotation map[string]string
- ts v1beta1.TaskSpec
- want *corev1.PodSpec
- wantAnnotations map[string]string
- }{{
- desc: "simple with debug breakpoint onFailure",
- trs: v1beta1.TaskRunSpec{
- Debug: &v1beta1.TaskRunDebug{
- Breakpoint: []string{breakpointOnFailure},
- },
- },
- ts: v1beta1.TaskSpec{
- Steps: []v1beta1.Step{{
- Name: "name",
- Image: "image",
- Command: []string{"cmd"}, // avoid entrypoint lookup.
- }},
- },
- want: &corev1.PodSpec{
- RestartPolicy: corev1.RestartPolicyNever,
- InitContainers: initContainers,
- Containers: []corev1.Container{{
- Name: "step-name",
- Image: "image",
- Command: []string{"/tekton/bin/entrypoint"},
- Args: []string{
- "-wait_file",
- "/tekton/downward/ready",
- "-wait_file_content",
- "-post_file",
- "/tekton/run/0/out",
- "-termination_path",
- "/tekton/termination",
- "-step_metadata_dir",
- "/tekton/run/0/status",
- "-enable_spire",
- "-entrypoint",
- "cmd",
- "--",
- },
- VolumeMounts: append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, {
- Name: "tekton-creds-init-home-0",
- MountPath: "/tekton/creds",
- }, {
- Name: "spiffe-workload-api",
- MountPath: "/spiffe-workload-api",
- }}, implicitVolumeMounts...),
- TerminationMessagePath: "/tekton/termination",
- }},
- Volumes: append(implicitVolumes, binVolume, runVolume(0), downwardVolume, corev1.Volume{
- Name: "tekton-creds-init-home-0",
- VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}},
- }, corev1.Volume{
- Name: "spiffe-workload-api",
- VolumeSource: corev1.VolumeSource{
- CSI: &corev1.CSIVolumeSource{
- Driver: "csi.spiffe.io",
- },
- },
- }),
- ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds,
- },
- }} {
- t.Run(c.desc, func(t *testing.T) {
- featureFlags := map[string]string{
- "enable-spire": "true",
- }
- names.TestingSeed()
- store := config.NewStore(logtesting.TestLogger(t))
- store.OnConfigChanged(
- &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
- Data: featureFlags,
- },
- )
- kubeclient := fakek8s.NewSimpleClientset(
- &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "default"}},
- &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "service-account", Namespace: "default"},
- Secrets: []corev1.ObjectReference{{
- Name: "multi-creds",
- }},
- },
- &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "multi-creds",
- Namespace: "default",
- Annotations: map[string]string{
- "tekton.dev/docker-0": "https://us.gcr.io",
- "tekton.dev/docker-1": "https://docker.io",
- "tekton.dev/git-0": "github.com",
- "tekton.dev/git-1": "gitlab.com",
- }},
- Type: "kubernetes.io/basic-auth",
- Data: map[string][]byte{
- "username": []byte("foo"),
- "password": []byte("BestEver"),
- },
- },
- )
- var trAnnotations map[string]string
- if c.trAnnotation == nil {
- trAnnotations = map[string]string{
- ReleaseAnnotation: fakeVersion,
- }
- } else {
- trAnnotations = c.trAnnotation
- trAnnotations[ReleaseAnnotation] = fakeVersion
- }
- tr := &v1beta1.TaskRun{
- ObjectMeta: metav1.ObjectMeta{
- Name: "taskrun-name",
- Namespace: "default",
- Annotations: trAnnotations,
- },
- Spec: c.trs,
- }
-
- // No entrypoints should be looked up.
- entrypointCache := fakeCache{}
- builder := Builder{
- Images: images,
- KubeClient: kubeclient,
- EntrypointCache: entrypointCache,
- }
-
- got, err := builder.Build(store.ToContext(context.Background()), tr, c.ts)
- if err != nil {
- t.Fatalf("builder.Build: %v", err)
- }
-
- expectedName := kmeta.ChildName(tr.Name, "-pod")
- if d := cmp.Diff(expectedName, got.Name); d != "" {
- t.Errorf("Pod name does not match: %q", d)
- }
-
- if d := cmp.Diff(c.want, &got.Spec, resourceQuantityCmp, volumeSort, volumeMountSort); d != "" {
- t.Errorf("Diff %s", diff.PrintWantGot(d))
- }
-
- if c.wantAnnotations != nil {
- if d := cmp.Diff(c.wantAnnotations, got.ObjectMeta.Annotations, cmpopts.IgnoreMapEntries(ignoreReleaseAnnotation)); d != "" {
- t.Errorf("Annotation Diff(-want, +got):\n%s", d)
- }
- }
- })
- }
-}
-
func TestMakeLabels(t *testing.T) {
taskRunName := "task-run-name"
want := map[string]string{
diff --git a/pkg/reconciler/taskrun/taskrun.go b/pkg/reconciler/taskrun/taskrun.go
index c4f6533b7c4..124e234f7d9 100644
--- a/pkg/reconciler/taskrun/taskrun.go
+++ b/pkg/reconciler/taskrun/taskrun.go
@@ -117,6 +117,20 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, tr *v1beta1.TaskRun) pkg
// on the event to perform user facing initialisations, such has reset a CI check status
afterCondition := tr.Status.GetCondition(apis.ConditionSucceeded)
events.Emit(ctx, nil, afterCondition, tr)
+ } else if config.FromContextOrDefaults(ctx).FeatureFlags.EnableSpire {
+ var verified = false
+ if c.SpireClient != nil {
+ if err := c.SpireClient.VerifyStatusInternalAnnotation(ctx, tr, logger); err == nil {
+ verified = true
+ }
+ if !verified {
+ if tr.Status.Annotations == nil {
+ tr.Status.Annotations = map[string]string{}
+ }
+ tr.Status.Annotations[spire.NotVerifiedAnnotation] = "yes"
+ }
+ logger.Infof("taskrun verification status: %t with hash %v \n", verified, tr.Status.Annotations[spire.TaskRunStatusHashAnnotation])
+ }
}
// If the TaskRun is complete, run some post run fixtures when applicable
@@ -289,6 +303,20 @@ func (c *Reconciler) finishReconcileUpdateEmitEvents(ctx context.Context, tr *v1
events.Emit(ctx, beforeCondition, afterCondition, tr)
var err error
+ // Add status internal annotations hash only if it was verified
+ if config.FromContextOrDefaults(ctx).FeatureFlags.EnableSpire &&
+ c.SpireClient != nil && c.SpireClient.CheckSpireVerifiedFlag(tr) {
+ if err := spire.CheckStatusInternalAnnotation(tr); err != nil {
+ err = c.SpireClient.AppendStatusInternalAnnotation(ctx, tr)
+ if err != nil {
+ logger.Warn("Failed to sign TaskRun internal status hash", zap.Error(err))
+ events.EmitError(controller.GetEventRecorder(ctx), err, tr)
+ } else {
+ logger.Infof("Successfully signed TaskRun internal status with hash: %v",
+ tr.Status.Annotations[spire.TaskRunStatusHashAnnotation])
+ }
+ }
+ }
merr := multierror.Append(previousError, err).ErrorOrNil()
diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go
index 04e84d8e206..96f31ce123c 100644
--- a/pkg/reconciler/taskrun/taskrun_test.go
+++ b/pkg/reconciler/taskrun/taskrun_test.go
@@ -63,6 +63,7 @@ import (
ktesting "k8s.io/client-go/testing"
"k8s.io/client-go/tools/record"
"knative.dev/pkg/apis"
+ duckv1beta1 "knative.dev/pkg/apis/duck/v1beta1"
cminformer "knative.dev/pkg/configmap/informer"
"knative.dev/pkg/controller"
"knative.dev/pkg/kmeta"
@@ -4338,6 +4339,124 @@ status:
}
}
+func TestReconcileOnTaskRunSign(t *testing.T) {
+ sc := &spire.MockClient{}
+
+ taskSt := &apis.Condition{
+ Type: apis.ConditionSucceeded,
+ Status: corev1.ConditionTrue,
+ Reason: "Build succeeded",
+ Message: "Build succeeded",
+ }
+ taskRunStartedUnsigned := &v1beta1.TaskRun{
+ ObjectMeta: objectMeta("taskrun-started-unsigned", "foo"),
+ Spec: v1beta1.TaskRunSpec{
+ TaskRef: &v1beta1.TaskRef{
+ Name: simpleTask.Name,
+ },
+ },
+ Status: v1beta1.TaskRunStatus{
+ Status: duckv1beta1.Status{
+ Conditions: duckv1beta1.Conditions{
+ *taskSt,
+ },
+ },
+ TaskRunStatusFields: v1beta1.TaskRunStatusFields{
+ StartTime: &metav1.Time{Time: now.Add(-15 * time.Second)},
+ },
+ },
+ }
+ taskRunUnstarted := &v1beta1.TaskRun{
+ ObjectMeta: objectMeta("taskrun-unstarted", "foo"),
+ Spec: v1beta1.TaskRunSpec{
+ TaskRef: &v1beta1.TaskRef{
+ Name: simpleTask.Name,
+ },
+ },
+ Status: v1beta1.TaskRunStatus{
+ Status: duckv1beta1.Status{
+ Conditions: duckv1beta1.Conditions{
+ *taskSt,
+ },
+ },
+ },
+ }
+ taskRunStartedSigned := &v1beta1.TaskRun{
+ ObjectMeta: objectMeta("taskrun-started-signed", "foo"),
+ Spec: v1beta1.TaskRunSpec{
+ TaskRef: &v1beta1.TaskRef{
+ Name: simpleTask.Name,
+ },
+ },
+ Status: v1beta1.TaskRunStatus{
+ Status: duckv1beta1.Status{
+ Conditions: duckv1beta1.Conditions{
+ *taskSt,
+ },
+ },
+ },
+ }
+ if err := sc.AppendStatusInternalAnnotation(context.Background(), taskRunStartedSigned); err != nil {
+ t.Fatal("failed to sign test taskrun")
+ }
+
+ d := test.Data{
+ ConfigMaps: []*corev1.ConfigMap{{
+ ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
+ Data: map[string]string{
+ "enable-spire": "true",
+ },
+ }},
+
+ TaskRuns: []*v1beta1.TaskRun{
+ taskRunStartedUnsigned, taskRunUnstarted, taskRunStartedSigned,
+ },
+ Tasks: []*v1beta1.Task{simpleTask},
+ }
+ testAssets, cancel := getTaskRunController(t, d)
+ defer cancel()
+ c := testAssets.Controller
+ clients := testAssets.Clients
+
+ testCases := []struct {
+ name string
+ tr *v1beta1.TaskRun
+ verifiable bool
+ }{
+ {
+ name: "sign/verify unstarted taskrun",
+ tr: taskRunUnstarted,
+ verifiable: true,
+ },
+ {
+ name: "sign/verify signed started taskrun",
+ tr: taskRunStartedSigned,
+ verifiable: true,
+ },
+ {
+ name: "sign/verify unsigned started taskrun should fail",
+ tr: taskRunStartedUnsigned,
+ verifiable: false,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ if err := c.Reconciler.Reconcile(testAssets.Ctx, getRunName(tc.tr)); err != nil {
+ t.Fatalf("Unexpected error when reconciling completed TaskRun : %v", err)
+ }
+ newTr, err := clients.Pipeline.TektonV1beta1().TaskRuns(tc.tr.Namespace).Get(testAssets.Ctx, tc.tr.Name, metav1.GetOptions{})
+ if err != nil {
+ t.Fatalf("Expected completed TaskRun %s to exist but instead got error when getting it: %v", tc.tr.Name, err)
+ }
+ verified := sc.CheckSpireVerifiedFlag(newTr)
+ if verified != tc.verifiable {
+ t.Fatalf("expected verifiable: %v, got %v", tc.verifiable, verified)
+ }
+ })
+ }
+}
+
func Test_validateTaskSpecRequestResources_ValidResources(t *testing.T) {
tcs := []struct {
name string
diff --git a/test/artifact_bucket_test.go b/test/artifact_bucket_test.go
index 98ceafd6219..db75c74f7f2 100644
--- a/test/artifact_bucket_test.go
+++ b/test/artifact_bucket_test.go
@@ -33,11 +33,13 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
knativetest "knative.dev/pkg/test"
"knative.dev/pkg/test/helpers"
)
const (
+ systemNamespace = "tekton-pipelines"
bucketSecretName = "bucket-secret"
bucketSecretKey = "bucket-secret-key"
)
@@ -256,6 +258,26 @@ spec:
}
}
+// updateConfigMap updates the config map for specified @name with values. We can't use the one from knativetest because
+// it assumes that Data is already a non-nil map, and by default, it isn't!
+func updateConfigMap(ctx context.Context, client kubernetes.Interface, name string, configName string, values map[string]string) error {
+ configMap, err := client.CoreV1().ConfigMaps(name).Get(ctx, configName, metav1.GetOptions{})
+ if err != nil {
+ return err
+ }
+
+ if configMap.Data == nil {
+ configMap.Data = make(map[string]string)
+ }
+
+ for key, value := range values {
+ configMap.Data[key] = value
+ }
+
+ _, err = client.CoreV1().ConfigMaps(name).Update(ctx, configMap, metav1.UpdateOptions{})
+ return err
+}
+
func getBucketSecret(t *testing.T, configFilePath, namespace string) *corev1.Secret {
t.Helper()
f, err := ioutil.ReadFile(configFilePath)
diff --git a/test/embed_test.go b/test/embed_test.go
index 5273147faf9..4be790c23df 100644
--- a/test/embed_test.go
+++ b/test/embed_test.go
@@ -72,10 +72,6 @@ func embeddedResourceTest(t *testing.T, spireEnabled bool) {
embedTaskName := helpers.ObjectNameForTest(t)
embedTaskRunName := helpers.ObjectNameForTest(t)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
t.Logf("Creating Task and TaskRun in namespace %s", namespace)
if _, err := c.TaskClient.Create(ctx, getEmbeddedTask(t, embedTaskName, namespace, []string{"/bin/sh", "-c", fmt.Sprintf("echo %s", taskOutput)}), metav1.CreateOptions{}); err != nil {
@@ -99,6 +95,7 @@ func embeddedResourceTest(t *testing.T, spireEnabled bool) {
t.Errorf("Error retrieving taskrun: %s", err)
}
spireShouldPassTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
}
diff --git a/test/entrypoint_test.go b/test/entrypoint_test.go
index 579fe886bb9..57275a5b8e7 100644
--- a/test/entrypoint_test.go
+++ b/test/entrypoint_test.go
@@ -68,10 +68,6 @@ func entryPointerTest(t *testing.T, spireEnabled bool) {
defer tearDown(ctx, t, c, namespace)
epTaskRunName := helpers.ObjectNameForTest(t)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
t.Logf("Creating TaskRun in namespace %s", namespace)
if _, err := c.TaskRunClient.Create(ctx, parse.MustParseTaskRun(t, fmt.Sprintf(`
@@ -102,6 +98,7 @@ spec:
t.Errorf("Error retrieving taskrun: %s", err)
}
spireShouldPassTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
}
diff --git a/test/helm_task_test.go b/test/helm_task_test.go
index 51a78835f3a..e60bf4e33e3 100644
--- a/test/helm_task_test.go
+++ b/test/helm_task_test.go
@@ -81,11 +81,6 @@ func helmDeploytest(t *testing.T, spireEnabled bool) {
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
t.Logf("Creating Git PipelineResource %s", sourceResourceName)
if _, err := c.PipelineResourceClient.Create(ctx, getGoHelloworldGitResource(t, sourceResourceName), metav1.CreateOptions{}); err != nil {
t.Fatalf("Failed to create Pipeline Resource `%s`: %s", sourceResourceName, err)
@@ -134,6 +129,7 @@ func helmDeploytest(t *testing.T, spireEnabled bool) {
}
for _, taskrunItem := range taskrunList.Items {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
}
diff --git a/test/hermetic_taskrun_test.go b/test/hermetic_taskrun_test.go
index f5c5482cd87..cca9b0d6a6c 100644
--- a/test/hermetic_taskrun_test.go
+++ b/test/hermetic_taskrun_test.go
@@ -62,11 +62,6 @@ func hermeticTest(t *testing.T, spireEnabled bool) {
t.Parallel()
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
tests := []struct {
desc string
getTaskRun func(*testing.T, string, string, string) *v1beta1.TaskRun
@@ -98,6 +93,7 @@ func hermeticTest(t *testing.T, spireEnabled bool) {
t.Errorf("Error retrieving taskrun: %s", err)
}
spireShouldPassTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
// now, run the task mode with hermetic mode
@@ -117,6 +113,7 @@ func hermeticTest(t *testing.T, spireEnabled bool) {
t.Errorf("Error retrieving taskrun: %s", err)
}
spireShouldFailTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
})
}
diff --git a/test/ignore_step_error_test.go b/test/ignore_step_error_test.go
index 4dbe0c22648..984b2de2366 100644
--- a/test/ignore_step_error_test.go
+++ b/test/ignore_step_error_test.go
@@ -58,11 +58,6 @@ func stepErrorTest(t *testing.T, spireEnabled bool) {
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
pipelineRun := parse.MustParsePipelineRun(t, fmt.Sprintf(`
metadata:
name: %s
@@ -124,6 +119,7 @@ spec:
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
for _, r := range taskrunItem.Status.TaskRunResults {
diff --git a/test/init_test.go b/test/init_test.go
index 0525f5c00e3..354472c8903 100644
--- a/test/init_test.go
+++ b/test/init_test.go
@@ -33,6 +33,7 @@ import (
"github.com/tektoncd/pipeline/pkg/apis/config"
"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
"github.com/tektoncd/pipeline/pkg/names"
+ "github.com/tektoncd/pipeline/pkg/spire"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -290,3 +291,29 @@ func spireShouldPassTaskRunResultsVerify(tr *v1beta1.TaskRun, t *testing.T) {
}
t.Logf("Taskrun `%s` status results condition verified by spire as true, which is valid", tr.Name)
}
+
+// Verifies if the taskrun status annotation does not contain "not-verified"
+func spireShouldPassSpireAnnotation(tr *v1beta1.TaskRun, t *testing.T) {
+ if _, notVerified := tr.Status.Annotations[spire.NotVerifiedAnnotation]; notVerified {
+ t.Errorf("Taskrun `%s` status not verified. Spire annotation tekton.dev/not-verified = yes. Failed spire verification", tr.Name)
+ }
+ t.Logf("Taskrun `%s` status spire annotation verified", tr.Name)
+}
+
+// Verifies if the taskrun status annotation does contain "not-verified"
+func spireShouldFailSpireAnnotation(tr *v1beta1.TaskRun, t *testing.T) {
+ _, notVerified := tr.Status.Annotations[spire.NotVerifiedAnnotation]
+ _, hash := tr.Status.Annotations[spire.TaskRunStatusHashAnnotation]
+ if !notVerified && hash {
+ t.Errorf("Taskrun `%s` status should be not verified missing spire Annotation tekton.dev/not-verified = yes", tr.Name)
+ }
+ t.Logf("Taskrun `%s` status spire annotation not verified, which is valid", tr.Name)
+}
+
+// Verifies the taskrun status annotation should not exist
+func spireZeroSpireAnnotation(tr *v1beta1.TaskRun, t *testing.T) {
+ if len(tr.Status.Annotations) > 0 {
+ t.Errorf("Taskrun `%s` status should not have any spire annotations", tr.Name)
+ }
+ t.Logf("Taskrun `%s` status spire annotation not found, which is valid", tr.Name)
+}
diff --git a/test/kaniko_task_test.go b/test/kaniko_task_test.go
index 605e9f8d4f4..d4dcb385628 100644
--- a/test/kaniko_task_test.go
+++ b/test/kaniko_task_test.go
@@ -81,11 +81,6 @@ func kanikoTest(t *testing.T, spireEnabled bool) {
t.Fatalf("Failed to create Pipeline Resource `%s`: %s", git.Name, err)
}
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
image := getImageResource(t, repo)
t.Logf("Creating Image PipelineResource %s", repo)
if _, err := c.PipelineResourceClient.Create(ctx, image, metav1.CreateOptions{}); err != nil {
@@ -147,6 +142,7 @@ func kanikoTest(t *testing.T, spireEnabled bool) {
if spireEnabled {
spireShouldPassTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
// match the local digest, which is first capture group against the remote image
diff --git a/test/pipelinefinally_test.go b/test/pipelinefinally_test.go
index 8e9b3005d22..d90ff9b5e6c 100644
--- a/test/pipelinefinally_test.go
+++ b/test/pipelinefinally_test.go
@@ -279,6 +279,7 @@ spec:
}
if spireEnabled {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
dagTask1EndTime = taskrunItem.Status.CompletionTime
case n == "dagtask2":
@@ -287,12 +288,14 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
dagTask2EndTime = taskrunItem.Status.CompletionTime
case n == "dagtask4":
if spireEnabled {
// Skipped so status annotations should not be there. Results should not be verified as not run
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireZeroSpireAnnotation(&taskrunItem, t)
}
t.Fatalf("task %s should have skipped due to when expression", n)
case n == "dagtask5":
@@ -301,6 +304,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case n == "finaltask1":
if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess"); err != nil {
@@ -308,6 +312,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
finalTaskStartTime = taskrunItem.Status.StartTime
case n == "finaltask2":
@@ -316,6 +321,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
for _, p := range taskrunItem.Spec.Params {
switch param := p.Name; param {
@@ -344,6 +350,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
for _, p := range taskrunItem.Spec.Params {
if p.Name == "dagtask-result" && p.Value.StringVal != "Hello" {
@@ -356,6 +363,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case n == "guardedfinaltaskusingdagtask5status1":
if !isSuccessful(t, n, taskrunItem.Status.Conditions) {
@@ -363,17 +371,20 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case n == "guardedfinaltaskusingdagtask5result2":
if spireEnabled {
// Skipped so status annotations should not be there. Results should not be verified as not run
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireZeroSpireAnnotation(&taskrunItem, t)
}
t.Fatalf("final task %s should have skipped due to when expression evaluating to false", n)
case n == "finaltaskconsumingdagtask1" || n == "finaltaskconsumingdagtask4" || n == "guardedfinaltaskconsumingdagtask4":
if spireEnabled {
// Skipped so status annotations should not be there. Results should not be verified as not run
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireZeroSpireAnnotation(&taskrunItem, t)
}
t.Fatalf("final task %s should have skipped due to missing task result reference", n)
default:
@@ -471,11 +482,6 @@ func pipelineLevelFinallyOneFinalTaskFailedFailureWithOptions(t *testing.T, spir
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
task := getSuccessTask(t, namespace)
if _, err := c.TaskClient.Create(ctx, task, metav1.CreateOptions{}); err != nil {
t.Fatalf("Failed to create dag Task: %s", err)
@@ -528,6 +534,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case n == "finaltask1":
if !isFailed(t, n, taskrunItem.Status.Conditions) {
@@ -535,6 +542,7 @@ spec:
}
if spireEnabled {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
default:
t.Fatalf("TaskRuns were not found for both final and dag tasks")
@@ -567,11 +575,6 @@ func pipelineLevelFinallyOneFinalTaskCancelledRunFinallyWithOptions(t *testing.T
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
task1 := getDelaySuccessTaskProducingResults(t, namespace)
task1.Spec.Results = append(task1.Spec.Results, v1beta1.TaskResult{
Name: "result",
@@ -667,10 +670,12 @@ spec:
}
if spireEnabled {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case "dagtask2":
if spireEnabled {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireZeroSpireAnnotation(&taskrunItem, t)
}
t.Fatalf("second dag task %s should be skipped as it depends on the result from cancelled 'dagtask1'", n)
case "finaltask1":
@@ -679,10 +684,12 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case "finaltask2":
if spireEnabled {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireZeroSpireAnnotation(&taskrunItem, t)
}
t.Fatalf("second final task %s should be skipped as it depends on the result from cancelled 'dagtask1'", n)
default:
@@ -716,11 +723,6 @@ func pipelineLevelFinallyOneFinalTaskStoppedRunFinallyWithOptions(t *testing.T,
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
task1 := getDelaySuccessTaskProducingResults(t, namespace)
task1.Spec.Results = append(task1.Spec.Results, v1beta1.TaskResult{
Name: "result",
@@ -816,6 +818,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case "finaltask1":
if !isSuccessful(t, n, taskrunItem.Status.Conditions) {
@@ -823,6 +826,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
case "finaltask2":
if !isSuccessful(t, n, taskrunItem.Status.Conditions) {
@@ -830,6 +834,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
default:
t.Fatalf("TaskRuns were not found for both final and dag tasks")
diff --git a/test/pipelinerun_test.go b/test/pipelinerun_test.go
index 9cff8c75076..ee713429a77 100644
--- a/test/pipelinerun_test.go
+++ b/test/pipelinerun_test.go
@@ -320,6 +320,7 @@ spec:
i := i // capture range variable
td := td // capture range variable
t.Run(td.name, func(t *testing.T) {
+ t.Parallel()
ctx := context.Background()
ctx, cancel := context.WithCancel(ctx)
defer cancel()
@@ -336,11 +337,6 @@ spec:
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
t.Logf("Setting up test resources for %q test in namespace %s", td.name, namespace)
resources, p := td.testSetup(ctx, t, c, namespace, i)
@@ -370,6 +366,7 @@ spec:
}
if spireEnabled {
spireShouldPassTaskRunResultsVerify(&actualTaskRunItem, t)
+ spireShouldPassSpireAnnotation(&actualTaskRunItem, t)
}
}
expectedTaskRunNames = append(expectedTaskRunNames, taskRunName)
@@ -565,6 +562,7 @@ spec:
}
for _, taskrunItem := range taskrunList.Items {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
}
@@ -606,10 +604,6 @@ func pipelineRunPendingTestWithOptions(t *testing.T, spireEnabled bool) {
taskName := helpers.ObjectNameForTest(t)
pipelineName := helpers.ObjectNameForTest(t)
prName := helpers.ObjectNameForTest(t)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
t.Logf("Creating Task, Pipeline, and Pending PipelineRun %s in namespace %s", prName, namespace)
@@ -685,6 +679,7 @@ spec:
}
for _, taskrunItem := range taskrunList.Items {
spireShouldPassTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
}
}
diff --git a/test/status_test.go b/test/status_test.go
index 8f6a733e2bd..597697c78c9 100644
--- a/test/status_test.go
+++ b/test/status_test.go
@@ -65,11 +65,6 @@ func taskRunPipelineRunStatus(t *testing.T, spireEnabled bool) {
knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
defer tearDown(ctx, t, c, namespace)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
t.Logf("Creating Task and TaskRun in namespace %s", namespace)
task := parse.MustParseTask(t, fmt.Sprintf(`
metadata:
@@ -104,6 +99,7 @@ spec:
t.Errorf("Error retrieving taskrun: %s", err)
}
spireShouldFailTaskRunResultsVerify(tr, t)
+ spireShouldPassSpireAnnotation(tr, t)
}
pipeline := parse.MustParsePipeline(t, fmt.Sprintf(`
@@ -140,6 +136,7 @@ spec:
}
for _, taskrunItem := range taskrunList.Items {
spireShouldFailTaskRunResultsVerify(&taskrunItem, t)
+ spireShouldPassSpireAnnotation(&taskrunItem, t)
}
}
diff --git a/test/taskrun_test.go b/test/taskrun_test.go
index 6df78077487..a72ff23c641 100644
--- a/test/taskrun_test.go
+++ b/test/taskrun_test.go
@@ -71,11 +71,6 @@ func taskrunFailureTest(t *testing.T, spireEnabled bool) {
taskRunName := helpers.ObjectNameForTest(t)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
-
t.Logf("Creating Task and TaskRun in namespace %s", namespace)
task := parse.MustParseTask(t, fmt.Sprintf(`
metadata:
@@ -120,6 +115,7 @@ spec:
if spireEnabled {
spireShouldFailTaskRunResultsVerify(taskrun, t)
+ spireShouldPassSpireAnnotation(taskrun, t)
}
expectedStepState := []v1beta1.StepState{{
@@ -192,10 +188,6 @@ func taskrunStatusTest(t *testing.T, spireEnabled bool) {
defer tearDown(ctx, t, c, namespace)
taskRunName := helpers.ObjectNameForTest(t)
- if spireEnabled {
- originalConfigMapData := enableSpireConfigMap(ctx, c, t)
- defer resetConfigMap(ctx, t, c, systemNamespace, config.GetFeatureFlagsConfigName(), originalConfigMapData)
- }
fqImageName := getTestImage(busyboxImage)
@@ -237,6 +229,7 @@ spec:
if spireEnabled {
spireShouldPassTaskRunResultsVerify(taskrun, t)
+ spireShouldPassSpireAnnotation(taskrun, t)
}
expectedStepState := []v1beta1.StepState{{
@@ -355,6 +348,7 @@ spec:
if spireEnabled {
spireShouldFailTaskRunResultsVerify(taskrun, t)
+ spireShouldFailSpireAnnotation(taskrun, t)
}
expectedStepState := []v1beta1.StepState{{