TEP-0010 Propose optional workspaces feature #169
Conversation
|
Thank for this proposal! I very much like the idea, I will review the TEP asap. |
|
Sure thing, I'm claiming number 10! Edit: update pr, filename, and tep contents to use tep-0010 |
| of that Task in some way. | ||
|
|
||
| Examples of this include: | ||
| - accepting an optional linter configuration to change the warnings/errors that are |
There was a problem hiding this comment.
These are really good examples.
| ### Goals | ||
|
|
||
| 1. Allow Tasks to declare optional support for file-based credentials. | ||
| 2. Enable Tasks to offer support of Tekton's multiple competing credential mechanisms. |
There was a problem hiding this comment.
Isn't this just a benefit we get from having optional support for workspace ? (instead of a goal)
There was a problem hiding this comment.
From the perspective of a catalog task author I actually think this is a desirable non-obvious goal. I think we should use it to decide if the feature is successful or not: If we got to the end of this TEP and catalog authors were stuck writing separate tasks to support workspace creds and creds-init creds I'd consider that a failure of the TEP.
|
/kind tep |
There was a problem hiding this comment.
This looks great @sbwsg ! Thanks for the super thorough write up.
My one question is whether we actually need the bound variable or whether it would be reasonable to ask folks to check for the path being the empty string instead. bound is a bit more verbose, but it feels like it might be a bit simpler to leave it out?
Aside from that I really like it!
Gonna get the ball rolling with an:
/approve
And at the very least, a few folks have looked at it, so i think we could merge as "proposed" for sure - lemme know if you want me to lgtm as well @sbwsg
| A required Workspace today already provides a `path` variable. Required Workspaces | ||
| will be updated to also expose the following variable: | ||
|
|
||
| - `$(workspaces.<workspace-name>.bound)`: the literal string `"true"`. A required |
There was a problem hiding this comment.
im torn: i like how explicit this variable is however i think this information is already available in $(workspaces.<workspace-name>.path) - if $(workspaces.<workspace-name>.path) is the empty string, this implies bound is false, im wondering if we need both?
There was a problem hiding this comment.
I'm personally in favor of the explicit bound variable but it mostly comes down to readability / explicitness for me.
Relying on the path being an empty string as a signal of bound-ness feels to me like a kind of institutional knowledge: if you "know" that that's what it signifies then you'll have no problem reading a Task, but if you don't have that knowledge it will just ... look a bit odd. You'll have to go look at some docs and come back and try to figure out the meaning of this slightly idiosyncratic bit of Tekton's syntax. On the other hand, the language of workspaces already includes "bound" - it's in the type itself (WorkspaceBinding) and repeated in loads of places in the workspaces.md doc already.
In some ways I wish the fields were more explicitly named too: Tasks could include a workspaceDeclarations section and Runs could include a workspaceBindings section. Then the language would tie even more closely together. But I think I've probably missed the boat on that one.
There was a problem hiding this comment.
one more counter point for bound:
if you "know" that that's what it signifies then you'll have no problem reading a Task, but if you don't have that knowledge it will just ... look a bit odd
There will be nothing to force folks to use bound when they can get the same information from the path being the empty string, so having 2 ways of representing this information might be make it even harder to read Tasks using this feature?
That's the last thing I'll say about it tho, happy to defer to your preference having said my piece :D
| or other Tasks in a Pipeline. | ||
|
|
||
| Examples of usage include: | ||
| - Receiving test results as a file as well as printed to stdout. |
There was a problem hiding this comment.
this is really interesting, i like the idea of being able to control this at runtime. i wonder if there's some way this feature could be included in the task specialization proposal such that specializing tasks could provide optional workspaces 🤔 🤔 🤔
gonna think about it a bit more!
teps/0010-optional-workspaces.md
Outdated
| 2. Validation of the file contents of the optional storage. | ||
| 3. Validation of "competing" filesystem fields used in a single TaskRun. An optional Workspace | ||
| and an optional PipelineResource competing for the same location on the filesystem will be left | ||
| up to the runtime to handle. |
There was a problem hiding this comment.
i dont totally understand this last one, maybe you could add an example?
There was a problem hiding this comment.
Does it make more sense with the added knowledge that PipelineResources can already be declared optional today? So a PipelineResource declared optional and a Workspace declared optional could conceivably "fight" for the same location on disk.
There was a problem hiding this comment.
(if they're both provided by a user)
There was a problem hiding this comment.
yes! i didnt realize that, thanks :D
will be left up to the runtime to handle.
im not 100% clear what "the runtime" means in this case - the controller? kubernetes itself?
There was a problem hiding this comment.
Ah, good catch I'll update this to be clearer. Yeah I meant "Kubernetes or whatever system is implementing the Tekton API". I guess maybe platform might be a better identifier here?
There was a problem hiding this comment.
haha and I've confused myself. I do quite specifically mean Kubernetes in this case :- k8s will receive a Pod with two volumeMounts both mounting at the same place (one for the resource and one for the workspace). I'm saying it's just kinda up to kubernetes to figure out how or if that causes problems.
There was a problem hiding this comment.
are you saying that in this case, the pipelines controller would try to create a pod that mounts the workspace to the specified location, and then the pipelineresource may try to mount to it as well, and itll be up to the underlying platform to decide what to do?
(if so, i wonder in this case if it would be a better experience to notice this in the pipeline controller and treat the run as invalid?)
There was a problem hiding this comment.
yeah, that's i'm saying this TEP wouldn't protect the user against. I can add validation for that as a requirement and remove this.
There was a problem hiding this comment.
ah kk thanks for explaining. i think it makes sense as a requirement so sgtm, but plz push back if you disagree!
There was a problem hiding this comment.
Updated to include the new requirement.
| a missing optional Workspace does not result in a Default TaskRun Workspace | ||
| being injected in its place. The reason for this is that optional behaviour | ||
| in a Task should not be switched on automatically by the Default TaskRun | ||
| Workspace mechanism. |
|
|
||
| As a Catalog Task author I want to publish a Task that can support both Workspaces | ||
| and PipelineResources in the same location on a Step's filesystem so that my Task's | ||
| users can choose whether to use either field without requiring separate Tasks. |
There was a problem hiding this comment.
oh interesting! i hadnt thought about optional workspaces allowing this 🤔 would this work without changing PipelineResources? i think that if a task says it needs a PipelineResource, the Task won't run without it? (i.e. we'd have to make PipelineResources optional too?)
There was a problem hiding this comment.
@bobcatfish we do support optional PipelineResource already 😉
teps/0010-optional-workspaces.md
Outdated
|
|
||
| ## Drawbacks | ||
|
|
||
| TBD |
There was a problem hiding this comment.
a couple things that come to mind: (cant quite decide if these are risks or drawbacks)
- a task might run extra containers that it doesnt need in the case of an optional workspace, e.g. imagine the last step in a task copies test results onto an optional workspace, and when the workspace isn't provided, the step still runs but does nothing
- might be a bit more confusing to understand what a Task actually requires? (only a bit tho probably)
There was a problem hiding this comment.
* a task might run extra containers that it doesnt need in the case of an optional workspace, e.g. imagine the last step in a task copies test results onto an optional workspace, and when the workspace isn't provided, the step still runs but does nothing
Is it a drawback though ? It doesn't change anything that could happen now (without this feature). You can have a step that does nothing but still runs (based on some params).
* might be a bit more confusing to understand what a Task actually requires? (only a bit tho probably)
We know what is optional for the task (optional workspace, params with default vaule), so what the task requires is whatever is not optional, nor has defaults. A UI could display that I guess.
There was a problem hiding this comment.
For the second point I agree completely this design means the workspace's description field has to pull double-duty: 1) It has to describe what the workspace is for 2) It has to describe how the Task behaviour changes if it's omitted.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bobcatfish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
teps/0010-optional-workspaces.md
Outdated
|
|
||
| ## Drawbacks | ||
|
|
||
| TBD |
There was a problem hiding this comment.
* a task might run extra containers that it doesnt need in the case of an optional workspace, e.g. imagine the last step in a task copies test results onto an optional workspace, and when the workspace isn't provided, the step still runs but does nothing
Is it a drawback though ? It doesn't change anything that could happen now (without this feature). You can have a step that does nothing but still runs (based on some params).
* might be a bit more confusing to understand what a Task actually requires? (only a bit tho probably)
We know what is optional for the task (optional workspace, params with default vaule), so what the task requires is whatever is not optional, nor has defaults. A UI could display that I guess.
|
@vdemeester re
I commented above but one downside id like to add is that having 2 ways to get this information (i.e. it is represented in the empty string AND in the bound var) means folks can use either, so we actually might have folks check the empty string anyway and ignore the bound var, so imo this will make things even more confusing |
Workspaces declared in Tasks are currently always required: a TaskRun cannot elect to omit a Workspace even if the data produced or consumed on that Workspace is irrelevant to the user's needs. This TEP proposes a new boolean `optional` field for Workspace declarations in Tasks. When the optional field is true a TaskRun may choose to omit a Workspace binding, resulting in no filesystem being mounted at that location. This feature would support a couple of use cases: - credentials could be optionally provided. e.g. git-clone could accept a .ssh directory for cloning private repos - catalog tasks could be written to accept either an optional pipelineresource OR an optional workspace at the same location on disk, resulting in a Task that is more flexible to user need - catalog tasks could be written to support both creds-init and explicit credentials-via-workspace. - tasks could be written to optionally take some extra configuration, like a lint config that changes some default errors into warnings - tasks could be written to generate some optional data, such as a manifest of files copied to external storage. - tasks would be able to conditionally skip some amount of work if an optional workspace is not provided by a TaskRun: there'd be no need to generate verbose test output to a file if no workspace was passed in to receive that verbose test result file.
|
Thanks @sbwsg ! I'm happy with this as-is, anyone else want to chime in @vdemeester and other @tektoncd/core-maintainers ? i think all open threads are currently addressed so lemme know if you want me to lgtm so we can merge with "proposed" @sbwsg |
|
/lgtm |
The optional workspaces TEP was pretty thoroughly edited and reviewed during the proposal phase (#169). There were no outstanding blockers or requests for more information that I'm aware of that should prevent this TEP moving to implementable. This PR moves the optional workspaces TEP into implementable state with intention to go ahead and add this feature to Tekton Pipelines.
I'm an owner on the pipelines repo and would like to help out with approvals on TEPs related to pipelines. I've contributed a bit to the community repo already with various TEPs and process-related changes: - Step & Sidecar Workspaces TEP: #225 - Optional Workspaces TEP: #169 - TEP Template updates: #268, #270, #238
TEP for tektoncd/pipeline#2119
Workspaces declared in Tasks are currently always required: a TaskRun
cannot elect to omit a Workspace even if the data produced or consumed
on that Workspace is irrelevant to the user's needs.
This TEP proposes a new boolean
optionalfield for Workspacedeclarations in Tasks. When the optional field is true a TaskRun
may choose to omit a Workspace binding, resulting in no filesystem
being mounted at that location. This feature would support a couple of
use cases:
a .ssh directory for cloning private repos
credentials-via-workspace.
like a lint config that changes some default errors into warnings
of the files copied out to external storage.
optional workspace is not provided by a TaskRun: there'd be no need
to generate verbose test output to a file if no workspace was passed in
to receive that verbose test result file.
pipelineresource OR an optional workspace at the same location on
disk, resulting in a Task that is more flexible to user need