TEP-0089: Refactor setting of "enforce-nonfalsifiability" feature flag
In this change, we refactor the code for setting the "enforce-nonfalsifiability"
feature flag to make it easier to understand, and consistent with the rest
of the code. It also removes a confusing behavior in non-alpha mode where it
would override the user-specified value, set the flag to "none" and then throw
an error message. With this change, we just throw an error message directly.

This refactor will make it easier to promote the feature to beta, and beyond.

This change also documents that `enable-api-fields` has to be set to `"alpha"`
for non-falsifiability to work.
jerop committed Apr 12, 2023
1 parent abd1849 commit b49e78e
Showing 2 changed files with 24 additions and 12 deletions.
2 changes: 1 addition & 1 deletion docs/spire.md
Expand Up @@ -64,7 +64,7 @@ When a TaskRun is created:
## Enabling TaskRun result attestations

To enable TaskRun attestations:
1. Make sure `enforce-nonfalsifiability` is set to `"spire"` in the `feature-flags` configmap, see [`install.md`](./install.md#customizing-the-pipelines-controller-behavior) for details
1. Make sure `enforce-nonfalsifiability` is set to `"spire"` and `enable-api-fields` is set to `"alpha"` in the `feature-flags` configmap, see [`install.md`](./install.md#customizing-the-pipelines-controller-behavior) for details
1. Create a SPIRE deployment containing a SPIRE server, SPIRE agents and the SPIRE CSI driver, for convenience, [this sample single cluster deployment](https://github.com/spiffe/spiffe-csi/tree/main/example/config) can be used.
1. Register the SPIRE workload entry for Tekton with the "Admin" flag, which will allow the Tekton controller to communicate with the SPIRE server to manage the TaskRun identities dynamically.
```
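Review bot: the added step packs two prerequisites and a cross-reference into one comma-spliced sentence, so the new `enable-api-fields` requirement is easy to miss; split it, e.g. `Make sure `enforce-nonfalsifiability` is set to `"spire"` and `enable-api-fields` is set to `"alpha"` in the `feature-flags` configmap.` followed by `See [`install.md`](./install.md#customizing-the-pipelines-controller-behavior) for details.` It would also help operators to state the failure mode introduced by the controller change in this same commit: a non-default `enforce-nonfalsifiability` value without `enable-api-fields: "alpha"` is now rejected with an error at feature-flag parsing time rather than being silently ignored, so a SPIRE setup that skips step 1 fails loudly.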
34 changes: 23 additions & 11 deletions pkg/apis/config/feature_flags.go
Expand Up @@ -190,6 +190,9 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
if err := setMaxResultSize(cfgMap, DefaultMaxResultSize, &tc.MaxResultSize); err != nil {
return nil, err
}
if err := setEnforceNonFalsifiability(cfgMap, tc.EnableAPIFields, &tc.EnforceNonfalsifiability); err != nil {
return nil, err
}

// Given that they are alpha features, Tekton Bundles and Custom Tasks should be switched on if
// enable-api-fields is "alpha". If enable-api-fields is not "alpha" then fall back to the value of
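Review bot: the new call passes `tc.EnableAPIFields` into `setEnforceNonFalsifiability`, so it is only correct if `setEnabledAPIFields` has already populated that field earlier in `NewFeatureFlagsFromMap`; that ordering dependency is implicit and not visible at the call site. Add a short comment above the call (e.g. `// must run after setEnabledAPIFields has populated tc.EnableAPIFields`) or pass the resolved value explicitly, so that a future reordering of the `set*` calls cannot silently evaluate the gate against an empty string, which would take the non-alpha branch and reject a legitimately configured alpha deployment.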
Expand All @@ -199,21 +202,10 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
// defeat the purpose of having a single shared gate for all alpha features.
if tc.EnableAPIFields == AlphaAPIFields {
tc.EnableTektonOCIBundles = true
// Only consider SPIRE if alpha is on.
enforceNonfalsifiabilityValue, err := getEnforceNonfalsifiabilityFeature(cfgMap)
if err != nil {
return nil, err
}
tc.EnforceNonfalsifiability = enforceNonfalsifiabilityValue
} else {
if err := setFeature(enableTektonOCIBundles, DefaultEnableTektonOciBundles, &tc.EnableTektonOCIBundles); err != nil {
return nil, err
}
// Do not enable any form of non-falsifiability enforcement in non-alpha mode.
tc.EnforceNonfalsifiability = EnforceNonfalsifiabilityNone
if enforceNonfalsifiabilityValue, err := getEnforceNonfalsifiabilityFeature(cfgMap); err != nil || enforceNonfalsifiabilityValue != DefaultEnforceNonfalsifiability {
return nil, fmt.Errorf("%q can be set to non-default values (%q) only in alpha", enforceNonfalsifiability, enforceNonfalsifiabilityValue)
}
}
return &tc, nil
}
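Review bot: the removed non-alpha branch folded two distinct failures into one message: with `err != nil || enforceNonfalsifiabilityValue != DefaultEnforceNonfalsifiability`, an unparseable value was reported as `can be set to non-default values (...) only in alpha`, hiding the real parse error and printing whatever partial value the getter returned. The replacement returns the parse error first and only then applies the alpha gate, which is the right split, but nothing in this diff adds a test for the non-alpha plus invalid-value case; add one so the distinct error text is locked in, and call out the user-visible change in error text in the commit message since it is a behaviour change, not only a refactor.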
Expand All @@ -234,6 +226,26 @@ func setEnabledAPIFields(cfgMap map[string]string, defaultValue string, feature
return nil
}

// setEnforceNonFalsifiability sets the ""enforce-nonfalsifiability"" flag based on the content of a given map.
// If the feature gate is invalid, then an error is returned.
func setEnforceNonFalsifiability(cfgMap map[string]string, enableAPIFields string, feature *string) error {
value, err := getEnforceNonfalsifiabilityFeature(cfgMap)
if err != nil {
return err
}
switch enableAPIFields {
case AlphaAPIFields:
// Only consider SPIRE if alpha is on.
*feature = value
default:
// Do not consider any form of non-falsifiability enforcement in non-alpha mode.
if value != DefaultEnforceNonfalsifiability {
return fmt.Errorf("%q can be set to non-default values (%q) only in alpha", enforceNonfalsifiability, value)
}
}
return nil
}

// setResultExtractionMethod sets the "results-from" flag based on the content of a given map.
// If the feature gate is invalid or missing then an error is returned.
func setResultExtractionMethod(cfgMap map[string]string, defaultValue string, feature *string) error {
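Review bot: the `default:` branch of the new `switch` never assigns `*feature`, so in non-alpha mode `tc.EnforceNonfalsifiability` is left at whatever it held before the call (the zero value `""` unless `tc` is initialised elsewhere) rather than being set to `EnforceNonfalsifiabilityNone` as the removed `tc.EnforceNonfalsifiability = EnforceNonfalsifiabilityNone` line in `NewFeatureFlagsFromMap` did; any caller that compares the field against `EnforceNonfalsifiabilityNone` or prints it will now see a different value. Assign the default explicitly in that branch, e.g. `*feature = DefaultEnforceNonfalsifiability` after the non-default check. Two smaller points: the doc comment has doubled quotes (`""enforce-nonfalsifiability""`), and the name `setEnforceNonFalsifiability` capitalises `Falsifiability` while the getter `getEnforceNonfalsifiabilityFeature` and the `EnforceNonfalsifiability*` constants do not, which makes the function harder to find by grep.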