Skip to content

Commit

Permalink
Promote the provenance field in status
Browse files Browse the repository at this point in the history
Fixes #6309.

Prior, the `provenance` field in status was gated by the dedicated feature
flag named `enable-provenance-in-status`.

This PR moves the field out of the feature flag.

Signed-off-by: Chuang Wang <chuangw@google.com>
  • Loading branch information
chuangw6 committed May 2, 2023
1 parent 09d422c commit f8b7e4f
Show file tree
Hide file tree
Showing 11 changed files with 176 additions and 90 deletions.
9 changes: 4 additions & 5 deletions config/config-feature-flags.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,11 +81,10 @@ data:
# If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged.
# If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged.
trusted-resources-verification-no-match-policy: "ignore"
# Setting this flag to "true" enables populating the "provenance" field in TaskRun
# and PipelineRun status. This field contains metadata about resources used
# in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
# definition was fetched.
enable-provenance-in-status: "false"
# Setting this flag will determine the version for custom tasks created by PipelineRuns.
# Acceptable values are "v1beta1" and "v1alpha1".
# The default is "v1beta1".
custom-task-version: "v1beta1"
# Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
# If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
# If set to "none", then Tekton will not have non-falsifiable provenance.
Expand Down
10 changes: 5 additions & 5 deletions docs/additional-configs.md
Original file line number Diff line number Diff line change
Expand Up @@ -245,10 +245,11 @@ Defaults to "ignore".

- `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.

- `enable-provenance-in-status`: set this flag to "true" to enable recording
the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
field contains metadata about resources used in the TaskRun/PipelineRun such as the
source from where a remote Task/Pipeline definition was fetched.
- `custom-task-version`: set this flag to "v1beta1" to have `PipelineRuns` create `CustomRuns`
from Custom Tasks. Set it to "v1alpha1" to have `PipelineRuns` create the legacy alpha
`Runs`. This may be needed if you are using legacy Custom Tasks that listen for `*v1alpha1.Run`
instead of `*v1beta1.CustomRun`. For more information, see [Runs](runs.md) and [CustomRuns](customruns.md).
Flag defaults to "v1beta1".

For example:

Expand Down Expand Up @@ -284,7 +285,6 @@ Features currently in "alpha" are:
| [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md) | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) | |
| [Object Params and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | | |
| [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `trusted-resources-verification-no-match-policy` |
| [`Provenance` field in Status](pipeline-api.md#provenance) | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550) | N/A | `enable-provenance-in-status` |
| [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs) | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md) | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from` |
| [Configure Default Resolver](./resolution.md#configuring-built-in-resolvers) | [TEP-0133](https://github.com/tektoncd/community/blob/main/teps/0133-configure-default-resolver.md) | N/A | |

Expand Down
7 changes: 0 additions & 7 deletions pkg/apis/config/feature_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,6 @@ const (
DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
// DefaultNoMatchPolicyConfig is the default value for "trusted-resources-verification-no-match-policy".
DefaultNoMatchPolicyConfig = IgnoreNoMatchPolicy
// DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
DefaultEnableProvenanceInStatus = false
// DefaultResultExtractionMethod is the default value for ResultExtractionMethod
DefaultResultExtractionMethod = ResultExtractionMethodTerminationMessage
// DefaultMaxResultSize is the default value in bytes for the size of a result
Expand All @@ -87,7 +85,6 @@ const (
sendCloudEventsForRuns = "send-cloudevents-for-runs"
enforceNonfalsifiability = "enforce-nonfalsifiability"
verificationNoMatchPolicy = "trusted-resources-verification-no-match-policy"
enableProvenanceInStatus = "enable-provenance-in-status"
resultExtractionMethod = "results-from"
maxResultSize = "max-result-size"
)
Expand All @@ -113,7 +110,6 @@ type FeatureFlags struct {
// warn: skip trusted resources verification when no matching verification policies found and log a warning
// fail: fail the taskrun or pipelines run if no matching verification policies found
VerificationNoMatchPolicy string
EnableProvenanceInStatus bool
ResultExtractionMethod string
MaxResultSize int
}
Expand Down Expand Up @@ -167,9 +163,6 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
if err := setVerificationNoMatchPolicy(cfgMap, DefaultNoMatchPolicyConfig, &tc.VerificationNoMatchPolicy); err != nil {
return nil, err
}
if err := setFeature(enableProvenanceInStatus, DefaultEnableProvenanceInStatus, &tc.EnableProvenanceInStatus); err != nil {
return nil, err
}
if err := setResultExtractionMethod(cfgMap, DefaultResultExtractionMethod, &tc.ResultExtractionMethod); err != nil {
return nil, err
}
Expand Down
3 changes: 0 additions & 3 deletions pkg/apis/config/feature_flags_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
EnableAPIFields: config.DefaultEnableAPIFields,
SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
ResultExtractionMethod: config.DefaultResultExtractionMethod,
MaxResultSize: config.DefaultMaxResultSize,
},
Expand All @@ -65,7 +64,6 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
SendCloudEventsForRuns: true,
EnforceNonfalsifiability: "spire",
VerificationNoMatchPolicy: config.FailNoMatchPolicy,
EnableProvenanceInStatus: true,
ResultExtractionMethod: "termination-message",
MaxResultSize: 4096,
},
Expand Down Expand Up @@ -172,7 +170,6 @@ func TestNewFeatureFlagsFromEmptyConfigMap(t *testing.T) {
SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
EnforceNonfalsifiability: config.DefaultEnforceNonfalsifiability,
VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
ResultExtractionMethod: config.DefaultResultExtractionMethod,
MaxResultSize: config.DefaultMaxResultSize,
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/apis/config/testdata/feature-flags-all-flags-set.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,4 @@ data:
send-cloudevents-for-runs: "true"
enforce-nonfalsifiability: "spire"
trusted-resources-verification-no-match-policy: "fail"
enable-provenance-in-status: "true"
custom-task-version: "v1beta1"
22 changes: 10 additions & 12 deletions pkg/reconciler/pipelinerun/pipelinerun.go
Original file line number Diff line number Diff line change
Expand Up @@ -1224,19 +1224,17 @@ func storePipelineSpecAndMergeMeta(ctx context.Context, pr *v1beta1.PipelineRun,
// Propagate refSource from remote resolution to PipelineRun Status
// This lives outside of the status.spec check to avoid the case where only the spec is available in the first reconcile and source comes in next reconcile.
cfg := config.FromContextOrDefaults(ctx)
if cfg.FeatureFlags.EnableProvenanceInStatus {
if pr.Status.Provenance == nil {
pr.Status.Provenance = &v1beta1.Provenance{}
}
// Store FeatureFlags in the Provenance.
pr.Status.Provenance.FeatureFlags = cfg.FeatureFlags
if pr.Status.Provenance == nil {
pr.Status.Provenance = &v1beta1.Provenance{}
}
// Store FeatureFlags in the Provenance.
pr.Status.Provenance.FeatureFlags = cfg.FeatureFlags

if meta != nil && meta.RefSource != nil && pr.Status.Provenance.RefSource == nil {
pr.Status.Provenance.RefSource = meta.RefSource
}
if meta != nil && meta.RefSource != nil && pr.Status.Provenance.ConfigSource == nil {
pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource)
}
if meta != nil && meta.RefSource != nil && pr.Status.Provenance.RefSource == nil {
pr.Status.Provenance.RefSource = meta.RefSource
}
if meta != nil && meta.RefSource != nil && pr.Status.Provenance.ConfigSource == nil {
pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource)
}

return nil
Expand Down
Loading

0 comments on commit f8b7e4f

Please sign in to comment.