Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split array param indexing validation between reconciler and webhook #6652

Merged
merged 1 commit into from
May 16, 2023
Merged

Split array param indexing validation between reconciler and webhook #6652

merged 1 commit into from
May 16, 2023

Conversation

lbernick
Copy link
Member

There are two components to validation of array param indexing:

  1. Validating that beta features are enabled.
  2. Validating that array indexes are in bounds.

Prior to this commit, both of these forms of validation were done in the PipelineRun reconciler. However, the first form of validation differs between the v1beta1 and the v1 API version. In addition, array index bounds checking was skipped if beta features were disabled. This meant that if "enable-api-fields" was set to "stable", a user could create a beta Task/Pipeline using array parameter indexing, and we would not validate whether indexes were in bounds, potentially leading to a confusing error message or reconciler panic.

This commit moves the first form of validation to take place only in the webhook, leaving validation for bounds checking in the reconciler. Bounds checking is performed regardless of what feature flags are enabled.

/kind bug
Partially addresses #6616
Closes #6102
Related: #6607

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • n/a Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • n/a Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

bug fix: always perform validation of array parameter index bounds checking

@tekton-robot tekton-robot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 12, 2023
@tekton-robot tekton-robot requested review from bobcatfish and dibyom May 12, 2023 12:50
@lbernick
Split array param indexing validation between reconciler and webhook
412d9c8 
There are two components to validation of array param indexing:

1. Validating that beta features are enabled.
2. Validating that array indexes are in bounds.

Prior to this commit, both of these forms of validation were done in the PipelineRun reconciler.
However, the first form of validation differs between the v1beta1 and the v1 API version.
In addition, array index bounds checking was skipped if beta features were disabled.
This meant that if "enable-api-fields" was set to "stable", a user could create a beta Task/Pipeline
using array parameter indexing, and we would not validate whether indexes were in bounds, potentially
leading to a confusing error message or reconciler panic.

This commit moves the first form of validation to take place only in the webhook,
leaving validation for bounds checking in the reconciler. Bounds checking is performed regardless
of what feature flags are enabled.
@lbernick lbernick mentioned this pull request May 12, 2023
Merged
4 tasks
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1/pipeline_validation.go 99.4% 99.7% 0.3
pkg/apis/pipeline/v1/task_validation.go 96.8% 97.3% 0.5

@lbernick lbernick added this to the Pipelines v0.48 milestone May 12, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1/pipeline_validation.go 99.4% 99.7% 0.3
pkg/apis/pipeline/v1/task_validation.go 96.8% 97.3% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1/pipeline_validation.go 99.4% 99.7% 0.3
pkg/apis/pipeline/v1/task_validation.go 96.8% 97.3% 0.5

Yongxuanzhang

This comment was marked as duplicate.

Sign in to view

@Yongxuanzhang
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2023
JeromeJu
JeromeJu approved these changes May 15, 2023
View reviewed changes
Copy link
Member

@JeromeJu JeromeJu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Lee

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JeromeJu, jerop

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 16, 2023
@tekton-robot tekton-robot merged commit 8f76a04 into tektoncd:main May 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Yongxuanzhang Yongxuanzhang Yongxuanzhang left review comments

@JeromeJu JeromeJu JeromeJu approved these changes

@jerop jerop jerop approved these changes

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@dibyom dibyom Awaiting requested review from dibyom

Assignees

@jerop jerop

@Yongxuanzhang Yongxuanzhang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
Pipelines v0.48
Development

Successfully merging this pull request may close these issues.

improve error message when indexing into an array is used with stable api
5 participants
@lbernick @tekton-robot @Yongxuanzhang @jerop @JeromeJu