Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent modification of annotations on completed TaskRuns #7603

Merged
merged 1 commit into from
Feb 9, 2024
Merged

fix: prevent modification of annotations on completed TaskRuns #7603

merged 1 commit into from
Feb 9, 2024

Conversation

l-qing
Copy link
Contributor

@l-qing l-qing commented Jan 23, 2024
edited by dibyom
Loading

In TaskRun, the annotation pipeline.tekton.dev/release records the version information of the pipeline. If the Pipeline is updated, the annotation in the completed TaskRuns should not be modified.

  • pipeline/pkg/reconciler/taskrun/taskrun.go

    Lines 142 to 155 in e1c7828

    // If the TaskRun is complete, run some post run fixtures when applicable
    if tr.IsDone() {
    logger.Infof("taskrun done : %s \n", tr.Name)
    // We may be reading a version of the object that was stored at an older version
    // and may not have had all of the assumed default specified.
    tr.SetDefaults(ctx)
    if err := c.stopSidecars(ctx, tr); err != nil {
    return err
    }
    return c.finishReconcileUpdateEmitEvents(ctx, tr, before, nil)
    }

  • pipeline/pkg/reconciler/taskrun/taskrun.go

    Lines 295 to 319 in e1c7828

    func (c *Reconciler) finishReconcileUpdateEmitEvents(ctx context.Context, tr *v1.TaskRun, beforeCondition *apis.Condition, previousError error) error {
    ctx, span := c.tracerProvider.Tracer(TracerName).Start(ctx, "finishReconcileUpdateEmitEvents")
    defer span.End()
    logger := logging.FromContext(ctx)
    afterCondition := tr.Status.GetCondition(apis.ConditionSucceeded)
    if afterCondition.IsFalse() && !tr.IsCancelled() && tr.IsRetriable() {
    retryTaskRun(tr, afterCondition.Message)
    afterCondition = tr.Status.GetCondition(apis.ConditionSucceeded)
    }
    // Send k8s events and cloud events (when configured)
    events.Emit(ctx, beforeCondition, afterCondition, tr)
    _, err := c.updateLabelsAndAnnotations(ctx, tr)
    if err != nil {
    logger.Warn("Failed to update TaskRun labels/annotations", zap.Error(err))
    events.EmitError(controller.GetEventRecorder(ctx), err, tr)
    }
    merr := multierror.Append(previousError, err).ErrorOrNil()
    if controller.IsPermanentError(previousError) {
    return controller.NewPermanentError(merr)
    }
    return merr
    }

  • pipeline/pkg/reconciler/taskrun/taskrun.go

    Lines 650 to 657 in e1c7828

    func (c *Reconciler) updateLabelsAndAnnotations(ctx context.Context, tr *v1.TaskRun) (*v1.TaskRun, error) {
    ctx, span := c.tracerProvider.Tracer(TracerName).Start(ctx, "updateLabelsAndAnnotations")
    defer span.End()
    // Ensure the TaskRun is properly decorated with the version of the Tekton controller processing it.
    if tr.Annotations == nil {
    tr.Annotations = make(map[string]string, 1)
    }
    tr.Annotations[podconvert.ReleaseAnnotation] = changeset.Get()

Changes

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

fix: the pipeline controller will no longer modify any annotation it has set on completed pipelineruns

/kind bug

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 23, 2024
@tekton-robot
Copy link
Collaborator

Hi @l-qing. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from 8da0ef7 to 7fd3ae4 Compare January 23, 2024 11:37
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

khrm
khrm reviewed Jan 23, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 23, 2024
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

vdemeester
vdemeester requested changes Jan 23, 2024
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is most likely going to be a problem as some things need to update annotations once the TaskRun or PipelineRun is done. An example is the chains component that signs outputs once the run is done and adds annotations to the object once signed.

cc @tektoncd/core-maintainers @tektoncd/chains-maintainers

@lcarva
Copy link
Contributor

lcarva commented Jan 23, 2024

This is most likely going to be a problem as some things need to update annotations once the TaskRun or PipelineRun is done. An example is the chains component that signs outputs once the run is done and adds annotations to the object once signed.

Yup! I believe this is also true for the Tekton Results project. cc @tektoncd/results-maintainers

@l-qing, could provide more context on why the suggested changes are desired?

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from 7fd3ae4 to 469906f Compare January 24, 2024 00:26
@l-qing
Copy link
Contributor Author

l-qing commented Jan 24, 2024

could provide more context on why the suggested changes are desired?

As described above: After upgrading the Pipeline, I found that the Annotations pipeline.tekton.dev/release of the historical TaskRun have all been modified. I believe this operation is not expected.
There may be several thousand TaskRuns in my environment.
The Pipeline I'm using is a custom-built version, such annotations changes happen quite frequently, unlike the community ones.

I might not be very familiar with tekton result.
But looking at the code logic here, it seems like it won't affect other components.
Because this change, only affects those taskruns that were already in a done state before entering reconcile. Originally they weren't doing much anyway.

pipeline/pkg/reconciler/taskrun/taskrun.go

Lines 107 to 155 in e1c7828

// ReconcileKind compares the actual state with the desired, and attempts to
// converge the two. It then updates the Status block of the Task Run
// resource with the current status of the resource.
func (c *Reconciler) ReconcileKind(ctx context.Context, tr *v1.TaskRun) pkgreconciler.Event {
logger := logging.FromContext(ctx)
ctx = cloudevent.ToContext(ctx, c.cloudEventClient)
ctx = initTracing(ctx, c.tracerProvider, tr)
ctx, span := c.tracerProvider.Tracer(TracerName).Start(ctx, "TaskRun:ReconcileKind")
defer span.End()
span.SetAttributes(attribute.String("taskrun", tr.Name), attribute.String("namespace", tr.Namespace))
// Read the initial condition
before := tr.Status.GetCondition(apis.ConditionSucceeded)
// Record the duration and count after the reconcile cycle.
defer c.durationAndCountMetrics(ctx, tr, before)
// If the TaskRun is just starting, this will also set the starttime,
// from which the timeout will immediately begin counting down.
if !tr.HasStarted() {
tr.Status.InitializeConditions()
// In case node time was not synchronized, when controller has been scheduled to other nodes.
if tr.Status.StartTime.Sub(tr.CreationTimestamp.Time) < 0 {
logger.Warnf("TaskRun %s createTimestamp %s is after the taskRun started %s", tr.GetNamespacedName().String(), tr.CreationTimestamp, tr.Status.StartTime)
tr.Status.StartTime = &tr.CreationTimestamp
}
// Emit events. During the first reconcile the status of the TaskRun may change twice
// from not Started to Started and then to Running, so we need to sent the event here
// and at the end of 'Reconcile' again.
// We also want to send the "Started" event as soon as possible for anyone who may be waiting
// on the event to perform user facing initialisations, such has reset a CI check status
afterCondition := tr.Status.GetCondition(apis.ConditionSucceeded)
events.Emit(ctx, nil, afterCondition, tr)
}
// If the TaskRun is complete, run some post run fixtures when applicable
if tr.IsDone() {
logger.Infof("taskrun done : %s \n", tr.Name)
// We may be reading a version of the object that was stored at an older version
// and may not have had all of the assumed default specified.
tr.SetDefaults(ctx)
if err := c.stopSidecars(ctx, tr); err != nil {
return err
}
return c.finishReconcileUpdateEmitEvents(ctx, tr, before, nil)
}

I have updated the description to elucidate the impact.

pipeline/pkg/reconciler/taskrun/taskrun.go

Lines 310 to 313 in 469906f

// If the Run has been completed before and remains so at present,
// no need to update the labels and annotations
skipUpdateLabelsAndAnnotations := !afterCondition.IsUnknown() && !beforeCondition.IsUnknown()
if !skipUpdateLabelsAndAnnotations {

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@vdemeester
Copy link
Member

@l-qing chains doesn't act "until" the taskrun is done (see here), and will put an annotation on it (see here). I didn't see it as obvious as this in the results codebase, but, essentially, it might block possible other "usage" (outside of chains and results).

That said, given your usecase, we probably want to disallow mutating some of the annotations (or ignore these mutation), and essentially, pipeline.tekton.dev/release.

khrm
khrm reviewed Jan 24, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vdemeester
I don't think this PR stops tekton-chains or tekton-results from adding annotations. It just blocks this function

pipeline/pkg/reconciler/taskrun/taskrun.go

Line 650 in 39cdda0

func (c *Reconciler) updateLabelsAndAnnotations(ctx context.Context, tr *v1.TaskRun) (*v1.TaskRun, error) {

Changes aren't in the validator code but reconciler. It's okay if the annotation for a completed pipelinerun/taskrun is not updated by the pipeline controllers.
Is my understanding correct, @l-qing ?

@khrm
Copy link
Contributor

khrm commented Jan 24, 2024

/test pull-tekton-pipeline-unit-tests

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from 469906f to 09e2c7d Compare January 24, 2024 15:20
@l-qing
Copy link
Contributor Author

l-qing commented Jan 24, 2024

@vdemeester I don't think this PR stops tekton-chains or tekton-results from adding annotations. It just blocks this function

pipeline/pkg/reconciler/taskrun/taskrun.go

Line 650 in 39cdda0

func (c *Reconciler) updateLabelsAndAnnotations(ctx context.Context, tr *v1.TaskRun) (*v1.TaskRun, error) {

Changes aren't in the validator code but reconciler. It's okay if the annotation for a completed pipelinerun/taskrun is not updated by the pipeline controllers. Is my understanding correct, @l-qing ?

Yes, that's exactly what I mean.

In the reconcile of the PipelineRun, I noticed that there is no location where the pipeline.tekton.dev/release annotations are set, so I reverted the code related to PipelineRun. 😆

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@vdemeester
Copy link
Member

Ah I mis-read the PR then. It's preventing the pipeline controller itself to updated labels and annotations once the run is done 👍🏼. Then yes, it shouldn't be a problem !

/approve

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 24, 2024
@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from 09e2c7d to f48148b Compare January 25, 2024 03:00
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from f48148b to c8588bd Compare January 28, 2024 15:22
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from c8588bd to c44ef71 Compare January 31, 2024 06:01
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.2% 85.3% 0.1

@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from c44ef71 to e00833b Compare February 7, 2024 11:26
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.4% 85.5% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 85.4% 85.5% 0.1

@l-qing
fix: prevent modification of annotations on completed TaskRuns
4923478 
In TaskRun, the annotation `pipeline.tekton.dev/release` records the version
information of the pipeline. If the Pipeline is updated, the annotation in the
completed TaskRuns should not be modified.
@l-qing l-qing force-pushed the fix/immutable-completed-taskrun-annotations branch from e00833b to 4923478 Compare February 8, 2024 14:07
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 86.5% 86.6% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/taskrun.go 86.5% 86.6% 0.1

@l-qing
Copy link
Contributor Author

l-qing commented Feb 9, 2024

/retest-required

dibyom
dibyom approved these changes Feb 9, 2024
View reviewed changes
Copy link
Member

@dibyom dibyom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @l-qing - I updated the release note to make it a bit clearer that this is only preventing modification of the annotations that are set by the pipeline controller.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 9, 2024
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot merged commit d8c2ce9 into tektoncd:main Feb 9, 2024
12 checks passed
@l-qing l-qing deleted the fix/immutable-completed-taskrun-annotations branch February 10, 2024 13:43
@l-qing
Copy link
Contributor Author

l-qing commented Feb 10, 2024

Thanks @l-qing - I updated the release note to make it a bit clearer that this is only preventing modification of the annotations that are set by the pipeline controller.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@khrm khrm khrm left review comments

@dibyom dibyom dibyom approved these changes

@vdemeester vdemeester vdemeester approved these changes

@pritidesai pritidesai Awaiting requested review from pritidesai

Assignees

@dibyom dibyom

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@l-qing @tekton-robot @lcarva @vdemeester @khrm @dibyom