[TEP-0029] Isolated steps and sidecar workspaces to beta

This feature has been implemented in Tekton Pipelines v0.24.0. Isolated workspaces gives our user an option for improved security, which is why it's important to work towards making it available to our users by default. No outstanding issue exists for this feature, except for the proposal to promote it to beta. Fixes tektoncd#6109 Signed-off-by: Andrea Frittoli <[email protected]>
afrittoli · Jul 12, 2023 · 2057c67 · 2057c67
1 parent b769b56
commit 2057c67
Show file tree

Hide file tree

Showing 11 changed files with 15 additions and 61 deletions.
diff --git a/docs/additional-configs.md b/docs/additional-configs.md
@@ -298,7 +298,6 @@ Features currently in "alpha" are:
 | Feature                                                                                             | Proposal                                                                                                                   | Release                                                              | Individual Flag               |
 |:----------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:------------------------------|
 | [Bundles ](./pipelineruns.md#tekton-bundles)                                                        | [TEP-0005](https://github.com/tektoncd/community/blob/main/teps/0005-tekton-oci-bundles.md)                                | [v0.18.0](https://github.com/tektoncd/pipeline/releases/tag/v0.18.0) | `enable-tekton-oci-bundles`   |
-| [Isolated `Step` & `Sidecar` `Workspaces`](./workspaces.md#isolated-workspaces)                     | [TEP-0029](https://github.com/tektoncd/community/blob/main/teps/0029-step-workspaces.md)                                   | [v0.24.0](https://github.com/tektoncd/pipeline/releases/tag/v0.24.0) |                               |
 | [Hermetic Execution Mode](./hermetic.md)                                                            | [TEP-0025](https://github.com/tektoncd/community/blob/main/teps/0025-hermekton.md)                                         | [v0.25.0](https://github.com/tektoncd/pipeline/releases/tag/v0.25.0) |                               |
 | [Windows Scripts](./tasks.md#windows-scripts)                                                       | [TEP-0057](https://github.com/tektoncd/community/blob/main/teps/0057-windows-support.md)                                   | [v0.28.0](https://github.com/tektoncd/pipeline/releases/tag/v0.28.0) |                               |
 | [Debug](./debug.md)                                                                                 | [TEP-0042](https://github.com/tektoncd/community/blob/main/teps/0042-taskrun-breakpoint-on-failure.md)                     | [v0.26.0](https://github.com/tektoncd/pipeline/releases/tag/v0.26.0) |                               |
@@ -323,11 +322,12 @@ Features currently in "beta" are:
 | Feature                                                            | Proposal                                                                                        | Alpha Release                                                        | Beta Release                                                         | Individual Flag |
 |:-------------------------------------------------------------------|:------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------------------------------------------------------------------|:----------------|
 | [Array Results and Array Indexing](pipelineruns.md#specifying-parameters)             | [TEP-0076](https://github.com/tektoncd/community/blob/main/teps/0076-array-result-types.md)     | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | [v0.45.0](https://github.com/tektoncd/pipeline/releases/tag/v0.45.0) |                 |
-| [Object Parameters and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.46.0](https://github.com/tektoncd/pipeline/releases/tag/v0.46.0) |
-| [Remote Tasks](./taskruns.md#remote-tasks) and [Remote Pipelines](./pipelineruns.md#remote-pipelines) | [TEP-0060](https://github.com/tektoncd/community/blob/main/teps/0060-remote-resolution.md) | [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) |
+| [Object Parameters and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | | [v0.46.0](https://github.com/tektoncd/pipeline/releases/tag/v0.46.0) | 
+| [Remote Tasks](./taskruns.md#remote-tasks) and [Remote Pipelines](./pipelineruns.md#remote-pipelines) | [TEP-0060](https://github.com/tektoncd/community/blob/main/teps/0060-remote-resolution.md) | | [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) |
 | [`Provenance` field in Status](pipeline-api.md#provenance)| [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0)| [v0.48.0](https://github.com/tektoncd/pipeline/releases/tag/v0.48.0) | `enable-provenance-in-status`|
 | [CSI workspaces](workspaces.md#csi)| [issue#4446](https://github.com/tektoncd/pipeline/issues/4446)| [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) | |
 | [Projected volume workspaces](workspaces.md#projected)| [issue#5075](https://github.com/tektoncd/pipeline/issues/5075)| [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) | |
+| [Isolated `Step` & `Sidecar` `Workspaces`](./workspaces.md#isolated-workspaces)                     | [TEP-0029](https://github.com/tektoncd/community/blob/main/teps/0029-step-workspaces.md)                                   | [v0.24.0](https://github.com/tektoncd/pipeline/releases/tag/v0.24.0) | [v0.50.0](https://github.com/tektoncd/pipeline/releases/tag/v0.50.0) |
 
 ## Enabling larger results using sidecar logs
 

diff --git a/docs/workspaces.md b/docs/workspaces.md
@@ -67,7 +67,7 @@ information in the `TaskRun` changes.
 configuration involved to add the required `volumeMount`. This allows for a
 long-running process in a `Sidecar` to share data with the executing `Steps` of a `Task`.
 
-**Note**: If the `enable-api-fields` feature-flag is set to `"alpha"` then workspaces
+**Note**: If the `enable-api-fields` feature-flag is set to `"beta"` then workspaces
 will automatically be available to `Sidecars` too!
 
 ### `Workspaces` in `Pipelines` and `PipelineRuns`
@@ -101,7 +101,7 @@ the `optional` field.
 
 ### Isolated `Workspaces`
 
-This is an alpha feature. The `enable-api-fields` feature flag [must be set to `"alpha"`](./install.md)
+This is a beta feature. The `enable-api-fields` feature flag [must be set to `"beta"`](./install.md)
 for Isolated Workspaces to function.
 
 Certain kinds of data are more sensitive than others. To reduce exposure of sensitive data Task
@@ -187,16 +187,16 @@ spec:
         touch "$(workspaces.signals.path)/ready"
 ```
 
-**Note:** Starting in Pipelines v0.24.0 `Sidecars` automatically get access to `Workspaces`.This is an
-alpha feature and requires Pipelines to have [the "alpha" feature gate enabled](./install.md#alpha-features).
+**Note:** Starting in Pipelines v0.24.0 `Sidecars` automatically get access to `Workspaces`. This is a
+beta feature and requires Pipelines to have [the "beta" feature gate enabled](./install.md#beta-features).
 
 If a Sidecar already has a `volumeMount` at the location expected for a `workspace` then that `workspace` is
 not bound to the Sidecar. This preserves backwards-compatibility with any existing uses of the `volumeMount`
 trick described above.
 
 #### Isolating `Workspaces` to Specific `Steps` or `Sidecars`
 
-This is an alpha feature. The `enable-api-fields` feature flag [must be set to `"alpha"`](./install.md)
+This is a beta feature. The `enable-api-fields` feature flag [must be set to `"beta"`](./install.md#beta-features)
 for Isolated Workspaces to function.
 
 To limit access to a `Workspace` from a subset of a `Task's` `Steps` or `Sidecars` requires

diff --git a/...pelineruns/alpha/isolated-workspaces.yaml → ...ipelineruns/beta/isolated-workspaces.yaml b/...pelineruns/alpha/isolated-workspaces.yaml → ...ipelineruns/beta/isolated-workspaces.yaml
diff --git a/...ns/alpha/authenticating-git-commands.yaml → ...uns/beta/authenticating-git-commands.yaml b/...ns/alpha/authenticating-git-commands.yaml → ...uns/beta/authenticating-git-commands.yaml
diff --git a/.../taskruns/alpha/workspace-in-sidecar.yaml → ...1/taskruns/beta/workspace-in-sidecar.yaml b/.../taskruns/alpha/workspace-in-sidecar.yaml → ...1/taskruns/beta/workspace-in-sidecar.yaml
diff --git a/...1/taskruns/alpha/workspace-isolation.yaml → ...a1/taskruns/beta/workspace-isolation.yaml b/...1/taskruns/alpha/workspace-isolation.yaml → ...a1/taskruns/beta/workspace-isolation.yaml
diff --git a/pkg/apis/pipeline/v1/task_validation.go b/pkg/apis/pipeline/v1/task_validation.go
@@ -222,7 +222,7 @@ func validateWorkspaceUsages(ctx context.Context, ts *TaskSpec) (errs *apis.Fiel
 
 	for stepIdx, step := range steps {
 		if len(step.Workspaces) != 0 {
-			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "step workspaces", config.AlphaAPIFields).ViaIndex(stepIdx).ViaField("steps"))
+			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "step workspaces", config.BetaAPIFields).ViaIndex(stepIdx).ViaField("steps"))
 		}
 		for workspaceIdx, w := range step.Workspaces {
 			if !wsNames.Has(w.Name) {
@@ -233,7 +233,7 @@ func validateWorkspaceUsages(ctx context.Context, ts *TaskSpec) (errs *apis.Fiel
 
 	for sidecarIdx, sidecar := range sidecars {
 		if len(sidecar.Workspaces) != 0 {
-			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "sidecar workspaces", config.AlphaAPIFields).ViaIndex(sidecarIdx).ViaField("sidecars"))
+			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "sidecar workspaces", config.BetaAPIFields).ViaIndex(sidecarIdx).ViaField("sidecars"))
 		}
 		for workspaceIdx, w := range sidecar.Workspaces {
 			if !wsNames.Has(w.Name) {

diff --git a/pkg/apis/pipeline/v1beta1/task_validation.go b/pkg/apis/pipeline/v1beta1/task_validation.go
@@ -176,8 +176,8 @@ func validateDeclaredWorkspaces(workspaces []WorkspaceDeclaration, steps []Step,
 // validateWorkspaceUsages checks that all WorkspaceUsage objects in Steps
 // refer to workspaces that are defined in the Task.
 //
-// This is an alpha feature and will fail validation if it's used by a step
-// or sidecar when the enable-api-fields feature gate is anything but "alpha".
+// This is an beta feature and, until TEP-0138 https://github.com/tektoncd/community/pull/1034
+// is implemented, it will pass validation on v1beta1 resources
 func validateWorkspaceUsages(ctx context.Context, ts *TaskSpec) (errs *apis.FieldError) {
 	workspaces := ts.Workspaces
 	steps := ts.Steps
@@ -189,9 +189,6 @@ func validateWorkspaceUsages(ctx context.Context, ts *TaskSpec) (errs *apis.Fiel
 	}
 
 	for stepIdx, step := range steps {
-		if len(step.Workspaces) != 0 {
-			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "step workspaces", config.AlphaAPIFields).ViaIndex(stepIdx).ViaField("steps"))
-		}
 		for workspaceIdx, w := range step.Workspaces {
 			if !wsNames.Has(w.Name) {
 				errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("undefined workspace %q", w.Name), "name").ViaIndex(workspaceIdx).ViaField("workspaces").ViaIndex(stepIdx).ViaField("steps"))
@@ -200,9 +197,6 @@ func validateWorkspaceUsages(ctx context.Context, ts *TaskSpec) (errs *apis.Fiel
 	}
 
 	for sidecarIdx, sidecar := range sidecars {
-		if len(sidecar.Workspaces) != 0 {
-			errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "sidecar workspaces", config.AlphaAPIFields).ViaIndex(sidecarIdx).ViaField("sidecars"))
-		}
 		for workspaceIdx, w := range sidecar.Workspaces {
 			if !wsNames.Has(w.Name) {
 				errs = errs.Also(apis.ErrGeneric(fmt.Sprintf("undefined workspace %q", w.Name), "name").ViaIndex(workspaceIdx).ViaField("workspaces").ViaIndex(sidecarIdx).ViaField("sidecars"))

diff --git a/pkg/apis/pipeline/v1beta1/task_validation_test.go b/pkg/apis/pipeline/v1beta1/task_validation_test.go
@@ -1597,37 +1597,6 @@ func TestIncompatibleAPIVersions(t *testing.T) {
 		requiredVersion string
 		spec            v1beta1.TaskSpec
 	}{{
-		name:            "step workspace requires alpha",
-		requiredVersion: "alpha",
-		spec: v1beta1.TaskSpec{
-			Workspaces: []v1beta1.WorkspaceDeclaration{{
-				Name: "foo",
-			}},
-			Steps: []v1beta1.Step{{
-				Image: "foo",
-				Workspaces: []v1beta1.WorkspaceUsage{{
-					Name: "foo",
-				}},
-			}},
-		},
-	}, {
-		name:            "sidecar workspace requires alpha",
-		requiredVersion: "alpha",
-		spec: v1beta1.TaskSpec{
-			Workspaces: []v1beta1.WorkspaceDeclaration{{
-				Name: "foo",
-			}},
-			Steps: []v1beta1.Step{{
-				Image: "foo",
-			}},
-			Sidecars: []v1beta1.Sidecar{{
-				Image: "foo",
-				Workspaces: []v1beta1.WorkspaceUsage{{
-					Name: "foo",
-				}},
-			}},
-		},
-	}, {
 		name:            "windows script support requires alpha",
 		requiredVersion: "alpha",
 		spec: v1beta1.TaskSpec{
@@ -1687,15 +1656,6 @@ func TestIncompatibleAPIVersions(t *testing.T) {
 }
 
 func TestGetArrayIndexParamRefs(t *testing.T) {
-	stepsReferences := []string{}
-	for i := 10; i <= 26; i++ {
-		stepsReferences = append(stepsReferences, fmt.Sprintf("$(params.array-params[%d])", i))
-	}
-	volumesReferences := []string{}
-	for i := 10; i <= 22; i++ {
-		volumesReferences = append(volumesReferences, fmt.Sprintf("$(params.array-params[%d])", i))
-	}
-
 	tcs := []struct {
 		name     string
 		taskspec *v1beta1.TaskSpec

diff --git a/pkg/reconciler/taskrun/resources/apply.go b/pkg/reconciler/taskrun/resources/apply.go
@@ -157,8 +157,8 @@ func ApplyWorkspaces(ctx context.Context, spec *v1.TaskSpec, declarations []v1.W
 			stringReplacements[prefix+"path"] = ""
 		} else {
 			stringReplacements[prefix+"bound"] = "true"
-			alphaAPIEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.EnableAPIFields == config.AlphaAPIFields
-			if alphaAPIEnabled {
+			betaAPIEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.EnableAPIFields == config.BetaAPIFields
+			if betaAPIEnabled {
 				spec = applyWorkspaceMountPath(prefix+"path", spec, declaration)
 			} else {
 				stringReplacements[prefix+"path"] = declaration.GetMountPath()

diff --git a/pkg/reconciler/taskrun/resources/apply_test.go b/pkg/reconciler/taskrun/resources/apply_test.go
@@ -1157,7 +1157,7 @@ func TestApplyWorkspaces_IsolatedWorkspaces(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			ctx := config.ToContext(context.Background(), &config.Config{
 				FeatureFlags: &config.FeatureFlags{
-					EnableAPIFields: "alpha",
+					EnableAPIFields: "beta",
 				},
 			})
 			vols := workspace.CreateVolumes(tc.binds)