Failed to sign pipelineRun with error: failed to set finalizers: admission webhook \"webhook.pipeline.tekton.dev\" denied the request: mutation failed: cannot decode incoming new object: json: unknown field \"EnableCELInWhenExpression\"

[Allen-yan]

Expected Behavior

using tekton chain to sign a pipelineRun object

Actual Behavior

after pipelineRun finished. Nothing attached to the pipelineRun annotations and tekton-chains-controller pod throws an error

{"level":"error","ts":"2023-12-06T07:09:27.326Z","logger":"watcher","caller":"controller/controller.go:566","msg":"Reconcile error","knative.dev/controller":"github.aaakk.us.kg.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"43907be3-2f94-492f-99dc-e5c59219ff8a","knative.dev/key":"default/cicd-pipeline-pd5pr-cut-commit-id","duration":0.013745541,"error":"failed to set finalizers: admission webhook "webhook.pipeline.tekton.dev" denied the request: mutation failed: cannot decode incoming new object: json: unknown field "EnableCELInWhenExpression"","stacktrace":"github.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).handleErr\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:566\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:543\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:491"}

Steps to Reproduce the Problem

1. start a pipelinerun
2. pipelinerun completed
3. watch the tekton chains controller logs

Additional Info

• Kubernetes version:

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.4

• Tekton Pipeline version:

Client version: 0.32.2
Chains version: v0.19.0
Pipeline version: v0.50.3
Triggers version: v0.25.2
Dashboard version: v0.39.0
Operator version: v0.68.1

config-map: chains-config

apiVersion: v1
data:
  artifacts.oci.storage: ""
  artifacts.pipelinerun.format: slsa/v1
  artifacts.pipelinerun.storage: tekton
  artifacts.taskrun.format: in-toto
  artifacts.taskrun.storage: ""
kind: ConfigMap

[lcarva]

I'm unable to reproduce the issue with those versions.

Given the error, I wonder if there's some corner case incompatibility issue with the version of Chains and the version of Pipeline. EnableCELInWhenExpression doesn't exist in Pipeline v0.50.3, for example.

Can you share the output of kubectl -n tekton-pipelines get ConfigMap feature-flags -o yaml ?

[Allen-yan]

@lcarva

apiVersion: v1
data:
  await-sidecar-readiness: "true"
  coschedule: workspaces
  disable-affinity-assistant: "false"
  disable-creds-init: "false"
  enable-api-fields: stable
  enable-custom-tasks: "false"
  enable-provenance-in-status: "true"
  enable-tekton-oci-bundles: "false"
  enforce-nonfalsifiablity: none
  performance: <v1alpha1.PipelinePerformanceProperties Value>
  require-git-ssh-secret-known-hosts: "false"
  results-from: termination-message
  running-in-environment-with-injected-sidecars: "true"
  send-cloudevents-for-runs: "false"
  set-security-context: "false"
  trusted-resources-verification-no-match-policy: ignore
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    operator.tekton.dev/operand-name: tektoncd-pipelines
  name: feature-flags
  namespace: tekton-pipelines

[lcarva]

Quite strange... I still can't reproduce this issue. I tried your exact config as well as variations of it. Can you share the Pipeline and Task definitions you're using?

Can you also try reproducing the issue on a fresh cluster? kind is useful for this. Providing the exact steps to reproduce the problem would be super helpful.