[TEP-0145] CEL in WhenExpression #1074
Hi @tektoncd/core-maintainers ptal at this proposal.
/assign
/kind tep
/assign @pritidesai
/assign @vdemeester
Thanks @Yongxuanzhang, great TEP! I left some comments, but lgtm in general.
I believe having this feature and Param Enum can improve UX significantly.
teps/0145-cel-in-whenexpression.md
Outdated
|
||
The new fields will be gated by a new feature flag, `enable-cel-whenexpression`, which will defaults to `"false"` while the feature is in alpha. | ||
|
||
The validation webhook will validate either the current when `input`+`operator`+`values` or `cel` is used, users cannot use both at the same time for one `WhenExpression`. |
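Review bot: the webhook sentence ("users cannot use both at the same time") leaves two cases unspecified: a `WhenExpression` that sets neither `cel` nor `input`+`operator`+`values`, and one that sets `cel` while `enable-cel-whenexpression` is `"false"`. Suggest stating that the webhook rejects both, so that a gated `cel` field is never silently ignored and the guarded task run anyway. Also, "which will defaults to" in the feature-flag sentence should read "which will default to".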
I'm wondering if the validation webhook can validate if the given CEL expression is syntactically valid or not?
Oh this is a great suggestion! Thanks!
- cel: '$(params.branch)'.matches('release/.*')" | ||
``` | ||
|
||
### Variables Substitution |
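Review bot: in the `cel:` example line the value ends with a `"` that has no opening quote, so the YAML scalar is not the expression the example intends; wrap the whole expression in double quotes, as in `- cel: "'$(params.branch)'.matches('release/.*')"`. Because `$(params.branch)` is substituted inside a single-quoted CEL string literal, the Variables Substitution section that starts here should also say how a param value containing a quote character is handled.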
Hi @vdemeester, I added one more section since last time you reviewed. This section will discuss how we handle variable substitution in CEL expression and how we can prevent the attack. PTAL 🙏
Hi @pritidesai, @JeromeJu could you review this TEP? Thanks!
- input: "$(params.param1)$(params.param2)" | ||
operator: notin | ||
values: [""] | ||
``` |
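Review bot: the concatenated `input: "$(params.param1)$(params.param2)"` with `notin` and `values: [""]` only expresses "at least one of the two params is non-empty". Add a sentence next to the example saying that this is all the workaround can express, so readers do not take it as a general OR over arbitrary conditions.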
Right, this is a workaround but @durera was hoping to implement more complex logic but chose to go this route since their desired conditional logic is not supported.

The desired conditional logic is:

```yaml
whenAny:
  - input: "$(params.param1)"
    operator: notin
    values: [""]
  - input: "$(params.param2)"
    operator: in
    values: ["8.5", "8.6"]
```

which I think can be supported with a single `CEL` expression:

```yaml
when:
  cel: "'$(params.param1)' != '' || '$(params.param2)' == '8.5' || '$(params.param2)' == '8.6'"
```

Do we know if there is any limitation on the length of the `cel` expression? If so, it's worth documenting here.
Thanks! I missed the original one the user wants to use. Updated.
For the length limitation, I have searched a bit but could not find answers...
teps/0145-cel-in-whenexpression.md
Outdated
|
||
### Variables Substitution | ||
|
||
The CEL in When Expressions should support current Tekton’s Params and Results [string substitutions](https://github.com/tektoncd/pipeline/blob/main/docs/variables.md#variables-available-in-a-pipeline). Array and object substitutions are not supported because Tekton doesn’t support whole array/object replacements in a string. |
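Review bot: "should support" in the first sentence reads as optional; use "will support" and state what the user sees when a `cel` expression references an array or object param (a validation error or an evaluation failure). The link targets `docs/variables.md` on `main`, which can drift from the behaviour described here; consider pinning it to a release tag or commit.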
Is this true? `values` is an array and it does honor the star notation, isn't it?
It's reasonable to implement only string params with CEL, but are we supporting indexing into an array or referencing an object param using a key in CEL expressions?
Yes, I should clarify that we cannot reference a whole array or object.
I remember there is an issue that we cannot reference param in "script", the case where a long string contains param reference.
I will remove this statement, and rephrase that we will support string replacements first
Removed this statement
Thanks a bunch @Yongxuanzhang for all the efforts on this. This will be greatly appreciated and utilized by the pipeline authors. I have left a couple of comments. Please address them before we can merge this since this is marked as implementable. Thanks again! /approve
The proposal LGTM, just some small questions.
teps/0145-cel-in-whenexpression.md
Outdated
- Explicitly document that passing CEL expression from param is not allowed and won’t be executed. | ||
|
||
The solution we proposed is to let CEL handle the variable substitution: | ||
1. Add params, results, context variables to CEL's environment, similar like [Tekton Triggers](https://github.com/tektoncd/triggers/blob/main/pkg/interceptors/cel/cel.go#L104C1-L112) |
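Review bot: the bullet "passing CEL expression from param is not allowed and won't be executed" does not say where this is enforced. State whether the validation webhook rejects it, or whether it follows from step 1 because param values are added to CEL's environment as variables instead of being substituted into the expression text. In step 1, "similar like" should be "similar to".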
I think the tekton trigger examples are nice to add. Would you mind also clarifying the environment here?
I added link to the cel environment, it would add too many details here if we want to add code snippets.
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JeromeJu, pritidesai, vdemeester
This commit adds the proposal of adding CEL in WhenExpression

Signed-off-by: Yongxuan Zhang [email protected]