Add Step and Sidecar Workspaces feature #3700
Conversation
ghost
added
the
kind/feature
tekton-robot
added
the
release-note
tekton-robot
added
the
size/L
|
The following is the coverage report on the affected files.
|
tekton-robot
added
size/XL
|
The following is the coverage report on the affected files.
|
|
Build tests are failing with following message: But |
|
The following is the coverage report on the affected files.
|
docs/workspaces.md
Outdated
| # Note: must explicitly include volumeMount for the workspace to be accessible in the Sidecar | ||
| volumeMounts: | ||
| - name: $(workspaces.signals.volume) | ||
| mountPath: $(workspaces.signals.path) |
There was a problem hiding this comment.
ahhh its so much better now :D
| # Note: must explicitly add volumeMount to gain access to Workspace in sidecar | ||
| volumeMounts: | ||
| - name: $(workspaces.signals.volume) | ||
| mountPath: $(workspaces.signals.path) |
| script: | | ||
| #!/usr/bin/env ash | ||
| if [ -f "$(workspaces.signals.path)"/start ] ; then | ||
| echo "This step should not have access to the signals workspace." |
| metadata: | ||
| generateName: workspace-isolation- | ||
| spec: | ||
| timeout: 2m0s |
There was a problem hiding this comment.
oooo is this here b/c of the loop in the sidecar? might be worth adding a couple comments (e.g. in the sidecar loop), i had to work through that myself and was about to say "we should add a timeout"
There was a problem hiding this comment.
Updated with comments in both loops mentioning the use of timeout to prevent looping forever.
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
There was a problem hiding this comment.
I think pretty much all my comments are just idle thoughts or unimportant nitpicks! The only at all "significant" comment I have is a think there might be a bit of missing test coverage on the mount path overriding.
Looks great!
/approve
i wonder if we want to explicitly do anything about how this impacts pipelineresources? since this was implemented using steptemplates, removing the volumes from the step template would also mean removing it from pipelineresources, but right now we don't cover it with any tests or mention it in docs - i think its probably better this way; its hard to imagine any pipelineresources that would be impacted, probably no one even knew that was happening, and lastly we probably want to discourage using pipelineresources anyway, but i wanted to bring it up and see what you think
| @@ -217,13 +217,14 @@ While iterating on the project, you may need to: | |||
| 1. Verify it's working by [looking at the logs](#accessing-logs) | |||
| 1. Update your (external) dependencies with: `./hack/update-deps.sh`. | |||
| 1. Update your type definitions with: `./hack/update-codegen.sh`. | |||
| 1. Update your OpenAPI specs with: `./hack/update-openapigen.sh`. | |||
| Workspaces: []v1beta1.WorkspaceDeclaration{{ | ||
| Name: "source", | ||
| }}, | ||
| }, |
There was a problem hiding this comment.
nice, clear test cases!
tekton-robot
added
the
approved
|
The following is the coverage report on the affected files.
|
|
yaaaasssss
|
|
Thanks for reviewing @bobcatfish ! |
|
The following is the coverage report on the affected files.
|
| workspaces: | ||
| - name: signals | ||
| steps: | ||
| - image: alpine:3.12.0 |
|
Thank you for this, it's a great feature to add. I skimmed through the code and it looks good (thanks for nice docs 🙏 ) - the only concern I have is the lack of a feature flag. Since this adds to a beta API, adding it without a flag means that the new API field becomes beta the moment it's released. I'm aware that we don't have a clear policy right now, I'll try to progress on https://github.com/tektoncd/community/blob/main/teps/0033-tekton-feature-gates.md so that we may have better guidance for the future. I agree with @bobcatfish proposal to have a single API flag for (most) API changes would make sense, and I know @vdemeester expressed positive feedback to that idea, so perhaps we should add the flag along with documentation so that people may start using it. @sbwsg @bobcatfish @vdemeester we're almost at release time, I see three alternatives:
In terms of the change in behaviour (volumes being available to steps right away), I think that should be fine, I cannot imaging that change breaking anyones workflow today - is that correct? |
|
/hold until the need for a feature flag is discussed / clarified |
|
/hold |
|
The following is the coverage report on the affected files.
|
Rebased on top of new feature gates code. I think this is ready for another look. |
|
I'm going to cancel the hold. I can't find the comment where it was added and everythoing's up to date now with the feature gate work. /hold cancel |
tekton-robot
removed
the
do-not-merge/hold
| @@ -19,6 +19,10 @@ spec: | |||
| - name: signals | |||
| steps: | |||
| - image: alpine:3.12.0 | |||
| resources: | |||
pkg/apis/config/feature_flags.go
Outdated
| @@ -118,7 +118,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { | |||
| } | |||
|
|
|||
| // setEnabledAPIFields sets the "enable-api-fields" flag based on the content of a given map. | |||
| // If the feature gate is invalid or missing then an error is returned. | |||
| // If the feature gate is invalid or missing then the flag is set to its default. | |||
There was a problem hiding this comment.
NIT: this is not true, it does return error if the value is anything outside of stable and alpha, some git weirdness?
There was a problem hiding this comment.
Ah 😅 result of a bad merge. Good catch, thank you!
docs/workspaces.md
Outdated
| @@ -135,6 +158,9 @@ spec: | |||
|
|
|||
| #### Sharing `Workspaces` with `Sidecars` | |||
There was a problem hiding this comment.
NIT: reading for the first time looks like, the two notes in the same section is contradicting each other. The first note is saying with alpha API, the workspaces are automatically available to sidecars and second note is about stable API. With stable API, sidecars have to opt-in. This is fine for now, no need to change anything here. But we might have to repeat ourselves and be explicit about the behavior with stable compared to alpha 😞 May be keep the stable API behavior as is and add changes being introduced with alpha in the end of the section 🤔
There was a problem hiding this comment.
Yeah you're right it was confusing in this context. I removed mention of the alpha api from here.
|
The following is the coverage report on the affected files.
|
pkg/apis/config/feature_flags.go
Outdated
| @@ -118,7 +118,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { | |||
| } | |||
|
|
|||
| // setEnabledAPIFields sets the "enable-api-fields" flag based on the content of a given map. | |||
| // If the feature gate is invalid or missing then an error is returned. | |||
| // If the feature gate is invalid or missing then the flag is set to its default. | |||
There was a problem hiding this comment.
Ah 😅 result of a bad merge. Good catch, thank you!
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
| for stepIdx, step := range steps { | ||
| if len(step.Workspaces) != 0 { | ||
| errs = errs.Also(ValidateEnabledAPIFields(ctx, "step workspaces", config.AlphaAPIFields).ViaIndex(stepIdx).ViaField("steps")) | ||
| } |
There was a problem hiding this comment.
Should we return an error here or continue validating workspaces even when a feature gate is not set to alpha? 🤔 Generally we accumulate all the validation errors before exiting.
There was a problem hiding this comment.
Yeah, I've decided to leave them accumulating. We can always return early in future if we see reports that it's confusing this way.
|
Is this feature supported for a task within a pipeline? if so, will be great to have an example for the same 🙏 |
|
The following is the coverage report on the affected files.
|
Added a pipelinerun example. |
Thanks a bunch @sbwsg, one more question (sorry for nagging on this, trying to make sure I understand it since this is the first alpha feature 😜 ). I am not seeing the examples under |
Could you mention in the release notes that this change in behaviour is alpha / gated by a feature flag - so there will be no change in default behaviour when upgrading to v0.24? 🙏 |
I created #3896 to tackle it and will pick it up asap.
Sure thing! Done. |
pkg/workspace/apply.go
Outdated
| @@ -98,6 +100,23 @@ func Apply(ts v1beta1.TaskSpec, wb []v1beta1.WorkspaceBinding, v map[string]core | |||
| ts.StepTemplate = &corev1.Container{} | |||
| } | |||
|
|
|||
| isolatedWorkspaces := sets.NewString() | |||
|
|
|||
| alphaAPIEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.EnableAPIFields == "alpha" | |||
There was a problem hiding this comment.
NIT: can use config.AlphaAPIFields instead of string literal "alpha"
Access to Workspaces can now be limited to specific Steps and Sidecars in a Task. This allows Task authors to isolate sensitive data to specific images, reducing exposure of assets like credentials. As a side-effect of this change Workspaces are now mounted to Sidecars by default, just as they are to Steps.
|
The following is the coverage report on the affected files.
|
| if isolatedWorkspaces.Has(w.Name) { | ||
| mountAsIsolatedWorkspace(ts, w.Name, volumeMount) | ||
| } else { | ||
| mountAsSharedWorkspace(ts, volumeMount) |
There was a problem hiding this comment.
I am guessing this will go away once this feature is promoted to stable 🤔
| @@ -522,3 +524,310 @@ func TestApply(t *testing.T) { | |||
| }) | |||
| } | |||
| } | |||
|
|
|||
| func TestApply_IsolatedWorkspaces(t *testing.T) { | |||
There was a problem hiding this comment.
NIT: The tests included here are pretty comprehensive (go coverage is very obvious) 😍 but will be great to have a test with two different workspaces out of which one is isolated to a step and one is isolated to a sidecar.
|
thanks a bunch @sbwsg for your patience on this 🙏 It looks great. I am a little nervous without having /lgtm |
Changes
TEP: https://github.com/tektoncd/community/blob/master/teps/0029-step-workspaces.md
Fixes #2343
Access to Workspaces can now be limited to specific Steps and Sidecars in a Task.
This allows Task authors to isolate sensitive data to specific images, reducing
exposure of assets like credentials.
As a side-effect of this change Workspaces are now mounted to Sidecars by
default, just as they are to Steps.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
Release Notes