Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove config-trusted-resources #6305

Merged

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Mar 6, 2023

Changes

This commit removes config-trusted-resources. The deprecation is announced in release v0.45. The reason of removing is that config-trusted-resources is used to store public keys for verificaiton but Verification Policy has already covered all the functionalities and has more advanced features. Since there are not any other fields in trusted-resources-config we decided to remove it. Trusted resources is alpha feature so the configmap can be deprecated with one release notice

Closes #5852

Signed-off-by: Yongxuan Zhang [email protected]

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

BREAKING CHANGE: [alpha] config-trusted-resources is removed, please refer to https://github.com/tektoncd/pipeline/blob/main/docs/trusted-resources.md for migrating public keys in VerificationPolicy

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Mar 6, 2023
@Yongxuanzhang Yongxuanzhang changed the title remove trusted-resources-config remove config-trusted-resources Mar 6, 2023
@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Mar 6, 2023
@Yongxuanzhang
Copy link
Member Author

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneuous one. label Mar 6, 2023
Comment on lines -91 to -90
# Mount secret for trusted resources
- name: verification-secrets
mountPath: /etc/verification-secrets
readOnly: true
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was introduced to mount secrets(contains public keys) and configmap could refer to the secret.

@@ -55,177 +55,12 @@ func init() {
os.Setenv("PRIVATE_PASSWORD", password)
}

func TestTrustedResourcesVerify_ConfigMap_Success(t *testing.T) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the e2e test of configmap approach.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

Copy link
Member

@lbernick lbernick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @Yongxuanzhang, please update the release note to include more detail (including a link to where people can find migration instructions) and update the commit message to note that this is an alpha feature.

@@ -82,20 +81,6 @@ func VerifyPipeline(ctx context.Context, pipelineObj v1beta1.PipelineObject, k8s
// 2. If multiple policies are matched, the resource needs to pass all of them to pass verification.
// 3. To pass one policy, the resource can pass any public keys in the policy.
func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, signature []byte, source string, policies []*v1alpha1.VerificationPolicy) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the docstring of this function

Copy link
Member Author

@Yongxuanzhang Yongxuanzhang Mar 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh thanks! Sorry I should mark this tep as wip, I meant to open it just to run against our ci yesterday
Will take a full pass on the docs and tests

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2023
@Yongxuanzhang Yongxuanzhang changed the title remove config-trusted-resources [WIP] remove config-trusted-resources Mar 7, 2023
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 7, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@Yongxuanzhang Yongxuanzhang changed the title [WIP] remove config-trusted-resources remove config-trusted-resources Mar 7, 2023
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 7, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 29.1% 28.5% -0.6
test/trustedresources.go 10.2% 10.8% 0.5

Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@@ -20,8 +20,8 @@ import "errors"
var (
// ErrorResourceVerificationFailed is returned when trusted resources fails verification.
ErrorResourceVerificationFailed = errors.New("resource verification failed")
// ErrorEmptyVerificationConfig is returned when VerificationPolicy or config-trusted-resources configmap are founded
ErrorEmptyVerificationConfig = errors.New("no policies or config-trusted-resources configmap founded for verification")
// ErrorEmptyVerificationConfig is returned when VerificationPolicy are founded
Copy link
Member

@wlynch wlynch Mar 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// ErrorEmptyVerificationConfig is returned when VerificationPolicy are founded
// ErrorEmptyVerificationConfig is returned when no VerificationPolicy is found

maybe? Something about this description is off

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, thanks! This is a mistake

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 7, 2023
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernick, wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 7, 2023
This commit removes trusted-resources-config. The deprecation is
announced in release v0.45. The reason of removing is that
trusted-resources-config is used to store public keys for verificaiton
but Verification Policy has already covered all the functionalities and
has more advanced features. Since there are not any other fields in
trusted-resources-config we decided to remove it. Trusted resources is
alpha feature so the configmap can be deprecated with one release
notice.

Closes tektoncd#5852

Signed-off-by: Yongxuan Zhang [email protected]
@tekton-robot tekton-robot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 8, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 28.9% 28.2% -0.7
test/trustedresources.go 10.2% 10.8% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/trustedresources/verify.go 95.8% 93.8% -2.1
test/controller.go 28.9% 28.2% -0.7
test/trustedresources.go 10.2% 10.8% 0.5

Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/misc Categorizes issue or PR as a miscellaneuous one. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Deprecate config-trusted-resources when VerificationPolicy is supported
4 participants