Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

move trusted resources verification after we resolve the remote resources #6621

Merged
merged 1 commit into from
May 10, 2023

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented May 4, 2023

Changes

This PR moves the trusted resources verification to readRuntimeObjectAsTask and readRuntimeObjectAsPipline, the reasons we need this change include:

  1. unblock the work for v1, since v1 will mutate, validate and convert the resources, the mutation will break trusted resources verification thus we need to verify right after we resolve the remote resources.
  2. Prepare the support for verifying different api versions. This commit also makes it clear that currently we only support verification for remote resources.

/kind misc
Closes #6618

Signed-off-by: Yongxuan Zhang [email protected]

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot
Copy link
Collaborator

@Yongxuanzhang: The label(s) kind/misce cannot be applied, because the repository doesn't have them.

In response to this:

Changes

This PR moves the trusted resources verification to readRuntimeObjectAsTask and readRuntimeObjectAsPipline, the reasons we need this change include:

  1. unblock the work for v1, since v1 will mutate, validate and convert the resources, the mutation will break trusted resources verification thus we need to verify right after we resolve the remote resources.
  2. Prepare the support for verifying different api versions. This commit also makes it clear that currently we only support verification for remote resources.

/kind misce

Signed-off-by: Yongxuan Zhang [email protected]

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesnt merit a release note. labels May 4, 2023
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label May 4, 2023
@Yongxuanzhang
Copy link
Member Author

/test all

@Yongxuanzhang
Copy link
Member Author

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneuous one. label May 4, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@@ -112,9 +112,16 @@ spec:
tasks:
- name: task
taskRef:
name: %s
resolver: cluster
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use cluster resolve for e2e test, since we don't have these examples stored in remote storage, it's hard to test other resolvers.

if err != nil {
return nil, nil, fmt.Errorf("failed to convert obj %s into Task", obj.GetObjectKind().GroupVersionKind().String())
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may return other errors, so we need to return err here instead of a new convert error

@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@Yongxuanzhang Yongxuanzhang force-pushed the verify-when-fetch branch 2 times, most recently from 7ddb9a4 to b640cef Compare May 5, 2023 14:00
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

Comment on lines 11354 to 11360
// Set up a fake registry to push an image to.
s := httptest.NewServer(registry.New())
defer s.Close()
u, err := url.Parse(s.URL)
if err != nil {
t.Fatal(err)
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use oci bundle to test trusted resources, we could probably test resolver here, but I think e2e test has covered the resolver case (using cluster resolver)

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

Copy link
Member

@lbernick lbernick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks a lot better! Thanks for fixing this!

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 8, 2023
Comment on lines +44 to +45
// OCI bundle and remote resolution pipelines will be verified by trusted resources if the feature is enabled
func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset.Interface, requester remoteresource.Requester, pipelineRun *v1beta1.PipelineRun, verificationPolicies []*v1alpha1.VerificationPolicy) rprp.GetPipeline {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we verify the resource in the default case where in-cluster resources are resolved by the local cluster resolver?

Prior to the move, that case seems to be included for verification but after the move the case seems ignored.

Same for task reconciler.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Local resolver is actually not fully supported due to the mutating webhook(the verification may fail) and we didn't make is clear before.

This PR also updates the doc to highlight what we support (resources from resolver&oci bundle). I'm hesitant to update the release notes since we don't actually support it before. Let me know if you have any suggestions. 😄

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean that the in-cluster resources could be mutated by the mutation webhook when they are applied to the cluster, which might cause the verification fail?

If so, the remote resolver is also able to resolve the in-cluster resources via cluster resolver. Will there be same issue and how are we planning to handle that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I also mentioned this in the doc. If users want to use cluster resolver, the resources need to set all default values.

Copy link
Member Author

@Yongxuanzhang Yongxuanzhang May 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think currently we could just document it, then when we finish high priority features(v1 support, condition update), we can start planning solutions for local resources. Wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

STGM as long as we will support that case.

I thought it's in the scope initially b/c the TEP doc mentions that "Provide an optional mechanism for Resources (local and remote tekton tasks/ pipelines) to be signed and verified."

Copy link
Member Author

@Yongxuanzhang Yongxuanzhang May 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, that's still in the scope, but just not the priority at this moment.

@Yongxuanzhang
Copy link
Member Author

/retest

@lbernick
Copy link
Member

lbernick commented May 8, 2023

This looks related to a known flake, so I've commented on the issue tracking it: #6624

@chuangw6
Copy link
Member

chuangw6 commented May 9, 2023

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 9, 2023
@chuangw6
Copy link
Member

chuangw6 commented May 9, 2023

/remove-lgtm

@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label May 9, 2023
Trusted Resources is a feature which can be used to sign Tekton Resources and verify them. Details of design can be found at [TEP--0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md). This feature is under `alpha` version and support `v1beta1` version of `Task` and `Pipeline`.
Trusted Resources is a feature which can be used to sign Tekton Resources and verify them. Details of design can be found at [TEP--0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md). This is an alpha feature and supports `v1beta1` version of `Task` and `Pipeline`.

**Note**: trusted resources support verification of resources from OCI bundle or remote resolution, to use [cluster resolver](./cluster-resolver.md) make sure to set all default values for the resources before applied to cluster, otherwise the verification will fail due to the mutating webhook.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel this paragraph is a bit confusing to users for 3 reasons: 1/. oci bundle is part of remote resolution 2. as discussed, there are 2 ways resolving cluster resources i.e. remote resolver, and local resolver. 3. what should users set for default values?

How about this?
Note: Currently, trusted resources only support verifying Tekton resources that come from remote places i.e. git, OCI registry and Artifact Hub. For in-cluster resources, verification might fail because the mutation webhook will set default values for the type of the parameters and results, which implies the resources will be modified before verification. In-cluster resources will be supported later. If one wants to use trusted resources for this case, they should set those default values for the resources before applying to the cluster so that mutation webhook doesn't affect the originality of the resource.

(Please add other areas that mutation webhook will take affect on if missed above)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Emmm, OCI bundle is another feature not part of remote resolution, this feature is supported for v1beta1 but will not be supported in v1. I can update the doc to add link. https://github.com/tektoncd/pipeline/blob/main/docs/pipelineruns.md#tekton-bundles

Thanks for the suggestion! I will update the doc.

Copy link
Member

@chuangw6 chuangw6 May 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The link you shared is the remote resolver that resolves OCI resource. The old bundle field in PipelineRef will be deprecated for v1beta1. "Deprecated: Please use ResolverRef with the bundles resolver instead."

Generally, I think we should mention where the resource came from (i.e. remote place are well supported, in-cluster resources are not supported unless default are well set before applying to cluster), instead of mentioning remote resolution.

Thanks for the suggestion! I will update the doc.

Thanks you for your hard work.

…rces

This PR moves the trusted resources verification to
readRuntimeObjectAsTask and readRuntimeObjectAsPipline, the reasons we
need this change include 1) unblock the work for v1, since v1 will
mutate, validate and convert the resources, the mutation will break
trusted resources verification thus we need to verify right after we
resolve the remote resources. 2) Prepare the support for verifying
different api versions. This commit also makes it clear that currently
we only support verification for remote resources.

Signed-off-by: Yongxuan Zhang [email protected]
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.1% 93.8% 0.6
pkg/reconciler/taskrun/resources/taskref.go 89.7% 90.0% 0.3
pkg/trustedresources/verify.go 95.2% 95.6% 0.3

@chuangw6
Copy link
Member

/ltgm

@chuangw6
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 10, 2023
@tekton-robot tekton-robot merged commit 77f7d0f into tektoncd:main May 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/misc Categorizes issue or PR as a miscellaneuous one. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Trusted resources works only for storage version of the API
5 participants