Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TEP-0089] Inject SpireControllerAPIClient into the Taskrun controller and reconciler. #6627

Merged
merged 1 commit into from
May 19, 2023

Conversation

jagathprakash
Copy link
Member

@jagathprakash jagathprakash commented May 5, 2023

This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.

Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.

After this change,

  • spireApiController will be available to be used by the pipeline controller and the taskrun object.
  • The spireApiController will be update with the spire config whenever the config changes.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue #6597.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesnt merit a release note. label May 5, 2023
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 5, 2023
@jagathprakash
Copy link
Member Author

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 5, 2023
@jagathprakash
Copy link
Member Author

/assign @jerop , @chuangw6

@jagathprakash jagathprakash changed the title [TEP-0089] SPIRE for non-falsifiable provenance. [TEP-0089] Inject SpireControllerAPIClient into the Taskrun controller and reconciler. May 5, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

pkg/spire/controller.go Outdated Show resolved Hide resolved
pkg/spire/controller.go Outdated Show resolved Hide resolved
pkg/spire/spire_mock.go Outdated Show resolved Hide resolved
pkg/spire/spire_test.go Outdated Show resolved Hide resolved
pkg/spire/controller.go Show resolved Hide resolved
}
OnStore(ctx, logger)(pconf.GetSpireConfigName(), &want)
got := *GetControllerAPIClient(ctx).(*spireControllerAPIClient).config
if got != want {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be helpful to add some test cases for which the configmap will not be updated i.e. invalid values.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As explained in OnStore comment, we will never get bad values here in the normal flow. We could get default values if the validation fails.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

Copy link
Member

@dibyom dibyom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one question and a minor comment but otherwise LGTM

pkg/reconciler/taskrun/controller.go Outdated Show resolved Hide resolved
@@ -45,14 +47,30 @@ func init() {
// controllerKey is a way to associate the ControllerAPIClient from inside the context.Context
type controllerKey struct{}

// OnStore stores the changed spire config into the SpireClientApi
func OnStore(ctx context.Context, logger *zap.SugaredLogger) func(name string, value interface{}) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: why do we need to implement OnStore? Are we supporting changing the SPIRE client without a controller restart if the config changes?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The configStore reads in the config and stores it into its local structures. Spire controller maintains its own local config. This does not get updated with the changes in the actual configMap. Essentially the Spire ConfigMap does not make it to the Spire Controller without this callback.

One way to get around this without the callback could be to load from the ConfigStore into the SpireCntroller at the beginning of the reconciler as done for other configs whcih get copied into the. context.

which will result in something like this.
// If configStore is set, attach the frozen configuration to the context.
if r.configStore != nil {
ctx = r.configStore.ToContext(ctx)
r.SpireClient.SetConfig(ctx)
}

WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah I see...I think the current impl is fine

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 11, 2023
@dibyom
Copy link
Member

dibyom commented May 11, 2023

@jagathprakash the coverage for pkg/spire/controller.go seems low (42%) - is there a PR that will increase this?

@jagathprakash
Copy link
Member Author

There is no PR planned for this, but I can create one which increases the coverage.

@jagathprakash jagathprakash requested a review from dibyom May 16, 2023 17:12
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@chuangw6
Copy link
Member

Can we clean up the PR description i.e. the descriptions before and after #changes?

@jagathprakash
Copy link
Member Author

Can we clean up the PR description i.e. the descriptions before and after #changes?

@chuangw6 I have updated the description. PTAL.

@chuangw6
Copy link
Member

@jagathprakash Thank you!

If you don't mind, can we just use the following as both commit message and the PR description (remove the text before the title #change)?

This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.

Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.

After this change,
- spireApiController will be available to be used by the pipeline controller and the taskrun object.
- The spireApiController will be update with the spire config whenever the config changes.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue https://github.com/tektoncd/pipeline/issues/6597.


@jagathprakash
Copy link
Member Author

@jagathprakash Thank you!

If you don't mind, can we just use the following as both commit message and the PR description (remove the text before the title #change)?

This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.

Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.

After this change,
- spireApiController will be available to be used by the pipeline controller and the taskrun object.
- The spireApiController will be update with the spire config whenever the config changes.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue https://github.com/tektoncd/pipeline/issues/6597.

Done.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

…r and reconciler

This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.

Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.

After this change,
- spireApiController will be available to be used by the pipeline controller and the taskrun object.
- The spireApiController will be update with the spire config whenever the config changes.

This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue https://github.com/tektoncd/pipeline/issues/6597.[TEP-0089] SPIRE for non-falsifiable provenance.
Inject SpireControllerAPIClient into the controller and the taskrun reconciler.

This commit is part of a series of PRs to implement TEP-0089.
The implementation of TEP-0089 is tracked in the issue [tektoncd#6597](tektoncd#6597).
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@chuangw6
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 18, 2023
@jagathprakash
Copy link
Member Author

/retest

@chuangw6
Copy link
Member

/retest

maybe try close and reopen the pr?

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/taskrun/controller.go 95.0% 95.2% 0.2
pkg/spire/controller.go 37.7% 42.9% 5.1

@tekton-robot tekton-robot merged commit 4c9880d into tektoncd:main May 19, 2023
@jagathprakash
Copy link
Member Author

/retest

maybe try close and reopen the pr?

That worked! Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants