Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cleanup resolved object before validating through dry-run #8051

Merged
merged 1 commit into from
Jun 18, 2024

Conversation

vdemeester
Copy link
Member

@vdemeester vdemeester commented Jun 13, 2024

Changes

This ensure that we are not going to fail during validation with
dry-run. An example of such a failure would be the following scenario.

  • A task in a namespace has ownerReferences with
    blockOwnerDeletion: true
  • A user uses the cluster resolver to fetch that task
  • That user doesn't have a lot of rights in that namespace (only
    listing Tasks for example).

/kind bug

Signed-off-by: Vincent Demeester [email protected]

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • pre-commit Passed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Cleanup resolved object before attempting to validate it through api dry-run call

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 13, 2024
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 94.1% 94.3% 0.2
pkg/reconciler/taskrun/resources/taskref.go 94.0% 94.2% 0.2

@vdemeester vdemeester marked this pull request as ready for review June 13, 2024 12:48
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 13, 2024
@vdemeester
Copy link
Member Author

cc @JeromeJu @chitrangpatel
This probably need some tests (unit at least), a release note and some refactoring, but does the approach sounds alright ? Also, we can list other fields we may want to clean.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 94.1% 94.3% 0.2
pkg/reconciler/taskrun/resources/taskref.go 94.0% 94.2% 0.2

This ensure that we are not going to fail during validation with
dry-run. An example of such a failure would be the following scenario.

- A task in a namespace has `ownerReferences` with
`blockOwnerDeletion: true`
- A user uses the `cluster` resolver to fetch that task
- That user doesn't have a lot of rights in that namespace (only
listing Tasks for example).

/kind bug

Signed-off-by: Vincent Demeester <[email protected]>
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 94.1% 94.3% 0.2
pkg/reconciler/taskrun/resources/taskref.go 94.0% 94.2% 0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/resources/pipelineref.go 94.1% 94.3% 0.2
pkg/reconciler/taskrun/resources/taskref.go 94.0% 94.2% 0.2

Copy link
Contributor

@chitrangpatel chitrangpatel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there is another side to this as well. But that could be a separate PR.

Right now, we only use dryRun to Validate. If users have mutating admission webhooks on the cluster then when we do the dryRun and validate, the mutations will happen before the validation. However, we ignore the mutated object and only continue with the original runtime Object even though we have validated the mutated one. In practice, when we do the dryrun, we should return the mutated object in addition to the validation error so that we use the mutated object in the underlying spec.

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chitrangpatel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2024
@vdemeester
Copy link
Member Author

Right now, we only use dryRun to Validate. If users have mutating admission webhooks on the cluster then when we do the dryRun and validate, the mutations will happen before the validation. However, we ignore the mutated object and only continue with the original runtime Object even though we have validated the mutated one. In practice, when we do the dryrun, we should return the mutated object in addition to the validation error so that we use the mutated object in the underlying spec.

Ah that's a good point, we should probably track this into an issue.

@vdemeester vdemeester added this to the Pipeline v0.61 milestone Jun 18, 2024
@vdemeester
Copy link
Member Author

/cherry-pick v0.59.x

@tekton-robot
Copy link
Collaborator

@vdemeester: once the present PR merges, I will cherry-pick it on top of v0.59.x in a new PR and assign it to you.

In response to this:

/cherry-pick v0.59.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Copy link
Member Author

/cherry-pick v0.56.x

@tekton-robot
Copy link
Collaborator

@vdemeester: once the present PR merges, I will cherry-pick it on top of v0.56.x in a new PR and assign it to you.

In response to this:

/cherry-pick v0.56.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Copy link
Member Author

/cherry-pick v0.53.x

@tekton-robot
Copy link
Collaborator

@vdemeester: once the present PR merges, I will cherry-pick it on top of v0.53.x in a new PR and assign it to you.

In response to this:

/cherry-pick v0.53.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Copy link
Member Author

/cherry-pick v0.50.x

@tekton-robot
Copy link
Collaborator

@vdemeester: once the present PR merges, I will cherry-pick it on top of v0.50.x in a new PR and assign it to you.

In response to this:

/cherry-pick v0.50.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@savitaashture
Copy link
Contributor

/lgtm

@tekton-robot
Copy link
Collaborator

@savitaashture: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jkandasa
Copy link
Member

/lgtm

@tekton-robot
Copy link
Collaborator

@jkandasa: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@piyush-garg
Copy link
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2024
@tekton-robot tekton-robot merged commit d3b18ea into tektoncd:main Jun 18, 2024
14 checks passed
@tekton-robot
Copy link
Collaborator

@vdemeester: cannot checkout v0.59.x: error checking out v0.59.x: exit status 1. output: error: pathspec 'v0.59.x' did not match any file(s) known to git

In response to this:

/cherry-pick v0.59.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester vdemeester deleted the cleanup-resolved-object branch June 18, 2024 08:04
@tekton-robot
Copy link
Collaborator

@vdemeester: cannot checkout v0.56.x: error checking out v0.56.x: exit status 1. output: error: pathspec 'v0.56.x' did not match any file(s) known to git

In response to this:

/cherry-pick v0.56.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Copy link
Collaborator

@vdemeester: cannot checkout v0.53.x: error checking out v0.53.x: exit status 1. output: error: pathspec 'v0.53.x' did not match any file(s) known to git

In response to this:

/cherry-pick v0.53.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Copy link
Collaborator

@vdemeester: cannot checkout v0.50.x: error checking out v0.50.x: exit status 1. output: error: pathspec 'v0.50.x' did not match any file(s) known to git

In response to this:

/cherry-pick v0.50.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Copy link
Member Author

/cherry-pick release-v0.59.x

@tekton-robot
Copy link
Collaborator

@vdemeester: #8051 failed to apply on top of branch "release-v0.59.x":

Applying: Cleanup resolved object before validating through dry-run
Using index info to reconstruct a base tree...
M	pkg/reconciler/pipelinerun/resources/pipelineref.go
M	pkg/reconciler/taskrun/resources/taskref.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/reconciler/taskrun/resources/taskref.go
CONFLICT (content): Merge conflict in pkg/reconciler/taskrun/resources/taskref.go
Auto-merging pkg/reconciler/pipelinerun/resources/pipelineref.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Cleanup resolved object before validating through dry-run
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-v0.59.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Copy link
Member Author

Arf… I'll have to manually cherry-pick..

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Jun 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants