Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added SPIFFE entry registration and SVID entrypointer backoff #2

Merged
merged 3 commits into from
Feb 10, 2022

Conversation

lumjjb
Copy link

@lumjjb lumjjb commented Feb 8, 2022

@lumjjb lumjjb force-pushed the spire-lumjjb branch 2 times, most recently from 8296954 to 92ddb09 Compare February 9, 2022 23:05
@lumjjb lumjjb marked this pull request as ready for review February 9, 2022 23:06
@lumjjb lumjjb changed the title WIP: Added SPIFFE entry registration and SVID entrypointer backoff Added SPIFFE entry registration and SVID entrypointer backoff Feb 10, 2022
@pxp928 pxp928 force-pushed the spire-dlorenc branch 3 times, most recently from ce68e30 to a1adda9 Compare February 10, 2022 15:19
@pxp928 pxp928 merged commit 830d9e4 into pxp928:spire-dlorenc Feb 10, 2022
pxp928 pushed a commit that referenced this pull request Feb 10, 2022
* Added SPIFFE entry registration and SVID entrypointer backoff

Signed-off-by: Brandon Lum <[email protected]>

* Allow SPIRE configuration through opts

Signed-off-by: Brandon Lum <[email protected]>

* Add validation of SpireConfig

Signed-off-by: Brandon Lum <[email protected]>
pxp928 pushed a commit that referenced this pull request Feb 10, 2022
Signed-off-by: Dan Lorenc <[email protected]>

changed to use spiffe-csi

Add pod SPIFFE id annotation for workload registrar

Signed-off-by: Brandon Lum <[email protected]>

removed spire jwt

updated obtaining trust bundle

Added SPIFFE entry registration and SVID entrypointer backoff (#2)

* Added SPIFFE entry registration and SVID entrypointer backoff

Signed-off-by: Brandon Lum <[email protected]>

* Allow SPIRE configuration through opts

Signed-off-by: Brandon Lum <[email protected]>

* Add validation of SpireConfig

Signed-off-by: Brandon Lum <[email protected]>
pxp928 pushed a commit that referenced this pull request Feb 17, 2022
Signed-off-by: Dan Lorenc <[email protected]>

changed to use spiffe-csi

Add pod SPIFFE id annotation for workload registrar

Signed-off-by: Brandon Lum <[email protected]>

removed spire jwt

updated obtaining trust bundle

Added SPIFFE entry registration and SVID entrypointer backoff (#2)

* Added SPIFFE entry registration and SVID entrypointer backoff

Signed-off-by: Brandon Lum <[email protected]>

* Allow SPIRE configuration through opts

Signed-off-by: Brandon Lum <[email protected]>

* Add validation of SpireConfig

Signed-off-by: Brandon Lum <[email protected]>
pxp928 added a commit that referenced this pull request Feb 17, 2022
* cleanup - ApplyContext parameters

Instead of passing around the entire resolvedTaskResources, which is not
necessary at this point, just pass the task name.

No functional changes expected.

* use podtemplate imagepullsecrets to resolve entrypoint

* Update write_test.go

Fixed a typo

* Fix links to Why Aren't PipelineResources in Beta?

Links to the "Why Aren't PipelineResources in Beta?" section in the docs
should have `aren-t` in the fragment instead of `arent`. This can be
confirmed by clicking the link icon beside the heading and checking the
browser address bar.

* Fix tekton_pipelines_controller_taskrun_count recount bug

Added before and after condition check to avoid taskrun metrics recount bug.

* debug is an alpha feature

Documenting that the debug feature is still alpha. The feature was
introduced in pipelines release 0.26 behind enable-api-fields flag.

* Consider osversion when determining platform uniqueness

Prior to this change, an image (such as `golang:1.17`) that provided two
images that shared the same OS+architecture+variant would be considered
invalid, even if they described two different images whose platforms
differed on, for example, osversion (used by Windows images).

This change relaxes our platform uniqueness logic to take this into
account, unblocking Linux users from running such images.

There's still an issue for Windows users however, since when they
attempt to run these images they'll fail to find the correct command
taking into account their osversion. Workarounds in this case include
specifying a single-platform image, or avoiding multi-platform images
that provide two Windows images differing only by osversion.

This also updates our selection logic to take into account slightly
malformed multi-platform images that specify two images with the same
OS+architecture[+variant], so long as the duplicate entries describe the
same image by digest (e.g., anchore/syft:v0.37.10)

* [TEP-0059] Scope `when` expressions to `Task` only

In [TEP-0007: Conditions Beta][tep-0007], we introduced `when`
expressions to guard execution of `Tasks` in `Pipelines`.
To align with `Conditions`, we set scope of `when` expressions
to the guarded `Task` and its dependent `Tasks`.

In [TEP-0059: Skipping Strategies][tep-0059], we proposed changing
the scope of `when` expressions to the guarded `Task` only. This
was implemented in tektoncd#4085.
We provided a feature flag, `scope-when-expressions-to-task`, to
support migration. It defaulted to `false` for 9 months per our
[Beta API compatibility policy][policy], meaning that we continued
to guard the `Task` and its dependent `Tasks`. In this change, we
flip the flag to `true` to guard the `Task` only by default.

[tep-0007]: https://github.com/tektoncd/community/blob/main/teps/0007-conditions-beta.md
[tep-0059]: https://github.com/tektoncd/community/blob/main/teps/0059-skipping-strategies.md
[policy]: https://github.com/tektoncd/pipeline/blob/main/api_compatibility_policy.md

* Update the `scope-when-expressions-to-task` feature flag docs

In tektoncd#4580, we changed the
flag default from "false" to "true". However, the documentation
above the flag was still describing what setting it to "true" would
do. In this change, we update the documentation to focus on the
non-default option that users can choose to set - "false". We also
add a reference to TEP-0059 and relevant docs for more details.

* Patch temp GOPATH hack script to handle nounset option

Prior to this commit the setup-temporary-gopath.sh used the GOPATH variable without
first checking that it was set. When `set -o nounset` is working this
causes the script to exit with an error.

This commit adds a variable wrapping $GOPATH and setting a default if
it's missing, which should work around the `nounset`.

* use helper functions - MarkResource*

Replace updating the conditions directly with the helper functions -
MarkResourceRunning and MarkRunning.

No functional change expected.

* Update the deprecations table

The tekton.dev/task label for ClusterTasks have been removed in
tektoncd#2533, but the table
has not been updated yet, so doing it in here.

Signed-off-by: Andrea Frittoli <[email protected]>

* Remove deprecated flags home-env and working-dir

This change removes two flags:

- disable-home-env-overwrite
- disable-working-dir-overwrite

That two flags that were originally introduced with default to false
and the feature associated to them was deprecated.
Nine months later (as per policy), in Dec 2020, the default value was
switched to default true and the flags were deprecated. Nine months
later we are finally removing the flags.

Signed-off-by: Andrea Frittoli <[email protected]>

* Fix for some arm64 machines.

As said in GoogleContainerTools/distroless#657, in the past, distroless/base:debug used an arm32 busybox binary in its arm64 image. Which doesn't work on some arm64 machines, e.g., Ubuntu 21 arm64 on Parallel Desktop on Apple Silicon M1. It caused this error:
"
$ docker run -it gcr.io/distroless/base@sha256:cfdc553400d41b47fd231b028403469811fcdbc0e69d66ea8030c5a0b5fbac2b
standard_init_linux.go:228: exec user process caused: exec format error
"

This PR GoogleContainerTools/distroless#960 fixes this bug. Hence, update the distroless/base:debug used by Tekton Pipeline in this commit.

* Add Step and Sidecar Overrides to TaskRun API

This commit adds TaskRunStepOverrides and TaskRunSidecarOverrides to TaskRun.Spec and
PipelineRun.Spec.PipelineTaskRunSpec, gated behind the "alpha" API flag.
This is part 1 of implementing TEP-0094: Configuring Resource Requirements at Runtime.
https://github.com/tektoncd/community/blob/main/teps/0094-configuring-resources-at-runtime.md

* WIP spire.

Signed-off-by: Dan Lorenc <[email protected]>

changed to use spiffe-csi

Add pod SPIFFE id annotation for workload registrar

Signed-off-by: Brandon Lum <[email protected]>

removed spire jwt

updated obtaining trust bundle

Added SPIFFE entry registration and SVID entrypointer backoff (#2)

* Added SPIFFE entry registration and SVID entrypointer backoff

Signed-off-by: Brandon Lum <[email protected]>

* Allow SPIRE configuration through opts

Signed-off-by: Brandon Lum <[email protected]>

* Add validation of SpireConfig

Signed-off-by: Brandon Lum <[email protected]>

* merged upstream

Signed-off-by: pxp928 <[email protected]>

* added manifest check

* [WIP] Add SPIRE docs (#4)

* merged upstream

* Add several features/optimizations for SPIRE (#3)

* Record pod latency before SPIRE entry creation

Signed-off-by: Brandon Lum <[email protected]>

* SPIRE client connection caching

Signed-off-by: Brandon Lum <[email protected]>

* Optimize spire entry creation

Signed-off-by: Brandon Lum <[email protected]>

* Add TTL for workload entry based on taskrun timeout

Signed-off-by: Brandon Lum <[email protected]>

* Add SPIRE non-falsification doc

Signed-off-by: Brandon Lum <[email protected]>

Co-authored-by: pxp928 <[email protected]>

* merged upstream

Signed-off-by: pxp928 <[email protected]>

Co-authored-by: pritidesai <[email protected]>
Co-authored-by: Yongxuan Zhang <[email protected]>
Co-authored-by: Anupama Baskar <[email protected]>
Co-authored-by: Alan Greene <[email protected]>
Co-authored-by: Khurram Baig <[email protected]>
Co-authored-by: Jason Hall <[email protected]>
Co-authored-by: Jerop <[email protected]>
Co-authored-by: Scott <[email protected]>
Co-authored-by: Andrea Frittoli <[email protected]>
Co-authored-by: Meng-Yuan Huang <[email protected]>
Co-authored-by: Lee Bernick <[email protected]>
Co-authored-by: Dan Lorenc <[email protected]>
Co-authored-by: Brandon Lum <[email protected]>
pxp928 pushed a commit that referenced this pull request Feb 17, 2022
Signed-off-by: Dan Lorenc <[email protected]>

changed to use spiffe-csi

Add pod SPIFFE id annotation for workload registrar

Signed-off-by: Brandon Lum <[email protected]>

removed spire jwt

updated obtaining trust bundle

Added SPIFFE entry registration and SVID entrypointer backoff (#2)

* Added SPIFFE entry registration and SVID entrypointer backoff

Signed-off-by: Brandon Lum <[email protected]>

* Allow SPIRE configuration through opts

Signed-off-by: Brandon Lum <[email protected]>

* Add validation of SpireConfig

Signed-off-by: Brandon Lum <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants