Reproducible/deterministic bundles

docs/cmd/tkn_bundle_push.md

@@ -30,6 +30,7 @@ Input:
 
 ```
       --annotate strings         OCI Manifest annotation in the form of key=value to be added to the OCI image. Can be provided multiple times to add multiple annotations.
+      --ctime string             YYYY-MM-DD, YYYY-MM-DDTHH:MM:SS or RFC3339 formatted created time to set, defaults to current time. In non RFC3339 syntax dates are in UTC timezone.
   -f, --filenames strings        List of fully-qualified file paths containing YAML or JSON defined Tekton objects to include in this bundle
   -h, --help                     help for push
       --remote-bearer string     A Bearer token to authenticate against the repository

docs/man/man1/tkn-bundle-push.1

@@ -45,6 +45,10 @@ Input:
 \fB\-\-annotate\fP=[]
     OCI Manifest annotation in the form of key=value to be added to the OCI image. Can be provided multiple times to add multiple annotations.
 
+.PP
+\fB\-\-ctime\fP=""
+    YYYY\-MM\-DD, YYYY\-MM\-DDTHH:MM:SS or RFC3339 formatted created time to set, defaults to current time. In non RFC3339 syntax dates are in UTC timezone.
+
 .PP
 \fB\-f\fP, \fB\-\-filenames\fP=[]
     List of fully\-qualified file paths containing YAML or JSON defined Tekton objects to include in this bundle

pkg/bundle/builder.go

@@ -3,9 +3,11 @@ package bundle
 import (
 	"archive/tar"
 	"bytes"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
+	"sort"
 	"strings"
 	"time"
 
@@ -21,7 +23,7 @@ import (
 
 // BuildTektonBundle will return a complete OCI Image usable as a Tekton Bundle built by parsing, decoding, and
 // compressing the provided contents as Tekton objects.
-func BuildTektonBundle(contents []string, annotations map[string]string, log io.Writer) (v1.Image, error) {
+func BuildTektonBundle(contents []string, annotations map[string]string, ctime time.Time, log io.Writer) (v1.Image, error) {
 	img := mutate.Annotations(empty.Image, annotations).(v1.Image)
 
 	if len(contents) > tkremote.MaximumBundleObjects {
@@ -30,6 +32,15 @@ func BuildTektonBundle(contents []string, annotations map[string]string, log io.
 
 	fmt.Fprint(log, "Creating Tekton Bundle:\n")
 
+	// sort the contents based on the digest of the content, this keeps the layer
+	// order in the image manifest deterministic
+	sort.Slice(contents, func(i, j int) bool {
+		iDigest := sha256.Sum256([]byte(contents[i]))
+		jDigest := sha256.Sum256([]byte(contents[j]))
+
+		return bytes.Compare(iDigest[:], jDigest[:]) < 0
+	})
+
 	// For each block of input, attempt to parse all of the YAML/JSON objects as Tekton objects and compress them into
 	// the OCI image as a tar layer.
 	for _, content := range contents {
@@ -85,7 +96,7 @@ func BuildTektonBundle(contents []string, annotations map[string]string, log io.
 	}
 
 	// Set created time for bundle image
-	img, err := mutate.CreatedAt(img, v1.Time{Time: time.Now()})
+	img, err := mutate.CreatedAt(img, v1.Time{Time: ctime})
 	if err != nil {
 		return nil, fmt.Errorf("failed to add created time to image: %w", err)
 	}

pkg/bundle/builder_test.go

@@ -6,7 +6,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math/rand"
+	"sort"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
@@ -16,6 +19,37 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
+var threeTasks = []string{
+	`apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: task1
+spec:
+  description: task1
+`,
+	`apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: task2
+spec:
+  description: task2
+`,
+	`apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: task3
+spec:
+  description: task3
+`,
+}
+
+func init() {
+	// shuffle the test tasks
+	sort.Slice(threeTasks, func(i, j int) bool {
+		return rand.Intn(2) == 0
+	})
+}
+
 // Note, that for this test we are only using one object type to precisely test the image contents. The
 // #TestDecodeFromRaw tests the general parsing logic.
 func TestBuildTektonBundle(t *testing.T) {
@@ -35,7 +69,7 @@ func TestBuildTektonBundle(t *testing.T) {
 	}
 
 	annotations := map[string]string{"org.opencontainers.image.license": "Apache-2.0", "org.opencontainers.image.url": "https://example.org"}
-	img, err := BuildTektonBundle([]string{string(raw)}, annotations, &bytes.Buffer{})
+	img, err := BuildTektonBundle([]string{string(raw)}, annotations, time.Now(), &bytes.Buffer{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -129,7 +163,7 @@ func TestBadObj(t *testing.T) {
 		t.Error(err)
 		return
 	}
-	_, err = BuildTektonBundle([]string{string(raw)}, nil, &bytes.Buffer{})
+	_, err = BuildTektonBundle([]string{string(raw)}, nil, time.Now(), &bytes.Buffer{})
 	noNameErr := errors.New("kubernetes resources should have a name")
 	if err == nil {
 		t.Errorf("expected error: %v", noNameErr)
@@ -152,7 +186,7 @@ func TestLessThenMaxBundle(t *testing.T) {
 		return
 	}
 	// no error for less then max
-	_, err = BuildTektonBundle([]string{string(raw)}, nil, &bytes.Buffer{})
+	_, err = BuildTektonBundle([]string{string(raw)}, nil, time.Now(), &bytes.Buffer{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -180,7 +214,7 @@ func TestJustEnoughBundleSize(t *testing.T) {
 		justEnoughObj = append(justEnoughObj, string(raw))
 	}
 	// no error for the max
-	_, err := BuildTektonBundle(justEnoughObj, nil, &bytes.Buffer{})
+	_, err := BuildTektonBundle(justEnoughObj, nil, time.Now(), &bytes.Buffer{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -209,8 +243,56 @@ func TestTooManyInBundle(t *testing.T) {
 	}
 
 	// expect error when we hit the max
-	_, err := BuildTektonBundle(toMuchObj, nil, &bytes.Buffer{})
+	_, err := BuildTektonBundle(toMuchObj, nil, time.Now(), &bytes.Buffer{})
 	if err == nil {
 		t.Errorf("expected error: %v", toManyObjErr)
 	}
 }
+
+func TestDeterministicLayers(t *testing.T) {
+	img, err := BuildTektonBundle(threeTasks, nil, time.Now(), &bytes.Buffer{})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	layers, err := img.Layers()
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if l := len(layers); l != 3 {
+		t.Errorf("expecting 3 layers got: %d", l)
+	}
+
+	compare := func(n int, expected string) {
+		digest, err := layers[n].Digest()
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+
+		got := digest.String()
+		if got != expected {
+			t.Errorf("unexpected digest for layer %d: %s, expecting %s", n, got, expected)
+		}
+	}
+
+	compare(0, "sha256:561b99bf08733028cbc799caf7f8b74e1f633d3acb7c6d25d880bae4b32cd0b5")
+	compare(1, "sha256:bd941a3b5d1618820ba5283fd0dd4138379fef0e927864d35629cfdc1bdd2f3f")
+	compare(2, "sha256:751deb7e696b6a4f30a2e23f25f97a886cbff22fe832a0c7ed956598ec489f58")
+}
+
+func TestDeterministicManifest(t *testing.T) {
+	img, err := BuildTektonBundle(threeTasks, nil, time.Time{}, &bytes.Buffer{})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	digest, err := img.Digest()
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if expected, got := "sha256:7a4f604555b84cdb06cbfebda3fb599cd7485ef2c9c9375ab589f192a3addb4c", digest.String(); expected != got {
+		t.Errorf("unexpected image digest: %s, expecting %s", got, expected)
+	}
+}

pkg/cmd/bundle/list_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"testing"
+	"time"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/registry"
@@ -47,15 +48,15 @@ func TestListCommand(t *testing.T) {
 		{
 			name:           "no-format",
 			format:         "",
-			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\ntask.tekton.dev/foobar\npipeline.tekton.dev/foobar\n",
+			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\npipeline.tekton.dev/foobar\ntask.tekton.dev/foobar\n",
 		}, {
 			name:           "name-format",
 			format:         "name",
-			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\ntask.tekton.dev/foobar\npipeline.tekton.dev/foobar\n",
+			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\npipeline.tekton.dev/foobar\ntask.tekton.dev/foobar\n",
 		}, {
 			name:           "yaml-format",
 			format:         "yaml",
-			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\n" + examplePullTask + examplePullPipeline,
+			expectedStdout: "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\n" + examplePullPipeline + examplePullTask,
 		}, {
 			name:           "specify-kind-task",
 			format:         "name",
@@ -104,7 +105,7 @@ func TestListCommand(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			img, err := bundle.BuildTektonBundle([]string{examplePullTask, examplePullPipeline}, nil, &bytes.Buffer{})
+			img, err := bundle.BuildTektonBundle([]string{examplePullTask, examplePullPipeline}, nil, time.Now(), &bytes.Buffer{})
 			if err != nil {
 				t.Fatal(err)
 			}

pkg/cmd/bundle/push.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"time"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
@@ -34,6 +35,7 @@ type pushOptions struct {
 	remoteOptions      bundle.RemoteOptions
 	annotationParams   []string
 	annotations        map[string]string
+	ctime              time.Time
 }
 
 func pushCommand(_ cli.Params) *cobra.Command {
@@ -55,6 +57,8 @@ Input:
 	Valid input in any form is valid Tekton YAML or JSON with a fully-specified "apiVersion" and "kind". To pass multiple objects in a single input, use "---" separators in YAML or a top-level "[]" in JSON.
 `
 
+	var ctime string
+
 	c := &cobra.Command{
 		Use:   "push",
 		Short: "Create or replace a Tekton bundle",
@@ -69,8 +73,16 @@ Input:
 				return errInvalidRef
 			}
 
-			_, err := name.ParseReference(args[0], name.StrictValidation, name.Insecure)
-			return err
+			if _, err := name.ParseReference(args[0], name.StrictValidation, name.Insecure); err != nil {
+				return err
+			}
+
+			var err error
+			if opts.ctime, err = parseTime(ctime); err != nil {
+				return err
+			}
+
+			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.stream = &cli.Stream{
@@ -84,6 +96,7 @@ Input:
 	}
 	c.Flags().StringSliceVarP(&opts.bundleContentPaths, "filenames", "f", []string{}, "List of fully-qualified file paths containing YAML or JSON defined Tekton objects to include in this bundle")
 	c.Flags().StringSliceVarP(&opts.annotationParams, "annotate", "", []string{}, "OCI Manifest annotation in the form of key=value to be added to the OCI image. Can be provided multiple times to add multiple annotations.")
+	c.Flags().StringVar(&ctime, "ctime", "", "YYYY-MM-DD, YYYY-MM-DDTHH:MM:SS or RFC3339 formatted created time to set, defaults to current time. In non RFC3339 syntax dates are in UTC timezone.")
 	bundle.AddRemoteFlags(c.Flags(), &opts.remoteOptions)
 
 	return c
@@ -124,7 +137,7 @@ func (p *pushOptions) Run(args []string) error {
 		return err
 	}
 
-	img, err := bundle.BuildTektonBundle(p.bundleContents, p.annotations, p.stream.Out)
+	img, err := bundle.BuildTektonBundle(p.bundleContents, p.annotations, p.ctime, p.stream.Out)
 	if err != nil {
 		return err
 	}
@@ -136,3 +149,28 @@ func (p *pushOptions) Run(args []string) error {
 	fmt.Fprintf(p.stream.Out, "\nPushed Tekton Bundle to %s\n", outputDigest)
 	return err
 }
+
+// to help with testing
+var now = time.Now
+
+func parseTime(t string) (parsed time.Time, err error) {
+	if t == "" {
+		return now(), nil
+	}
+
+	parsed, err = time.Parse(time.DateOnly, t)
+
+	if err != nil {
+		parsed, err = time.Parse("2006-01-02T15:04:05", t)
+	}
+
+	if err != nil {
+		parsed, err = time.Parse(time.RFC3339, t)
+	}
+
+	if err != nil {
+		return parsed, fmt.Errorf("unable to parse provided time %q: %w", t, err)
+	}
+
+	return parsed, nil
+}