Fix PipelineRun serviceAccountNames for finally tasks #3560
Mapping a service account to a finally task in a PipelineRun's serviceAccountNames field would result in an error saying that the task doesn't exist in the Pipeline. This commit fixes the ValidateServiceaccountMapping function by iterating over the finally tasks in addition to the normal tasks of a Pipeline.
Hi @ljupchokotev. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign afrittoli pritidesai
/ok-to-test
thanks @ljupchokotev for the fix. /approve Please note that the @vdemeester these changes are fixing finally task to use |
or avoid fixing it? putting it on hold until we clarify /hold |
@pritidesai just looked at the code and it seems that even by using Should I fix that part and include it in this PR? EDIT: I tested this using the following objects:

```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: echo
spec:
  steps:
    - name: echo
      image: busybox:latest
      script: |
        echo foo
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: echo
spec:
  tasks:
    - name: echo
      taskRef:
        name: echo
  finally:
    - name: echo-final
      taskRef:
        name: echo
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: echo-run
spec:
  pipelineRef:
    name: echo
  taskRunSpecs:
    - pipelineTaskName: echo-final
      taskServiceAccountName: tester
```

The
Definitely yes 😉
for _, task := range p.Finally { | ||
pipelineTasks[task.Name] = task.Name | ||
} | ||
|
||
for _, name := range pr.Spec.ServiceAccountNames { |
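Review bot: the name set filled by the `for _, task := range p.Finally` loop should be built once in a helper that both validators call, since the thread reports the same omission for taskRunSpecs and two hand-maintained copies of this loop can drift apart again. The loop also stores `task.Name` as both key and value, so `pipelineTasks` is really a set; a `map[string]struct{}` would make that explicit. Because the lookup that follows over `pr.Spec.ServiceAccountNames` decides which service account a task may be given, a test case with a finally-task name and one with an unknown name would pin the behaviour down.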
Interesting, this is a miss when we deprecated `ServiceAccountNames` 🤔 it shouldn't be looking here (or at least it should be sharing the same code as what the reconciler does)
I am still trying to understand this but it looks a bit weird so far 😕

Reconciler runs validation on `pipelineRun.Spec.ServiceAccountNames` and `pipelineRun.Spec.taskRunSpecs`, making sure the tasks specified in these sections exist under `tasks` and `finally`:

```go
if err := resources.ValidateServiceaccountMapping(pipelineSpec, pr); err != nil {
```

and

```go
if err := resources.ValidateTaskRunSpecs(pipelineSpec, pr); err != nil {
```

But, `resolvePipelineState` resolves task with `pr.Spec.ServiceAccountName`:

```go
pipelineRunState, err := c.resolvePipelineState(ctx, tasks, pipelineMeta, pr, providedResources)
```

```go
fn, _, err := tresources.GetTaskFunc(ctx, c.KubeClientSet, c.PipelineClientSet, task.TaskRef, pr.Namespace, pr.Spec.ServiceAccountName)
```

Only applies to `bundle` at this point, i.e. bundles do not honor `pr.Spec.ServiceAccountNames` or `pr.Spec.TaskRunSpecs` 🤔

```go
ServiceAccountName: saName,
```

Looking further 🔍
alright, `createTaskRun` resolves service account name in expected order:

```go
serviceAccountName, podTemplate := pr.GetTaskRunSpecs(rprt.PipelineTask.Name)
```

First, read serviceAccountName specified in `pr.Spec.ServiceAccountNames`:

```go
func (pr *PipelineRun) GetServiceAccountName(pipelineTaskName string) string {
```

which gets replaced with `pr.Spec.TaskRunSpecs` if specified:

pipeline/pkg/apis/pipeline/v1beta1/pipelinerun_types.go, Lines 438 to 439 in 4fdd018

```go
if task.TaskServiceAccountName != "" {
	serviceAccountName = task.TaskServiceAccountName
```
> it shouldn't be looking here `pr.Spec.ServiceAccountNames` (or at least it should be sharing the same code as what the reconciler does)

It's looking here to validate which is fine from the validation perspective, reconciler reads `serviceAccountName`, `serviceAccountNames`, and `taskRunSpecs`, and sets the service account name in expected order.
Using TaskRunSpecs on finally tasks resulted in an error because the validation function only checked the normal tasks. This commit updates the validation function so that it iterates over the finally tasks too, fixing the issue. TaskRunSpecs can now be used to add a custom TaskPodTemplate and TaskServiceAccountName to a finally task.
Done, also edited the PR description to match the current state
@vdemeester any more changes needed here?
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pritidesai, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
/hold cancel
/lgtm
Changes
Mapping a service account to a finally task in a PipelineRun's
serviceAccountNames field or taskRunSpecs would result in an error saying that the task doesn't
exist in the Pipeline.
This commit fixes the ValidateServiceaccountMapping and ValidateTaskRunSpecs functions by iterating over
the finally tasks in addition to the normal tasks of a Pipeline.
Also, added test cases for the bug.
/kind bug