[TEP-0091] update taskrun and pipelinerun condition based on VerificationResult #6757
Conversation
|
Skipping CI for Draft Pull Request. |
tekton-robot
added
release-note-none
tekton-robot
added
the
size/M
|
/test all |
Yongxuanzhang
changed the title
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
tekton-robot
added
release-note
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
ee36af9 to
f95fa03
Compare
tekton-robot
added
size/L
| failNoMatchCondition := &apis.Condition{ | ||
| Type: trustedresources.ConditionTrustedResourcesVerified, | ||
| Status: corev1.ConditionFalse, | ||
| Message: fmt.Sprintf("failed to get matched policies: %s: no matching policies are found for resource: %s against source: %s", trustedresources.ErrNoMatchedPolicies, ts.Name, ""), |
There was a problem hiding this comment.
There are duplicate messages, will clean up the error handling when the feature is done, added an item #6356
Yongxuanzhang
changed the title
|
The following is the coverage report on the affected files.
|
| // ConditionTrustedResourcesVerified specifies that the resources pass trusted resources verification or not. | ||
| ConditionTrustedResourcesVerified apis.ConditionType = "TrustedResourcesVerified" |
There was a problem hiding this comment.
this may not be the best place to put the ConditionType. But I don't know if there are any other places better than this
|
The following is the coverage report on the affected files.
|
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
f95fa03 to
1fe170b
Compare
Yongxuanzhang
changed the title
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
1fe170b to
62318c9
Compare
|
The following is the coverage report on the affected files.
|
| failNoKeysCondition := &apis.Condition{ | ||
| Type: trustedresources.ConditionTrustedResourcesVerified, | ||
| Status: corev1.ConditionFalse, | ||
| Message: fmt.Sprintf("fails to get verifiers for resource %s from namespace %s: %s", ts.Name, ts.Namespace, verifier.ErrEmptyPublicKeys), |
There was a problem hiding this comment.
| Message: fmt.Sprintf("fails to get verifiers for resource %s from namespace %s: %s", ts.Name, ts.Namespace, verifier.ErrEmptyPublicKeys), | |
| Message: fmt.Sprintf("failed to get verifiers for resource %s from namespace %s: %s", ts.Name, ts.Namespace, verifier.ErrEmptyPublicKeys), |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lbernick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
62318c9 to
f4e05d7
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
| Message: err.Error(), | ||
| }) | ||
| return nil, controller.NewPermanentError(err) | ||
| case trustedresources.VerificationSkip: |
There was a problem hiding this comment.
can this not be the default?
There was a problem hiding this comment.
Did you mean something like this?
switch verificationResult.VerificationResultType {
case trustedresources.VerificationError:
xxx
case trustedresources.VerificationWarn:
xxx
case trustedresources.VerificationPass:
xxx
default:
There was a problem hiding this comment.
yes. Because that condition was not doing anything. However, it is clearer for readability compared to default so I'm ok with leaving this as is too.
| Type: trustedresources.ConditionTrustedResourcesVerified, | ||
| Status: corev1.ConditionTrue, | ||
| }) | ||
| } |
There was a problem hiding this comment.
The same switch-case seems to be repeated. Can this be wrapped into a function to avoid repitition?
There was a problem hiding this comment.
There are 3 places using the same switch, 2 on pipelinerun and 1 on taskrun. The 2 pipelinerun returns are different.
Do you have any suggestions? 🤔
There was a problem hiding this comment.
let me try out, I think we could wrap it into a function
There was a problem hiding this comment.
The PipelineRuns returns only seem to be happening for the case of verificationError. In one case, you return controller.New... and in other case you return nil, controller.New....
What if this function returned error, conditionToSet? You could catch that and handle it in both cases?
There was a problem hiding this comment.
Something like?
func Verify(verificationResult <typeOfverificationResult>) (error, apis.Condition){
var condition apis.Condition
var err error
switch verificationResult.VerificationResultType {
case trustedresources.VerificationError:
err := fmt.Errorf("PipelineRun %s/%s referred pipeline failed signature verification: %w", pr.Namespace, pr.Name, verificationResult.Err)
// add this line after the output of the function
// pr.Status.MarkFailed(ReasonResourceVerificationFailed, err.Error())
condition = &apis.Condition{
Type: trustedresources.ConditionTrustedResourcesVerified,
Status: corev1.ConditionFalse,
Message: err.Error(),
}
// add this line after the output of the function
// return controller.NewPermanentError(err)
case trustedresources.VerificationSkip:
// do nothing
case trustedresources.VerificationWarn:
condition = &apis.Condition{
Type: trustedresources.ConditionTrustedResourcesVerified,
Status: corev1.ConditionFalse,
Message: verificationResult.Err.Error(),
}
// set the condition when you catch the output of the function
case trustedresources.VerificationPass:
condition = apis.Condition{
Type: trustedresources.ConditionTrustedResourcesVerified,
Status: corev1.ConditionTrue,
}
}
return err, condition
}
err, cond := Verify(verificationResult)
pr.Status.SetCondition(&cond)
if err != nil {
pr.Status.MarkFailed(ReasonResourceVerificationFailed, err.Error())
return controller.NewPermanentError(err)
}There was a problem hiding this comment.
☝️ is how you would use it well.
There was a problem hiding this comment.
Yeah this should work, just pushed the code.
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
f4e05d7 to
d080cf3
Compare
|
/lgtm |
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
d080cf3 to
4840463
Compare
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
4840463 to
a60e8b0
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/lgtm |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
This commits updates taskrun and pipelinerun condition based on VerificationResult to add TrustedResourcesVerified condition. The condition will be marked as false if verification policy fails, or no matching policies when feature flag is set to fail. The condition will be set to true if verification passes. No condition is added when verification is skipped. Signed-off-by: Yongxuan Zhang [email protected]
Yongxuanzhang
force-pushed
the
add-tr-condition
branch
from
a60e8b0 to
97f37ca
Compare
|
/lgtm |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
Changes
This commits updates taskrun and pipelinerun condition based on VerificationResult to add TrustedResourcesVerified condition. The condition will be marked as false if verification policy fails, or no matching policies when feature flag is set to fail. The condition will be set to true if verification passes. No condition is added when verification is skipped.
Last feature PR of #6665
/kind feature
Signed-off-by: Yongxuan Zhang [email protected]
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes