Add labels and annotations to attestation (#692)

Labels and annotations are added to the PipelineRun and TaskRun
attestations in `.predicate.invocation.environment`. Additionally, for
PipelineRun attestations, each task also contains its own
`.invocation.environment` with the corresponding labels and annotations.

Fixes #591

Signed-off-by: Luiz Carvalho <[email protected]>

docs/intoto.md

@@ -455,3 +455,17 @@ results:
  digest: sha256@89dedecaca1b85346600c7db9939a4fe090a42ez
 ```
 
+### Invocation Environment
+
+TaskRun attestations include the annotations and labels of the underlying TaskRun resource. The
+same is true for PipelineRun attestations. These are included under the path
+`.predicate.invocation.environment.annotations` and `.predicate.invocation.environment.labels`
+repectively.
+
+PipelineRun attestations also include the annotations and labels of the TaskRuns used at
+`.predicate.buildConfig.tasks[].invocation.environment`.
+
+The following annotations are always excluded:
+
+* `kubectl.kubernetes.io/last-applied-configuration`
+* Annotations starting with `chains.tekton.dev/`

pkg/chains/formats/slsa/attest/attest.go

@@ -22,6 +22,8 @@ import (
 
  slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
  "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
@@ -55,7 +57,7 @@ func Step(step *v1beta1.Step, stepState *v1beta1.StepState) StepAttestation {
  return attestation
 }
 
-func Invocation(source *v1beta1.ConfigSource, params []v1beta1.Param, paramSpecs []v1beta1.ParamSpec) slsa.ProvenanceInvocation {
+func Invocation(source *v1beta1.ConfigSource, params []v1beta1.Param, paramSpecs []v1beta1.ParamSpec, meta metav1.Object) slsa.ProvenanceInvocation {
  i := slsa.ProvenanceInvocation{
  ConfigSource: convertConfigSource(source),
  }
@@ -74,6 +76,30 @@ func Invocation(source *v1beta1.ConfigSource, params []v1beta1.Param, paramSpecs
  }
 
  i.Parameters = iParams
+
+ environment := map[string]map[string]string{}
+
+ annotations := map[string]string{}
+ for name, value := range meta.GetAnnotations() {
+ // Ignore annotations that are not relevant to provenance information
+ if name == corev1.LastAppliedConfigAnnotation || strings.HasPrefix(name, "chains.tekton.dev/") {
+ continue
+ }
+ annotations[name] = value
+ }
+ if len(annotations) > 0 {
+ environment["annotations"] = annotations
+ }
+
+ labels := meta.GetLabels()
+ if len(labels) > 0 {
+ environment["labels"] = labels
+ }
+
+ if len(environment) > 0 {
+ i.Environment = environment
+ }
+
  return i
 }
 

pkg/chains/formats/slsa/v1/intotoite6_test.go

@@ -96,6 +96,9 @@ func TestTaskRunCreatePayload1(t *testing.T) {
  "CHAINS-GIT_COMMIT": {Type: "string", StringVal: "sha:taskrun"},
  "CHAINS-GIT_URL": {Type: "string", StringVal: "https://git.test.com"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "build"},
+ },
  },
  Builder: slsa.ProvenanceBuilder{
  ID: "test_builder-1",
@@ -245,6 +248,9 @@ func TestPipelineRunCreatePayload(t *testing.T) {
  "revision": {Type: "string", StringVal: ""},
  "url": {Type: "string", StringVal: "https://git.test.com"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "git-clone"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -313,6 +319,9 @@ func TestPipelineRunCreatePayload(t *testing.T) {
  "CHAINS-GIT_URL": {Type: "string", StringVal: "https://git.test.com"},
  "IMAGE": {Type: "string", StringVal: "test.io/test/image"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "build"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -457,6 +466,9 @@ func TestPipelineRunCreatePayloadChildRefs(t *testing.T) {
  "revision": {Type: "string", StringVal: ""},
  "url": {Type: "string", StringVal: "https://git.test.com"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "git-clone"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -525,6 +537,9 @@ func TestPipelineRunCreatePayloadChildRefs(t *testing.T) {
  "CHAINS-GIT_URL": {Type: "string", StringVal: "https://git.test.com"},
  "IMAGE": {Type: "string", StringVal: "test.io/test/image"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "build"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -616,6 +631,9 @@ func TestTaskRunCreatePayload2(t *testing.T) {
  "revision": {Type: "string"},
  "url": {Type: "string", StringVal: "https://git.test.com"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "git-clone"},
+ },
  },
  BuildType: "tekton.dev/v1beta1/TaskRun",
  BuildConfig: taskrun.BuildConfig{

pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go

@@ -82,7 +82,7 @@ func invocation(pro *objects.PipelineRunObject) slsa.ProvenanceInvocation {
  if p := pro.Status.Provenance; p != nil {
  source = p.ConfigSource
  }
- return attest.Invocation(source, pro.Spec.Params, paramSpecs)
+ return attest.Invocation(source, pro.Spec.Params, paramSpecs, pro.GetObjectMeta())
 }
 
 func buildConfig(pro *objects.PipelineRunObject, logger *zap.SugaredLogger) BuildConfig {
@@ -153,7 +153,7 @@ func buildConfig(pro *objects.PipelineRunObject, logger *zap.SugaredLogger) Buil
  FinishedOn: tr.Status.CompletionTime.Time.UTC(),
  Status: getStatus(tr.Status.Conditions),
  Steps: steps,
- Invocation: attest.Invocation(source, params, paramSpecs),
+ Invocation: attest.Invocation(source, params, paramSpecs, &tr.ObjectMeta),
  Results: tr.Status.TaskRunResults,
  }
 

pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go

@@ -116,6 +116,9 @@ func TestBuildConfig(t *testing.T) {
  "revision": {Type: "string", StringVal: ""},
  "url": {Type: "string", StringVal: "https://git.test.com"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "git-clone"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -184,6 +187,9 @@ func TestBuildConfig(t *testing.T) {
  "CHAINS-GIT_URL": {Type: "string", StringVal: "https://git.test.com"},
  "IMAGE": {Type: "string", StringVal: "test.io/test/image"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {"tekton.dev/pipelineTask": "build"},
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -300,6 +306,11 @@ func TestBuildConfigTaskOrder(t *testing.T) {
  "url": {Type: "string", StringVal: "https://git.test.com"},
  "revision": {Type: "string", StringVal: ""},
  },
+ Environment: map[string]map[string]string{
+ "labels": {
+ "tekton.dev/pipelineTask": "git-clone",
+ },
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {
@@ -370,6 +381,11 @@ func TestBuildConfigTaskOrder(t *testing.T) {
  "CHAINS-GIT_URL": {Type: "string", StringVal: "https://git.test.com"},
  "IMAGE": {Type: "string", StringVal: "test.io/test/image"},
  },
+ Environment: map[string]map[string]string{
+ "labels": {
+ "tekton.dev/pipelineTask": "build",
+ },
+ },
  },
  Results: []v1beta1.TaskRunResult{
  {

pkg/chains/formats/slsa/v1/taskrun/provenance_test.go

@@ -106,6 +106,14 @@ func TestInvocation(t *testing.T) {
 kind: TaskRun
 metadata:
  uid: my-uid
+ annotations:
+ ann1: ann-one
+ ann2: ann-two
+ kubectl.kubernetes.io/last-applied-configuration: ignored
+ chains.tekton.dev/any: "ignored"
+ labels:
+ label1: label-one
+ label2: label-two
 spec:
  params:
  - name: my-param
@@ -166,6 +174,16 @@ status:
  "my-default-empty-string-param": {Type: "string", StringVal: ""},
  "my-default-empty-array-param": {Type: "array", ArrayVal: []string{}},
  },
+ Environment: map[string]map[string]string{
+ "annotations": {
+ "ann1": "ann-one",
+ "ann2": "ann-two",
+ },
+ "labels": {
+ "label1": "label-one",
+ "label2": "label-two",
+ },
+ },
  }
 
  got := invocation(objects.NewTaskRunObject(taskRun))

pkg/chains/formats/slsa/v1/taskrun/taskrun.go

@@ -62,7 +62,7 @@ func invocation(tro *objects.TaskRunObject) slsa.ProvenanceInvocation {
  if p := tro.Status.Provenance; p != nil {
  source = p.ConfigSource
  }
- return attest.Invocation(source, tro.Spec.Params, paramSpecs)
+ return attest.Invocation(source, tro.Spec.Params, paramSpecs, tro.GetObjectMeta())
 }
 
 func metadata(tro *objects.TaskRunObject) *slsa.ProvenanceMetadata {

test/examples_test.go

@@ -38,7 +38,9 @@ import (
  "time"
 
  "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
  intoto "github.com/in-toto/in-toto-golang/in_toto"
+ slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
  "github.com/secure-systems-lab/go-securesystemslib/dsse"
 
  "github.com/ghodss/yaml"
@@ -129,7 +131,15 @@ func runInTotoFormatterTests(ctx context.Context, t *testing.T, ns string, c *cl
  }
  expected := expectedProvenance(t, path, completed)
 
- if diff := cmp.Diff(expected, gotProvenance, OptSortMaterial); diff != "" {
+ opts := []cmp.Option{
+ // Annotations and labels may contain release specific information. Ignore
+ // those to avoid brittle tests.
+ cmpopts.IgnoreFields(slsa.ProvenanceInvocation{}, "Environment"),
+ cmpopts.IgnoreMapEntries(ignoreEnvironmentAnnotationsAndLabels),
+ OptSortMaterial,
+ }
+
+ if diff := cmp.Diff(expected, gotProvenance, opts...); diff != "" {
  t.Errorf("provenance dont match: -want +got: %s", diff)
  }
 
@@ -375,3 +385,18 @@ func pipelineRunFromExample(t *testing.T, ns, example string) objects.TektonObje
  pr.Namespace = ns
  return objects.NewPipelineRunObject(pr)
 }
+
+func ignoreEnvironmentAnnotationsAndLabels(key string, value any) bool {
+ if key != "environment" {
+ return false
+ }
+ // There are multiple maps with the key "environment", so we must carefully
+ // choose the right one.
+ switch v := value.(type) {
+ case map[string]any:
+ _, hasAnnotations := v["annotations"]
+ _, hasLabels := v["labels"]
+ return hasAnnotations || hasLabels
+ }
+ return false
+}