Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TEP0122 - Complete build instructions and parameters - implementable #894

Merged
merged 1 commit into from
Jan 23, 2023
Merged

TEP0122 - Complete build instructions and parameters - implementable #894

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 29 additions & 29 deletions teps/0122-complete-build-instructions-and-parameters.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---
status: proposed
status: implementable
title: Complete Build Instructions and Parameters
creation-date: '2022-09-14'
last-updated: '2022-11-29'
last-updated: '2022-12-14'
authors:
- '@chitrangpatel'
see-also:
Expand Down Expand Up @@ -161,39 +161,39 @@ TaskRef is useful for references to existing tasks on the cluster or remote task

### TaskRun Specification

The table below provides the name and description of the API fields that the TaskRun requires. In addition, it also lists if that information is required, not required, or provided by the provenance. If it is required, it also shows where the information should be provided. Note that since task run provides information during runtime, most of the information is contained in the **invocation.Parameters** section of the provenance.
The table below provides the name and description of the API fields that the TaskRun requires. In addition, it also lists if that information is required, not required, or provided by the provenance. If it is required, it also shows where the information should be provided. Note that since task run provides information during runtime, most of the information is contained in the **invocation.Parameters** section of the [provenance](#provenance-for-executed-taskrun).


| | **Metadata** | | |
| ------ | ------------- | ----- | ----- |
| **Field Name** | **Description** | **Not Required / Required / Provided by provenance** | **Insert in provenance** |
| name| Name of the task run| Required (provide an audit trail)| |
| name| Name of the task run| Not required for completeness | |
| | **Spec** | | |
| resources | resources used by task | Provided (can be extracted from steps/entrypoint) | |
| service account name | name of the service account | Required | buildConfig |
| params | parameter values provided by taskrun | Provided | |
| workspaces | workspaces used by the task | Required | buildConfig |
| pod template | | Required | buildConfig |
| Timeout | time in which a task should complete | Not Required (can probably use default?) | |
| StepOverrides | Override Step configuration specified in a Task. Currently we can override compute resources. | Not Required | |
| SidecarOverrides | Override Sidecar configuration specified in a Task. Currently we can override compute resources. | Not Required | |
| ComputeResources | Configure compute resources required by the steps in the task. | Required (because this could also indicate a minimum amount of resources required for the task run.) | buildConfig |
| resources | resources used by task | Deprecated but required if using older tekton version | invocation.Parameters |
| service account name | name of the service account | Required | invocation.Parameters |
| params | parameter values provided by taskrun | Provided | invocation.Parameters |
| workspaces | workspaces used by the task | Required | invocation.Parameters |
| pod template | | Required | invocation.Parameters |
| Timeout | time in which a task should complete | Required for completeness | invocation.Parameters |
| StepOverrides | Override Step configuration specified in a Task. Currently we can override compute resources. | Required for completeness | invocation.Parameters |
| SidecarOverrides | Override Sidecar configuration specified in a Task. Currently we can override compute resources. | Required for completeness | invocation.Parameters |
| ComputeResources | Configure compute resources required by the steps in the task. | Required (because this could also indicate a minimum amount of resources required for the task run.) | invocation.Parameters |
chitrangpatel marked this conversation as resolved.
Show resolved Hide resolved
| [TaskSpec](#task-specification) | Specification of the resolved task | See [spec](#task-specification) | buildConfig |
| [TaskRef](#taskref) | Details of the referenced task | Not Required (Since we save the complete TaskSpec even that of a remote task) | |
| | **Status** | | |
| Task Results | Results produced by the task run | Not Required | buildConfig |
| Task Results | Results produced by the task run | Not Required since this is an output | |


### Configuration Feature Flags

The feature flags that a user/operator specified during installation of Tekton pipelines that lead to the build are also required. These can be added to the **invocation.Environment** section of the [provenance](#provenance-for-executed-taskrun). The feature flags should be fetched by the task run reconciler and embedded in the **task run status** so that chains can access it easily.

### Materials
To capture [predicate.materials](https://slsa.dev/provenance/v0.2#materials) that were used during the build, we can set the source information in the resolution request CRD (see issue [#5522](https:/tektoncd/pipeline/issues/5522)). If no materials can be parsed from the parameters/results of the task run then we mark **metadata.completeness.materials** as false, making the build non-reproducible. If the materials are captured in the provenance but the build was not running hermetically, we will still mark the completeness as false because we cannot guarantee material completeness unless the build was running hermetically.
We fill in [predicate.materials](https://slsa.dev/provenance/v0.2#materials) for task run by capturing image url and digest of all the `step` and `sidecar` containers. This information should be accessible via `TaskRun.Status` field. If the materials are captured in the provenance but the build was not running hermetically, we will still mark the completeness as false because we cannot guarantee material completeness unless the build was running hermetically.

### Provenance for executed TaskRun

The generated provenance for the executed** task run** should contain the following information:
The generated provenance for the executed **task run** should contain the following information:

```
buildType: uri # contains the schema for invocation and buildConfig. We need to host this somewhere and maintain it of course.
Expand All @@ -204,17 +204,16 @@ The generated provenance for the executed** task run** should contain the follow
sha256 : “123fdf35b4e7b1a56a84b2796aab2827edd65c25” # e.g. could be the commit sha
Entrypoint: “task.yaml” # the yaml config to run
parameters:
[taskRun](https:/tektoncd/pipeline/blob/b301d88cf4af3301cfff40e3df6d85ad3848df0d/pkg/apis/pipeline/v1beta1/taskrun_types.go#L38-L86):
name:
serviceAccountName:
computeResources:
workspaces:
podTemplate:
taskRunResults:
params:
sidecarOverrides:
stepOverrides:
timeout:
resources: json
serviceAccountName: str
computeResources: json
workspaces: json
podTemplate: json
taskRunResults: json
params: json
sidecarOverrides: json
stepOverrides: json
timeout: str
environment:
tekton-config-feature-flags: # feature flags that led to the build
- enable-alpha-api: “alpha”
Expand All @@ -234,8 +233,9 @@ The generated provenance for the executed** task run** should contain the follow
parameters: bool
environment: bool
materials: bool
materials: # provided by users as task run parameters or produced by the task run as results
- uri:
materials: # captured from step and sidecar information in TaskRun.Status.
- uri: "gcr.io/tekton-releases/catalog/upstream/kaniko"
digest:
sha256: 8ee90344c1281efa6e8bcf09b1240ff8e9dda3a7403f0f040891f4644c1ca18e"
...
```
2 changes: 1 addition & 1 deletion teps/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,7 +289,7 @@ This is the complete list of Tekton teps:
|[TEP-0119](0119-add-taskrun-template-in-pipelinerun.md) | Add taskRun template in PipelineRun | implementable | 2022-09-01 |
|[TEP-0120](0120-canceling-concurrent-pipelineruns.md) | Canceling Concurrent PipelineRuns | proposed | 2022-09-23 |
|[TEP-0121](0121-refine-retries-for-taskruns-and-customruns.md) | Refine Retries for TaskRuns and CustomRuns | implemented | 2022-12-21 |
|[TEP-0122](0122-complete-build-instructions-and-parameters.md) | Complete Build Instructions and Parameters | proposed | 2022-11-29 |
|[TEP-0122](0122-complete-build-instructions-and-parameters.md) | Complete Build Instructions and Parameters | implementable | 2022-12-14 |
|[TEP-0123](0123-specifying-on-demand-retry-in-pipelinetask.md) | Specifying on-demand-retry in a PipelineTask | proposed | 2022-10-11 |
|[TEP-0124](0124-distributed-tracing-for-tasks-and-pipelines.md) | Distributed tracing for Tasks and Pipelines | implementable | 2022-10-16 |
|[TEP-0125](0125-add-credential-filter-to-entrypoint-logger.md) | Add credential filter to entrypoint logger | proposed | 2022-10-27 |
Expand Down