Commit
move trusted resources verification after we resolve the remote resources

This PR moves the trusted resources verification to
readRuntimeObjectAsTask and readRuntimeObjectAsPipeline. The reasons we
need this change include: 1) unblock the work for v1; since v1 will
mutate, validate and convert the resources, and the mutation will break
trusted resources verification, we need to verify right after we
resolve the remote resources. 2) Prepare the support for verifying
different API versions. This commit also makes it clear that currently
we only support verification for remote resources.

Signed-off-by: Yongxuan Zhang [email protected]
Yongxuanzhang committed May 8, 2023
1 parent 09d422c commit 3bc54fb
Showing 11 changed files with 447 additions and 294 deletions.
4 changes: 3 additions & 1 deletion docs/trusted-resources.md
@@ -14,7 +14,9 @@ weight: 312

## Overview

Trusted Resources is a feature which can be used to sign Tekton Resources and verify them. Details of design can be found at [TEP--0091](https:/tektoncd/community/blob/main/teps/0091-trusted-resources.md). This feature is under `alpha` version and support `v1beta1` version of `Task` and `Pipeline`.
Trusted Resources is a feature which can be used to sign Tekton Resources and verify them. Details of design can be found at [TEP--0091](https:/tektoncd/community/blob/main/teps/0091-trusted-resources.md). This is an alpha feature and supports `v1beta1` version of `Task` and `Pipeline`.

**Note**: trusted resources support verification of resources from OCI bundle or remote resolution, to use [cluster resolver](./cluster-resolver.md) make sure to set all default values for the resources before applied to cluster, otherwise the verification will fail due to the mutating webhook.

Verification failure will mark corresponding taskrun/pipelinerun as Failed status and stop the execution.

4 changes: 2 additions & 2 deletions pkg/reconciler/pipelinerun/pipelinerun.go
@@ -220,7 +220,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, pr *v1beta1.PipelineRun)
if err != nil {
return fmt.Errorf("failed to list VerificationPolicies from namespace %s with error %w", pr.Namespace, err)
}
getPipelineFunc := resources.GetVerifiedPipelineFunc(ctx, c.KubeClientSet, c.PipelineClientSet, c.resolutionRequester, pr, vp)
getPipelineFunc := resources.GetPipelineFunc(ctx, c.KubeClientSet, c.PipelineClientSet, c.resolutionRequester, pr, vp)

if pr.IsDone() {
pr.SetDefaults(ctx)
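Review bot: renaming `GetVerifiedPipelineFunc` to `GetPipelineFunc` while still passing `vp` hides the security-relevant behaviour from the call site: a reader of `ReconcileKind` can no longer tell that the returned function enforces trusted-resource verification for remote pipelines, and a later refactor could drop the `vp` argument without anyone noticing that enforcement was lost. Please add a doc comment on `GetPipelineFunc` stating that it verifies remotely resolved pipelines against the supplied VerificationPolicies (and that in-cluster refs are not verified), or keep "Verified" in the name. The policy-listing error path above the call (`failed to list VerificationPolicies ...`) correctly fails closed; the comment should make clear that the verification inside the returned function fails closed too, so the PipelineRun is marked Failed as the docs promise.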
@@ -331,7 +331,7 @@ func (c *Reconciler) resolvePipelineState(
if err != nil {
return nil, fmt.Errorf("failed to list VerificationPolicies from namespace %s with error %w", pr.Namespace, err)
}
fn := tresources.GetVerifiedTaskFunc(ctx, c.KubeClientSet, c.PipelineClientSet, c.resolutionRequester, pr, task.TaskRef, trName, pr.Namespace, pr.Spec.ServiceAccountName, vp)
fn := tresources.GetTaskFunc(ctx, c.KubeClientSet, c.PipelineClientSet, c.resolutionRequester, pr, task.TaskRef, trName, pr.Namespace, pr.Spec.ServiceAccountName, vp)

getRunObjectFunc := func(name string) (v1beta1.RunObject, error) {
r, err := c.customRunLister.CustomRuns(pr.Namespace).Get(name)
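Review bot: same concern as the pipeline call above for `tresources.GetTaskFunc`: the name no longer signals that `vp` is used to verify remotely resolved tasks, so the intent that verification now happens inside `readRuntimeObjectAsTask` should be documented on `GetTaskFunc` itself. Note also that this call site lists VerificationPolicies and builds the function once per pipeline task (`task.TaskRef`, `trName`), so a task-level verification failure must surface as a terminal error from `resolvePipelineState` rather than a transient one, otherwise the PipelineRun could be requeued and retried instead of being marked Failed; worth confirming in the tests for this commit.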
