[TEP-0089] Inject SpireControllerAPIClient into the Taskrun controller and reconciler. #6627
Conversation
tekton-robot
added
the
release-note-none
tekton-robot
added
the
size/M
|
/kind feature |
tekton-robot
added
the
kind/feature
jagathprakash
changed the title
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
pkg/spire/spire_test.go
Outdated
| } | ||
| OnStore(ctx, logger)(pconf.GetSpireConfigName(), &want) | ||
| got := *GetControllerAPIClient(ctx).(*spireControllerAPIClient).config | ||
| if got != want { |
There was a problem hiding this comment.
It would be helpful to add some test cases for which the configmap will not be updated i.e. invalid values.
There was a problem hiding this comment.
As explained in OnStore comment, we will never get bad values here in the normal flow. We could get default values if the validation fails.
jagathprakash
force-pushed
the
spire-onstore
branch
from
d44084e
to
c6f0e13
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
| @@ -45,14 +47,30 @@ func init() { | |||
| // controllerKey is a way to associate the ControllerAPIClient from inside the context.Context | |||
| type controllerKey struct{} | |||
|
|
|||
| // OnStore stores the changed spire config into the SpireClientApi | |||
| func OnStore(ctx context.Context, logger *zap.SugaredLogger) func(name string, value interface{}) { | |||
There was a problem hiding this comment.
question: why do we need to implement OnStore? Are we supporting changing the SPIRE client without a controller restart if the config changes?
There was a problem hiding this comment.
The configStore reads in the config and stores it into its local structures. Spire controller maintains its own local config. This does not get updated with the changes in the actual configMap. Essentially the Spire ConfigMap does not make it to the Spire Controller without this callback.
One way to get around this without the callback could be to load from the ConfigStore into the SpireCntroller at the beginning of the reconciler as done for other configs whcih get copied into the. context.
which will result in something like this.
// If configStore is set, attach the frozen configuration to the context.
if r.configStore != nil {
ctx = r.configStore.ToContext(ctx)
r.SpireClient.SetConfig(ctx)
}
WDYT?
There was a problem hiding this comment.
ah I see...I think the current impl is fine
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
@jagathprakash the coverage for pkg/spire/controller.go seems low (42%) - is there a PR that will increase this? |
jagathprakash
force-pushed
the
spire-onstore
branch
from
c6f0e13
to
810803d
Compare
|
There is no PR planned for this, but I can create one which increases the coverage. |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
Can we clean up the PR description i.e. the descriptions before and after #changes? |
@chuangw6 I have updated the description. PTAL. |
|
@jagathprakash Thank you! If you don't mind, can we just use the following as both commit message and the PR description (remove the text before the title |
jagathprakash
force-pushed
the
spire-onstore
branch
from
810803d
to
72d1dc5
Compare
Done. |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
…r and reconciler This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself. Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used. After this change, - spireApiController will be available to be used by the pipeline controller and the taskrun object. - The spireApiController will be update with the spire config whenever the config changes. This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue https:/tektoncd/pipeline/issues/6597.[TEP-0089] SPIRE for non-falsifiable provenance. Inject SpireControllerAPIClient into the controller and the taskrun reconciler. This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue [tektoncd#6597](tektoncd#6597).
jagathprakash
force-pushed
the
spire-onstore
branch
from
72d1dc5
to
4f00e51
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/lgtm |
|
/retest |
maybe try close and reopen the pr? |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
That worked! Thanks! |
This PR injects the spireControllerAPIClient into the pipelines controller and the taskrun reconciler. It makes it available in these objects to be used for signing and verification of the taskrunResults and the taskrun object itself.
Before this change the spireAPIController object was not injected into the taskRun and as such SPIRE was not available to be used.
After this change,
This commit is part of a series of PRs to implement TEP-0089. The implementation of TEP-0089 is tracked in the issue #6597.
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes