tektoncd / chains

Supply Chain Security in Tekton Pipelines
Apache License 2.0

Failed to sign pipelineRun with error: failed to set finalizers: admission webhook \"webhook.pipeline.tekton.dev\" denied the request: mutation failed: cannot decode incoming new object: json: unknown field \"EnableCELInWhenExpression\" #1009

Open Allen-yan opened 11 months ago

Allen-yan commented 11 months ago

Expected Behavior

Using tekton chain to sign a pipelineRun object.

Actual Behavior

After the pipelineRun finished, nothing was attached to the pipelineRun annotations, and the tekton-chains-controller pod throws an error:

{"level":"error","ts":"2023-12-06T07:09:27.326Z","logger":"watcher","caller":"controller/controller.go:566","msg":"Reconcile error","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"43907be3-2f94-492f-99dc-e5c59219ff8a","knative.dev/key":"default/cicd-pipeline-pd5pr-cut-commit-id","duration":0.013745541,"error":"failed to set finalizers: admission webhook \"webhook.pipeline.tekton.dev\" denied the request: mutation failed: cannot decode incoming new object: json: unknown field \"EnableCELInWhenExpression\"","stacktrace":"github.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(Impl).handleErr\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:566\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(Impl).processNextWorkItem\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:543\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:491"}

Steps to Reproduce the Problem

  1. start a pipelinerun
  2. pipelinerun completed
  3. watch the tekton chains controller logs

Additional Info

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.4
Client version: 0.32.2
Chains version: v0.19.0
Pipeline version: v0.50.3
Triggers version: v0.25.2
Dashboard version: v0.39.0
Operator version: v0.68.1

config-map: chains-config

apiVersion: v1
data:
  artifacts.oci.storage: ""
  artifacts.pipelinerun.format: slsa/v1
  artifacts.pipelinerun.storage: tekton
  artifacts.taskrun.format: in-toto
  artifacts.taskrun.storage: ""
kind: ConfigMap

lcarva commented 10 months ago

I'm unable to reproduce the issue with those versions.

Given the error, I wonder if there's some corner case incompatibility issue with the version of Chains and the version of Pipeline. EnableCELInWhenExpression doesn't exist in Pipeline v0.50.3, for example.

Can you share the output of kubectl -n tekton-pipelines get ConfigMap feature-flags -o yaml ?
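
Added example, not part of the thread and not Tekton or Chains code: a minimal Go sketch of how a version skew like the one suspected above yields the `json: unknown field` text in the log, when a sender built against a newer type talks to a receiver that decodes strictly. The struct names, helper names and sample values are hypothetical; only the field name `EnableCELInWhenExpression` is taken from the error.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins (not Tekton's real types): the same flag set as an
// older receiver knows it and as a newer sender knows it.
type oldFlags struct {
	EnableAPIFields string
	Coschedule      string
}

type newFlags struct {
	EnableAPIFields           string
	Coschedule                string
	EnableCELInWhenExpression bool
}

// strictDecode rejects any key the receiver's struct does not declare.
func strictDecode(raw []byte) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var f oldFlags
	if err := dec.Decode(&f); err != nil {
		return fmt.Errorf("cannot decode incoming new object: %w", err)
	}
	return nil
}

// lenientDecode is encoding/json's default: unknown keys are silently dropped.
func lenientDecode(raw []byte) (oldFlags, error) {
	var f oldFlags
	err := json.Unmarshal(raw, &f)
	return f, err
}

// roundTrip marshals the newer struct (no omitempty, so false is still emitted).
func roundTrip() error {
	raw, err := json.Marshal(newFlags{EnableAPIFields: "stable", Coschedule: "workspaces"})
	if err != nil {
		return err
	}
	return strictDecode(raw)
}

func main() { fmt.Println(roundTrip()) }
```

The strict path fails even though the extra field holds its zero value, which is why the sender's feature configuration does not have to enable anything for the request to be rejected.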

Allen-yan commented 10 months ago

@lcarva

apiVersion: v1
data:
  await-sidecar-readiness: "true"
  coschedule: workspaces
  disable-affinity-assistant: "false"
  disable-creds-init: "false"
  enable-api-fields: stable
  enable-custom-tasks: "false"
  enable-provenance-in-status: "true"
  enable-tekton-oci-bundles: "false"
  enforce-nonfalsifiablity: none
  performance: <v1alpha1.PipelinePerformanceProperties Value>
  require-git-ssh-secret-known-hosts: "false"
  results-from: termination-message
  running-in-environment-with-injected-sidecars: "true"
  send-cloudevents-for-runs: "false"
  set-security-context: "false"
  trusted-resources-verification-no-match-policy: ignore
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    operator.tekton.dev/operand-name: tektoncd-pipelines
  name: feature-flags
  namespace: tekton-pipelines

lcarva commented 10 months ago

Quite strange... I still can't reproduce this issue. I tried your exact config as well as variations of it. Can you share the Pipeline and Task definitions you're using?

Can you also try reproducing the issue on a fresh cluster? kind is useful for this. Providing the exact steps to reproduce the problem would be super helpful.