tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

chains annotations missing from `pod` #7101

Open pritidesai opened 1 year ago

pritidesai commented 1 year ago

When a taskRun is created as part of a pipelineRun, chains adds some annotations to the taskRun.

https://github.com/tektoncd/chains/blob/70c8c7de563ba3d6c1e65a1e4e21c83335fa432a/pkg/chains/annotations.go#L68

Should these annotations be added to the pod as well?

The annotations are missing from the pod with the latest Tekton Pipelines and chains release.

k describe pod pipelinerun-buildpack-ssmtx-build-trusted-pod
Name:             pipelinerun-buildpack-ssmtx-build-trusted-pod
Namespace:        default
Priority:         0
Service Account:  default
Node:             tekton-control-plane/172.18.0.3
Start Time:       Mon, 11 Sep 2023 14:27:14 -0700
Labels:           app.kubernetes.io/managed-by=tekton-pipelines
                  app.kubernetes.io/version=0.1
                  tekton.dev/memberOf=tasks
                  tekton.dev/pipeline=buildpacks
                  tekton.dev/pipelineRun=pipelinerun-buildpack-ssmtx
                  tekton.dev/pipelineTask=build-trusted
                  tekton.dev/task=buildpacks
                  tekton.dev/taskRun=pipelinerun-buildpack-ssmtx-build-trusted
Annotations:      pipeline.tekton.dev/affinity-assistant: affinity-assistant-05f43c43b3
                  pipeline.tekton.dev/release: 82a405a
                  tekton.dev/categories: Image Build
                  tekton.dev/displayName: Buildpacks
                  tekton.dev/pipelines.minVersion: 0.17.0
                  tekton.dev/platforms: linux/amd64
                  tekton.dev/ready: READY
                  tekton.dev/tags: image-build

k describe tr pipelinerun-buildpack-ssmtx-build-trusted
Name:         pipelinerun-buildpack-ssmtx-build-trusted
Namespace:    default
Labels:       app.kubernetes.io/managed-by=tekton-pipelines
              app.kubernetes.io/version=0.1
              tekton.dev/memberOf=tasks
              tekton.dev/pipeline=buildpacks
              tekton.dev/pipelineRun=pipelinerun-buildpack-ssmtx
              tekton.dev/pipelineTask=build-trusted
              tekton.dev/task=buildpacks
Annotations:  chains.tekton.dev/cert-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
              chains.tekton.dev/chain-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
              chains.tekton.dev/payload-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
                eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3...
              chains.tekton.dev/signature-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
                eyJwYXlsb2FkVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2pzb24iLCJwYXlsb2FkIjoiZXlKZmRIbHdaU0k2SW1oMGRIQnpPaTh2YVc0dGRHOTBieTVwYnk5VGRHRjBaVz...
              chains.tekton.dev/signed: true
              pipeline.tekton.dev/affinity-assistant: affinity-assistant-05f43c43b3
              pipeline.tekton.dev/release: 82a405a
              tekton.dev/categories: Image Build
              tekton.dev/displayName: Buildpacks
              tekton.dev/pipelines.minVersion: 0.17.0
              tekton.dev/platforms: linux/amd64
              tekton.dev/tags: image-build

pritidesai commented 1 year ago

/kind question

vdemeester commented 1 year ago

I don't think they should be added. Usually, those annotations are added "after" the execution, and thus, the taskrun itself is not reconciled, and we do not need to update the labels/annotation on them.

In general, there are no rules for having all annotations attached to the TaskRun be available on the Pod itself.

pritidesai commented 1 year ago

Right, they are added after the pod execution is complete.

What is the best way to identify that a taskRun was signed by chains in the dashboard?

Dashboard lists the taskRuns and each taskRun tab has Parameters, Status, and Pod.


The annotations on a taskRun are not listed in the taskRun.Status section in the dashboard. The Pod section shows all the details of a pod, but the chains annotations are missing since they were added to the taskRun after it was complete.

vdemeester commented 1 year ago

@pritidesai I would assume this should be a feature request for the dashboard then 😛 (to display taskrun annotations — same for pipelinerun at least)

jisoolee commented 10 months ago

Had some discussion with @pritidesai and this would be a feature request for the dashboard as @vdemeester mentioned. We need to add an indication (tekton chains logo) when a task is signed by tekton chains and produces two additional results: image_url and image_digest.

Do we have to open the issue (or feature request) on the other repository?

vdemeester commented 10 months ago

> Do we have to open the issue (or feature request) on the other repository?

Yes, tektoncd/dashboard 👼🏼
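
For the question raised in the thread of how to tell that a taskRun was signed by chains, an added example (not part of the thread and not Tekton project code) that reads the annotations from a TaskRun object and decodes the `chains.tekton.dev/signature-taskrun-...` value seen in the `describe` output. It assumes the envelope layout visible in the decoded prefix of that value (`payloadType`, `payload`); the sample TaskRun, its names and its all-zero digest are constructed, and the envelope carries no real signature.

```python
import base64
import json

SIGNED_KEY = "chains.tekton.dev/signed"
SIG_PREFIX = "chains.tekton.dev/signature-taskrun-"


def _b64_json(value):
    """Decode a base64 string that wraps a JSON document."""
    return json.loads(base64.b64decode(value))


def chains_status(taskrun):
    """Summarise the Chains annotations on a TaskRun object (parsed JSON)."""
    meta = taskrun.get("metadata", {})
    annotations = meta.get("annotations") or {}
    report = {"name": meta.get("name"), "predicate_type": None, "subjects": [],
              "signed": annotations.get(SIGNED_KEY) == "true", "error": None}
    # Match by prefix: the key ends in an identifier specific to the run.
    envelopes = [v for k, v in annotations.items() if k.startswith(SIG_PREFIX)]
    if not envelopes:
        return report
    try:
        envelope = _b64_json(envelopes[0])
        statement = _b64_json(envelope["payload"])
        report["predicate_type"] = statement.get("predicateType")
        report["subjects"] = [s.get("name") for s in statement.get("subject", [])]
    except (ValueError, KeyError, TypeError, AttributeError):  # truncated/edited value
        report["error"] = "signature annotation is not a decodable envelope"
    return report


def sample_taskrun():
    """Constructed TaskRun; the envelope carries no real signature."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "https://slsa.dev/provenance/v0.2",
                 "subject": [{"name": "registry.example/app",
                              "digest": {"sha256": "0" * 64}}]}
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": []}
    key = SIG_PREFIX + "00000000-0000-0000-0000-000000000000"
    value = base64.b64encode(json.dumps(envelope).encode()).decode()
    return {"metadata": {"name": "example-run",
                         "annotations": {SIGNED_KEY: "true", key: value}}}


if __name__ == "__main__":
    print(json.dumps(chains_status(sample_taskrun()), indent=2))
```

On a cluster, pass it the parsed output of `kubectl get taskrun <name> -o json`, since `describe` truncates the values. The annotation and the decoded statement only show that an attestation was recorded on the object; trusting it still requires verifying the envelope signature against the Chains public key.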