tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

Tekton pipeline validation crashes on script validation in Openshift #7756

Open hunter-read opened 3 months ago

hunter-read commented 3 months ago

Expected Behavior

Tekton Pipelines validation should return an error message about the validation error when Openshift validates the yaml on save.

Actual Behavior

Tekton pipelines crashes and is returning the response:

    Failed sync attempt to 12c3ea8e1cf1e2e2e76c61b57cad6a712ef3b5a7: one or more objects failed to apply, reason: Internal error occurred: failed calling webhook "validation.webhook.pipeline.tekton.dev": failed to call webhook: Post "https://tekton-pipelines-webhook.openshift-pipelines.svc:443/resource-validation?timeout=10s": EOF

Steps to Reproduce the Problem

  1. Create a task that takes in a script: Example:

    apiVersion: tekton.dev/v1beta1
    kind: Task
    spec:
      params:
      - description: The yq script to execute. Can be multiple lines for complex tasks.
        name: SCRIPT
        type: string
      - description: The yq image to use.
        name: image
        type: string
      steps:
      - args:
          - '$(params.files[*])'
        image: $(params.image)
        name: yq-script
        resources: {}
        script: |
          /usr/bin/env sh
          set -e
    
          # For backwards compatibility with previous versions
          if [ "$(params.SCRIPT)" = "" ]; then
            for var in "$@"
            do
                /usr/bin/yq eval -i "$(params.expression)" "$var"
            done
            exit $?
          fi
    
          $(params.SCRIPT)
        workingDir: $(workspaces.source.path)
      workspaces:
      - description: A workspace that contains the file which needs to be altered.
        name: source

  2. Create a pipeline that uses the task and provides an invalid script

    apiVersion: tekton.dev/v1beta1
    kind: Pipeline
    metadata:
      name: example-pipeline
    spec:
      params:
      tasks:
      - name: example-task
        params:
          - name: SCRIPT
            value: >
              # Do YQ things
              export env_value_set_from_yq=$(yq '.value' config.yaml)
    
              echo $(env_value_set_from_yq) # The invalid code. It should be ${env_value_set_from_yq}
        taskRef:
          kind: Task
          name: yq
        workspaces:
          - name: source
            workspace: config
      workspaces:
      - name: config

  3. Save the pipeline in Openshift. This will throw an error due to the code echo $(env_value_set_from_yq). It should be ${env_value_set_from_yq} but the validation crashes with an unhelpful error.

Additional Info

    clientVersion:
      buildDate: "2023-12-20T05:37:08Z"
      compiler: gc
      gitCommit: d4c9e3c75516a96850ac843d0384f4b1eb4f4957
      gitTreeState: clean
      gitVersion: v1.25.2
      goVersion: go1.19.13 X:strictfipsruntime
      major: "1"
      minor: "25"
      platform: linux/amd64
    kustomizeVersion: v4.5.7
    serverVersion:
      buildDate: "2024-01-02T19:08:18Z"
      compiler: gc
      gitCommit: f5b7c3e8faedd51935d77828a5fc72c7540236f4
      gitTreeState: clean
      gitVersion: v1.25.16+5c97f5b
      goVersion: go1.19.13 X:strictfipsruntime
      major: "1"
      minor: "25"
      platform: linux/amd64

    Client version: 0.28.0
    Chains version: v0.20.0
    Pipeline version: v0.56.1
    Triggers version: v0.26.1
    Operator version: v0.70.1

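
The `$(env_value_set_from_yq)` token from step 2 can be flagged in CI before the manifest reaches the validating webhook. The check below is an added example, not part of the original report or of Tekton's own validation code; the prefix list and the name `find_suspect_refs` are assumptions, and the sample manifest is constructed from the report's Pipeline.

```python
import re

# Assumption: prefixes a Pipeline-level reference may start with, taken from
# Tekton's documented variable substitutions; adjust for your version.
KNOWN_PREFIXES = ("params.", "tasks.", "workspaces.", "context.")

# $(token) with no whitespace or quotes inside: shaped like a Tekton variable
# reference, unlike a shell command substitution that carries arguments.
REF_LIKE = re.compile(r"\$\(([A-Za-z0-9_.\-\[\]*]+)\)")


def find_suspect_refs(manifest_text):
    """Return (line, token, shell_form) for every $(token) that is shaped like
    a variable reference but does not start with a known prefix."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        for match in REF_LIKE.finditer(line):
            token = match.group(1)
            if not token.startswith(KNOWN_PREFIXES):
                findings.append((lineno, token, "${%s}" % token))
    return findings


# Constructed sample modelled on the Pipeline in step 2 of the report.
SAMPLE = """\
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: example-pipeline
spec:
  tasks:
    - name: example-task
      params:
        - name: SCRIPT
          value: >
            export env_value_set_from_yq=$(yq '.value' config.yaml)

            echo $(env_value_set_from_yq)
        - name: image
          value: $(params.image)
      taskRef:
        kind: Task
        name: yq
"""

if __name__ == "__main__":
    for lineno, token, shell_form in find_suspect_refs(SAMPLE):
        print(f"line {lineno}: $({token}) has no known Tekton prefix; "
              f"use {shell_form} if a shell variable was intended")
```
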
the-it-jaeger commented 3 months ago

Thank you for reporting this.