Promote the provenance field in status to beta

Fixes tektoncd#6309. Prior, the `provenance` field in status was an alpha feature gated by the dedicated feature flag named `enable-provenance-in-status` which is disabled by default. Now, we move this feature to beta by enabling this feature flag by default with the installation of Tekton Pipelines. In future, we will completely remove this feature flag once we feel this feature is stable. Signed-off-by: Chuang Wang <chuangw@google.com>
chuangw6 · May 19, 2023 · 54d9609 · 54d9609
1 parent 5abf7c2
commit 54d9609
Show file tree

Hide file tree

Showing 16 changed files with 353 additions and 101 deletions.
diff --git a/config/config-feature-flags.yaml b/config/config-feature-flags.yaml
@@ -85,7 +85,7 @@ data:
  # and PipelineRun status. This field contains metadata about resources used
  # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
  # definition was fetched.
- enable-provenance-in-status: "false"
+ enable-provenance-in-status: "true"
  # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
  # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
  # If set to "none", then Tekton will not have non-falsifiable provenance.

diff --git a/docs/additional-configs.md b/docs/additional-configs.md
@@ -245,10 +245,11 @@ Defaults to "ignore".
 
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
-- `enable-provenance-in-status`: set this flag to "true" to enable recording
+- `enable-provenance-in-status`: Set this flag to `"true"` to enable populating
  the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
  field contains metadata about resources used in the TaskRun/PipelineRun such as the
- source from where a remote Task/Pipeline definition was fetched.
+ source from where a remote Task/Pipeline definition was fetched. By default, this is set to `true`.
+ To disable populating this field, set this flag to `"false"`.
 
 For example:
 
@@ -284,7 +285,6 @@ Features currently in "alpha" are:
 | [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md) | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) | |
 | [Object Params and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | | |
 | [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `trusted-resources-verification-no-match-policy` |
-| [`Provenance` field in Status](pipeline-api.md#provenance) | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550) | N/A | `enable-provenance-in-status` |
 | [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs) | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md) | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from` |
 | [Configure Default Resolver](./resolution.md#configuring-built-in-resolvers) | [TEP-0133](https://github.com/tektoncd/community/blob/main/teps/0133-configure-default-resolver.md) | N/A | |
 
@@ -304,7 +304,7 @@ Features currently in "beta" are:
 | [Array Results and Array Indexing](pipelineruns.md#specifying-parameters) | [TEP-0076](https://github.com/tektoncd/community/blob/main/teps/0076-array-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | [v0.45.0](https://github.com/tektoncd/pipeline/releases/tag/v0.45.0) | |
 | [Object Parameters and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.46.0](https://github.com/tektoncd/pipeline/releases/tag/v0.46.0) |
 | [Remote Tasks](./taskruns.md#remote-tasks) and [Remote Pipelines](./pipelineruns.md#remote-pipelines) | [TEP-0060](https://github.com/tektoncd/community/blob/main/teps/0060-remote-resolution.md) | [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) |
-
+| [`Provenance` field in Status](pipeline-api.md#provenance)| [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0)| [v0.48.0](https://github.com/tektoncd/pipeline/releases/tag/v0.48.0) | `enable-provenance-in-status`|
 
 ## Enabling larger results using sidecar logs
 

diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -1317,7 +1317,9 @@ Your `PipelineRun`'s `status` field can contain the following fields:
  - [`kind`][kubernetes-overview] - Generally either `TaskRun` or `Run`.
  - [`apiVersion`][kubernetes-overview] - The API version for the underlying `TaskRun` or `Run`.
  - [`whenExpressions`](pipelines.md#guard-task-execution-using-when-expressions) - The list of when expressions guarding the execution of this task.
- - `provenance` - Metadata about resources used in the PipelineRun such as the source from where a remote pipeline definition was fetched.
+ - `provenance` - Metadata about the runtime configuration and the resources used in the PipelineRun. The data in the `provenance` field will be recorded into the build provenance by the provenance generator i.e. (Tekton Chains). Currently, there are 2 subfields:
+ - `RefSource`: the source from where a remote pipeline definition was fetched.
+ - `FeatureFlags`: the configuration data of the `feature-flags` configmap.
  - `finallyStartTime`- The time at which the PipelineRun's `finally` Tasks, if any, began
  executing, in [RFC3339](https://tools.ietf.org/html/rfc3339) format.
 

diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
@@ -71,7 +71,7 @@ const (
  // DefaultNoMatchPolicyConfig is the default value for "trusted-resources-verification-no-match-policy".
  DefaultNoMatchPolicyConfig = IgnoreNoMatchPolicy
  // DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
- DefaultEnableProvenanceInStatus = false
+ DefaultEnableProvenanceInStatus = true
  // DefaultResultExtractionMethod is the default value for ResultExtractionMethod
  DefaultResultExtractionMethod = ResultExtractionMethodTerminationMessage
  // DefaultMaxResultSize is the default value in bytes for the size of a result

diff --git a/pkg/apis/config/feature_flags_test.go b/pkg/apis/config/feature_flags_test.go
@@ -65,9 +65,10 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  SendCloudEventsForRuns: true,
  EnforceNonfalsifiability: "spire",
  VerificationNoMatchPolicy: config.FailNoMatchPolicy,
- EnableProvenanceInStatus: true,
+ EnableProvenanceInStatus: false,
  ResultExtractionMethod: "termination-message",
- MaxResultSize: 4096,
+
+ MaxResultSize: 4096,
  },
  fileName: "feature-flags-all-flags-set",
  },
@@ -85,6 +86,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -102,6 +104,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -119,6 +122,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -132,6 +136,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
  RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
  AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -143,6 +148,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
  RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
  AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.ResultExtractionMethodSidecarLogs,
  MaxResultSize: 8192,
  },

diff --git a/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml b/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml
@@ -28,4 +28,4 @@ data:
  send-cloudevents-for-runs: "true"
  enforce-nonfalsifiability: "spire"
  trusted-resources-verification-no-match-policy: "fail"
- enable-provenance-in-status: "true"
+ enable-provenance-in-status: "false"
diff --git a/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go b/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go
@@ -305,14 +305,7 @@ func TestPipelineRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
  },
  },
  },

diff --git a/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go b/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go
@@ -237,14 +237,7 @@ func TestTaskRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
  }},
  },
  },