Promote the provenance field in status

Fixes tektoncd#6309.

Prior, the `provenance` field in status was gated by the dedicated feature
flag named `enable-provenance-in-status`.

This PR moves the field out of the feature flag.

Signed-off-by: Chuang Wang <chuangw@google.com>

config/config-feature-flags.yaml

@@ -81,11 +81,6 @@ data:
  # If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged.
  # If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged.
  trusted-resources-verification-no-match-policy: "ignore"
- # Setting this flag to "true" enables populating the "provenance" field in TaskRun
- # and PipelineRun status. This field contains metadata about resources used
- # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
- # definition was fetched.
- enable-provenance-in-status: "false"
  # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
  # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
  # If set to "none", then Tekton will not have non-falsifiable provenance.

docs/additional-configs.md

@@ -245,10 +245,6 @@ Defaults to "ignore".
 
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
-- `enable-provenance-in-status`: set this flag to "true" to enable recording
- the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
- field contains metadata about resources used in the TaskRun/PipelineRun such as the
- source from where a remote Task/Pipeline definition was fetched.
 
 For example:
 
@@ -284,7 +280,6 @@ Features currently in "alpha" are:
 | [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md) | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) | |
 | [Object Params and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | | |
 | [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `trusted-resources-verification-no-match-policy` |
-| [`Provenance` field in Status](pipeline-api.md#provenance) | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550) | N/A | `enable-provenance-in-status` |
 | [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs) | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md) | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from` |
 | [Configure Default Resolver](./resolution.md#configuring-built-in-resolvers) | [TEP-0133](https://github.com/tektoncd/community/blob/main/teps/0133-configure-default-resolver.md) | N/A | |
 

pkg/apis/config/default.go

@@ -59,6 +59,9 @@ const (
  defaultResolverTypeKey = "default-resolver-type"
 )
 
+// DefaultConfig holds all the default configurations for the config.
+var DefaultConfig, _ = NewDefaultsFromMap(map[string]string{})
+
 // Defaults holds the default configurations
 // +k8s:deepcopy-gen=true
 type Defaults struct {

pkg/apis/config/feature_flags.go

@@ -70,8 +70,6 @@ const (
  DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
  // DefaultNoMatchPolicyConfig is the default value for "trusted-resources-verification-no-match-policy".
  DefaultNoMatchPolicyConfig = IgnoreNoMatchPolicy
- // DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
- DefaultEnableProvenanceInStatus = false
  // DefaultResultExtractionMethod is the default value for ResultExtractionMethod
  DefaultResultExtractionMethod = ResultExtractionMethodTerminationMessage
  // DefaultMaxResultSize is the default value in bytes for the size of a result
@@ -87,11 +85,13 @@ const (
  sendCloudEventsForRuns = "send-cloudevents-for-runs"
  enforceNonfalsifiability = "enforce-nonfalsifiability"
  verificationNoMatchPolicy = "trusted-resources-verification-no-match-policy"
- enableProvenanceInStatus = "enable-provenance-in-status"
  resultExtractionMethod = "results-from"
  maxResultSize = "max-result-size"
 )
 
+// DefaultFeatureFlags holds all the default configurations for the feature flags configmap.
+var DefaultFeatureFlags, _ = NewFeatureFlagsFromMap(map[string]string{})
+
 // FeatureFlags holds the features configurations
 // +k8s:deepcopy-gen=true
 //
@@ -113,7 +113,6 @@ type FeatureFlags struct {
  // warn: skip trusted resources verification when no matching verification policies found and log a warning
  // fail: fail the taskrun or pipelines run if no matching verification policies found
  VerificationNoMatchPolicy string
- EnableProvenanceInStatus bool
  ResultExtractionMethod string
  MaxResultSize int
 }
@@ -167,9 +166,6 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
  if err := setVerificationNoMatchPolicy(cfgMap, DefaultNoMatchPolicyConfig, &tc.VerificationNoMatchPolicy); err != nil {
  return nil, err
  }
- if err := setFeature(enableProvenanceInStatus, DefaultEnableProvenanceInStatus, &tc.EnableProvenanceInStatus); err != nil {
- return nil, err
- }
  if err := setResultExtractionMethod(cfgMap, DefaultResultExtractionMethod, &tc.ResultExtractionMethod); err != nil {
  return nil, err
  }

pkg/apis/config/feature_flags_test.go

@@ -48,7 +48,6 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  EnableAPIFields: config.DefaultEnableAPIFields,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -65,7 +64,6 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  SendCloudEventsForRuns: true,
  EnforceNonfalsifiability: "spire",
  VerificationNoMatchPolicy: config.FailNoMatchPolicy,
- EnableProvenanceInStatus: true,
  ResultExtractionMethod: "termination-message",
  MaxResultSize: 4096,
  },
@@ -172,7 +170,6 @@ func TestNewFeatureFlagsFromEmptyConfigMap(t *testing.T) {
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  EnforceNonfalsifiability: config.DefaultEnforceNonfalsifiability,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  }

pkg/apis/config/metrics.go

@@ -82,6 +82,9 @@ const (
  DurationPipelinerunTypeLastValue = "lastvalue"
 )
 
+// DefaultMetrics holds all the default configurations for the metrics.
+var DefaultMetrics, _ = NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}})
+
 // Metrics holds the configurations for the metrics
 // +k8s:deepcopy-gen=true
 type Metrics struct {

pkg/apis/config/spire_config.go

@@ -47,6 +47,9 @@ const (
  SpireNodeAliasPrefixDefault = "/tekton-node/"
 )
 
+// DefaultSpire hols all the default configurations for the spire.
+var DefaultSpire, _ = NewSpireConfigFromMap(map[string]string{})
+
 // NewSpireConfigFromMap creates a Config from the supplied map
 func NewSpireConfigFromMap(data map[string]string) (*sc.SpireConfig, error) {
  cfg := &sc.SpireConfig{}

pkg/apis/config/store.go

@@ -49,16 +49,12 @@ func FromContextOrDefaults(ctx context.Context) *Config {
  if cfg := FromContext(ctx); cfg != nil {
  return cfg
  }
- defaults, _ := NewDefaultsFromMap(map[string]string{})
- featureFlags, _ := NewFeatureFlagsFromMap(map[string]string{})
- metrics, _ := newMetricsFromMap(map[string]string{})
- spireconfig, _ := NewSpireConfigFromMap(map[string]string{})
 
  return &Config{
- Defaults: defaults,
- FeatureFlags: featureFlags,
- Metrics: metrics,
- SpireConfig: spireconfig,
+ Defaults: DefaultConfig,
+ FeatureFlags: DefaultFeatureFlags,
+ Metrics: DefaultMetrics,
+ SpireConfig: DefaultSpire,
  }
 }
 
@@ -102,20 +98,20 @@ func (s *Store) ToContext(ctx context.Context) context.Context {
 func (s *Store) Load() *Config {
  defaults := s.UntypedLoad(GetDefaultsConfigName())
  if defaults == nil {
- defaults, _ = NewDefaultsFromMap(map[string]string{})
+ defaults = DefaultConfig
  }
  featureFlags := s.UntypedLoad(GetFeatureFlagsConfigName())
  if featureFlags == nil {
- featureFlags, _ = NewFeatureFlagsFromMap(map[string]string{})
+ featureFlags = DefaultFeatureFlags
  }
  metrics := s.UntypedLoad(GetMetricsConfigName())
  if metrics == nil {
- metrics, _ = newMetricsFromMap(map[string]string{})
+ metrics = DefaultMetrics
  }
 
  spireconfig := s.UntypedLoad(GetSpireConfigName())
  if spireconfig == nil {
- spireconfig, _ = NewSpireConfigFromMap(map[string]string{})
+ spireconfig = DefaultSpire
  }
 
  return &Config{

pkg/apis/config/store_test.go

@@ -24,7 +24,6 @@ import (
  "github.com/tektoncd/pipeline/pkg/apis/config"
  test "github.com/tektoncd/pipeline/pkg/reconciler/testing"
  "github.com/tektoncd/pipeline/test/diff"
- corev1 "k8s.io/api/core/v1"
  logtesting "knative.dev/pkg/logging/testing"
 )
 
@@ -60,16 +59,11 @@ func TestStoreLoadWithContext(t *testing.T) {
 }
 
 func TestStoreLoadWithContext_Empty(t *testing.T) {
- defaults, _ := config.NewDefaultsFromMap(map[string]string{})
- featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
- metrics, _ := config.NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}})
- spireConfig, _ := config.NewSpireConfigFromMap(map[string]string{})
-
  want := &config.Config{
- Defaults: defaults,
- FeatureFlags: featureFlags,
- Metrics: metrics,
- SpireConfig: spireConfig,
+ Defaults: config.DefaultConfig,
+ FeatureFlags: config.DefaultFeatureFlags,
+ Metrics: config.DefaultMetrics,
+ SpireConfig: config.DefaultSpire,
  }
 
  store := config.NewStore(logtesting.TestLogger(t))

pkg/apis/config/testdata/feature-flags-all-flags-set.yaml

@@ -28,4 +28,3 @@ data:
  send-cloudevents-for-runs: "true"
  enforce-nonfalsifiability: "spire"
  trusted-resources-verification-no-match-policy: "fail"
- enable-provenance-in-status: "true"

pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go

@@ -305,14 +305,7 @@ func TestPipelineRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags,
  },
  },
  },

pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go

@@ -237,14 +237,7 @@ func TestTaskRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags,
  }},
  },
  },

pkg/reconciler/events/cloudevent/cloud_event_controller_test.go

@@ -195,10 +195,9 @@ func TestEmitCloudEvents(t *testing.T) {
 
  // Setup the config and add it to the context
  defaults, _ := config.NewDefaultsFromMap(tc.data)
- featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
  cfg := &config.Config{
  Defaults: defaults,
- FeatureFlags: featureFlags,
+ FeatureFlags: config.DefaultFeatureFlags,
  }
  ctx = config.ToContext(ctx, cfg)
 
@@ -241,10 +240,9 @@ func TestEmitCloudEventsWhenConditionChange(t *testing.T) {
 
  // Setup the config and add it to the context
  defaults, _ := config.NewDefaultsFromMap(data)
- featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
  cfg := &config.Config{
  Defaults: defaults,
- FeatureFlags: featureFlags,
+ FeatureFlags: config.DefaultFeatureFlags,
  }
  ctx = config.ToContext(ctx, cfg)
 

pkg/reconciler/events/event_test.go

@@ -82,10 +82,9 @@ func TestEmit(t *testing.T) {
 
  // Setup the config and add it to the context
  defaults, _ := config.NewDefaultsFromMap(tc.data)
- featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
  cfg := &config.Config{
  Defaults: defaults,
- FeatureFlags: featureFlags,
+ FeatureFlags: config.DefaultFeatureFlags,
  }
  ctx = config.ToContext(ctx, cfg)
 

pkg/reconciler/events/k8sevent/event_test.go

@@ -228,10 +228,9 @@ func TestEmitK8sEvents(t *testing.T) {
 
  // Setup the config and add it to the context
  defaults, _ := config.NewDefaultsFromMap(tc.data)
- featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
  cfg := &config.Config{
  Defaults: defaults,
- FeatureFlags: featureFlags,
+ FeatureFlags: config.DefaultFeatureFlags,
  }
  ctx = config.ToContext(ctx, cfg)
 

pkg/reconciler/pipelinerun/pipelinerun.go

@@ -1224,19 +1224,17 @@ func storePipelineSpecAndMergeMeta(ctx context.Context, pr *v1beta1.PipelineRun,
  // Propagate refSource from remote resolution to PipelineRun Status
  // This lives outside of the status.spec check to avoid the case where only the spec is available in the first reconcile and source comes in next reconcile.
  cfg := config.FromContextOrDefaults(ctx)
- if cfg.FeatureFlags.EnableProvenanceInStatus {
- if pr.Status.Provenance == nil {
- pr.Status.Provenance = &v1beta1.Provenance{}
- }
- // Store FeatureFlags in the Provenance.
- pr.Status.Provenance.FeatureFlags = cfg.FeatureFlags
+ if pr.Status.Provenance == nil {
+ pr.Status.Provenance = &v1beta1.Provenance{}
+ }
+ // Store FeatureFlags in the Provenance.
+ pr.Status.Provenance.FeatureFlags = cfg.FeatureFlags
 
- if meta != nil && meta.RefSource != nil && pr.Status.Provenance.RefSource == nil {
- pr.Status.Provenance.RefSource = meta.RefSource
- }
- if meta != nil && meta.RefSource != nil && pr.Status.Provenance.ConfigSource == nil {
- pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource)
- }
+ if meta != nil && meta.RefSource != nil && pr.Status.Provenance.RefSource == nil {
+ pr.Status.Provenance.RefSource = meta.RefSource
+ }
+ if meta != nil && meta.RefSource != nil && pr.Status.Provenance.ConfigSource == nil {
+ pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource)
  }
 
  return nil