feat: update chain's controllers to use v1 Tekton APIs natively while…

… converting to v1beta1 to keep formats backwards compatible

.github/workflows/kind-e2e.yaml

@@ -32,7 +32,6 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         pipelines-release:
-        - v0.41.3  # LTS
         - v0.44.4  # LTS
         - v0.47.3  # LTS
         - v0.50.1  # LTS

cmd/controller/main.go

@@ -41,5 +41,5 @@ func main() {
 	flag.Parse()
 	ctx := injection.WithNamespaceScope(signals.NewContext(), *namespace)
 
-	sharedmain.MainWithContext(ctx, "watcher", taskrun.NewController, pipelinerun.NewController)
+	sharedmain.MainWithContext(ctx, "watcher", taskrun.NewControllerV1, pipelinerun.NewControllerV1)
 }

docs/config.md

@@ -21,20 +21,20 @@ Supported keys include:
 
 | Key                         | Description                                                                                                                                                                                      | Supported Values                           | Default   |
 | :-------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :-------- |
-| `artifacts.taskrun.format`  | The format to store `TaskRun` payloads in.                                                                                                                                                       | `in-toto`, `slsa/v1`, `slsa/v2alpha2`      | `in-toto` |
+| `artifacts.taskrun.format`  | The format to store `TaskRun` payloads in.                                                                                                                                                       | `in-toto`, `slsa/v1`, `slsa/v2alpha3`      | `in-toto` |
 | `artifacts.taskrun.storage` | The storage backend to store `TaskRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `TaskRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton`  |
 | `artifacts.taskrun.signer`  | The signature backend to sign `TaskRun` payloads with.                                                                                                                                           | `x509`, `kms`                              | `x509`    |
 
 > NOTE:
 >
 > - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
-> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
+> - `slsa/v2alpha3` corresponds to the slsav1.0 spec.
 
 ### PipelineRun Configuration
 
 | Key                                            | Description                                                                                                                                                                                                                                                                                 | Supported Values                           | Default   |
 | :--------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------------------------------------- | :-------- |
-| `artifacts.pipelinerun.format`                 | The format to store `PipelineRun` payloads in.                                                                                                                                                                                                                                              | `in-toto`, `slsa/v1`, `slsa/v2alpha2`      | `in-toto` |
+| `artifacts.pipelinerun.format`                 | The format to store `PipelineRun` payloads in.                                                                                                                                                                                                                                              | `in-toto`, `slsa/v1`, `slsa/v2alpha3`      | `in-toto` |
 | `artifacts.pipelinerun.storage`                | The storage backend to store `PipelineRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `PipelineRun` artifact input an empty string ("").                                                                                    | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton`  |
 | `artifacts.pipelinerun.signer`                 | The signature backend to sign `PipelineRun` payloads with.                                                                                                                                                                                                                                  | `x509`, `kms`                              | `x509`    |
 | `artifacts.pipelinerun.enable-deep-inspection` | This boolean option will configure whether Chains should inspect child taskruns in order to capture inputs/outputs within a pipelinerun. `"false"` means that Chains only checks pipeline level results, whereas `"true"` means Chains inspects both pipeline level and task level results. | `"true"`, `"false"`                        | `"false"` |
@@ -43,7 +43,7 @@ Supported keys include:
 >
 > - For grafeas storage backend, currently we only support Container Analysis. We will make grafeas server address configurabe within a short time.
 > - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
-> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
+> - `slsa/v2alpha3` corresponds to the slsav1.0 spec.
 
 ### OCI Configuration
 
@@ -96,7 +96,7 @@ You can read more about Grafeas notes and occurrences [here](https://github.com/
 > NOTE:
 > Considerations for the builddefinition.buildtype parameter:
 >
-> - It is only valid for `slsa/v2alpha2` configurations (see TaskRun or PipelineRun configuration).
+> - It is only valid for `slsa/v2alpha3` configurations (see TaskRun or PipelineRun configuration).
 > - The parameter can take one of two values:
 >   - `https://tekton.dev/chains/v2/slsa`: This buildType strictly conforms to the slsav1.0 spec.
 >   - `https://tekton.dev/chains/v2/slsa-tekton`: This buildType also conforms to the slsav1.0 spec, but adds additional informaton specific to Tekton. This information includes the PipelinRun/TaskRun labels and annotations as internalParameters. It also includes capturing each pipeline task in a PipelinRun under resolvedDependencies.

docs/slsa-provenance.md

@@ -38,7 +38,7 @@ The following shows the mapping between slsa version and formatter name.
 
 | SLSA Version | Formatter Name         |
 | ------------ | ---------------------- |
-| v1.0         | `slsa/v2alpha2`        |
+| v1.0         | `slsa/v2alpha3`        |
 | v0.2         | `slsa/v1` or `in-toto` |
 
 To configure Task-level provenance version

examples/kaniko/gcp/kaniko.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: kaniko-gcp

examples/kaniko/gcp/taskrun.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: TaskRun
 metadata:
   name: kaniko-gcp

examples/kaniko/kaniko.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: kaniko-chains

examples/kaniko/taskrun.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: TaskRun
 metadata:
   name: kaniko-run

examples/pipelineruns/pipeline-output-image.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   generateName: image-pipelinerun

examples/releases/v0.3.0-build-chains-taskrun.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: TaskRun
 metadata:
   generateName: build-chains-

examples/taskruns/task-output-image.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: TaskRun
 metadata:
   name: build-push-run-output-image-test

go.mod

@@ -1,6 +1,6 @@
 module github.com/tektoncd/chains
 
-go 1.20
+go 1.21
 
 require (
 	cloud.google.com/go/compute/metadata v0.2.3
@@ -268,6 +268,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/jstemmer/go-junit-report v1.0.0 // indirect
 	github.com/julz/importas v0.1.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect

go.sum

@@ -834,6 +834,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jstemmer/go-junit-report v1.0.0 h1:8X1gzZpR+nVQLAht+L/foqOeX2l9DTZoaIPbEQHxsds=
+github.com/jstemmer/go-junit-report v1.0.0/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=

pkg/artifacts/signable.go

@@ -17,16 +17,19 @@ import (
 	"context"
 	_ "crypto/sha256" // Recommended by go-digest.
 	_ "crypto/sha512" // Recommended by go-digest.
+	"encoding/json"
 	"fmt"
 	"regexp"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	"github.com/opencontainers/go-digest"
+	"github.com/opentracing/opentracing-go/log"
 	"github.com/tektoncd/chains/internal/backport"
 	"github.com/tektoncd/chains/pkg/chains/objects"
 	"github.com/tektoncd/chains/pkg/config"
+	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"knative.dev/pkg/logging"
@@ -65,12 +68,12 @@ type TaskRunArtifact struct{}
 var _ Signable = &TaskRunArtifact{}
 
 func (ta *TaskRunArtifact) ShortKey(obj interface{}) string {
-	tro := obj.(*objects.TaskRunObject)
+	tro := obj.(*objects.TaskRunObjectV1)
 	return "taskrun-" + string(tro.UID)
 }
 
 func (ta *TaskRunArtifact) FullKey(obj interface{}) string {
-	tro := obj.(*objects.TaskRunObject)
+	tro := obj.(*objects.TaskRunObjectV1)
 	gvk := tro.GetGroupVersionKind()
 	return fmt.Sprintf("%s-%s-%s-%s", gvk.Group, gvk.Version, gvk.Kind, tro.UID)
 }
@@ -104,12 +107,12 @@ type PipelineRunArtifact struct{}
 var _ Signable = &PipelineRunArtifact{}
 
 func (pa *PipelineRunArtifact) ShortKey(obj interface{}) string {
-	pro := obj.(*objects.PipelineRunObject)
+	pro := obj.(*objects.PipelineRunObjectV1)
 	return "pipelinerun-" + string(pro.UID)
 }
 
 func (pa *PipelineRunArtifact) FullKey(obj interface{}) string {
-	pro := obj.(*objects.PipelineRunObject)
+	pro := obj.(*objects.PipelineRunObjectV1)
 	gvk := pro.GetGroupVersionKind()
 	return fmt.Sprintf("%s-%s-%s-%s", gvk.Group, gvk.Version, gvk.Kind, pro.UID)
 }
@@ -149,40 +152,56 @@ type image struct {
 }
 
 func (oa *OCIArtifact) ExtractObjects(ctx context.Context, obj objects.TektonObject) []interface{} {
-	log := logging.FromContext(ctx)
 	objs := []interface{}{}
-
-	// TODO: Not applicable to PipelineRuns, should look into a better way to separate this out
-	if tr, ok := obj.GetObject().(*v1beta1.TaskRun); ok {
-		imageResourceNames := map[string]*image{}
-		if tr.Status.TaskSpec != nil && tr.Status.TaskSpec.Resources != nil {
-			for _, output := range tr.Status.TaskSpec.Resources.Outputs {
-				if output.Type == backport.PipelineResourceTypeImage {
-					imageResourceNames[output.Name] = &image{}
-				}
+	if trV1, ok := obj.GetObject().(*v1.TaskRun); ok {
+		var resources v1beta1.TaskResources //nolint:staticcheck
+		shouldReplace := false
+		if serializedResources, ok := trV1.Annotations["tekton.dev/v1beta1-status-taskrunstatusfields-taskspec-resources"]; ok {
+			if err := json.Unmarshal([]byte(serializedResources), &resources); err == nil {
+				shouldReplace = true
 			}
 		}
-
-		for _, rr := range tr.Status.ResourcesResult {
-			img, ok := imageResourceNames[rr.ResourceName]
-			if !ok {
-				continue
-			}
-			// We have a result for an image!
-			if rr.Key == "url" {
-				img.url = rr.Value
-			} else if rr.Key == "digest" {
-				img.digest = rr.Value
+		var results []v1beta1.RunResult //nolint:staticcheck
+		if serializedResources, ok := trV1.Annotations["tekton.dev/v1beta1ResourcesResult"]; ok {
+			if err := json.Unmarshal([]byte(serializedResources), &results); err == nil {
+				shouldReplace = shouldReplace && true
 			}
 		}
+		trV1Beta1 := &v1beta1.TaskRun{} //nolint:staticcheck
+		if err := trV1Beta1.ConvertFrom(ctx, trV1); err == nil {
+			if shouldReplace {
+				trV1Beta1.Status.TaskSpec.Resources = &resources //nolint:staticcheck
+				trV1Beta1.Status.ResourcesResult = results       //nolint:staticcheck
+			}
+			imageResourceNames := map[string]*image{}
+			if trV1Beta1.Status.TaskSpec != nil && trV1Beta1.Status.TaskSpec.Resources != nil { //nolint:staticcheck
+				for _, output := range trV1Beta1.Status.TaskSpec.Resources.Outputs { //nolint:staticcheck
+					if output.Type == backport.PipelineResourceTypeImage {
+						imageResourceNames[output.Name] = &image{}
+					}
+				}
+			}
+			for _, rr := range trV1Beta1.Status.ResourcesResult {
+				img, ok := imageResourceNames[rr.ResourceName]
+				if !ok {
+					continue
+				}
+				// We have a result for an image!
+				if rr.Key == "url" {
+					img.url = rr.Value
+				} else if rr.Key == "digest" {
+					img.digest = rr.Value
+				}
+			}
 
-		for _, image := range imageResourceNames {
-			dgst, err := name.NewDigest(fmt.Sprintf("%s@%s", image.url, image.digest))
-			if err != nil {
-				log.Error(err)
-				continue
+			for _, image := range imageResourceNames {
+				dgst, err := name.NewDigest(fmt.Sprintf("%s@%s", image.url, image.digest))
+				if err != nil {
+					log.Error(err)
+					continue
+				}
+				objs = append(objs, dgst)
 			}
-			objs = append(objs, dgst)
 		}
 	}
 
@@ -208,16 +227,15 @@ func ExtractOCIImagesFromResults(ctx context.Context, obj objects.TektonObject)
 			logger.Errorf("error getting digest: %v", err)
 			continue
 		}
-
 		objs = append(objs, dgst)
 	}
 
 	// look for a comma separated list of images
 	for _, key := range obj.GetResults() {
-		if key.Name != "IMAGES" {
+		if key.GetName() != "IMAGES" {
 			continue
 		}
-		imgs := strings.FieldsFunc(key.Value.StringVal, split)
+		imgs := strings.FieldsFunc(key.GetStringValue(), split)
 
 		for _, img := range imgs {
 			trimmed := strings.TrimSpace(img)
@@ -291,43 +309,36 @@ func ExtractStructuredTargetFromResults(ctx context.Context, obj objects.TektonO
 	}
 
 	// TODO(#592): support structured results using Run
-	results := []objects.Result{}
 	for _, res := range obj.GetResults() {
-		results = append(results, objects.Result{
-			Name:  res.Name,
-			Value: res.Value,
-		})
-	}
-	for _, res := range results {
-		if strings.HasSuffix(res.Name, categoryMarker) {
+		if strings.HasSuffix(res.GetName(), categoryMarker) {
 			valid, err := isStructuredResult(res, categoryMarker)
 			if err != nil {
 				logger.Debugf("ExtractStructuredTargetFromResults: %v", err)
 			}
 			if valid {
-				logger.Debugf("Extracted Structured data from Result %s, %s", res.Value.ObjectVal["uri"], res.Value.ObjectVal["digest"])
-				objs = append(objs, &StructuredSignable{URI: res.Value.ObjectVal["uri"], Digest: res.Value.ObjectVal["digest"]})
+				logger.Debugf("Extracted Structured data from Result %v", res)
+				objs = append(objs, &StructuredSignable{URI: res.GetObjectValue("uri"), Digest: res.GetObjectValue("digest")})
 			}
 		}
 	}
 	return objs
 }
 
-func isStructuredResult(res objects.Result, categoryMarker string) (bool, error) {
-	if !strings.HasSuffix(res.Name, categoryMarker) {
+func isStructuredResult(res objects.GenericResult, categoryMarker string) (bool, error) {
+	if !strings.HasSuffix(res.GetName(), categoryMarker) {
 		return false, nil
 	}
-	if res.Value.ObjectVal == nil {
-		return false, fmt.Errorf("%s should be an object: %v", res.Name, res.Value.ObjectVal)
+	if res.ObjectValueIsNil() {
+		return false, fmt.Errorf("%s should be an object: %v", res.GetName(), res)
 	}
-	if res.Value.ObjectVal["uri"] == "" {
-		return false, fmt.Errorf("%s should have uri field: %v", res.Name, res.Value.ObjectVal)
+	if res.GetObjectValue("uri") == "" {
+		return false, fmt.Errorf("%s should have uri field: %v", res.GetName(), res)
 	}
-	if res.Value.ObjectVal["digest"] == "" {
-		return false, fmt.Errorf("%s should have digest field: %v", res.Name, res.Value.ObjectVal)
+	if res.GetObjectValue("digest") == "" {
+		return false, fmt.Errorf("%s should have digest field: %v", res.GetName(), res)
 	}
-	if _, _, err := ParseDigest(res.Value.ObjectVal["digest"]); err != nil {
-		return false, fmt.Errorf("error getting digest %s: %v", res.Value.ObjectVal["digest"], err)
+	if _, _, err := ParseDigest(res.GetObjectValue("digest")); err != nil {
+		return false, fmt.Errorf("error getting digest %s: %v", res.GetObjectValue("digest"), err)
 	}
 	return true, nil
 }