Promote the provenance field in *Run status

[chuangw6]

Feature looking for Promotion

The field provenance that was introduced into TaskRun/PipelineRun status in a recent release is an alpha feature gated by the dedicated feature flag enable-provenance-in-status. This ticket is requesting to promote and move the feature out of the feature flag. Specifically, remove the dedicated feature and make it available under beta.

Current Feature Version

enable-provenance-in-status: true

Raise Feature Version

enable-api-fields: beta

Pipeline Release

v0.42

Issues Reported by the Users

• Rename ConfigSource #6350

Usage in Dogfooding Cluster

None

Examples/Tests

• e2e test
• usage example in Chains (where the invocation.configsource and invocation.environment in the provenance are populated with the value from the provenance field.)

[chuangw6]

/assign

[vdemeester]

/area roadmap

[chuangw6]

Before moving this to beta, we should get renaming its subfield done mainly to make sure the name here is not specific to a particular version of SLSA spec.

[chuangw6]

Suggesting we promote this feature directly to stable. The reason is that, unlike an API field that is specified by the user, this provenance field is part of TaskRun/PipelineRun status that will be directly populated by the controller. And this behaviour in the controller is quite stable. Specifically, the value of the subfield Provenance.RefSource is derived from remote resolution which spits out the source information where the remote pipeline/task came from. And the subfield Provenance.FeatureFlags just records the feature flag configmap.

In addition, if we promote this to beta first, that means, beta flag must be enabled for V1 api, whereas both beta and stable (and alpha) are acceptable for v1beta1 api. However, there is no way in V1's admission webhook to check the feature flag for this particular field b/c as mentioned above this field is only populated in the controller. Instead, we have to do this in the controller:

if it's v1 API:
   if beta is enabled:
          populate the field
if it's v1beta1 API:
   populate the field.

[chuangw6]

cc @tektoncd/core-maintainers for thoughts

[lbernick]

@chuangw6 I don't think the snippet you included will work as intended: we have no way of knowing in the reconciler what version a taskrun/pipelinerun was created as; we only operate on the stored version of the api. This means swapping a stored version would be a breaking change, which it's not meant to be. This is another problem related to #6592.

I don't have much insight on the stability of this feature in particular.

[chuangw6]

Thank you @lbernick for the input. That's helpful to know!

Updates from the discussion on May 15, 2023 API WG Meeting, we wanted to promote this feature to beta first. The way to do that is to keep the dedicated feature flag enable-provenance-in-status, but enable it by default with the installation of tekton pipeline. Once we thinks this feature is ready for stable, we will completely remove the feature flag from the code.

The implementation is done in #6495.

cc @tektoncd/core-maintainers.

Please leave a comment if anyone has any thought or comment on this.