Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trusted resources works only for storage version of the API #6618

Closed
lbernick opened this issue May 3, 2023 · 0 comments · Fixed by #6621
Closed

Trusted resources works only for storage version of the API #6618

lbernick opened this issue May 3, 2023 · 0 comments · Fixed by #6621
Assignees
@Yongxuanzhang
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@lbernick
Copy link
Member

lbernick commented May 3, 2023

Expected Behavior

We can swap the storage version of Pipeline APIs at any time without impacting users.

Actual Behavior

Trusted resources verification happens after a remote Task or remote Pipeline is converted into the storage version of the API. Task conversion happens here and verification happens here.

This means that if someone creates a verified v1beta1 Task and stores it in a git repo, when we swap the storage version of the API, this task can no longer be verified, since it will be converted to v1 before verification.

I understand trusted resources has few (no?) users right now and is in alpha, so this breakage might not be a huge deal; however, this is a problem for 2 reasons:

  1. we will make more storage version swaps in the future; i.e. we will probably have a v2 api eventually
  2. this is blocking resolution of Versioned validation of referenced Pipelines/Tasks #6616, which is in turn blocking moving to v1

Additional Info

It may still be doable to bubble up resources verification results to the taskrun/pipelinerun status, as proposed here, but I suspect it will get messy especially with the addition of "warn" mode. As evidence, #6502 is a refactoring PR that moves trusted resources verification even farther from where the remote task is fetched, in order to make it easier to set the taskrun status.

(sorry in advance for potentially backseat driving a proposal I haven't been super involved with) I'm wondering if we should treat trusted resources verification more how we treat task validation: either it passes and you have a valid task, or it doesn't and you have an invalid task. This might also help with not being able to verify local tasks because we call setdefaults as soon as a task/pipeline is applied to the cluster.

FYI @bobcatfish @wlynch
@lbernick lbernick added the kind/bug Categorizes issue or PR as related to a bug. label May 3, 2023
@lbernick lbernick moved this to Todo in Pipelines V1 May 3, 2023
@lbernick lbernick mentioned this issue May 3, 2023
Closed
@lbernick lbernick added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 3, 2023
@lbernick lbernick mentioned this issue May 5, 2023
Merged
7 tasks
@github-project-automation github-project-automation bot moved this from Todo to Done in Pipelines V1 May 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Yongxuanzhang Yongxuanzhang

Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
Pipelines V1
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

move trusted resources verification after we resolve the remote resources Yongxuanzhang/pipeline
2 participants
@lbernick @Yongxuanzhang