restricting tekton.dev labels in metadata #2891
Conversation
tekton-robot
added
the
do-not-merge/release-note-label-needed
tekton-robot
added
the
size/S
|
This PR cannot be merged: expecting exactly one kind/ label Available
|
|
/kind misc |
tekton-robot
added
do-not-merge/hold
|
The following is the coverage report on the affected files.
|
pritidesai
changed the title
tekton-robot
added
release-note
Interesting, those catalog task shouldn't use that label anyway as it is supposed to be set by the controller 🤔 |
Yup, indeed, @bobcatfish @sbwsg WDYT? |
Ref #2946 - we should probably document this there too |
Is it actually "used" there? The catalog reorg happened so I had to hunt them down (the links changed). Here it is now: https://github.com/tektoncd/catalog/blob/d7e5c6db536d79bd3c205caaf075a50f5c9dee7e/task/github-close-issue/0.1/README.md They only really appear in the READMEs for examples on creating a TaskRun. My wild guess is that someone created the taskrun with the CLI or something, then dumped it as YAML to generate the docs and kept that label. It's only in 3 places: |
|
|
||
| // metadata must not contain any label with tekton.dev/* | ||
| for k := range meta.GetLabels() { | ||
| if strings.HasPrefix(k, pipeline.GroupName) { |
There was a problem hiding this comment.
Do we care/have an opinion on things like "*.tekton.dev" as well?
There was a problem hiding this comment.
This is meant to be Tekton internal, created and utilized by the pipeline controller itself, better to enforce rather than relying on Task/Pipeline/TaskRun/PipelineRun authors to follow recommendations, thoughts?
There was a problem hiding this comment.
+1 on saving the extra namespace. In chains right now we're using "chains.tekton.dev", but only in an annotation.
There was a problem hiding this comment.
This PR is restricting labels, annotations have all the freedom 😉
|
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/rotten
|
/remove-lifecycle rotten |
tekton-robot
removed
the
lifecycle/rotten
|
cc @tektoncd/core-maintainers |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sbwsg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
Sounds good to me! |
|
/retest |
Tekton resources are automatically assigned certain labels including the ones with tekton.dev. The labels are created and propagated from one resource to another using this group name. We should restrict possibility of overwriting those labels otherwise it could result in conflicting resources.
|
/test pull-tekton-pipeline-integration-tests |
| for k := range meta.GetLabels() { | ||
| if strings.HasPrefix(k, pipeline.GroupName) { | ||
| return &apis.FieldError{ | ||
| Message: "Invalid label key: can not change tekton resource name", |
There was a problem hiding this comment.
NIT: the error message may be confusing if someone is not trying to change the resource name. I think it would be better to say that the tekton.dev/ labels are reserved for internal use.
|
We do use |
There was a problem hiding this comment.
Thanks for this!
I would update the error message, but otherwise it looks good to me.
I think we can reserve extra namespace in further PRs if we decide to?
@pritidesai is the "hold" still needed on this one?
|
thanks. Nope, no more hold needed. |
tekton-robot
removed
the
do-not-merge/hold
Could this be causing integration failure? 🤔 Integration tests failure is consistent with these changes in terms of number of failing Tests: |
|
16 test examples showing this error: |
|
This is actually a legit failure 😢 not related to infra or timeout. Taskrun and Pipelinerun controller injects these labels which are then going through the same validation routine which validates user specified labels. Will update this PR to separate this validation calls next week, putting it on hold until then. /hold |
tekton-robot
added
the
do-not-merge/hold
|
/lgtm cancel |
|
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
tekton-robot
removed
the
lifecycle/stale
|
The following is the coverage report on the affected files.
|
|
@pritidesai: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
1 similar comment
|
@pritidesai: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
tekton-robot
added
the
needs-rebase
|
@pritidesai: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@pritidesai @tektoncd/core-maintainers gentle ping 👼🏼 |
|
thanks @vdemeester its a long overdue, will look into it this week 🙏 |
|
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/stale
|
closing this for now, will open a new PR once I have a breather to implement this. I have created an issue capturing the PR discussion here. |
Changes
Tekton resources are automatically assigned certain labels including the ones with tekton.dev. The labels are created and propagated from one resource to another using this group name. We should restrict possibility of overwriting those labels otherwise it could result in conflicting resources.
Result of the discussion in PR 2826
On hold until we confirm this is something we want to restrict 🤔
This will break folks using these labels in metadata, see an example in catalog.
/cc @vdemeester
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmddir, please updatethe release Task to build and release this image.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.
Release Notes