-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add taskRef remote resolution support #4859
Conversation
/assign @vdemeester |
The following is the coverage report on the affected files.
|
Thanks for doing this @abayer! Just FYI that Scott is currently on leave until mid-August. /assign |
/retest |
1 similar comment
/retest |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would make sense to start with one PR for adding remote resolution of tasks for TaskRuns, and then have a follow-up PR for adding remote resolution of Pipeline Tasks.
@@ -311,14 +311,14 @@ func TestPipelineTask_ValidateRegularTask_Failure(t *testing.T) { | |||
}, | |||
expectedError: *apis.ErrDisallowedFields("taskref.bundle"), | |||
}, { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add some test cases for use of resolver and resource with the alpha feature flag set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, will do.
@@ -277,7 +277,19 @@ func (c *Reconciler) resolvePipelineState( | |||
pst := resources.PipelineRunState{} | |||
// Resolve each task individually because they each could have a different reference context (remote or local). | |||
for _, task := range tasks { | |||
fn, err := tresources.GetTaskFunc(ctx, c.KubeClientSet, c.PipelineClientSet, task.TaskRef, pr.Namespace, pr.Spec.ServiceAccountName) | |||
// Create a dummy TaskRun for remote resolution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you help me understand what's going on here? the way I would anticipate this working is that we'd create a TaskRun as normal, but pass the resolver info along to the TaskRun, and have the TaskRun reconciler validate the resolver and resolve the task.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this is what I'm most unsure about - we resolve the Task
whether or not there's a TaskRun
or even if we're creating a TaskRun
, I believe for situations like when expressions and conditions. But the code in pkg/remote
requires a kmeta.OwnerRefable
. It only ever uses that kmeta.OwnerRefable
to get its Name
and Namespace
, but nonetheless. Since we need to pass that kmeta.OwnerRefable
in to GetTaskFunc
, we don't have the TaskRun
, if it exists, at the time we call GetTaskFunc
.
So there's two aspects here - first, there's the kmeta.OwnerRefable
stuff - that could be refactored to have the resolver code take name and namespace instead, and second, even if we did do that refactor, we'd still need to have the TaskRun
name when calling GetTaskFunc
, because
func buildRequest(resolverName string, owner kmeta.OwnerRefable, params map[string]string) (*resolutionRequest, error) { |
TaskRun
name before resolving.
The options I see are the dummy TaskRun
approach here, refactoring to take name and namespace instead, which still requires generating the TaskRun
name at this location, or reworking the PipelineRun
reconciler to not resolve the Task
until there's already a created TaskRun
, deferring all the remote resolution logic to the TaskRun
reconciler. The last option definitely feels like the ideal one for this particular change, but I'm not sure what the implications would be if we don't resolve the Task
until we have a TaskRun
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the explanation!
I think the middle option (refactoring to take name and namespace instead) is the way to go. I find the dummy TaskRun approach to be confusing, and the last approach sounds like a large refactor that may not be necessary. If you look into buildRequest
, it looks like the reason a name is needed is to make sure there are not multiple requests for the same pipeline's pipelineRef, the same task's taskRef, or the same pipeline task's taskRef. Therefore, what's needed here is not actually the name that will be used but some sort of unique identifier. I think a combo of pipelinerun name + pipeline task name should work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I'll poke around briefly to try to better understand (for my own edification, if nothing else!) when exactly we end up with a resolved Task
but no TaskRun
and what would be impacted by not resolving the Task
unless/until we resolve the TaskRun
, but so far, it does look like a lot of behavior, particularly around resolving task resources, would barf in that case. Still good to know better. =)
Aaaaah, yeah, you're right re the name. That said, GetTaskRunName
is just checking to see if there already is a name defined in pr.Status.ChildReferences
or pr.Status.TaskRuns
for the pipeline task name, and if not, it returns kmeta.ChildName(prName, fmt.Sprintf("-%s", ptName))
...which is just prName-ptName
unless that would be longer than 63 characters (in which case it trims down prName
and/or ptName
and adds an md5 hash of the "full" string to guarantee uniqueness) anyway. So might as well just use GetTaskRunName
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aaah - I just checked deeper, and it turns out the kmeta.OwnerRefable
ends up being used to add an owner reference to the generated ResolutionRequest
:
https://github.com/tektoncd/resolution/blob/52bc1f17d4b6d8477e73a059de4b5808012a0386/pkg/resource/crd_resource.go#L104
So I think things need to be tweaked a bit more so that the ResolutionRequest
has the PipelineRun
as its owner reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And we should definitely use GetTaskRunName
for the remote resource name in buildRequest
so that we ensure the resolution request made by the PipelineRun
reconciler has the same unique identifier as the one made by the TaskRun
reconciler to avoid an unnecessary repeat resolution request being created...yeah, I'd really prefer if we didn't try to resolve the Task
from the PipelineRun
reconciler at all. Grr.
The PR is not that huge, I don't really see why we would go through the trouble of spliting it into two. |
The reason I suggest splitting it is to logically separate resolution of taskrefs for taskruns vs pipeline tasks. There's some discussion around how best to handle resolution for pipeline tasks, and I think having taskref resolution in place for taskruns before adding it for pipeline tasks might lead to a better solution in the end. This is also just my opinion on a subjective judgment call about what is small/modular enough. |
@lbernick @vdemeester @afrittoli 819b9df modifies the remote resolver to take both a |
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
/retest |
3 similar comments
/retest |
/retest |
/retest |
@@ -1238,6 +1238,114 @@ spec: | |||
} | |||
} | |||
|
|||
// TestReconcileWithResolver checks that a PipelineRun with a populated Resolver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
docstring here I think needs to be updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
@@ -63,14 +69,15 @@ func GetTaskFuncFromTaskRun(ctx context.Context, k8s kubernetes.Interface, tekto | |||
}, nil | |||
}, nil | |||
} | |||
return GetTaskFunc(ctx, k8s, tekton, taskrun.Spec.TaskRef, taskrun.Namespace, taskrun.Spec.ServiceAccountName) | |||
return GetTaskFunc(ctx, k8s, tekton, requester, taskrun, taskrun.Spec.TaskRef, "", taskrun.Namespace, taskrun.Spec.ServiceAccountName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what's the reason to use "" here instead of taskrun.name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In practice in this case, it doesn't really matter - if the targetName
is ""
, then owner.Name
(in this case, taskrun.name
) is used. I'm not a huge fan of the signature for GetTaskFunc
, but can't come up with something cleaner at the moment - I'll try to come back and refactor GetTaskFunc
in general if and when I get a good idea. =) That said, I'll change this to use taskrun.Name
for now, even though it's unnecessary.
Thanks, I think this approach looks better! |
d02a360
to
7235d9c
Compare
The following is the coverage report on the affected files.
|
thanks @abayer! Just squash and I'll LGTM |
Followup to tektoncd#4596, needed for tektoncd#4710. Enables remote resolution of `Task`s, both in explicitly created `TaskRun`s and in `PipelineRun`s' `PipelineTask`s, from public git repositories using tektoncd/resolution. Also modifies `resolution.Resolver` to take both owner and optional name/namespace. This is needed because we don't necessarily have a `TaskRun` yet when calling `GetTaskFunc` in the `PipelineRun` reconciler, but still need to ensure that we only make one remote resolution request for a `PipelineTask` via the `PipelineRun` and `TaskRun` reconcilers. Therefore, we must have the same deterministically-generated resolution request name in both places, using the predictable eventual `TaskRun` name and namespace. We also want to make sure that the created `ResolutionRequest` has the appropriate owner reference, hence still passing a `kmeta.OwnerRefable` to `NewResolver` as well as the name and namespace. This is still in alpha. Signed-off-by: Andrew Bayer <andrew.bayer@gmail.com>
7235d9c
to
f7d1e04
Compare
@lbernick Done! |
The following is the coverage report on the affected files.
|
/lgtm |
/retest |
2 similar comments
/retest |
/retest |
Changes
Followup to #4596, needed for #4710.
remote resolution, both in explicitly created
TaskRun
s and inPipelineRun
s'PipelineTask
s,from public git repositories using tektoncd/resolution.
To actually see anything happening a dev also needs to deploy
tektoncd/resolution
and thegitresolver
.This is still in alpha.
/kind feature
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")
Release Notes