TEP-0101 PodTemplate should support environment variables. #5699

Merged
merged 2 commits into from
Dec 21, 2022

@ScrapCodes (Contributor) commented Oct 31, 2022

Changes

  1. Envs i.e. environment variables specified in podTemplate for PipelineRun and TaskRun, will take precedence over envs defined in step and StepTemplate.
  2. config-defaults' default-pod-template can contain global default envs applicable for all PipelineRun and taskRun. These are overridden by user defined podTemplate.
  3. Support forbidden envs.
    a. A new config-default configuration: forbidden-envs
    b. Envs added in the forbidden-envs are filtered while updating from a podTemplate.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

PodTemplate can be used to update environment variables globally as well as PipelineRun and TaskRun level.
Added new configuration option default-forbidden-env to disallow specified environment variables from being updated via podTemplate.

/kind tep
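
The precedence and forbidden-env rules from the PR description above, as an added Go example that is not part of the PR or of Tekton's code. `EnvVar`, `EffectiveEnv` and `ForbiddenIn` are hypothetical names, the sample values are constructed, and applying the forbidden filter to both the default and the user podTemplate layers is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// EnvVar is a simplified stand-in for a Kubernetes container env entry.
type EnvVar struct{ Name, Value string }

func denySet(names []string) map[string]bool {
	deny := make(map[string]bool, len(names))
	for _, n := range names {
		deny[n] = true
	}
	return deny
}

// ForbiddenIn lists the forbidden names a podTemplate tries to set. An
// admission check can reject the run on a non-empty result instead of
// letting the merge drop the value silently.
func ForbiddenIn(podTemplateEnv []EnvVar, forbidden []string) []string {
	deny := denySet(forbidden)
	hits := []string{}
	for _, e := range podTemplateEnv {
		if deny[e.Name] {
			hits = append(hits, e.Name)
		}
	}
	sort.Strings(hits)
	return hits
}

// EffectiveEnv layers the sources from lowest to highest precedence:
// stepTemplate, step, default podTemplate, user podTemplate.
func EffectiveEnv(stepTemplate, step, defaultPT, userPT []EnvVar, forbidden []string) map[string]string {
	deny := denySet(forbidden)
	out := map[string]string{}
	for i, layer := range [][]EnvVar{stepTemplate, step, defaultPT, userPT} {
		for _, e := range layer {
			if i >= 2 && deny[e.Name] {
				continue // podTemplate layers may not touch forbidden names
			}
			out[e.Name] = e.Value
		}
	}
	return out
}

func main() {
	step := []EnvVar{{"TEST_TEKTON", "true"}} // constructed sample values
	userPT := []EnvVar{{"TEST_TEKTON", "false"}, {"LOG_LEVEL", "debug"}}
	fmt.Println(EffectiveEnv(nil, step, nil, userPT, []string{"TEST_TEKTON"}))
	fmt.Println(ForbiddenIn(userPT, []string{"TEST_TEKTON"}))
}
```

With the forbidden name set in the step, the podTemplate value is ignored and the step's value survives, while `ForbiddenIn` reports the attempt so it can be surfaced to the user.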

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 31, 2022
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/default.go 88.6% 89.4% 0.7
pkg/pod/pod.go 89.5% 90.6% 1.1

@ScrapCodes ScrapCodes force-pushed the tep-101 branch 2 times, most recently from eb678f2 to b28f802 Compare November 1, 2022 09:49
@ScrapCodes
Contributor Author

/retest

Member

@vdemeester vdemeester left a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2022
@Tomcli
Contributor

Tomcli commented Nov 10, 2022

/cc @afrittoli

@ScrapCodes
Contributor Author

Hi @JeromeJu, @vdemeester and @afrittoli Running codegen after updating to latest main branch adds a whole bunch of stuff not related to this commit.

@pritidesai
Member

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 15, 2022
@ScrapCodes
Contributor Author

opened #5764 to fix codegen out of sync issue.

Member

@XinruZhang XinruZhang left a comment

Mostly LGTM, just some minor nits. Thanks for the PR ❤️

@ScrapCodes
Contributor Author

Thank you @XinruZhang ! for taking a look, please take a look again

@imjasonh imjasonh removed their request for review December 3, 2022 19:49
value: "false"
```

_In the above example the environment variable `TEST_TEKTON` will not be overriden by value specified in podTemplate, because the `config-default` option `default-forbidden-env` is configured with value `TEST_TEKTON`._
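
Review bot: the closing sentence of this docs example says `TEST_TEKTON` "will not be overriden" but never says what the user observes when a podTemplate sets it; state whether the value is dropped silently or the run is rejected. The option is called `default-forbidden-env` here, while the PR description writes `forbidden-envs` and the commit message `default-forbidden-envs`, so settle on one name across docs and code, and correct the spelling to "overridden".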
Contributor

Should a webhook validation error be thrown if a user is trying to update a forbidden env? Might be better user experience this way instead of allowing a user to provide it and silently rejecting it?

Contributor

@chitrangpatel chitrangpatel left a comment

Apart from the behaviour of how to deal with podTemplate that try to update forbidden-env, it looks good!

@jerop
Member

jerop commented Dec 19, 2022

@ScrapCodes - it seems there's an unaddressed feedback from @afrittoli and @chitrangpatel, do you think they'd be resolved soon? wondering if I should move this PR to the next milestone - hoping to cut v0.43 tomorrow

@afrittoli
Member

> It looks like the TEP for this feature is not implementable

Good catch @lbernick , thank you. It is implementable now

@afrittoli
Member

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 20, 2022
@ScrapCodes
Contributor Author

Hi @chitrangpatel, do you think - we can add the webhook validations in a separate pull request?

@chitrangpatel
Contributor

> Hi @chitrangpatel, do you think - we can add the webhook validations in a separate pull request?

Yes, that's completely fine.

@ScrapCodes
Contributor Author

Thank you @chitrangpatel !

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/default.go 88.6% 90.0% 1.4
pkg/apis/pipeline/v1/pipelinerun_validation.go 88.1% 88.3% 0.2
pkg/apis/pipeline/v1/taskrun_validation.go 98.4% 97.7% -0.6
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go 97.4% 96.8% -0.6
pkg/apis/pipeline/v1beta1/taskrun_validation.go 98.4% 97.8% -0.6
pkg/pod/pod.go 91.3% 91.8% 0.5

@@ -334,5 +337,8 @@ func validateTaskRunSpec(ctx context.Context, trs PipelineTaskRunSpec) (errs *ap
errs = errs.Also(version.ValidateEnabledAPIFields(ctx, "computeResources", config.AlphaAPIFields).ViaField("computeResources"))
errs = errs.Also(validateTaskRunComputeResources(trs.ComputeResources, trs.StepOverrides))
}
if trs.TaskPodTemplate != nil {
errs = errs.Also(validatePodTemplateEnv(ctx, *trs.TaskPodTemplate))
}
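
Review bot: the new `validatePodTemplateEnv` call at the end of `validateTaskRunSpec` appends its error without a field path, unlike the `computeResources` check a few lines up, which uses `.ViaField("computeResources")`. Unless the helper sets the path itself, wrap the result in `.ViaField(...)` for the pod template field so a rejected forbidden env points at the offending entry. A test covering a `TaskPodTemplate` that sets a forbidden name would also pin the behaviour down.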
Contributor

shouldn't there be a similar update to v1/pipelinerun_validation.go?

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-using-tekton to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/default.go 88.6% 90.0% 1.4
pkg/apis/pipeline/v1/pipelinerun_validation.go 88.1% 88.3% 0.2
pkg/apis/pipeline/v1/taskrun_validation.go 98.4% 97.7% -0.6
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go 97.4% 96.8% -0.6
pkg/apis/pipeline/v1beta1/taskrun_validation.go 98.4% 97.8% -0.6
pkg/pod/pod.go 91.3% 91.8% 0.5

1. Envs i.e. environment variables specified in podTemplate for
   PipelineRun and TaskRun, will take precedence over envs defined in
   step and StepTemplate.
2. config-defaults' default-pod-template can contain global default
   envs applicable for all PipelineRun and taskRun. These are overridden
   by user defined podTemplate.

TEP-101 Support forbidden envs.

1. A new config-default configuration: default-forbidden-envs
2. Envs added in the default-forbidden-envs are filtered while updating
   from a podTemplate.
Member

@afrittoli afrittoli left a comment

Thank you for the update @ScrapCodes !
/approve

@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli, chitrangpatel, vdemeester, XinruZhang

Needs approval from an approver in each of these files:
  • OWNERS [afrittoli,vdemeester]


@afrittoli
Member

@chitrangpatel ok to merge this? @ScrapCodes implemented both v1beta1 and v1 validation.

@afrittoli
Member

@jerop this should be ready to merge and be included in v0.43

@chitrangpatel
Contributor

> @chitrangpatel ok to merge this? @ScrapCodes implemented both v1beta1 and v1 validation.

Yes! All good!

@afrittoli afrittoli self-assigned this Dec 21, 2022
@afrittoli
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 21, 2022
@tekton-robot tekton-robot merged commit 49fdbfb into tektoncd:main Dec 21, 2022