chains.tekton.dev/signed failed if TaskRun does not produce image #458

Closed
haf-tech opened this issue Jun 12, 2022 · 2 comments · Fixed by #464
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

haf-tech commented Jun 12, 2022

Expected Behavior

As long as a signature is generated and added to the annotation (chains.tekton.dev/signature-taskrun-...), the annotation is chains.tekton.dev/signed: true and not failed for TaskRuns which do not produce an image, like git-clone.

Similar to #402
But not sure if chains.tekton.dev/signed is fixed too in this PR.

Actual Behavior

chains.tekton.dev/signed: failed if artifacts.taskrun.storage contains oci.

Steps to Reproduce the Problem

  1. artifacts.taskrun.storage contains at least oci
  2. TaskRun produces no image, like git-clone

Additional Info

  • Kubernetes version:

    Output of kubectl version:

    Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.4", GitCommit:"e6c093d87ea4cbb530a7b2ae91e54c0842d8308a", GitTreeState:"clean", BuildDate:"2022-02-16T12:30:48Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"darwin/amd64"}
    Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5+3afdacb", GitCommit:"3c28e7a79b58e78b4c1dc1ab7e5f6c6c2d3aedd3", GitTreeState:"clean", BuildDate:"2022-05-10T16:30:48Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}
    
    Server Version: 4.10.15
    Kubernetes Version: v1.23.5+3afdacb
    
  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

    kubectl get pods -n openshift-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'
    v0.33.2
    
    
  • Tekton Chains version

    oc get cm chains-info -o yaml | grep -i 'ConfigMap' -B5
    apiVersion: v1
    data:
      version: v0.8.0
    kind: ConfigMap

Examples

Tested with a git-clone task

storage tekton

$ oc get cm chains-config -o yaml | grep 'kind: Config' -B5
data:
  artifacts.oci.storage: ""
  artifacts.taskrun.format: tekton
  artifacts.taskrun.storage: tekton
  transparency.enabled: "false"
kind: ConfigMap

results in

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
    pipeline.tekton.dev/release: 6b5710c
    argocd.argoproj.io/sync-wave: '-50'
    chains.tekton.dev/signature-taskrun-9b9c5acc-0f52-46e1-9991-db7b13f2d3c3: >-
      MEYCIQDz/PbuiJzgPdJxz9PjiGfZAMDU6BhsTDWF0tZULpTG/AIhAKKFJPmBbo+KTb0lZcANE6J43FQbgl0xBkICUv/SfD0g
    tekton.dev/tags: git
    tekton.dev/categories: Git
    chains.tekton.dev/signed: 'true'
    chains.tekton.dev/payload-taskrun-9b9c5acc-0f52-46e1-9991-db7b13f2d3c3: >-
      eyJjb25kaXRpb25zIjpbeyJ.....

storage oci

oc get cm chains-config -o yaml | grep 'kind: Config' -B5
data:
  artifacts.oci.storage: ""
  artifacts.taskrun.format: tekton
  artifacts.taskrun.storage: oci
  transparency.enabled: "false"
kind: ConfigMap

results in

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
    pipeline.tekton.dev/release: 6b5710c
    argocd.argoproj.io/sync-wave: '-50'
    tekton.dev/tags: git
    tekton.dev/categories: Git
    chains.tekton.dev/signed: failed
    tekton.dev/platforms: 'linux/amd64,linux/s390x,linux/ppc64le,linux/arm64'
    tekton.dev/pipelines.minVersion: 0.21.0
    chains.tekton.dev/retries: '3'
    tekton.dev/displayName: git clone

Error message

{"level":"info","ts":"2022-06-12T07:31:26.529Z","logger":"watcher.event-broadcaster","caller":"record/event.go:282","msg":"Event(v1.ObjectReference{Kind:\"TaskRun\", Namespace:\"demo-quarkus-cicd\", Name:\"quarkus-build-run-xpgj2-clone-source\", UID:\"48cf4bdd-8495-4a8e-b8f5-bc04a112a972\", APIVersion:\"tekton.dev/v1beta1\", ResourceVersion:\"9523044\", FieldPath:\"\"}): type: 'Warning' reason: 'InternalError' 1 error occurred:\n\t* OCI storage backend is only supported for OCI images and in-toto attestations\n\n","commit":"e94c32e"}

storage tekton AND oci

$ oc get cm chains-config -o yaml | grep 'kind: Config' -B5
data:
  artifacts.oci.storage: ""
  artifacts.taskrun.format: tekton
  artifacts.taskrun.storage: tekton,oci
  transparency.enabled: "false"
kind: ConfigMap

results in

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
    chains.tekton.dev/chain-taskrun-b5871e2f-9391-411f-b2a2-223d5cd139e7: ''
    pipeline.tekton.dev/release: 6b5710c
    argocd.argoproj.io/sync-wave: '-50'
    tekton.dev/tags: git
    tekton.dev/categories: Git
    chains.tekton.dev/signature-taskrun-b5871e2f-9391-411f-b2a2-223d5cd139e7: >-
      MEUCIHdgJ3GYAD703KP8UiW9dIji6XbEuexv/KYBwBCh+1JUAiEAmM8HjI+2u4ua08Eefb9vwVnFXVHk6iJ0ppTGFw0ix+c=
    chains.tekton.dev/signed: failed
    tekton.dev/platforms: 'linux/amd64,linux/s390x,linux/ppc64le,linux/arm64'
    tekton.dev/pipelines.minVersion: 0.21.0
    chains.tekton.dev/retries: '3'
    chains.tekton.dev/payload-taskrun-b5871e2f-9391-411f-b2a2-223d5cd139e7: >-
      eyJjb25kaXRpb25zIjpb.....

Error message

{"level":"info","ts":"2022-06-12T07:35:38.298Z","logger":"watcher.event-broadcaster","caller":"record/event.go:282","msg":"Event(v1.ObjectReference{Kind:\"TaskRun\", Namespace:\"demo-quarkus-cicd\", Name:\"quarkus-build-run-pfglz-clone-source\", UID:\"b5871e2f-9391-411f-b2a2-223d5cd139e7\", APIVersion:\"tekton.dev/v1beta1\", ResourceVersion:\"9526956\", FieldPath:\"\"}): type: 'Warning' reason: 'InternalError' 1 error occurred:\n\t* OCI storage backend is only supported for OCI images and in-toto attestations\n\n","commit":"e94c32e"}

@haf-tech haf-tech added the kind/bug Categorizes issue or PR as related to a bug. label Jun 12, 2022
@priyawadhwa

Hey @haf-tech thanks for opening this issue! This definitely looks like a bug. Instead of returning this error:

return errors.New("OCI storage backend is only supported for OCI images and in-toto attestations")

I think maybe we should just log it and return nil --

b.logger.Info("Skipping upload to OCI registry, OCI storage backend is only supported for OCI images and in-toto attestations")
return nil

Would you be interested in opening a PR to fix this?
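
A small Go model of the behaviour discussed in this thread, added here as an illustration and not part of the original comments or of the Tekton Chains code base; `Artifact`, `store` and `SignedAnnotation` are hypothetical names. It runs the three `artifacts.taskrun.storage` settings from the report against a TaskRun that produces no image, first with the reported error and then with the proposed log-and-skip behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Artifact is a hypothetical stand-in for what a TaskRun hands to the signer.
type Artifact struct {
	IsImage bool // false for tasks such as git-clone that build no image
}

// store models one backend; "oci" cannot hold a non-image artifact.
func store(backend string, a Artifact, skip bool) (stored bool, err error) {
	if backend == "oci" && !a.IsImage {
		if skip {
			return false, nil // proposed behaviour: log and skip
		}
		return false, errors.New("OCI storage backend is only supported for OCI images and in-toto attestations")
	}
	return true, nil
}

// SignedAnnotation walks every backend in artifacts.taskrun.storage and
// derives chains.tekton.dev/signed: any backend error yields "failed".
func SignedAnnotation(storage string, a Artifact, skip bool) (value string, storedIn int) {
	value = "true"
	for _, b := range strings.Split(storage, ",") {
		ok, err := store(strings.TrimSpace(b), a, skip)
		if err != nil {
			value = "failed"
		}
		if ok {
			storedIn++
		}
	}
	return value, storedIn
}

func main() {
	clone := Artifact{IsImage: false} // constructed sample: a git-clone TaskRun
	for _, cfg := range []string{"tekton", "oci", "tekton,oci"} {
		before, _ := SignedAnnotation(cfg, clone, false)
		after, n := SignedAnnotation(cfg, clone, true)
		fmt.Printf("%-10s before=%-6s after=%-4s stored in %d backend(s)\n", cfg, before, after, n)
	}
}
```

In this model, `oci` alone with the skip behaviour yields `true` while the signature is stored in zero backends, so anything that verifies provenance should check where the signature actually lives rather than rely on the annotation alone.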

@haf-tech

@priyawadhwa ok thanks for the info. Let me check the source code and the PR possibility
