Skip to content

Switch to Grafeas v1 API in grafeas storage#453

Merged
tekton-robot merged 1 commit into
tektoncd:mainfrom
chuangw6:grafeas-v1
Jul 6, 2022
Merged

Switch to Grafeas v1 API in grafeas storage#453
tekton-robot merged 1 commit into
tektoncd:mainfrom
chuangw6:grafeas-v1

Conversation

@chuangw6

@chuangw6 chuangw6 commented May 23, 2022

Copy link
Copy Markdown
Member

Background

  • Tekton Chains captures two types of artifacts: OCI artifacts, TaskRun itself.
  • For OCI artifacts: Tekton Chains generates simplesigning attestation for it.
  • For TaskRun artifacts: Tekton Chains generates intoto attestation with SLSA 0.2 predicate for it.
    (Chains also supports tekton format for taskrun artifact, but we want grafeas backend storage to only accept intoto format)

Changes Summary:

  • Switch from Grafeas v1beta1 api to Grafeas v1 api.
  • Store simplesigning attestation in grafeas ATTESTATION occurrence. (see the illustration diagram below)
  • Store intoto attestation in BUILD occurrence. Prior to this, intoto attestation was also stored in the ATTESTATION occurrence. (see the illustration diagram below)
  • If a taskrun generates X images
    • X number of ATTESTATION occurrences will be created to store the X simplesigning payload, and the resourceUri of the ATTESTATION occurrences will be set to the image identifier IMAGE_URL@IMAGE_DIGEST.
    • X number of BUILD occurrence will be created in order to associate the taskrun intoto payload with every single image generated from the taskrun, and the resourceUri will be also set to IMAGE_URL@IMAGE_DIGEST.
  • Grafeas Note:

    since a grafeas occurrence has to be linked to a grafeas note, we need to create two notes (attestation note and build note)

    • create ATTESTATION note to link ATTESTATION occurrence.
    • create BUILD note to link BUILD occurrence.
    • user-configured note name will be added a suffix ('-simplesigning'
      or '-intoto') to differentiate the two note types.

Screen Shot 2022-06-27 at 18 15 36

Screen Shot 2022-06-28 at 17 07 33

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 23, 2022
@tekton-robot tekton-robot requested review from dlorenc and mattmoor May 23, 2022 18:53
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 23, 2022
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 0.0% -78.6

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 0.0% -78.6

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 0.0% -78.6

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 0.0% -78.6

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 2, 2022
@tekton-robot tekton-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 23, 2022
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

@chuangw6 chuangw6 marked this pull request as ready for review June 23, 2022 15:15
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2022
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

@chuangw6

Copy link
Copy Markdown
Member Author

cc @wlynch

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated
}
// retrieveOCIURIs returns the uri of a specific OCI artifact and the uris of all the images generated by the taskrun
// If it's taskrun payload & sig (judged from config.StorageOpts), the first returned value will be empty string.
func (b *Backend) retrieveOCIURIs(tr *v1beta1.TaskRun, opts config.StorageOpts) (string, []string) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't fully understand the difference between the 2 return values here - why not just return []string?

@chuangw6 chuangw6 Jun 23, 2022

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to simplify the way we get the specific image uri when OCI artifact payload (simplesigning) and signatures are passed in, and the way to get the URIs of all images built from a taskrun when Taskrun artifact payload (intoto) are passed in. Basically, unify the retrievals into a single function.

If OCI artifact payload is passed, the first returned value will be the image uri of that image, and the second returned value contains the URIs of all images built by the taskrun.
If taskrun artifact payload is passed, the first returned value will be empty string, and the second returned value also contains the URIs of all images built by the taskrun.

why not just return []string?

we can do this. But when we need to get uri for a specific image artifact, we still need a filtering process somewhere else (either another helper function or just inline).

Let me know what you think. I am happy with both.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having trouble following why this behavior would change based on the attestation format - wouldn't the URIs be the same in either case?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only use the attestation format to tell whether the payload&sig are for OCI artifact OR TaskRun artifact.

  • The second returned value - URIs will be the same in either case.
  • But for the first returned value, only the OCI artifact is applicable to have a specific URI associated. TaskRun artifact is not applicable to have a specific URI associated, which is why the first returned value is empty string for taskrun artifact.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed with @wlynch offline. We decided to keep separating the uri retrieval for taskrun/oci into two functions for readability. In future, we might want to set storageOpts's key for OCI artifact to be the full representation so that we don't need to have an extra function to get the full digest for it. #476

Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated
Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated
Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated

func (b *Backend) createBuildOccurrence(ctx context.Context, tr *v1beta1.TaskRun, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
in := intoto.ProvenanceStatement{}
if err := json.Unmarshal(payload, &in); err != nil {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It'd be interesting to just pass the intoto struct reference around rather than generating the intoto statement -> serializing it -> de-serializing it -> converting it to grafeas.

Might be worth looking into to simplify things (we can also do this in another PR if needed)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, agree that for grafeas backend, there are extra steps as you just described.

If we want to simplify that, we might need to change the function StorePayload's signature. But the sacrifice is that other backend options have to serialize when StorePayload is called, right?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah... I think that's okay though? Seems reasonable to keep it as it's full spec and only serialize when we actually make the request. Fine for this now, but let's look into cleaning this up in another PR.

Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2022
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2022
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.8% 0.1

@chuangw6 chuangw6 requested a review from wlynch June 27, 2022 14:06
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2022
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 4, 2022
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.6% -0.0

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.6% -0.0

@wlynch wlynch left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Just a few last cleanups.

Comment thread pkg/chains/storage/grafeas/grafeas.go Outdated
Comment thread pkg/config/config.go Outdated
Comment thread config/100-rolebinding.yaml Outdated
Comment thread examples/kaniko/taskrun.yaml Outdated
Main Changes:
1. Grafeas Note
  - create ATTESTATION note to link ATTESTATION occurrence.
  - create BUILD note to link BUILD occurrence.
  - user-configured note name will be added a suffix ('-simplesigning'
    or '-intoto') to differentiate the two note types.

2. Grafeas Occurrence
- For oci artifact
  - create ATTESTATION occurrence per OCI artifact.
  - the ATTESTATION occurrence contains simplesigning attestation.
- For taskrun artifact
  - create BUILD occurrence per container image built by the taskrun.
  - the BUILD occurrence contains intoto statement with SLSA0.2 predicate.
@chuangw6 chuangw6 requested a review from wlynch July 5, 2022 19:53
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/chains/storage/grafeas/grafeas.go 78.6% 78.1% -0.6

@wlynch

wlynch commented Jul 6, 2022

Copy link
Copy Markdown
Member

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 6, 2022
@tekton-robot

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2022
@tekton-robot tekton-robot merged commit b1c8b5a into tektoncd:main Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants