Add variable expansion for params in Projected Volume fields

[jlpettersson]

Changes

A projected volume can mount/project files from Secrets, ConfigMaps and ServiceAccountTokens.

It is good if the end-user can choose the name of Secrets, ConfigMaps and the audience of ServiceAccountTokens. With this commit, the task author can use params for secret.name, configmap.name and serviceaccounttoken.audience in a Projected Volume.

Example usage:

  volumes:
  - name: ssh-auth
    projected:
      defaultMode: 0400
      sources:
      - secret:
          name: $(params.known-hosts-secret) 
      - secret:
          name: $(params.private-key-secret)

See more example use cases in #2597

Fixes #2597
/kind feature

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

• If you are adding a new binary/image to the cmd dir, please update
  the release Task to build and release this image.

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

Add variable expansion for params in Projected Volume fields

[tekton-robot]

Hi @jlpettersson. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vincent-pli]

/ok-to-test

[vdemeester]

/meow
/cc @sbwsg

[tekton-robot]

@vdemeester:

In response to this:

/meow
/cc @sbwsg

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ghost]

/lgtm

I had no idea we already supported substitution for other volume types. Thanks @jlpettersson !

[ghost]

Oh, we should probably also document this!

[jlpettersson]

@sbwsg yes. This is variable expansion for params. This is actually documented already, but we don't document all places where it is possible to use variable expansion for params.

But I think that I instead should document on how to use Projected Volumes since that is usable with Secrets, ConfigMaps and ServiceAccountTokens.

[ghost]

Created #2605 to record all variable expansion locations.

[jlpettersson]

/test pull-tekton-pipeline-integration-tests

[bobcatfish]

Is there a documentation change that would make sense to add with this?

[jlpettersson]

@bobcatfish see #2601 (comment)

[bobcatfish]

ah kk

but we don't document all places where it is possible to use variable expansion for params.

It does seem like something that would make sense to document, but I understand not wanting to take that on when there is no precedent. Documenting projected volumes as well makes sense, but I think it makes sense to be able to refer to docs that show you where you can use the variable replacement

[jlpettersson]

/test tekton-pipeline-unit-tests

[jlpettersson]

Fails on this now

<testsuite tests="1" failures="1" time="0.000" name="pkg/reconciler/taskrun/resources">
<properties>
<property name="go.version" value="go1.14.1"/>
</properties>
<testcase classname="resources" name="[build failed]" time="0.000">
<failure message="Failed" type=""/>
</testcase>
</testsuite>

[vdemeester]

@jlpettersson can you rebase against master ?

[jlpettersson]

Am I hitting this feature gate?

The projection of service account tokens is a feature introduced in Kubernetes 1.11 and promoted to Beta in 1.12. To enable this feature on 1.11, you need to explicitly set the TokenRequestProjection feature gate to True.

level=warning msg="[runner] Can't run linter goanalysis_metalinter: gosec: analysis skipped: errors in package: [/home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal]"
level=error msg="Running error: gosec: analysis skipped: errors in package: [/home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal]"

Is this test running on a cluster with different configuration/version than earlier tests?

[jlpettersson]

/test tekton-pipeline-unit-tests
/test pull-tekton-pipeline-build-tests

[vdemeester]

Am I hitting this feature gate?

The projection of service account tokens is a feature introduced in Kubernetes 1.11 and promoted to Beta in 1.12. To enable this feature on 1.11, you need to explicitly set the TokenRequestProjection feature gate to True.

level=warning msg="[runner] Can't run linter goanalysis_metalinter: gosec: analysis skipped: errors in package: [/home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal]"
level=error msg="Running error: gosec: analysis skipped: errors in package: [/home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal]"

Is this test running on a cluster with different configuration/version than earlier tests?

Nah, this is the linter, it shouldn't fail on this (and it doesn't have anything to do with the cluster the build are run into)… This is a weird error…

/retest

[vdemeester]

@jlpettersson actually the error is legit

λ make golangci-lint 
🐱 getting golangci-lint v1.25.0
golangci/golangci-lint info checking GitHub for tag 'v1.25.0'
golangci/golangci-lint info found version: 1.25.0 for v1.25.0/linux/amd64
golangci/golangci-lint info installed /home/vincent/src/github.com/tektoncd/pipeline/.bin/golangci-lint
🐱 running golangci-lint…
WARN [runner] Can't run linter goanalysis_metalinter: gocritic: analysis skipped: errors in package: [/home/vincent/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/vincent/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal] 
ERRO Running error: gocritic: analysis skipped: errors in package: [/home/vincent/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field Name in struct literal /home/vincent/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field VolumeSource in struct literal] 
make: *** [Makefile:150: golangci-lint] Error 3

⛄ λ go test ./pkg/reconciler/taskrun/resources/... 
# github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources_test [github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources.test]
pkg/reconciler/taskrun/resources/apply_test.go:132:5: unknown field 'Name' in struct literal of type "k8s.io/api/core/v1".EnvFromSource
pkg/reconciler/taskrun/resources/apply_test.go:133:5: unknown field 'VolumeSource' in struct literal of type "k8s.io/api/core/v1".EnvFromSource
FAIL	github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources [build failed]
ok  	github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/cloudevent	0.013s
FAIL

[jlpettersson]

Thank you @vdemeester !

I did not notice this. But a part of the code was actually moved to a similar part. I got the error locally as well now. It must have happened during my git rebase master. This is a good example of how important it is to practice Continuous Integration ;) Tekton is becoming a great product for that :)

[afrittoli]

Nice, thank you!
/lgtm