Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TEP-0091] change feature flag resource-verification-mode to trusted-resources-verification-no-match-policy #6324

Merged
merged 1 commit into from
Mar 22, 2023
Merged

[TEP-0091] change feature flag resource-verification-mode to trusted-resources-verification-no-match-policy #6324

merged 1 commit into from
Mar 22, 2023

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Mar 8, 2023
edited
Loading

Changes

🚨BREAKING CHANGES🚨

This commits changes trusted resources feature flag from resource-verification-mode to verification-no-match-policy. This is a backward incompatiable change as discussed in TEP-0091. Before this commit the feature flag is used to skip/enforce the verification. This commit changes this to check the existence of matched VerificationPolicy. So to enable the verification, users just need to apply VerificationPolicy to match the resources. To disable the verification, users need to remove the policies and set the verification-no-match-policy to ignore (by default).

Part of #6356

/kind feature

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

[action required] for trusted resources users, please change feature flag resource-verification-mode to trusted-resources-verification-no-match-policy, please refer to https://github.com/tektoncd/pipeline/blob/main/docs/trusted-resources.md#enable-trusted-resources to learn how to config the new  trusted-resources-verification-no-match-policy feature flag

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added kind/feature Categorizes issue or PR as related to a new feature. release-note-none Denotes a PR that doesnt merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 8, 2023
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 8, 2023
@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 8, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 93.8% 94.2% 0.5

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 8, 2023
@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 10, 2023
@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 13, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@Yongxuanzhang
Copy link
Member Author

/test all

1 similar comment
@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 90.0% -3.5
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@Yongxuanzhang
Copy link
Member Author

/test all

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 91.8% -1.7
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 91.4% -2.3
pkg/reconciler/taskrun/resources/taskref.go 89.9% 90.6% 0.7
pkg/reconciler/taskrun/taskrun.go 84.9% 84.9% 0.0
pkg/trustedresources/verify.go 94.4% 94.2% -0.2

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.3% -0.4
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.3% -0.5
pkg/reconciler/taskrun/taskrun.go 84.9% 84.8% -0.1
pkg/trustedresources/errors.go Do not exist 75.0%
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.3% -0.4
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.3% -0.5
pkg/reconciler/taskrun/taskrun.go 84.9% 84.8% -0.1
pkg/trustedresources/errors.go Do not exist 75.0%
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.3% -0.4
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.3% -0.5
pkg/reconciler/taskrun/taskrun.go 84.9% 84.8% -0.1
pkg/trustedresources/errors.go Do not exist 75.0%
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@lbernick lbernick self-assigned this Mar 21, 2023
lbernick
lbernick reviewed Mar 21, 2023
View reviewed changes
pkg/trustedresources/verify_test.go
task v1beta1.TaskObject
source string
signer signature.SignerVerifier
verificationNoMatchPolicy string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see; in that case it would be helpful to create variables matchingSource and mismatchedSource to serve as better "documentation"

pkg/reconciler/pipelinerun/pipelinerun.go Outdated Show resolved Hide resolved
pkg/reconciler/pipelinerun/resources/pipelineref.go Outdated Show resolved Hide resolved
@Yongxuanzhang Yongxuanzhang force-pushed the no-match-policy branch 2 times, most recently from d29a9eb to b781395 Compare March 21, 2023 19:22
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.1% -0.6
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.0% -0.8
pkg/reconciler/taskrun/taskrun.go 85.0% 84.8% -0.1
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.1% -0.6
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.0% -0.8
pkg/reconciler/taskrun/taskrun.go 85.0% 84.8% -0.1
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.4% 88.4% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.1% -0.6
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.0% -0.8
pkg/reconciler/taskrun/taskrun.go 85.0% 84.8% -0.1
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 22, 2023
wlynch
wlynch approved these changes Mar 22, 2023
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 22, 2023
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernick, wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Yongxuanzhang
Copy link
Member Author

Yongxuanzhang commented Mar 22, 2023
edited
Loading

/hold
I think @lbernick mentioned there are some comments, I need to double check

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 22, 2023
@Yongxuanzhang
change resource-verification-mode to verification-no-match-policy
2d0e0ea 
This commits changes trusted resources feature flag from
resource-verification-mode to verification-no-match-policy. This is a
backward imcompatiable change as discussed in TEP--0091. Before this
commit the feature flag is used to skip/enforce the verification. This
commit changes this to check the existence of matched
VerificationPolicy. So to enable the verification, users just need to
apply VerificationPolicy to match the resources. To disable the
verification, users need to remove the policies and set the
verification-no-match-policy to allow (by default).

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Mar 22, 2023
@Yongxuanzhang
Copy link
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 22, 2023
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.7% 88.7% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.1% -0.6
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.0% -0.8
pkg/reconciler/taskrun/taskrun.go 85.0% 84.8% -0.1
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/config/feature_flags.go 93.5% 93.3% -0.2
pkg/reconciler/pipelinerun/pipelinerun.go 88.7% 88.7% 0.0
pkg/reconciler/pipelinerun/resources/pipelineref.go 93.8% 93.1% -0.6
pkg/reconciler/taskrun/resources/taskref.go 89.9% 89.0% -0.8
pkg/reconciler/taskrun/taskrun.go 85.0% 84.8% -0.1
pkg/trustedresources/verify.go 94.4% 95.1% 0.7

@QuanZhang-William
Copy link
Member

/assign

@lbernick
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 22, 2023
@tekton-robot tekton-robot merged commit 5deea1f into tektoncd:main Mar 22, 2023
@jkandasa jkandasa mentioned this pull request May 9, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wlynch wlynch wlynch approved these changes

@lbernick lbernick lbernick approved these changes

Assignees

@wlynch wlynch

@jerop jerop

@QuanZhang-William QuanZhang-William

@lbernick lbernick

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Yongxuanzhang @tekton-robot @QuanZhang-William @lbernick @wlynch @jerop