change bundle resolver to use secret instead of service account #7331

Merged
merged 1 commit into from
Nov 7, 2023

Yongxuanzhang
Member

@Yongxuanzhang Yongxuanzhang commented Nov 3, 2023

Changes

This commit fixes #7159. The bundle resolver's service account doesn't have the permission to fetch the service account which contains the credentials to pull bundle, and the error is also omitted. This commit changes to use secret directly, without granting SA read permissions to resolver.

/kind bug

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

action required: Bundle resolve uses secret to pull bundle Tasks/Pipelines from private registry instead of Service Account. Please update your bundle resolver ref to use secret.
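
An illustration of the migration the release note asks for, added here as an example and not part of the pull request or the Tekton project's own files: a `bundles` resolver reference that names the pull Secret directly. The `secret` and `serviceAccount` parameter names follow the Tekton bundle resolver documentation; the namespace, Secret name, registry host and task name are hypothetical, and placing the Secret in the TaskRun's namespace is an assumption.

```yaml
# Added example; all names and the registry host are hypothetical.
# Registry credentials stored as a docker-config Secret, assumed to live
# in the same namespace as the TaskRun that references the bundle.
apiVersion: v1
kind: Secret
metadata:
  name: bundle-pull-creds
  namespace: ci
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded docker config.json>
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: build-from-private-bundle
  namespace: ci
spec:
  taskRef:
    resolver: bundles
    params:
      - name: bundle
        value: registry.example.com/team/catalog:1.0
      - name: name
        value: build
      - name: kind
        value: task
      # Before this change the credentials were named indirectly, through
      # a service account the resolver could not read:
      # - name: serviceAccount
      #   value: bundle-puller
      # After it, the Secret holding the credentials is named directly:
      - name: secret
        value: bundle-pull-creds
```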

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 3, 2023
@tekton-robot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesnt merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 3, 2023
@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Nov 3, 2023
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/resolver.go 95.5% 91.7% -3.8

@Yongxuanzhang Yongxuanzhang added this to the Pipelines v0.54 milestone Nov 3, 2023
@Yongxuanzhang Yongxuanzhang marked this pull request as ready for review November 3, 2023 19:21
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 3, 2023
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/resolver.go 95.5% 91.7% -3.8

@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 4, 2023
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/resolver.go 95.5% 95.8% 0.4

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/resolver.go 95.5% 95.8% 0.4

@JeromeJu
Member

JeromeJu commented Nov 6, 2023

Thanks for the fix @Yongxuanzhang .
I agree with the commit message that this is a bug that might block some of Tekton users. But one question I got is regarding resolver compatibility policy, do we still need to support the previous SA fields 🤔 ?

@Yongxuanzhang
Member Author

Yongxuanzhang commented Nov 6, 2023

> Thanks for the fix @Yongxuanzhang . I agree with the commit message that this is a bug that might block some of Tekton users. But one question I got is regarding resolver compatibility policy, do we still need to support the previous SA fields 🤔 ?

It never works, I don't see values here to stick to the policy 🤷‍♂️
And I don't think this is an api change... it is changing the preserved param in resolver

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.3% 1.7
pkg/resolution/resolver/bundle/resolver.go 95.5% 95.8% 0.4

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.3% 1.7
pkg/resolution/resolver/bundle/resolver.go 95.5% 95.8% 0.4

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.3% 1.7
pkg/resolution/resolver/bundle/resolver.go 95.5% 95.8% 0.4

This commit fixes tektoncd#7159. The bundle resolver's service account doesn't
have the permission to fetch the service account which contains the
credentials to pull bundle, and the error is also omitted. This commit
changes to use secret directly, without granting SA read permissions to
resolver.

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.0% 1.4
pkg/resolution/resolver/bundle/resolver.go 95.5% 96.3% 0.8

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.0% 1.4
pkg/resolution/resolver/bundle/resolver.go 95.5% 96.4% 1.0

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/resolution/resolver/bundle/params.go 90.6% 92.0% 1.4
pkg/resolution/resolver/bundle/resolver.go 95.5% 96.3% 0.8

@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 7, 2023
Member

@QuanZhang-William QuanZhang-William left a comment

Please add action required in the release note. Otherwise lgtm!

@QuanZhang-William
Member

/assign

@tekton-robot tekton-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Nov 7, 2023
@QuanZhang-William
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 7, 2023
@tekton-robot tekton-robot merged commit 0fa076e into tektoncd:main Nov 7, 2023
11 of 12 checks passed

Successfully merging this pull request may close these issues.

Missing permissions while tekton bundle resolver pulls from a private Google Artifact registry repository