Tekton Pipeline release v0.41.0 "Nebelung Nomad"

🎉 First LTS Release, many features promoted to beta and a new Artifact Hub Resolver !🎉

Remote Resolution, Propagated Parameters, CSI and Projected Workspaces promoted to Beta!

-Docs @ v0.41.0
-Examples @ v0.41.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.41.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a0f387ec5597ae094fc78efb152ca50f4bc02f99149e5d324261f4fc32d28f92f

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a0f387ec5597ae094fc78efb152ca50f4bc02f99149e5d324261f4fc32d28f92f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.41.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0f387ec5597ae094fc78efb152ca50f4bc02f99149e5d324261f4fc32d28f92f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.41.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

• Tekton Pipeline v0.41.0 requires Kubernetes version 1.23 or greater.
• Release EOL: Oct 30th, 2023.

Actions Required

• To allow PodSecurityAdmission to take effect, please set PodSecurity flag as Beta in kubernetes 1.23-1.24. See kubernetes feature gates for more information. (#5652)

Deprecation Notices

• 🚨 ClusterTasks are deprecated. Please use the cluster resolver instead. (#5545)

Backwards incompatible changes

• Any resolvers being used other than built-in resolvers will need to be updated to use ResolutionRequest v1beta1 (#5515)
• Starting from this release, Custom Task Runs controllers need to implement the Timeout on their own, PipelineRun reconciler would not set Run.Spec.Status == RunCancelled upon Run timeout. (#5658)

Changes

Features

• ✨ [TEP-0115] Support Artifact Hub in Hub Resolver (#5666)

The Hub Resolver will have a new type field to indicate the type of Hub from where to pull the resource. The default hub type is updated from the Tekton Hub to the Artifact Hub. Please see more details in TEP-0115

• ✨ CSI workspace to Beta (#5628)

CSI workspaces are promoted to beta/stable API

• ✨ Add extra display columns for resource resolution (#5602)

Add more details (start time, end time, owner) in the default view of resource resolutions

• ✨ Propagated Parameters for Finally Tasks (#5593)

Propagated Parameters extended to Finally tasks.

• ✨ Add Provenance field in TaskRun&PipelineRun status (#5580)

Add Provenance field in TaskRun&PipelineRun status that wraps all the information we might need from pipeline side.

It only contains ConfigSource at the moment, but it can be extended to have more subfields in future.

• ✨ Add ConfigSource field in (#5551)

Add provenance-related field in ResolutionRequest.status.

• ✨ Propagated parameters to beta (#5540)

Promote propagated parameters to beta.

• ✨ Remove alpha feature gate from projected workspaces (#5530)

Projected workspaces are promoted to beta/stable API

• ✨ Move remote resolution out of alpha (#5515)

action required: Any resolvers being used other than built-in resolvers will need to be updated to use ResolutionRequest v1beta1. Remote resolution of Pipelines and Tasks promoted to beta, and ResolutionRequest v1beta1 introduced to support array and object parameters for resolvers.

• ✨ resolution/framework : inject the request name in the context (#5678)
• ✨ [TEP-0089] Modify entrypoint to sign the results. (#5676)
• ✨ [TEP-0089] Apis to handle SPIRE signing and verification. (#5647)
• ✨ Propagated Parameters e2e tests (#5599)
• ✨ [TEP-0091] Trusted resources alpha add sigstore packages (#5552)
• ✨ TEP-0114: Tests Wait Custom Task Retries and TimeOut (#5523)

Fixes

• 🐛 Resolve PodSecurityAdmission restrictions on 1.23+ for deprecated PodSecurityPolicy (#5652)

Action required: If using Kubernetes 1.22, set PodSecurity flag to true to enforce a restricted pod security level in Tekton namespaces. See https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features for more information.

• 🐛 Remove webhook validation on delete (#5610)

Bug fix: skip validation of CRDs on deletion

• 🐛 Merge Labels and Annotations instead of override (#5597)

The PipelineRun and TaskRun controller will not override label set by other tools during the reconciler loop, and will merge them instead

• 🐛 Write TaskRun.Status.TaskSpec with replaced spec on every reconcile run (#5576)

Fix TaskRun parameter etc replacement logic to persist in the TaskRun's Status properly

• 🐛 fix 5569 pipelinerun hang on Unknown status due to duplicated task parameters (#5575)

Fix PipelineRun hang on Unknown status when duplicated params are defined in a PipelineTask

• 🐛 Apply replacements to workspace subpath for finally tasks (#5572)

Variable replacement is now properly performed for workspace sub-paths in finally tasks.

• 🐛 Fix taskrun not working with workspace having volumeClaimTemplate (#5559)

Fix taskrun not working with workspace having volumeClaimTemplate

• 🐛 Replace deprecated PodSecurityPolicy with PodSecurityAdmission enforcement (#5536)

action required: To allow PodSecurityAdmission to take effect, please set PodSecurity flag as Beta in 1.23-1.24. See https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features for more information.

• 🐛 Resolve the Flaky Test - TestWaitCustomTask_PipelineRun (#5658)

ACTION REQUIRED: Starting from this release, Custom Task Runs controllers need to implement the Timeout on your own, PipelineRun reconciler would not set Run.Spec.Status == RunCancelled upon Run timeout.

• 🐛 Add Beta feature gate for v1 Projected Workspace (#5640)
• 🐛 Fix paramValue Type for bundle conversion to resolver (#5625)
• 🐛 Fix v1 PipelineRun CRD conversionReviewVersions and conversion typo (#5619)
• 🐛 Revert PSP migration to PSA (#5605)
• 🐛 Fix empty paramValueType conversion (#5506)
• 🐛 Increase timeout for entrypoint waiter tests (#5626)

Misc

• 🔨 Remove minimal-release.yaml and resolvers.yaml (#5671)

Separate resolvers.yaml manifest removed because resolvers are now included in release.yaml

• 🔨 Mark pipelineRef.bundle and taskRef.bundle as deprecated (#5656)

pipelineRef.bundle and taskRef.bundle are deprecated in favor of using the bundles resolver

• 🔨 bump knative.dev/pkg dep to latest (#5643)

Update knative.dev/pkg dependency for support of k8s 1.25.x

• 🔨 tekton: make sure the git workingdir is not dirty… (#5573)

Binary file (standard input) matches

• 🔨 Change image refs: distroless.dev -> cgr.dev/chainguard (#5542)

Images are based on cgr.dev/chainguard/* instead of the exactly equivalent distroless.dev/* image references.

• 🔨 Update ClusterRoles (#5596)

Update aggregate ClusterRoles to include Run resources used for custom tasks and remove references to Condition which was removed in v0.37.0

• 🔨 Deprecate ClusterTasks (#5545)

Action required: ClusterTasks are deprecated. Please use the cluster resolver instead.

• 🔨 TEP-096 - Rename 'resources' to 'computeResources' in v1 taskRun (#5493)

Renames the resources to computeResources of task.spec.steps[].resources, task.spec.stepTemplate.resources, task.spec.sidecars[].resources, taskRun.spec.stepOverrides[].resources, taskrun.spec.sidecarOverrides[].resources. Renames stepOverrides and sidecarOverrides to stepSpecs and sidecarSpecs.

• 🔨 Bump HorizontalPodAutoscaler apiVersion to v2 (#5130)

Webhook HPA uses autoscaling/v2 instead of the deprecated autoscaling/v2beta1. This also brings the minimum kubernetes version to v1.23.0

• 🔨 More places to use kmap.Union to merge maps (#5665)
• 🔨 Use kmap.Union to merge two maps (#5660)
• 🔨 Ensure resource defaulting is always done regardless of ref type. (#5651)
• 🔨 migrate PipelineRun to use YAMLParser Reconciler_TestReconcileTaskResolutionError (#5644)
• 🔨 refactor test Test_storePipelineSpec to use yml parser (#5561)
• 🔨 Refactor ensureConfigurationConfigMapsExist to reduce duplicate code (#5508)
• 🔨 Bump github.com/sigstore/sigstore from 1.4.4 to 1.4.5 (#5686)
• 🔨 Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#5685)
• 🔨 Bump github.com/containerd/containerd from 1.6.8 to 1.6.9 (#5680)
• 🔨 Bump github.com/google/go-containerregistry from 0.11.0 to 0.12.0 (#5674)
• 🔨 fix tekton documentation contributor`s guide link (#5669)
• 🔨 Pin knative/pkg to 1.8 (#5661)
• 🔨 Bump k8s.io/client-go from 0.25.2 to 0.25.3 (#5657)
• 🔨 Bump k8s.io/api from 0.25.2 to 0.25.3 (#5655)
• 🔨 Bump k8s.io/apimachinery from 0.25.2 to 0.25.3 (#5654)
• 🔨 Bump google.golang.org/grpc from 1.50.0 to 1.50.1 (#5648)
• 🔨 preallocate memory (#5638)
• 🔨 Bump github.com/sigstore/sigstore from 1.4.3 to 1.4.4 (#5630)
• 🔨 Bump github.com/spiffe/spire-api-sdk from 1.4.2 to 1.4.4 (#5618)
• 🔨 Bump github.com/sigstore/sigstore from 1.4.2 to 1.4.3 (#5617)
• 🔨 Bump google.golang.org/grpc from 1.49.0 to 1.50.0 (#5615)
• 🔨 tekton: using golang 1.18.7 on release publish tasks (#5612)
• 🔨 Minor Fix - There's An Error in The Example of Using Resources in Task (#5609)
• 🔨 Add git-resolver/PipelineTask example to tests (#5604)
• 🔨 tekton: do not fail on git status -s (#5587)
• 🔨 V1: sync v1beta1 changes for pipeline CRDs (#5578)
• 🔨 Bump github.com/jenkins-x/go-scm from 1.11.19 to 1.11.29 (#5577)
• 🔨 OWNERS: move dlorenc to alumni (#5547)
• 🔨 Update ko to v0.12.0 (#5539)
• 🔨 Bump github.com/cloudevents/sdk-go/v2 from 2.11.0 to 2.12.0 (#5535)
• 🔨 Add the ability to mock more SCM data for git resolver tests (#5531)
• 🔨 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#5519)
• 🔨 Bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 (#5518)
• 🔨 Bump google.golang.org/grpc from 1.46.0 to 1.49.0 (#5517)
• 🔨 Bump github.com/spiffe/spire-api-sdk from 1.3.1 to 1.4.2 (#5516)
• 🔨 Add "beta" value to enable-api-fields (#5325)
• 🔨 fix PR template (#5308)

Docs

• 📖 Add missing links in releases.md (#5624)
• 📖 Refactor developer documentation (#5622)
• 📖 Clarify API policy for CustomRuns (#5621)
• 📖 Fix kind value type in bundle-resolver docs (#5614)
• 📖 Simplify and consolidate release specific docs (#5608)
• 📖 Fix Hub Resolver doc typo (#5598)
• 📖 Add contacts for security in topical ownership (#5589)
• 📖 Add release documentation for Pipeline (#5586)
• 📖 Add the openssf badge to the main README (#5570)
• 📖 Update how-to-write-a-resolver doc (#5544)
• 📖 Fix gcloud config syntax for e2e test setup (#5543)
• 📖 README.md: update with latest release (v0.40.0) (#5526)
• 📖 Update API spec doc to reflect the new fields introduced from TEP75&76 (#5511)
• 📖 Update alpha features table (#5510)
• 📖 Add developer documentation on k8s controllers (#5503)

Thanks

Thanks to these contributors who contributed to v0.41.0!

• ❤️ @0xFelix
• ❤️ @AlanGreene
• ❤️ @JeromeJu
• ❤️ @QuanZhang-William
• ❤️ @XinruZhang
• ❤️ @Yongxuanzhang
• ❤️ @abayer
• ❤️ @afrittoli
• ❤️ @chengjoey
• ❤️ @chitrangpatel
• ❤️ @chuangw6
• ❤️ @dependabot[bot]
• ❤️ @florianl
• ❤️ @imjasonh
• ❤️ @jagathprakash
• ❤️ @k4leung4
• ❤️ @khrm
• ❤️ @lbernick
• ❤️ @lcarva
• ❤️ @my-git9
• ❤️ @piyush-garg
• ❤️ @pritidesai
• ❤️ @vdemeester
• ❤️ @wlynch

Extra shout-out for awesome release notes:

• 😍 @0xFelix
• 😍 @AlanGreene
• 😍 @JeromeJu
• 😍 @QuanZhang-William
• 😍 @XinruZhang
• 😍 @abayer
• 😍 @afrittoli
• 😍 @chengjoey
• 😍 @chitrangpatel
• 😍 @chuangw6
• 😍 @imjasonh
• 😍 @k4leung4
• 😍 @lbernick
• 😍 @piyush-garg
• 😍 @vdemeester

Many thanks to 🐱 purr programmer Gigi too!

Gigi says "congratulation on the graduation, Tekton!"