Implement TriggerResourceTemplate Spec as []byte blob #51
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vtereso The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
approved
|
This is a small playground example program that would use this. |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
vtereso
force-pushed
the
Issue32-TriggerResourceTemplateSpec
branch
from
7cd66dd
to
180cf76
Compare
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
vtereso
force-pushed
the
Issue32-TriggerResourceTemplateSpec
branch
from
180cf76
to
5ae009f
Compare
tekton-robot
added
size/M
There was a problem hiding this comment.
Two minor requests:
- Looking at the commit message for this one, it would be great to include some more context about why we want to "Implement TriggerResourceTemplate Spec as []byte blob" (e.g. explainging the kinds of functionality we want to support in the future, why this has to be a
[]byte blobfor that, if there are any alternatives considered. - Could we add a bit of data about this to our docs (https://github.com/tektoncd/triggers/blob/master/docs/triggertemplates.md), e.g. explaining that the body of the
resourcetemplatesis raw json, and no/little validation will be applied to it (I assume we probably want to do some validation of the${params....}usage? maybe that should be a follow up issue?)
vtereso
force-pushed
the
Issue32-TriggerResourceTemplateSpec
branch
from
ed5db5e
to
640dada
Compare
…urce templates need to be stored arbitrarily and this coincides with the event parsing.
vtereso
force-pushed
the
Issue32-TriggerResourceTemplateSpec
branch
from
640dada
to
e243475
Compare
| Also, any parameters defined a [`TriggerBinding`](triggerbindings.md) are passed into to the `TriggerTemplate` before resource creation. | ||
| Any parameters defined in the [`TriggerBinding`](triggerbindings.md) are passed into to the `TriggerTemplate` before resource creation. | ||
|
|
||
| To enable support for any resource type, the resource templates are internally resolved as byte blobs. |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@bobcatfish @vtereso Any reason for not using |
|
@vdemeester in my case I just didn't know about it! Sounds like it's better than the approach we took? Maybe you can give us some pointers? ❤️ 🙏 |
|
Noting the relative age of this PR, I perhaps may need to register this comment elsewhere (perhaps as a new issue, perhaps in the Tekton Dynamic File Resource proposal ?). But full disclosure I discovered this PR when researching why raw JSON was currently being used. Please do direct me to other locations to register this if that is more appropriate. But minimally one advantage of switching TriggerResourceTemplate to https://godoc.org/k8s.io/apimachinery/pkg/runtime#RawExtension as @vdemeester notes is that it gets us on the path to using the k8s dynamic rest mapper APIs, which in turn will allow the trigger controller to employ k8s subject access reviews for the k8s objects to be created. And if the associated user in question wanting to trigger something in tekton does not have permission to create such object, abort their creation. Imagine a user creating a TriggerTemplate whose raw json attempts to create a a privileged object that can do nasty things. I do see from Anyway I've got some cycles, and can start crafting a PR for consideration, at least for simply switching to RawExtension, if folks are amenable. I can throw some temporary commits on what the SAR flow might look like as well if the discussion goes that way. thanks |
|
quick update - I do see some use of unstructured as I've started to prep for my PR ... as I move forward, I'll add comments in the PR around if/how the move to runtime.RawExtension impacts the use of unstructured and ultimately SARs thanks |
|
Hey @gabemontero Thanks for writing this up! I think a new issue would be a great place to discuss this. I think #77 related to SAR checks. @wlynch also added a Dynamic Client which maybe be related: #238 |
will do @dibyom thanks ... and looking at #77 I probably should have caught the presence of that (as I work with @pmorie ;-) ) I'll respond to the latest comments there ... that said, again to some degree, to leverage runtime.RawExtension vs. what there today is simply best practice, regardless if it helps us get to SARs
OK cool yes that could help the move to SARs along ... I'll take a close look |
Yes! I agree :) |
Changes
Implement the
TriggerResourceTemplateusing []byte blob. Since any field may have a binding, it is impossible to guarantee validation on any. Since arbitrary resources can be templated, this evaluates to arbitrary json. Since we are already parsing json bytes, storing the message in this form is easy and better than an internalmap[string]string.Another option was to disallow interpolation on certain fields to get some form of validation, but I think we can revisit this one we are able to create resources. This way, we can determine if the flexibility of templating any field is worthwhile and if this validation is necessary.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
_See the contribution guide for more details.