From 1149d51ff6797f0460c070728859b56681a4da8e Mon Sep 17 00:00:00 2001
From: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:13:28 -0400
Subject: [PATCH] [TEP-0089] Enable SPIRE for signing taskrun results in alpha.
 Breaking down PR #4759 originally proposed by @pxp928 to address TEP-0089
 according to @lumjjb's suggestions. Plan for breaking down the PR: PR 1.1: api; PR
 1.2: entrypointer (+cmd line + test/entrypointer) — the entrypoint takes results
 and signs the results (termination message); PR 1.3: reconciler + pod +
 cmd/controller + integration tests — the controller will verify the signed result.
 This commit corresponds to 1.3 above.

Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
---
 pkg/apis/config/feature_flags.go |  4 ++--
 pkg/spire/spire_test.go          | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
index 53d946ffa78..a9e7ce72936 100644
--- a/pkg/apis/config/feature_flags.go
+++ b/pkg/apis/config/feature_flags.go
@@ -80,9 +80,9 @@ const (
 	DefaultSendCloudEventsForRuns = false
 	// DefaultEmbeddedStatus is the default value for "embedded-status".
 	DefaultEmbeddedStatus = FullEmbeddedStatus
-	// EnableNonfalsifiabilityWithSpire is the value used for  "enable-nonfalsifiability" when SPIRE is used to enable non-falsifiability.
+	// EnforceNonfalsifiabilityWithSpire is the value used for  "enable-nonfalsifiability" when SPIRE is used to enable non-falsifiability.
 	EnforceNonfalsifiabilityWithSpire = "spire"
-	// EnableNonfalsifiabilityNone is the value used for  "enable-nonfalsifiability" when non-falsifiability is not enabled.
+	// EnforceNonfalsifiabilityNone is the value used for  "enable-nonfalsifiability" when non-falsifiability is not enabled.
 	EnforceNonfalsifiabilityNone = ""
 	// DefaultEnforceNonfalsifiability is the default value for "enforce-nonfalsifiability".
 	DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
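Review bot: The renamed comments for EnforceNonfalsifiabilityWithSpire and EnforceNonfalsifiabilityNone still describe the key as `"enable-nonfalsifiability"`, while the DefaultEnforceNonfalsifiability comment two lines below names it `"enforce-nonfalsifiability"`, so the two halves of the same const group disagree about the flag name a user has to set. Since the constants themselves are prefixed Enforce, the comments should presumably read `// EnforceNonfalsifiabilityWithSpire is the value used for "enforce-nonfalsifiability" when SPIRE is used to enable non-falsifiability.` and `// EnforceNonfalsifiabilityNone is the value used for "enforce-nonfalsifiability" when non-falsifiability is not enabled.` (this also drops the doubled space after "for"). The const block continues outside the hunk and the actual key string is not visible here, so confirm the spelling against the place where the feature flag is parsed before changing the comments.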
diff --git a/pkg/spire/spire_test.go b/pkg/spire/spire_test.go
index 2be0b92c551..165feb4de3a 100644
--- a/pkg/spire/spire_test.go
+++ b/pkg/spire/spire_test.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
+	pconf "github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing"
 	"github.com/tektoncd/pipeline/pkg/spire/config"
@@ -668,6 +669,30 @@ func TestSpire_TaskRunResultsSignTamper(t *testing.T) {
 	}
 }
 
+func TestOnStore(t *testing.T) {
+	ctx, _ := ttesting.SetupDefaultContext(t)
+	logger := logging.FromContext(ctx)
+	ctx = context.WithValue(ctx, controllerKey{}, &spireControllerAPIClient{
+		config: &config.SpireConfig{
+			TrustDomain:     "before_test_domain",
+			SocketPath:      "before_test_socket_path",
+			ServerAddr:      "before_test_server_path",
+			NodeAliasPrefix: "before_test_node_alias_prefix",
+		},
+	})
+	want := config.SpireConfig{
+		TrustDomain:     "after_test_domain",
+		SocketPath:      "after_test_socket_path",
+		ServerAddr:      "after_test_server_path",
+		NodeAliasPrefix: "after_test_node_alias_prefix",
+	}
+	OnStore(ctx, logger)(pconf.GetSpireConfigName(), &want)
+	got := *GetControllerAPIClient(ctx).(*spireControllerAPIClient).config
+	if got != want {
+		t.Fatalf("test TestOnStore expected %v but got %v", got, want)
+	}
+}
+
 func makeX509SVIDs(ca *test.CA, ids ...spiffeid.ID) []*x509svid.SVID {
 	svids := []*x509svid.SVID{}
 	for _, id := range ids {
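Review bot: The Fatalf at the end of TestOnStore has its arguments reversed: the format string says `expected %v but got %v` but it is passed `got, want`, so a failing run would report the two values swapped; change it to `t.Fatalf("test TestOnStore expected %+v but got %+v", want, got)`. The test also exercises only the matching-name path: the "before_" config placed in the context is never asserted on, so a second call with a non-SPIRE config name followed by a check that the stored config is unchanged would show that OnStore ignores unrelated ConfigMap updates — whether OnStore filters on name is not visible in this hunk, so treat that as a suggestion to confirm. The preceding function TestSpire_TaskRunResultsSignTamper starts outside the hunk, and makeX509SVIDs at its end continues outside it.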