Add apiVersion to trustedResources helper

This commit adds the apiVersion to the trustedResources helper which now allows the getSignedTask and etc helpers to return verified CRDs with the accepted apiVersions. This could help avoid confusions when we are adding v1 CRDs to be verified in the test cases.
tektoncd · Jun 15, 2023 · 34889b0 · 34889b0
1 parent 4def9ac
commit 34889b0
Show file tree

Hide file tree

Showing 9 changed files with 222 additions and 168 deletions.
diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go
@@ -36,6 +36,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	pipelinev1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
+	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	resolutionv1beta1 "github.com/tektoncd/pipeline/pkg/apis/resolution/v1beta1"
@@ -78,7 +79,9 @@ import (
 )
 
 var (
-	images = pipeline.Images{
+	v1Version      = "v1"
+	v1beta1Version = "v1beta1"
+	images         = pipeline.Images{
 		EntrypointImage: "override-with-entrypoint:latest",
 		NopImage:        "override-with-nop:latest",
 		ShellImage:      "busybox",
@@ -11628,7 +11631,7 @@ spec:
 `)
 
 	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace)
-	signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task")
+	signedTask, err := test.GetSignedTask(ts, signer, "test-task", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
@@ -11648,7 +11651,7 @@ spec:
         resolver: %s
 `, resolverName))
 
-	signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline")
+	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
@@ -11765,7 +11768,7 @@ func TestReconcile_verifyResolved_V1beta1Pipeline_Error(t *testing.T) {
 	resolverName := "foobar"
 
 	// Case1: unsigned Pipeline refers to unsigned Task
-	unsignedTask := parse.MustParseV1beta1Task(t, `
+	unsignedV1beta1Task := parse.MustParseV1beta1Task(t, `
 metadata:
   name: test-task
   namespace: foo
@@ -11778,12 +11781,12 @@ spec:
        - name: foo
          value: bar
 `)
-	unsignedTaskBytes, err := yaml.Marshal(unsignedTask)
+	unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
-	unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(`
+	unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(`
 metadata:
   name: test-pipeline
   namespace: foo
@@ -11793,32 +11796,33 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline)
+	unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
 	// Case2: signed Pipeline refers to unsigned Task
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace)
-	signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline")
+	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace)
+	signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask)
+	signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
 	// Case3: signed Pipeline refers to modified Task
-	signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task")
+	signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
+	signedV1beta1Task := signedTask.(*v1beta1.Task)
 	signedTaskBytes, err := yaml.Marshal(signedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
-	modifiedTask := signedTask.DeepCopy()
+	modifiedTask := signedV1beta1Task.DeepCopy()
 	if modifiedTask.Annotations == nil {
 		modifiedTask.Annotations = make(map[string]string)
 	}
@@ -11838,11 +11842,11 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline")
+	signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask)
+	signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
@@ -11858,11 +11862,11 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline")
+	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", v1beta1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	modifiedPipeline := signedPipeline.DeepCopy()
+	modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy()
 	if modifiedPipeline.Annotations == nil {
 		modifiedPipeline.Annotations = make(map[string]string)
 	}
@@ -11902,12 +11906,12 @@ spec:
 		{
 			name:          "unsigned pipeline fails verification",
 			pipelineBytes: unsignedPipelineBytes,
-			taskBytes:     unsignedTaskBytes,
+			taskBytes:     unsignedV1beta1TaskBytes,
 		},
 		{
 			name:          "signed pipeline with unsigned task fails verification",
 			pipelineBytes: signedPipelineWithUnsignedTaskBytes,
-			taskBytes:     unsignedTaskBytes,
+			taskBytes:     unsignedV1beta1TaskBytes,
 		},
 		{
 			name:          "signed pipeline with modified task fails verification",
@@ -12100,7 +12104,7 @@ func TestReconcile_verifyResolved_V1Pipeline_Error(t *testing.T) {
 	resolverName := "foobar"
 
 	// Case1: unsigned Pipeline refers to unsigned Task
-	unsignedTask := parse.MustParseV1beta1Task(t, `
+	unsignedV1Task := parse.MustParseV1Task(t, `
 metadata:
   name: test-task
   namespace: foo
@@ -12113,12 +12117,12 @@ spec:
        - name: foo
          value: bar
 `)
-	unsignedTaskBytes, err := yaml.Marshal(unsignedTask)
+	unsignedV1TaskBytes, err := yaml.Marshal(unsignedV1Task)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
-	unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(`
+	unsignedV1Pipeline := parse.MustParseV1Pipeline(t, fmt.Sprintf(`
 metadata:
   name: test-pipeline
   namespace: foo
@@ -12128,32 +12132,33 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline)
+	unsignedPipelineBytes, err := yaml.Marshal(unsignedV1Pipeline)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
 	// Case2: signed Pipeline refers to unsigned Task
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace)
-	signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline")
+	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1Task.Namespace)
+	signedV1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1Pipeline, signer, "test-pipeline", v1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask)
+	signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1PipelineWithUnsignedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
 	// Case3: signed Pipeline refers to modified Task
-	signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task")
+	signedTask, err := test.GetSignedTask(unsignedV1Task, signer, "test-task", v1Version)
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
+	signedV1Task := signedTask.(*v1.Task)
 	signedTaskBytes, err := yaml.Marshal(signedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
-	modifiedTask := signedTask.DeepCopy()
+	modifiedTask := signedV1Task.DeepCopy()
 	if modifiedTask.Annotations == nil {
 		modifiedTask.Annotations = make(map[string]string)
 	}
@@ -12163,7 +12168,7 @@ spec:
 		t.Fatal("fail to marshal task", err)
 	}
 
-	ps := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(`
+	ps := parse.MustParseV1Pipeline(t, fmt.Sprintf(`
 metadata:
   name: test-pipeline
   namespace: foo
@@ -12173,17 +12178,17 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline")
+	signedV1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", v1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask)
+	signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1PipelineWithModifiedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
 	}
 
 	// Case4: modified Pipeline refers to signed Task
-	ps = parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(`
+	ps = parse.MustParseV1Pipeline(t, fmt.Sprintf(`
 metadata:
   name: test-pipeline
   namespace: foo
@@ -12193,11 +12198,11 @@ spec:
       taskRef:
         resolver: %s
 `, resolverName))
-	signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline")
+	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", v1Version)
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
-	modifiedPipeline := signedPipeline.DeepCopy()
+	modifiedPipeline := signedPipeline.(*v1.Pipeline).DeepCopy()
 	if modifiedPipeline.Annotations == nil {
 		modifiedPipeline.Annotations = make(map[string]string)
 	}
@@ -12237,12 +12242,12 @@ spec:
 		{
 			name:          "unsigned pipeline fails verification",
 			pipelineBytes: unsignedPipelineBytes,
-			taskBytes:     unsignedTaskBytes,
+			taskBytes:     unsignedV1TaskBytes,
 		},
 		{
 			name:          "signed pipeline with unsigned task fails verification",
 			pipelineBytes: signedPipelineWithUnsignedTaskBytes,
-			taskBytes:     unsignedTaskBytes,
+			taskBytes:     unsignedV1TaskBytes,
 		},
 		{
 			name:          "signed pipeline with modified task fails verification",