PipelineResources git sslVerify parameter causing issues

[BostjanBozic]

Expected Behavior

Adding sslVerify parameter to PipelineResource type git does not break TaskRun

Actual Behavior

If sslVerify parameter is added to git type of PipelineResource, TaskRun fails to run, claiming that specific PipeineResource is not availab.e

Steps to Reproduce the Problem

1. Create PipelineResource:

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold.git
    - name: sslVerify
      value: true
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
    - name: url
      value: mydockerhub/leeroy-web

2. Create Task:

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        type: string
        description: The path to the dockerfile to build
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        type: string
        description:
          The build context used by Kaniko
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.15.0
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(inputs.params.pathToDockerFile)
        - --destination=$(outputs.resources.builtImage.url)
        - --context=$(inputs.params.pathToContext)

3. Create TaskRun

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  taskRef:
    name: build-docker-image-from-git-source
  inputs:
    resources:
      - name: docker-source
        resourceRef:
          name: skaffold-git
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: skaffold-image-leeroy-web

Additional Info

• Platform: OpenShift v3.11.0+0cbc58b
• Tekton version: v0.10.1

As soon as sslVerify parameter is added to PipelineResource (true or false), TaskRun claims that specific resource does not exit:

Message

couldn't retrieve referenced input PipelineResource: pipelineresource.tekton.dev "skaffold-git" not found

If PipelineResources are checked, they are available:

NAME                        AGE
skaffold-git                4m
skaffold-image-leeroy-web   4m

I also tried to use quotation on parameter ("false"), in which case TaskRun recognizes PipelineResource and runs, but does not consider parameter, as connectivity fails:
Failed to connect to github.com port 443: Connection refused (I checked connectivity and there is no issue there).

[dibyom]

/kind bug

[pritidesai]

🤔 try this:

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold.git
    - name: sslVerify
      value: "true"
---

apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
    - name: url
      value: mydockerhub/leeroy-web

---

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: /workspace/docker-source/Dockerfile
    - name: pathToContext
      type: string
      description:
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: /workspace/docker-source
  resources:
    inputs:
      - name: docker-source
        type: git
    outputs:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.15.0
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(inputs.params.pathToDockerFile)
        - --destination=$(outputs.resources.builtImage.url)
        - --context=$(inputs.params.pathToContext)

---

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  taskRef:
    name: build-docker-image-from-git-source
  params:
    - name: pathToDockerFile
      value: Dockerfile
    - name: pathToContext
      value: /workspace/docker-source/examples/microservices/leeroy-web #configure: may change according to your source
  resources:
    inputs:
      - name: docker-source
        resourceRef:
          name: skaffold-git
    outputs:
      - name: builtImage
        resourceRef:
          name: skaffold-image-leeroy-web

taking params out of resources ...

[BostjanBozic]

Thanks for feedback. Should not params field be under input (at least based on this)?

In any case, I tried it with getting params out of resources, but now nothing is specified in taskRun (ommited some metadata fields):

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  labels:
    app.kubernetes.io/managed-by: tekton-pipelines
    tekton.dev/task: build-docker-image-from-git-source
  name: build-docker-image-from-git-source-task-run
  namespace: default
spec:
  inputs: {}
  outputs: {}
  serviceAccountName: ""
  taskRef:
    name: build-docker-image-from-git-source

[pritidesai]

Yup, having params under resources should work as well, taking it out simplifies the yaml a little 🤔

Alright, I am running latest tekton-pipeline, with your example as is, pipeline is failing with:

kubectl apply -f troubleshooting/sslverify-as-is.yaml
pipelineresource.tekton.dev/skaffold-image-leeroy-web created
task.tekton.dev/build-docker-image-from-git-source created
taskrun.tekton.dev/build-docker-image-from-git-source-task-run created
Error from server (BadRequest): error when creating "troubleshooting/sslverify-as-is.yaml": admission webhook "webhook.pipeline.tekton.dev" denied the request: mutation failed: cannot decode incoming new object: json: cannot unmarshal bool into Go struct field ResourceParam.spec.params.value of type string

After replacing true with "true":

kubectl apply -f troubleshooting/sslverify-as-is.yaml
pipelineresource.tekton.dev/skaffold-git created
pipelineresource.tekton.dev/skaffold-image-leeroy-web created
task.tekton.dev/build-docker-image-from-git-source created
taskrun.tekton.dev/build-docker-image-from-git-source-task-run created

It does create an image:

 kubectl logs pod/build-docker-image-from-git-source-task-run-pod-l8gc4 --all-containers
{"level":"info","ts":1583517825.701422,"caller":"creds-init/main.go:44","msg":"Credentials initialized."}
{"level":"info","ts":1583517837.1844108,"caller":"git/git.go:102","msg":"Successfully cloned https://github.com/GoogleContainerTools/skaffold.git @ master in path /workspace/docker-source"}
{"level":"warn","ts":1583517837.18455,"caller":"git/git.go:149","msg":"Unexpected error: creating symlink: symlink /tekton/home/.ssh /root/.ssh: file exists"}
{"level":"info","ts":1583517837.2252357,"caller":"git/git.go:130","msg":"Successfully initialized and updated submodules in path /workspace/docker-source"}
INFO[0001] Resolved base name golang:1.12.9-alpine3.10 to golang:1.12.9-alpine3.10
INFO[0001] Resolved base name alpine:3.10 to alpine:3.10
INFO[0001] Resolved base name golang:1.12.9-alpine3.10 to golang:1.12.9-alpine3.10
INFO[0001] Resolved base name alpine:3.10 to alpine:3.10
INFO[0001] Retrieving image manifest golang:1.12.9-alpine3.10
INFO[0002] Image golang:1.12.9-alpine3.10 not found in cache
INFO[0002] Retrieving image manifest golang:1.12.9-alpine3.10
INFO[0003] Retrieving image manifest alpine:3.10
INFO[0004] Image alpine:3.10 not found in cache
INFO[0004] Retrieving image manifest alpine:3.10
INFO[0004] Built cross stage deps: map[0:[/web]]
INFO[0004] Retrieving image manifest golang:1.12.9-alpine3.10
INFO[0005] Image golang:1.12.9-alpine3.10 not found in cache
INFO[0005] Retrieving image manifest golang:1.12.9-alpine3.10
INFO[0006] Unpacking rootfs as cmd COPY web.go . requires it.
INFO[0016] Taking snapshot of full filesystem...
INFO[0017] COPY web.go .
INFO[0017] Taking snapshot of files...
INFO[0017] RUN go build -o /web .
INFO[0017] cmd: /bin/sh
INFO[0017] args: [-c go build -o /web .]
INFO[0018] Taking snapshot of full filesystem...
INFO[0019] Saving file /web for later use.
INFO[0019] Deleting filesystem...
INFO[0019] Retrieving image manifest alpine:3.10
INFO[0020] Image alpine:3.10 not found in cache
INFO[0020] Retrieving image manifest alpine:3.10
INFO[0021] Unpacking rootfs as cmd COPY --from=builder /web . requires it.
INFO[0021] Taking snapshot of full filesystem...
INFO[0022] CMD ["./web"]
INFO[0022] COPY --from=builder /web .
INFO[0022] Taking snapshot of files...
{"level":"info","ts":1583517868.8337047,"logger":"fallback-logger","caller":"imagedigestexporter/main.go:59","msg":"No index.json found for: skaffold-image-leeroy-web","commit":"443cf27"}

inputs and outputs are under resources after taskrun is created:

$ kubectl get tr build-docker-image-from-git-source-task-run -o json 
    "spec": {
        "inputs": {},
        "outputs": {},
        "params": [
            {
                "name": "pathToDockerFile",
                "value": "Dockerfile"
            },
            {
                "name": "pathToContext",
                "value": "/workspace/docker-source/examples/microservices/leeroy-web"
            }
        ],
        "resources": {
            "inputs": [
                {
                    "name": "docker-source",
                    "resourceRef": {
                        "name": "skaffold-git"
                    }
                }
            ],
            "outputs": [
                {
                    "name": "builtImage",
                    "resourceRef": {
                        "name": "skaffold-image-leeroy-web"
                    }
                }
            ]
        },

git resource has the sslverify set to true:

$ tkn resource describe  skaffold-git
Name:                    skaffold-git
Namespace:               default
PipelineResource Type:   git

Params

 NAME          VALUE
 ∙ revision    master
 ∙ url         https://github.com/GoogleContainerTools/skaffold.git
 ∙ sslVerify   true

Secret Params

 No secret params

Which version of tekton are you running? Ideally YAML parser should accept true without quotes since sslverify is a bool field.

[BostjanBozic]

This is what I am currently using:

• Platform: OpenShift v3.11.0+0cbc58b
• Tekton version: v0.10.1

Yeah, it seems that sslVerify needs to be in quotation, since tekton does not recognize it, eventhough resource itself is created. Not sure if this should be threated as issue then or not (as by docs, you need to use quotation.

[centos@bostjanb tekton]$ kubectl get pipelineresources skaffold-git -o yaml
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"tekton.dev/v1alpha1","kind":"PipelineResource","metadata":{"annotations":{},"name":"skaffold-git","namespace":"default"},"spec":{"params":[{"name":"revision","value":"master"},{"name":"url","value":"https://github.com/GoogleContainerTools/skaffold.git"},{"name":"sslVerify","value":false}],"type":"git"}}
  creationTimestamp: 2020-03-06T10:44:24Z
  generation: 2
  name: skaffold-git
  namespace: default
  resourceVersion: "873613"
  selfLink: /apis/tekton.dev/v1alpha1/namespaces/default/pipelineresources/skaffold-git
  uid: 7226d934-5f97-11ea-8921-06311e0006f5
spec:
  params:
  - name: revision
    value: master
  - name: url
    value: https://github.com/GoogleContainerTools/skaffold.git
  - name: sslVerify
    value: false
  type: git
[centos@bostjanb tekton]$ tkn resources ls
Failed to list pipelineresources from default namespace
Error: v1alpha1.PipelineResourceList.Items: []v1alpha1.PipelineResource: v1alpha1.PipelineResource.Spec: v1alpha1.PipelineResourceSpec.Params: []v1alpha1.ResourceParam: v1alpha1.ResourceParam.Value: ReadString: expects " or n, but found f, error found in #10 byte of ...|,"value":false}],"ty|..., bigger context ...|Tools/skaffold.git"},{"name":"sslVerify","value":false}],"type":"git"}},{"apiVersion":"tekton.dev/v1|...

In case sslVerify is set to true, pipeline starts running, but since I am using self-signed certificates in my OpenShift cluster, there is an issue with connecting toward GitHub, as those self-signed certs can not be checked (as much as I understand how this goes).

Sorry for initial confusion, I just saw I pasted in initial comment as sslVerify parameter true, which is being used by default anyway. My issue is that I think trying to disable this does not take effect.

One thing to mention: I set up Kubernetes cluster (v1.16.7) and tried to deploy same thing above (with Tekton v0.10.1) - this works without any issues. Not sure if it is because sslVerify: "false" is taking effect there or is it because certificates are signed by LetsEncrypt.

[pritidesai]

@BostjanBozic I have added couple of tests on sslVerify in a PR #2215, hoping that its little helpful 🤔

[ghost]

Given that this issue is primarily a problem with YAML interpreting true as boolean/non-string and that we've got testing around the sslVerify param now I'm going to close this issue. Feel free to reopen if you think there's more to do here!