Windows containers: working dir initializer fails because of missing image for Windows

[lippertmarkus]

Expected Behavior

When specifying a workingDir for a Windows container the working dir initializer should succeed.

Actual Behavior

The working dir initializer container fails because of a missing image gcr.io/distroless/base for Windows.

Steps to Reproduce the Problem

1. Deploy the following pipeline:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: hello-world
spec:
  pipelineSpec:
    workspaces:
      - name: workdir
    tasks:
      - name: task-win
        workspaces:
          - name: workdir
            workspace: workdir
        taskSpec:
          workspaces:
            - name: workdir
          steps:
            - name: hello-windows
              image: mcr.microsoft.com/windows/nanoserver:1809
              command: ["cmd", "/c"]
              args: ["echo", "Hello from Windows Container!"]
              workingDir: /workspace/workdir/some/example/dir
  
  workspaces:
    - name: workdir
      volumeClaimTemplate:
        spec:
          accessModes: [ "ReadWriteMany" ]
          storageClassName: azurefile-csi
          resources:
            requests:
              storage: 1Gi
  
  taskRunSpecs:
    - pipelineTaskName: task-win
      taskPodTemplate:
        nodeSelector:
          kubernetes.io/os: windows  # runs on Windows
        securityContext:
          windowsOptions:
            runAsUserName: "ContainerAdministrator"

2. Check the events of the Windows Pod:

 Normal   Pulling           2m13s (x4 over 3m40s)  kubelet            Pulling image "gcr.io/distroless/base@sha256:cfdc553400d41b47fd231b028403469811fcdbc0e69d66ea8030c5a0b5fbac2b"
  Warning  Failed            2m13s (x4 over 3m39s)  kubelet            Error: ErrImagePull
  Normal   BackOff           107s (x5 over 3m11s)   kubelet            Error: ImagePullBackOff

Additional Info

• Kubernetes version:

Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:41:01Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-18T19:30:35Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"linux/amd64"}

• Tekton Pipeline version: v0.30.0

cc @imjasonh @aiden-deloryn who worked on Windows support :)

[imjasonh]

Thanks for filing this!

It looks like the working-dir-initializer step that Tekton injects to (you guessed it!) initialize the workingDir (here), doesn't include an image for Windows -- this is the --shell-image flag passed to the controller here.

I think we'd probably want to replace this (Unix-specific) shell invocation with a simple Go binary that does the same thing, which we can cross-compile for Windows.

[imjasonh]

Looking into other places where the distroless/base shell image is used inside Tekton, it looks like you'll also have trouble using PVC-backed artifacts (a v1alpha1 feature), which cps and mkdirs using that image to set up PVCs. I don't think it'll be an issue but just in case you wanted to do that I figured I'd give a heads up.

If you need that, we could support it much in the same way I'm proposing we fix it for working-dir-init, just by having a Go binary that cps and is used instead of the full shell image.

[lippertmarkus]

Thank you! PVC-backed artifacts are part of the PipelineResources and deprecated anyway, right? If so, I don't think we need to put effort in that.

[imjasonh]

Yep! I don't plan to do anything there until someone tells me I need to 😄