Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TEP-0089] - Phase 1 Signed TaskRun Results #4759

Closed
wants to merge 5 commits into from
Closed

[TEP-0089] - Phase 1 Signed TaskRun Results #4759

wants to merge 5 commits into from

Conversation

pxp928
Copy link
Member

@pxp928 pxp928 commented Apr 14, 2022
edited
Loading

Signed-off-by: pxp928 [email protected]

Changes

Authors - @pxp928 and @lumjjb

In association with TEP-0089: Non-falsifiable provenance support

This PR is the implementation of Phase 1 of the TEP-0089: Non-falsifiable provenance support

Phase 2 of the PR. Thats build on top of this to add Signed TaskRun Status can be found here - #4828

Phase 1

  • Add support for Signed Results with SPIRE (this will primarily involve modifications to the entrypointer image)
  • Add support for tekton-pipelines-controller verifying Signed Results

Taking the work that @dlorenc started a while back and adding improvements to get the spire integrated with Tekton pipeline.

The integration of spire k8s workload registrar automatically allows for tekton created pods to be registered into the spire-server.

Currently spire-server and spire-agent needs to be running in your cluster in order for tekton pipelines to integrate. Please follow the Spire documentation that is part of this PR to set up for local testing.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

  • Added Spiffe-CSI driver to the controller and allow for spire workload API communication over CSI driver (not using hostpath)
  • Added in k8s-workload-registrar into the tekton pipeline controller. This will allow pods to be auto registered into the spire server based on pod annotations.
  • Added fetch SVID based on the pod running the TaskRun and use the private key to sign payload and attach the corresponding SVID to the termination messages
  • Add in a RESULT_MANIFEST to register all outputs of the TaskRun
  • Tekton Pipelines verifies the Results against the SPIRE SVID and Trust Bundle and sets the SignedResultsVerified condition to True

Please provide feedback and improvements!

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 14, 2022
@tekton-robot tekton-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 14, 2022
@tekton-robot
Copy link
Collaborator

Hi @pxp928. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pxp928 pxp928 mentioned this pull request Apr 14, 2022
Merged
@pxp928 pxp928 force-pushed the spire-phase-1 branch 3 times, most recently from 19380ee to b52c9eb Compare April 14, 2022 14:21
@pxp928
Copy link
Member Author

pxp928 commented Apr 14, 2022

/assign @pritidesai

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 20, 2022
@pxp928
Copy link
Member Author

pxp928 commented Apr 21, 2022

@pritidesai Can we get another ok to test?

@tekton-robot tekton-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 21, 2022
@vdemeester
Copy link
Member

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 26, 2022
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 27, 2022
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
cmd/entrypoint/main.go 14.0% 13.3% -0.7
pkg/apis/config/feature_flags.go 88.0% 86.5% -1.5
pkg/apis/pipeline/v1beta1/taskrun_types.go 77.2% 78.3% 1.1
pkg/entrypoint/entrypointer.go 69.7% 87.8% 18.1
pkg/pod/pod.go 88.3% 89.4% 1.1
pkg/pod/status.go 90.8% 90.9% 0.1
pkg/reconciler/taskrun/resources/image_exporter.go 81.8% 83.3% 1.5
pkg/reconciler/taskrun/taskrun.go 79.9% 78.0% -1.9
pkg/spire/controller.go Do not exist 0.0%
pkg/spire/entrypointer.go Do not exist 0.0%
pkg/spire/sign.go Do not exist 19.4%
pkg/spire/spire_mock.go Do not exist 89.8%
pkg/spire/verify.go Do not exist 10.6%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
cmd/entrypoint/main.go 14.0% 13.3% -0.7
pkg/apis/config/feature_flags.go 88.0% 86.5% -1.5
pkg/apis/pipeline/v1beta1/taskrun_types.go 77.2% 78.3% 1.1
pkg/entrypoint/entrypointer.go 69.7% 87.8% 18.1
pkg/pod/pod.go 88.3% 89.4% 1.1
pkg/pod/status.go 90.8% 90.9% 0.1
pkg/reconciler/taskrun/resources/image_exporter.go 81.8% 83.3% 1.5
pkg/reconciler/taskrun/taskrun.go 79.9% 78.0% -1.9
pkg/spire/controller.go Do not exist 0.0%
pkg/spire/entrypointer.go Do not exist 0.0%
pkg/spire/sign.go Do not exist 19.4%
pkg/spire/spire_mock.go Do not exist 89.8%
pkg/spire/verify.go Do not exist 10.6%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
cmd/entrypoint/main.go 14.0% 13.3% -0.7
pkg/apis/config/feature_flags.go 88.0% 86.5% -1.5
pkg/apis/pipeline/v1beta1/taskrun_types.go 77.2% 78.3% 1.1
pkg/entrypoint/entrypointer.go 69.7% 87.8% 18.1
pkg/pod/pod.go 88.3% 89.4% 1.1
pkg/pod/status.go 90.8% 90.9% 0.1
pkg/reconciler/taskrun/resources/image_exporter.go 81.8% 83.3% 1.5
pkg/reconciler/taskrun/taskrun.go 79.9% 78.0% -1.9
pkg/spire/controller.go Do not exist 0.0%
pkg/spire/entrypointer.go Do not exist 0.0%
pkg/spire/sign.go Do not exist 19.4%
pkg/spire/spire_mock.go Do not exist 89.8%
pkg/spire/verify.go Do not exist 10.6%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
cmd/entrypoint/main.go 14.0% 13.3% -0.7
pkg/apis/config/feature_flags.go 88.0% 86.5% -1.5
pkg/apis/pipeline/v1beta1/taskrun_types.go 77.2% 78.3% 1.1
pkg/entrypoint/entrypointer.go 69.7% 87.8% 18.1
pkg/pod/pod.go 88.3% 89.4% 1.1
pkg/pod/status.go 90.8% 90.9% 0.1
pkg/reconciler/taskrun/resources/image_exporter.go 81.8% 83.3% 1.5
pkg/reconciler/taskrun/taskrun.go 79.9% 78.0% -1.9
pkg/spire/controller.go Do not exist 0.0%
pkg/spire/entrypointer.go Do not exist 0.0%
pkg/spire/sign.go Do not exist 19.4%
pkg/spire/spire_mock.go Do not exist 89.8%
pkg/spire/verify.go Do not exist 10.6%

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 1, 2022
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 2, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
db10074 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
@jagathprakash jagathprakash mentioned this pull request Nov 2, 2022
Closed
7 tasks
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 2, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
7b290c2 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash pushed a commit to jagathprakash/pipeline that referenced this pull request Nov 2, 2022
@afrittoli @jagathprakash
Add extra display columns for resource resolution
d41a4e8 
Add start and end time, as well as details about the owner
resource to to the resource requests. Example:

NAME                                   OWNERKIND   OWNER                SUCCEEDED   REASON             STARTTIME              ENDTIME
git-40e5840171b418bcbd0bfa73defec338   TaskRun     git-resolver-p75s8   True                           2022-10-05T09:16:08Z   2022-10-05T09:16:10Z
git-6ecf81c8e0b418bcbd0c05c1bc3cd0c5   TaskRun     git-resolver-tmvqd   True                           2022-10-05T09:11:20Z   2022-10-05T09:11:22Z
git-e97b40047eb418bcbd0be5341ed71802   TaskRun     git-resolver-xdq55   False       ResolutionFailed   2022-10-05T09:19:51Z   2022-10-05T09:19:52Z

Signed-off-by: Andrea Frittoli <[email protected]>

Bump google.golang.org/grpc from 1.50.0 to 1.50.1

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Migrate PipelineRun Reconciler__TestReconcileTaskResolutionError

Signed-off-by: xin.li <[email protected]>

Remove minimal-release.yaml and resolvers.yaml

Closes tektoncd#5607

After discussion, we've decided to get rid of the separate `resolvers.yaml` and the resolver-less `minimal-release.yaml`.

Signed-off-by: Andrew Bayer <[email protected]>

Bump k8s.io/apimachinery from 0.25.2 to 0.25.3

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.25.2 to 0.25.3.
- [Release notes](https://github.com/kubernetes/apimachinery/releases)
- [Commits](kubernetes/apimachinery@v0.25.2...v0.25.3)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump k8s.io/api from 0.25.2 to 0.25.3

Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.25.2 to 0.25.3.
- [Release notes](https://github.com/kubernetes/api/releases)
- [Commits](kubernetes/api@v0.25.2...v0.25.3)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump k8s.io/client-go from 0.25.2 to 0.25.3

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.25.2 to 0.25.3.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.25.2...v0.25.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

resolution/framework : inject the request name in the context

Similar to the namespace, it might be of interest for the resolver to
get access to its name, as well as the namespace. Today this is only
the case for the namespace.

On possible use case for this is, if the resolver wants to create
another kubernetes object and set owner reference on it.

Signed-off-by: Vincent Demeester <[email protected]>

CSI workspace to Beta

This commit removes the alpha feature gate for the csi workspace so that it
becomes a beta feature.

Remove PipelineRun cancelation of Runs when Pipeline Task timeout is reached

TestWaitCustomTask_PipelineRun/Wait_Task_Retries_on_Timeout has been
flaky for a while. This commit stops the PipelineRun reconciler from
cancelling Run when it detects that the task-level Timeout configured
for the Run has passed, which will address the flake (similar to tektoncd#5134
which addresses TestPipelineRunTimeout).

Bump github.com/containerd/containerd from 1.6.8 to 1.6.9

Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.6.8 to 1.6.9.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.6.8...v1.6.9)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump github.com/google/go-containerregistry from 0.11.0 to 0.12.0

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump github.com/stretchr/testify from 1.8.0 to 1.8.1

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.8.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump github.com/sigstore/sigstore from 1.4.4 to 1.4.5

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.4.4 to 1.4.5.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.4.4...v1.4.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

fix tekton documentation contributor`s guide link

Add Beta feature gate for projected workspace

This commit adds the Beta feature gate for projected workspace in v1.

[TEP-0115] Support Artifact Hub in Hub Resolver

Part of [issues/667].
This commit adds support to resolve catalog resource from the [Artifact Hub] while keeping current functionality of fetching resources from Tekton Hub.

- Change 1:

The commit adds a new field `type` to the hub resolver indicating the type of the Hub to pull the resource from. The value can be set to `tekton` or `artifact`. By default, the resolver fetches resources from `https://artifacthub.io/` when setting `type` to `" artifact"`, and fetches resources from user's private instance of Tekton Hub when setting `type` to `"tekton"`.

- Change 2:

Prior to this change, the hub resolver only supports pulling resources from the Tekton Hub. This commit updates the default hub type to `artifact` since the [Artifact Hub][Artifact Hub] will be the main entrypoint for Tekton Catalogs in the future.

- Change 3:

Prior to this change, the default Tekton Hub URL is: `https://api.hub.tekton.dev`. This commit removes the default value of the Tekton Hub URL and enforces users to configure their own instance of Tekton Hub since the public instance `https://api.hub.tekton.dev` will be deprecated after the migration to Artifact Hub is done.

/kind feature

[Artifact Hub]: https://artifacthub.io/
[issues/667]: tektoncd/hub#667

[TEP-0089] Modify entrypoint to sign the results.
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089
according @lumjjb suggestions.
Plan for breaking down PR is
PR 1.1: api
PR 1.2: entrypointer (+cmd line + test/entrypointer)
Entrypoint takes results and signs the results (termination message).
PR 1.3: reconciler + pod + cmd/controller + integration tests
Controller will verify the signed result.
This commit corresponds to 1.2 above.

Bump HorizontalPodAutoscaler apiVersion to v2

Before this, we get a warning when applying the HPA:

    Warning: autoscaling/v2beta1 HorizontalPodAutoscaler is deprecated in v1.22+, unavailable in v1.25+; use autoscaling/v2 HorizontalPodAutoscaler

This also bumps the min version to 1.23.

Signed-off-by: Vincent Demeester <[email protected]>

[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 3, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
ae97acd 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
@jagathprakash jagathprakash mentioned this pull request Nov 3, 2022
Closed
7 tasks
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 3, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
ef3d769 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 7, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
f57fa26 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 7, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
b0de69e 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 18, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
857dbfc 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 18, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
60f0c94 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Nov 18, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
df0c01d 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 2, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
f3ca804 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 2, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
bad5cc3 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 2, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
a99ba9b 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 6, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
fcf8808 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 13, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
c0a05c2 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.

Signed-off-by: jagathprakash <[email protected]>
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 14, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
1149d51 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.

Signed-off-by: jagathprakash <[email protected]>
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 14, 2022
@jagathprakash
[TEP-0089] Enable SPIRE for signing taskrun results in alpha.
3712802 
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.

Signed-off-by: jagathprakash <[email protected]>
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 14, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
0b56a52 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 14, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
1cf0dc0 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 15, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
fb1d4f2 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 15, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
4aea376 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 15, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
ac117bb 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash added a commit to jagathprakash/pipeline that referenced this pull request Dec 15, 2022
@jagathprakash
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to addr…
c671622 
…ess TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 4, 2023
@jerop
Copy link
Member

jerop commented Jan 17, 2023

doing a clean up of stale pull requests - feel free to reopen if needed

smaller pull requests: https://github.com/tektoncd/pipeline/pulls?q=is%3Apr+TEP-0089+

/close

@tekton-robot
Copy link
Collaborator

@jerop: Closed this PR.

In response to this:

doing a clean up of stale pull requests - feel free to reopen if needed

smaller pull requests: https://github.com/tektoncd/pipeline/pulls?q=is%3Apr+TEP-0089+

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc left review comments

@lumjjb lumjjb lumjjb left review comments

@priyawadhwa priyawadhwa priyawadhwa left review comments

@geriom geriom geriom requested changes

@vdemeester vdemeester Awaiting requested review from vdemeester

@pritidesai pritidesai Awaiting requested review from pritidesai

@afrittoli afrittoli Awaiting requested review from afrittoli

Assignees

@pritidesai pritidesai

Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.