Adding pipelinerun attestations to e2e tests

examples/pipelineruns/pipeline-output-image.yaml

@@ -0,0 +1,40 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: image-pipelinerun
+spec:
+  params:
+  - name: CHAINS-GIT_COMMIT
+    value: my-git-commit
+  - name: CHAINS-GIT_URL
+    value: https://my-git-url
+  pipelineSpec:
+    results:
+    - description: ""
+      name: IMAGE_URL
+      value: $(tasks.buildimage.results.IMAGE_URL)
+    - description: ""
+      name: IMAGE_DIGEST
+      value: $(tasks.buildimage.results.IMAGE_DIGEST)
+    tasks:
+    - name: buildimage
+      taskSpec:
+        results:
+        - name: IMAGE_URL
+          type: string
+        - name: IMAGE_DIGEST
+          type: string
+        steps:
+        - image: bash:latest
+          name: create-dockerfile
+          resources: {}
+          script: |-
+            #!/usr/bin/env bash
+            echo 'gcr.io/foo/bar' | tee $(results.IMAGE_URL.path)
+            echo 'sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5' | tee $(results.IMAGE_DIGEST.path)
+          volumeMounts:
+          - mountPath: /dockerfile
+            name: dockerfile
+        volumes:
+        - emptyDir: {}
+          name: dockerfile

pkg/chains/annotations_test.go

@@ -17,7 +17,7 @@ import (
 	"testing"
 
 	"github.com/tektoncd/chains/pkg/chains/objects"
-	"github.com/tektoncd/chains/pkg/internal/tekton"
+	"github.com/tektoncd/chains/pkg/test/tekton"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	fakepipelineclient "github.com/tektoncd/pipeline/pkg/client/injection/client/fake"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -119,9 +119,7 @@ func TestMarkSigned(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
 			c := fakepipelineclient.Get(ctx)
 
-			if err := tekton.CreateObject(t, ctx, c, tt.object); err != nil {
-				t.Fatal(err)
-			}
+			tekton.CreateObject(t, ctx, c, tt.object)
 
 			// Now mark it as signed.
 			if err := MarkSigned(ctx, tt.object, c, nil); err != nil {
@@ -202,9 +200,7 @@ func TestMarkFailed(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
 			// Create a TR for testing
 			c := fakepipelineclient.Get(ctx)
-			if err := tekton.CreateObject(t, ctx, c, tt.object); err != nil {
-				t.Fatal(err)
-			}
+			tekton.CreateObject(t, ctx, c, tt.object)
 
 			// Test HandleRetry, should mark it as failed
 			if err := HandleRetry(ctx, tt.object, c, nil); err != nil {
@@ -302,9 +298,7 @@ func TestAddRetry(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
 			c := fakepipelineclient.Get(ctx)
 
-			if err := tekton.CreateObject(t, ctx, c, tt.object); err != nil {
-				t.Fatal(err)
-			}
+			tekton.CreateObject(t, ctx, c, tt.object)
 
 			// run it through AddRetry, make sure annotation is added
 			if err := AddRetry(ctx, tt.object, c, nil); err != nil {

pkg/chains/objects/objects.go

@@ -15,6 +15,7 @@ package objects
 
 import (
 	"context"
+	"errors"
 
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
@@ -23,6 +24,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"knative.dev/pkg/apis"
 )
 
 // Label added to TaskRuns identifying the associated pipeline Task
@@ -56,6 +58,19 @@ type TektonObject interface {
 	GetResults() []Result
 	GetServiceAccountName() string
 	GetPullSecrets() []string
+	IsDone() bool
+	IsSuccessful() bool
+}
+
+func NewTektonObject(i interface{}) (TektonObject, error) {
+	switch o := i.(type) {
+	case *v1beta1.PipelineRun:
+		return NewPipelineRunObject(o), nil
+	case *v1beta1.TaskRun:
+		return NewTaskRunObject(o), nil
+	default:
+		return nil, errors.New("unrecognized type when attempting to create tekton object")
+	}
 }
 
 // TaskRunObject extends v1beta1.TaskRun with additional functions.
@@ -71,7 +86,9 @@ func NewTaskRunObject(tr *v1beta1.TaskRun) *TaskRunObject {
 
 // Get the TaskRun kind
 func (tro *TaskRunObject) GetKind() string {
-	return tro.GetObjectKind().GroupVersionKind().Kind
+	// TODO: Want to use tro.GetObjectKind().GroupVersionKind().Kind but
+	// never seems to be populated
+	return "taskrun"
 }
 
 // Get the latest annotations on the TaskRun
@@ -130,7 +147,9 @@ func NewPipelineRunObject(pr *v1beta1.PipelineRun) *PipelineRunObject {
 
 // Get the PipelineRun kind
 func (pro *PipelineRunObject) GetKind() string {
-	return pro.GetObjectKind().GroupVersionKind().Kind
+	// TODO: Want to use tro.GetObjectKind().GroupVersionKind().Kind but
+	// never seems to be populated
+	return "pipelinerun"
 }
 
 // Request the current annotations on the PipelineRun object
@@ -171,6 +190,11 @@ func (pro *PipelineRunObject) GetServiceAccountName() string {
 	return pro.Spec.ServiceAccountName
 }
 
+// Get the ServiceAccount declared in the PipelineRun
+func (pro *PipelineRunObject) IsSuccessful() bool {
+	return pro.Status.GetCondition(apis.ConditionSucceeded).IsTrue()
+}
+
 // Append TaskRuns to this PipelineRun
 func (pro *PipelineRunObject) AppendTaskRun(tr *v1beta1.TaskRun) {
 	pro.taskRuns = append(pro.taskRuns, tr)

pkg/chains/signing_test.go

@@ -25,7 +25,7 @@ import (
 	"github.com/tektoncd/chains/pkg/chains/signing"
 	"github.com/tektoncd/chains/pkg/chains/storage"
 	"github.com/tektoncd/chains/pkg/config"
-	"github.com/tektoncd/chains/pkg/internal/tekton"
+	"github.com/tektoncd/chains/pkg/test/tekton"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	fakepipelineclient "github.com/tektoncd/pipeline/pkg/client/injection/client/fake"
 	"go.uber.org/zap"
@@ -152,9 +152,8 @@ func TestSigner_Sign(t *testing.T) {
 				Pipelineclientset: ps,
 			}
 
-			if err := tekton.CreateObject(t, ctx, ps, tt.object); err != nil {
-				t.Errorf("error creating fake object: %v", err)
-			}
+			tekton.CreateObject(t, ctx, ps, tt.object)
+
 			if err := ts.Sign(ctx, tt.object); (err != nil) != tt.wantErr {
 				t.Errorf("Signer.Sign() error = %v", err)
 			}
@@ -312,9 +311,9 @@ func TestSigner_Transparency(t *testing.T) {
 			}
 
 			obj := tt.getNewObject("foo")
-			if err := tekton.CreateObject(t, ctx, ps, obj); err != nil {
-				t.Errorf("error creating fake object: %v", err)
-			}
+
+			tekton.CreateObject(t, ctx, ps, obj)
+
 			if err := os.Sign(ctx, obj); err != nil {
 				t.Errorf("Signer.Sign() error = %v", err)
 			}
@@ -328,9 +327,9 @@ func TestSigner_Transparency(t *testing.T) {
 			ctx = config.ToContext(ctx, tt.cfg.DeepCopy())
 
 			obj = tt.getNewObject("foobar")
-			if err := tekton.CreateObject(t, ctx, ps, obj); err != nil {
-				t.Errorf("error creating fake object: %v", err)
-			}
+
+			tekton.CreateObject(t, ctx, ps, obj)
+
 			if err := os.Sign(ctx, obj); err != nil {
 				t.Errorf("Signer.Sign() error = %v", err)
 			}
@@ -344,9 +343,9 @@ func TestSigner_Transparency(t *testing.T) {
 			ctx = config.ToContext(ctx, tt.cfg.DeepCopy())
 
 			obj = tt.getNewObject("mytektonobject")
-			if err := tekton.CreateObject(t, ctx, ps, obj); err != nil {
-				t.Errorf("error creating fake object: %v", err)
-			}
+
+			tekton.CreateObject(t, ctx, ps, obj)
+
 			if err := os.Sign(ctx, obj); err != nil {
 				t.Errorf("Signer.Sign() error = %v", err)
 			}

pkg/chains/storage/tekton/tekton_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/tektoncd/chains/pkg/chains/objects"
 	"github.com/tektoncd/chains/pkg/config"
-	"github.com/tektoncd/chains/pkg/internal/tekton"
+	"github.com/tektoncd/chains/pkg/test/tekton"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	fakepipelineclient "github.com/tektoncd/pipeline/pkg/client/injection/client/fake"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -83,9 +83,7 @@ func TestBackend_StorePayload(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
 			c := fakepipelineclient.Get(ctx)
 
-			if err := tekton.CreateObject(t, ctx, c, tt.object); err != nil {
-				t.Errorf("error setting up fake taskrun: %v", err)
-			}
+			tekton.CreateObject(t, ctx, c, tt.object)
 
 			b := &Backend{
 				pipelineclientset: c,

pkg/internal/tekton/tekton.go → pkg/test/tekton/tekton.go

@@ -22,18 +22,23 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	pipelineclientset "github.com/tektoncd/pipeline/pkg/client/clientset/versioned"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
 )
 
-func CreateObject(t *testing.T, ctx context.Context, ps pipelineclientset.Interface, obj objects.TektonObject) error {
+func CreateObject(t *testing.T, ctx context.Context, ps pipelineclientset.Interface, obj objects.TektonObject) objects.TektonObject {
 	switch o := obj.GetObject().(type) {
 	case *v1beta1.PipelineRun:
-		if _, err := ps.TektonV1beta1().PipelineRuns(obj.GetNamespace()).Create(ctx, o, metav1.CreateOptions{}); err != nil {
-			t.Errorf("error creating pipelinerun: %v", err)
+		pr, err := ps.TektonV1beta1().PipelineRuns(obj.GetNamespace()).Create(ctx, o, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("error creating pipelinerun: %v", err)
 		}
+		return objects.NewPipelineRunObject(pr)
 	case *v1beta1.TaskRun:
-		if _, err := ps.TektonV1beta1().TaskRuns(obj.GetNamespace()).Create(ctx, o, metav1.CreateOptions{}); err != nil {
-			t.Errorf("error creating taskrun: %v", err)
+		tr, err := ps.TektonV1beta1().TaskRuns(obj.GetNamespace()).Create(ctx, o, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("error creating taskrun: %v", err)
 		}
+		return objects.NewTaskRunObject(tr)
 	}
 	return nil
 }
@@ -46,22 +51,38 @@ func GetObject(t *testing.T, ctx context.Context, ps pipelineclientset.Interface
 	case *v1beta1.TaskRun:
 		return GetTaskRun(t, ctx, ps, obj.GetNamespace(), obj.GetName())
 	}
-	t.Errorf("unknown object type %T", obj.GetObject())
+	t.Fatalf("unknown object type %T", obj.GetObject())
 	return nil, fmt.Errorf("unknown object type %T", obj.GetObject())
 }
 
 func GetPipelineRun(t *testing.T, ctx context.Context, ps pipelineclientset.Interface, namespace, name string) (objects.TektonObject, error) {
 	pr, err := ps.TektonV1beta1().PipelineRuns(namespace).Get(ctx, name, metav1.GetOptions{})
 	if err != nil {
-		t.Errorf("error getting pipelinerun: %v", err)
+		t.Fatalf("error getting pipelinerun: %v", err)
 	}
 	return objects.NewPipelineRunObject(pr), nil
 }
 
 func GetTaskRun(t *testing.T, ctx context.Context, ps pipelineclientset.Interface, namespace, name string) (objects.TektonObject, error) {
 	tr, err := ps.TektonV1beta1().TaskRuns(namespace).Get(ctx, name, metav1.GetOptions{})
 	if err != nil {
-		t.Errorf("error getting taskrun: %v", err)
+		t.Fatalf("error getting taskrun: %v", err)
 	}
 	return objects.NewTaskRunObject(tr), nil
 }
+
+func WatchObject(t *testing.T, ctx context.Context, ps pipelineclientset.Interface, obj objects.TektonObject) (watch.Interface, error) {
+	switch o := obj.GetObject().(type) {
+	case *v1beta1.PipelineRun:
+		return ps.TektonV1beta1().PipelineRuns(obj.GetNamespace()).Watch(ctx, metav1.SingleObject(metav1.ObjectMeta{
+			Name:      o.GetName(),
+			Namespace: o.GetNamespace(),
+		}))
+	case *v1beta1.TaskRun:
+		return ps.TektonV1beta1().TaskRuns(obj.GetNamespace()).Watch(ctx, metav1.SingleObject(metav1.ObjectMeta{
+			Name:      o.GetName(),
+			Namespace: o.GetNamespace(),
+		}))
+	}
+	return nil, fmt.Errorf("unknown object type %T", obj.GetObject())
+}

test/clients.go

@@ -89,6 +89,7 @@ func newClients(t *testing.T, configPath, clusterName string) *clients {
 type setupOpts struct {
 	useCosignSigner bool
 	registry        bool
+	kanikoTaskImage string
 	ns              string
 }
 
@@ -107,6 +108,15 @@ func setup(ctx context.Context, t *testing.T, opts setupOpts) (*clients, string,
 		c.internalRegistry = createRegistry(ctx, t, namespace, c.KubeClient)
 	}
 
+	if opts.kanikoTaskImage != "" {
+		imageDest := fmt.Sprintf("%s/%s", c.internalRegistry, opts.kanikoTaskImage)
+		t.Logf("Creating Kaniko task referencing image %s", imageDest)
+		task := kanikoTask(t, namespace, imageDest)
+		if _, err := c.PipelineClient.TektonV1beta1().Tasks(namespace).Create(ctx, task, metav1.CreateOptions{}); err != nil {
+			t.Fatalf("error creating task: %s", err)
+		}
+	}
+
 	var cleanup = func() {
 		if namespace == "default" {
 			return