[celeval] CEL Custom Tasks CRD #784
Conversation
tekton-robot
requested review from
bobcatfish,
imjasonh,
pritidesai,
bigkevmcd and
vdemeester
|
@jerop: GitHub didn't allow me to request PR reviews from the following users: vincent-pli. Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
the
size/XXL
jerop
force-pushed
the
cel-crd
branch
21 times, most recently
from
6b79981
to
eb7268c
Compare
wlynch has reviewed #784 where we introduce cel custom tasks crd -- so adding him as an owner so he has approval permissions
jerop
force-pushed
the
cel-crd
branch
2 times, most recently
from
8f85ec9
to
693e075
Compare
jerop
force-pushed
the
cel-crd
branch
3 times, most recently
from
ee11149
to
150ca7c
Compare
|
/retest |
|
The last thing on my mind is renaming from /approve |
tekton-robot
added
the
approved
cel/config/201-role.yaml
Outdated
| resourceNames: ["config-logging", "config-observability", "config-leader-election"] | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["list", "watch"] |
There was a problem hiding this comment.
From https://kubernetes.io/docs/concepts/configuration/secret/#clients-that-use-the-secret-api -
For these reasons watch and list requests for secrets within a namespace are extremely powerful capabilities and should be avoided, since listing secrets allows the clients to inspect the values of all secrets that are in that namespace. The ability to watch and list all secrets in a cluster should be reserved for only the most privileged, system-level components.
Can we scope this down as well? (I assume this also applies to configmaps as well)
cel/pkg/reconciler/celrun/celrun.go
Outdated
| run.ObjectMeta.Labels[key] = value | ||
| } | ||
| run.ObjectMeta.Labels[cel.GroupName+CELLabelKey] = CELMeta.Name | ||
| run.ObjectMeta.Labels[KindLabelKey] = cel.ControllerName |
There was a problem hiding this comment.
"kind" is a bit generic (and might have a confusing meaning w/ Object kind) - should we use app.kubernetes.io/managed-by instead?
cel/pkg/reconciler/celrun/celrun.go
Outdated
|
|
||
| const ( | ||
| // CELLabelKey is the label identifier for a CEL, which is added to the Run | ||
| CELLabelKey = "/CEL" |
There was a problem hiding this comment.
Are labels case sensitive? Double checking since the README.md examples show custom.tekton.dev/cel.
cel/pkg/reconciler/celrun/celrun.go
Outdated
| run.ObjectMeta.Labels[cel.GroupName+CELLabelKey] = CELMeta.Name | ||
| run.ObjectMeta.Labels[KindLabelKey] = cel.ControllerName |
There was a problem hiding this comment.
Let's add a section to the docs to list labels we add to the created object and what they mean.
| // The fake recorder runs in a go routine, so the timeout is here to avoid waiting | ||
| // on the channel forever if fewer than expected events are received. | ||
| // We only hit the timeout in case of failure of the test, so the actual value | ||
| // of the timeout is not so relevant. It's only used when tests are going to fail. |
There was a problem hiding this comment.
You might be able to avoid the timeout altogether if you close the channel before comparing. Since the reconciler.Reconcile call is synchronous, this should be safe.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bobcatfish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
We introduced CEL Custom Tasks to experiment with using an expression language with Tekton Pipelines. Given feedback from the past several months of usage, we have identified three main current challenges: - CEL custom tasks do not take variables for the CEL environment. As such, users cannot evaluate CEL expressions given specific variables or in specific context. For example, as described in tektoncd#716 and tektoncd/community#403, a user needed to declare runtime storage variables in the CEL environment. - CEL custom tasks are not a CRD thus making them unreusable across different Runs and PipelineRuns. Read more in tektoncd/community#314 (review). - CEL custom tasks take the CEL expressions through Parameters which is misleading to some users. Read more in tektoncd/community#314 (review). To address the above challenges, this change introduces a CRD for CEL Custom Tasks, which takes CEL expressions and CEL environment variables. With this change: - CEL custom tasks now take variables for the CEL environment - CEL custom tasks are reusable across different Runs and PipelineRuns - CEL custom tasks take expressions through its own field Closes tektoncd/community#403 Closes tektoncd#716
tekton-robot
added
the
needs-rebase
|
@jerop: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/stale
|
/lifecycle frozen |
tekton-robot
added
lifecycle/frozen
|
hoping to revisit this some time 🤞🏾 closing for now |
Changes
We introduced CEL Custom Tasks to experiment with using an expression language with Tekton Pipelines.
Given feedback from the past several months of usage, we have identified three main current challenges:
To address the above challenges, this change introduces a CRD for CEL Custom Tasks, which takes CEL expressions and CEL environment variables. With this change:
Closes tektoncd/community#403
Closes #716
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
/cc @vincent-pli @bobcatfish @imjasonh @pritidesai @bigkevmcd @vdemeester