[TEP-0089] Modify entrypoint to sign the results. #5676

Merged
merged 1 commit into from
Oct 28, 2022


jagathprakash
Member

@jagathprakash jagathprakash commented Oct 21, 2022

Breaking down PR #4759, originally proposed by @pxp928 to address TEP-0089, according to @lumjjb's suggestions.
Plan for breaking down PR is

  • PR 1.1: api
  • PR 1.2: entrypointer (+cmd line + test/entrypointer). Entrypoint takes results and signs the results (termination message).
  • PR 1.3: reconciler + pod + cmd/controller + integration tests. Controller will verify the signed result.

This commit corresponds to 1.2 above.

Changes

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Oct 21, 2022
@tekton-robot tekton-robot requested review from dibyom and wlynch October 21, 2022 22:45
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 21, 2022
@jagathprakash
Member Author

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 21, 2022
@jagathprakash
Member Author

/assign pxp928

@tekton-robot
Collaborator

@jagathprakash: GitHub didn't allow me to assign the following users: pxp928.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign pxp928

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jagathprakash
Member Author

/assign @pxp928

@tekton-robot
Collaborator

@jagathprakash: GitHub didn't allow me to assign the following users: pxp928.


In response to this:

/assign @pxp928


@jagathprakash
Member Author

/assign @lumjjb

@tekton-robot
Collaborator

@jagathprakash: GitHub didn't allow me to assign the following users: lumjjb.


In response to this:

/assign @lumjjb


@jagathprakash
Member Author

/assign @afrittoli

@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|------|--------------|--------------|-------|
| cmd/entrypoint/main.go | 13.6% | 12.7% | -0.9 |
| pkg/entrypoint/entrypointer.go | 84.8% | 87.8% | 3.0 |

@pxp928
Member

pxp928 commented Oct 21, 2022

Thanks! Will take a look soon.

Contributor

@lumjjb lumjjb left a comment


LGTM!

Member

@pxp928 pxp928 left a comment


LGTM

Member

@wlynch wlynch left a comment


Looks great! Thanks!

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Oct 24, 2022
@jagathprakash
Member Author

/test check-pr-has-kind-label

@tekton-robot
Collaborator

@jagathprakash: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-tekton-pipeline-alpha-integration-tests
  • /test pull-tekton-pipeline-build-tests
  • /test pull-tekton-pipeline-integration-tests
  • /test tekton-pipeline-unit-tests

The following commands are available to trigger optional jobs:

  • /test pull-tekton-pipeline-go-coverage

Use /test all to run all jobs.

In response to this:

/test check-pr-has-kind-label



@bobcatfish
Collaborator

/approve

@jagathprakash I noticed you didn't check off the 'docs' item in the checklist but it looks like there are existing docs for the entrypoint binary (https://github.com/tektoncd/pipeline/blob/main/cmd/entrypoint/README.md) does it make sense to add some docs there?

Adding a hold in case there is something to add there, feel free to remove it:

/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 27, 2022
@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bobcatfish, lumjjb, pxp928, wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 27, 2022
Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089
according to @lumjjb's suggestions.
Plan for breaking down PR is
PR 1.1: api
PR 1.2: entrypointer (+cmd line + test/entrypointer)
Entrypoint takes results and signs the results (termination message).
PR 1.3: reconciler + pod + cmd/controller + integration tests
Controller will verify the signed result.
This commit corresponds to 1.2 above.
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Oct 27, 2022
@tekton-robot
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|------|--------------|--------------|-------|
| cmd/entrypoint/main.go | 13.6% | 12.7% | -0.9 |
| pkg/entrypoint/entrypointer.go | 84.8% | 87.8% | 3.0 |

@jagathprakash
Member Author

> /approve
>
> @jagathprakash I noticed you didn't check off the 'docs' item in the checklist but it looks like there are existing docs for the entrypoint binary (https://github.com/tektoncd/pipeline/blob/main/cmd/entrypoint/README.md) does it make sense to add some docs there?
>
> Adding a hold in case there is something to add there, feel free to remove it:
>
> /hold

This will be an internal feature.

> /approve
>
> @jagathprakash I noticed you didn't check off the 'docs' item in the checklist but it looks like there are existing docs for the entrypoint binary (https://github.com/tektoncd/pipeline/blob/main/cmd/entrypoint/README.md) does it make sense to add some docs there?
>
> Adding a hold in case there is something to add there, feel free to remove it:
>
> /hold

Added documentation at https://github.com/tektoncd/pipeline/blob/main/cmd/entrypoint/README.md.
Thanks!

@jagathprakash
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 27, 2022
Collaborator

@bobcatfish bobcatfish left a comment


/lgtm

tamper the results and go undetected.
- `-spire_socket_path`: This flag makes sense only when enable_spire is set.
When enable_spire is set, spire_socket_path is used to point to the
SPIRE agent socket for SPIFFE workload API.
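Review bot: the `-spire_socket_path` entry names its companion flag as "enable_spire", without the leading dash or the code formatting used for `-spire_socket_path` itself; writing it as `-enable_spire` in both sentences lets readers match it to the flag list. The entry says the flag "makes sense only when enable_spire is set" but does not say what happens when it is passed without that flag (ignored, or an error), nor which socket path is used when it is omitted; both should be stated, since a wrong or missing socket path decides whether results get signed at all. In the context line above, "tamper the results" should read "tamper with the results".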
Collaborator


@jagathprakash you mentioned that the list here is incomplete - i wonder in the long run if it would make the most sense to avoid listing the individual commands here and just talk more generally about the features (and rely on the docs for the command itself vs trying to keep this in sync) - e.g. a list of features that the entrypoint binary supports such as signing with spire, etc. vs. specifics about these flags. In that case I could see there being a small section about SPIRE below. Anyway this is a good start in at least having some docs.
