-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chains adds chains.tekton.dev/signed=true
annotation even if no keys supplied
#858
Comments
chains.tekton.dev/signed=true
annotation even if no keys supplied
Hi @PuneetPunamiya! Thanks for reporting this. An empty config value means the default value is loaded. The config values are documented here. The default configuration does require that the Chains uses the mentioned annotation to indicate that it is done processing the resource. So if it sees a resource with that annotation, then it just ignores it. Otherwise, it may constantly keep retrying. I think the question here is how should Chains behave if it is misconfigured. Should it stay out of the way, or should it make this obvious to users creating TaskRun and PipelineRun resources? Or maybe, the Chains controller should have some sort of config validation at start up, making it obvious to whoever is administrating the controller. |
Thanks @lcarva for the response 👍🏻
Yep agreed, I think in that case we should add those fields in the config map, so that user is aware which config values are set by default. wdyt ?
So if I'm not getting you wrong, we do have
Yes exactly, I purposely added no config values from whic are documented here assuming the signing should fail
Yeah, so if user doesn't provide any config values, validation returns a warning sort of and doesn't reconcile to take further actions. wdyt ? |
Do you mean here? If so, +1.
A warning may be easy to miss. Is preventing the controller from starting (by crashing it?) too heavy handed? |
Yeah, I meant here only
How about erroring out in the controller logs and controller not proceeding further steps instead of crashing it ? |
@lcarva i agree the what's the downside of setting |
Setting it to "failed" is probably the right behavior. It will be challenging to get it right as we need to distinguish from use cases where there's just nothing to sign, e.g. #458. |
wdyt about specifying a list of values that accurately describe the state? e.g.:
|
while i agree that one data point to support this is #979 where we're already seeing slowness from chains controller due to needing to process a large number of tekton workloads - while that issue will be fixed differently, the chains controller should try to not watch workloads if not required, wdyt? |
I agree with @concaf here. Another way to look at it is the different personas that rely on Chains. There's the user who is running Pipelines/Tasks, and the admin who is responsible for configuring Tekton Chains. In some cases, these may be the same person, but think we should assume that they are separate people with different access levels. If Chains is misconfigured, there's nothing the user can do. The admin is the one responsible. With this premise, if Chains is misconfigured, we should make that obvious to the admin, while also minimizing the impact to the user. This is why I suggested earlier on that if Chains is misconfigured, it should just crash. This should effectively allow the admin to fix things and delay Chains from processing any *Run resources. Once the issue is resolved, Chains will catch up processing the *Run resources. |
We discussed this in today's meeting. The overall consensus is to not proceed with the An approach that makes it obvious the controller is misconfigured is ideal, e.g. performing a basic config check at start up and crash if anything seems wrong (missing cosign key for example). This won't catch all the cases, but it's a starting point. Additionally, we could create a mechanism that propagates errors back to the user. This could be done by using a new annotation or by adding a new status condition on the resource. This should bridge the gap of issues which are within the user's control to fix, e.g. malformatted linked secret. |
signed: true
annotation to the taskruns even though the controller is filled with logs around not being able to configure a signer and not having any configured keys.For example :
I create this simple taskrun which is mentioned in the getting-started tutorial
Now even if no field is provided in the the
chain-config
configMap it adds annotationchains.tekton.dev/signed=true
in the taskrunThe text was updated successfully, but these errors were encountered: