-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement on Pipeline level provenance #850
Comments
Looking for feedback and thoughts! Thanks everyone. |
Thanks for filing this feature request! I do disagree with it for various reasons that I have outlined below. First, I do agree with the current stance that everything in the pipeline contributes to the making of the software artifact, even tasks that have occurred after a binary was built. Consider a pipeline like this: Second, the main reason we added PipelineRun attestations is to provide the full picture of how the artifact was created. Removing parts of the PipelineRun is dangerous. What if a TaskRun deemed unimportant ran in parallel and modified the contents of the local git clone? I wouldn't want users to be responsible for determining which tasks are important - in fact, I wouldn't trust them to do so. I would also be concerned if we tried to do this automatically in Chains. Tekton Pipelines is quite flexible and there's a high chance Chains would get it wrong, if not initially then eventually. Third, I don't think it's within the scope of Chains to slice and dice a PipelineRun. If the user truly wants their artifacts to be treated separately, they should use separate constructs. I don't know the status of Pipelines in Pipelines but that might be worth looking into. I'd prefer to add whatever construct is needed in Tekton Pipelines instead of implementing something that is Chains specific. |
Thanks for starting this thread @chuangw6! I agree PipelineRun provenance is far from perfect. That said, general +1 to @lcarva!
Long term I'd like for tektoncd/pipeline#6326 to be the answer here. I agree it's annoying and brittle today to need to force users to have to propagate these values back up. I don't think results are the right medium for this, they just happen to be an easy way we could hook into without upstream Pipeline changes.
Few things here:
I do think the idea of trying to better model the actual used inputs/outputs is interesting, but probably needs some more exploration / experimentation before we agree to accept. I agree with @lcarva that this is probably a fairly tricky problem due to the flexibility of Pipelines (but don't let that deter you from experimenting!) This sounds like a graph reachability problem based on provenance inputs/outputs. While I don't think we could/should strip out config information about the Task/Pipeline specs, using something like this to inform what provenance we publish to what subjects seems interesting. 🤔 Thoughts off the top of my head:
|
Thanks all for sharing the thoughts here!! Agree that there are so much ambiguities in feature 2 & 3. It's worth noting that feature 3 is sort of derived from feature 2 to address the question: what amount of information we should include when we generate provenance as soon as an artifact was built. (So for feature 3, we might need to rethink what amount of information we should/need to include if we want to pursue 2). But for feature 1, RE @wlynch point
IMHO, it would be still beneficial and would be a plus to Chains v1 release to have Chains to dive into task level results to find type hinting instead of expecting authors to manually surface results to pipeline level. 2 reasons:
|
Got it, so the idea is we would just take a union of all the Task provenance and promote that up as the Pipeline provenance? 🤔 |
I am not sure if I perceive the term The idea is to take the
|
When we implemented PipelineRun attestations, this was the initial idea. But we decided against it to keep things simpler on the implementation side. Also, the argument was that Tasks are likely to be reused way more often than Pipelines. So adding a specially named result to a Pipeline could make pretty much any Task compatible with Chains. +1 to revisit this. Not having to "promote" the result from the Task to the Pipeline is a nice feature. I think it also makes it easier to reduce some blind spots in the SLSA Provenance. |
/assign |
Related feature 1 in tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Related feature 1 in tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Related feature 1 in tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Related feature 1 in tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, the old behaviour - observing pipeline level results is reserved by introducing a configmap field `artifacts.pipelinerun.observe-mode` which allows configuring how chains observes the outputs. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, the old behaviour - observing pipeline level results is reserved by introducing a configmap field `artifacts.pipelinerun.observe-mode` which allows configuring how chains observes the outputs. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, the old behaviour - observing pipeline level results is reserved by introducing a configmap field `artifacts.pipelinerun.observe-mode` which allows configuring how chains observes the outputs. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to name pipeline results in the type hinting way and propagate its value with individual TaskRun results. Now, Chains is able to dive into individual TaskRun results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, the old behaviour - observing pipeline level results is reserved by introducing a configmap field `artifacts.pipelinerun.observe-mode` which allows configuring how chains observes the outputs. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. Meantime, this also gives users ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 1/2 of #850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 2/2 of tektoncd#850 Add deep inspection for materials, which will be applied to both slsa v0.2 and slsa v1.0 provenance. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 2/2 of tektoncd#850 Add deep inspection for materials, which will be applied to both slsa v0.2 and slsa v1.0 provenance. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 2/2 of tektoncd#850 Add deep inspection for materials, which will be applied to both slsa v0.2 and slsa v1.0 provenance. Signed-off-by: Chuang Wang <chuangw@google.com>
Step 2/2 of #850 Add deep inspection for materials, which will be applied to both slsa v0.2 and slsa v1.0 provenance. Signed-off-by: Chuang Wang <chuangw@google.com>
/close Close this ticket as the feature 1 (type hinting improvement) described in the original description was done, and feature 2&3 may or may not be considered in the future, but not at the moment. Specifically, feature 1 was completed by the 2 main PRs and some other related/derivative PRs |
@chuangw6: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Feature request
For a PipelineRun, Chains is able to dive into individual taskruns' type hinting results without pipeline author having to surface task results to pipeline results.
(Current Chains: only recognize pipeline-level type hinting results for a PipelineRun.)
Within a pipelinerun, Chains should generate a provenance as soon as it sees an artifact is generated by a task even though some tasks post artifact generation fail, which as a result fails the whole pipelinerun.
(Current Chains: will not generate a provenance until individual taskruns and the pipelinerun succeed.)
Per-artifact Provenance instead of Per-run Provenance
(Current Chains: generate multiple provenances with the exact same content, and those provenances are associated with different artifacts being generated from that Run)
Examples:
clone -> build-push -> slack-notify
, the provenance associated with the artifact should only contain the info of the tasks that contribute to the build process of the artifact, which would beclone
andbuild-push
in this case. In the 2nd feature request mentioned above, whenslack-notify
fails, the provenance should still be available for that artifact.clone1 -> build-push-go
(producing go artifact) andclone 2 -> build-push-oci
(producing oci artifact), the provenance associated with "go artifact" should only contain information of tasksclone1
andbuild-push-go
, whereas the provenance associated with "oci artifact" should only contain information of tasksclone2
andbuild-push-oci
Use case
The text was updated successfully, but these errors were encountered: