Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[pipeline/trusted-resources]Add admission webhook #841

Merged
merged 1 commit into from
Mar 7, 2022
Merged

[pipeline/trusted-resources]Add admission webhook #841

merged 1 commit into from
Mar 7, 2022

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Mar 2, 2022
edited
Loading

Changes

This commit is a followup work for Trust Task.(Forked from tektoncd/community#537)
Prior this commit we have added the verification of taskspec but didn’t include the webhook configuration and setup.
This commit includes the configuration and setup of the admission webhook and related docs.With this commit we can deploy a standalone webhookfor verification.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Commit messages includes a project tag in the subject - e.g. [OCI], [hub], [results], [task-loops]

See the contribution guide
for more details.

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 2, 2022
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 2, 2022
@Yongxuanzhang Yongxuanzhang marked this pull request as ready for review March 3, 2022 17:05
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 3, 2022
@Yongxuanzhang
Copy link
Member Author

/assign @wlynch

@Yongxuanzhang
Copy link
Member Author

/test pull-tekton-experimental-build-tests

wlynch
wlynch reviewed Mar 3, 2022
View reviewed changes
pipeline/trusted-resources/.gitignore Show resolved Hide resolved
pipeline/trusted-resources/cmd/webhook_trusted_resource/main.go Outdated Show resolved Hide resolved
pipeline/trusted-resources/config/200-role.yaml Outdated
Comment on lines 25 to 27
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to scope down these permissions to particular resources?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if makes sense, I create another role and rolebinding with different names than that in pipeline

pipeline/trusted-resources/config/200-role.yaml Outdated Show resolved Hide resolved
pipeline/trusted-resources/config/200-role.yaml Outdated Show resolved Hide resolved
pipeline/trusted-resources/config/config-feature-flags.yaml Outdated Show resolved Hide resolved
pipeline/trusted-resources/config/webhook-trusted-resources.yaml Outdated Show resolved Hide resolved
pipeline/trusted-resources/config/webhook-trusted-resources.yaml Outdated Show resolved Hide resolved
pipeline/trusted-resources/examples/1-test-taskrun.yaml Outdated
apiVersion: tekton.dev/v1beta1
metadata:
annotations:
tekton.dev/signature: MEYCIQDhKiJpPylEFo5RmBEZV96luADJdhSQcE7EZuOgL7hk8wIhAICKk6o5ldqo2sN0R6GhE7GpuEkblbjeJilNms78E+ap
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How are these generated? (e.g. if I modify this or want to create another, what do I need to do?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just an example showing how to use taskrun with this webhook deployed (also for demo and manually tetsting).
I'm not sure if we need to include the signing code just for generating the signatures? I can add them into a folder like etc/...

Copy link
Member Author

@Yongxuanzhang Yongxuanzhang Mar 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or should I just comment out these signatures and add some comments?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's fine to have the signatures here - the missing piece is how these were generated.

At minimum, we should have a readme to document how to generate these. If you want to include a tool to make this easier that works to!

pipeline/trusted-resources/cmd/webhook_trusted_resource/main.go
// Set up a signal context with our webhook options
ctx = webhook.WithOptions(ctx, webhook.Options{
ServiceName: serviceName,
Port: 8443,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Part of me wonders how difficult it would be to have a local test that stands up a local instance and verifies this works properly with client-go 🤔 maybe this is just something we save for a kind test though?

If it's easy enough to do, can we add one? Otherwise let's make sure to add a kind test in another PR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed this should be e2e/integration tests? I will see if I can add them in another pr.

wlynch
wlynch reviewed Mar 7, 2022
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! one last thing

pipeline/trusted-resources/config/config-feature-flags.yaml Outdated Show resolved Hide resolved
@Yongxuanzhang
Copy link
Member Author

lgtm! one last thing

lgtm! one last thing

Ah I see! It is just used for the examples testing, I will also comment out and document it.

@wlynch
Copy link
Member

wlynch commented Mar 7, 2022

Ah I see! It is just used for the examples testing, I will also comment out and document it.

Not just for testing! 😄
We're also using the examples in our README for how to get started (which is a great thing to do). Since we aren't going into detail for how the signatures are created, it's hard to follow how I as a user can create a signature for my own Task.
I'd recommend adding this documentation to the readme.

@Yongxuanzhang
Copy link
Member Author

Yongxuanzhang commented Mar 7, 2022
edited
Loading

Ah I see! It is just used for the examples testing, I will also comment out and document it.

Not just for testing! 😄 We're also using the examples in our README for how to get started (which is a great thing to do). Since we aren't going into detail for how the signatures are created, it's hard to follow how I as a user can create a signature for my own Task. I'd recommend adding this documentation to the readme.

adding some code to generate signature from yaml files in another pr

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-webhook branch 5 times, most recently from d29efc4 to 86a312b Compare March 7, 2022 19:56
@Yongxuanzhang
Copy link
Member Author

/test tekton-experimental-unit-tests

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-webhook branch 2 times, most recently from 3234639 to 6e4b1a9 Compare March 7, 2022 22:25
@Yongxuanzhang
[pipeline/trusted-resources]Add admission webhook
fe13351 
This commit is a followup work for Trust Task.(Forked from tektoncd/community#537)
Prior this commit we have added the verification of taskspec but didn’t include the webhook configuration and setup.
This commit includes the configuration and setup of the admission webhook and related docs.With this commit we can deploy a standalone webhookfor verification.
wlynch
wlynch approved these changes Mar 7, 2022
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 7, 2022
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2022
@tekton-robot tekton-robot merged commit ef53772 into tektoncd:main Mar 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wlynch wlynch wlynch approved these changes

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

Assignees

@wlynch wlynch

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Yongxuanzhang @wlynch @tekton-robot