[pipeline/trusted-resources]Add admission webhook #841
/assign @wlynch
/test pull-tekton-experimental-build-tests
pipeline/trusted-resources/cmd/webhook_trusted_resource/main.go
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
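Review bot: the lease rule `verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]` covers every Lease object the role can see, not just the webhook's own leader-election lease; add a `resourceNames:` list naming that lease for `get`, `update`, `patch` and `delete`, and keep in mind that Kubernetes RBAC cannot narrow `create`, `list` or `watch` by `resourceNames`, so those verbs stay on a separate, deliberately broad rule (or are dropped if the webhook never lists or watches leases).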
Is it possible to scope down these permissions to particular resources?
Not sure if it makes sense; I created another role and rolebinding with different names than those in pipeline.
pipeline/trusted-resources/config/webhook-trusted-resources.yaml
apiVersion: tekton.dev/v1beta1
metadata:
  annotations:
    tekton.dev/signature: MEYCIQDhKiJpPylEFo5RmBEZV96luADJdhSQcE7EZuOgL7hk8wIhAICKk6o5ldqo2sN0R6GhE7GpuEkblbjeJilNms78E+ap
How are these generated? (e.g. if I modify this or want to create another, what do I need to do?)
This is just an example showing how to use a taskrun with this webhook deployed (also for demo and manual testing).
I'm not sure if we need to include the signing code just for generating the signatures? I can add them into a folder like etc/...
Or should I just comment out these signatures and add some comments?
It's fine to have the signatures here - the missing piece is how these were generated.
At minimum, we should have a readme to document how to generate these. If you want to include a tool to make this easier, that works too!
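The thread above leaves the question of how the `tekton.dev/signature` value is produced to a later PR. The following is an added example, not code from this PR or from tektoncd, of the sign-and-verify round trip behind such an annotation: the spec is serialized to canonical JSON with the signature annotation stripped, the SHA-256 digest is signed with ECDSA P-256, and the DER-encoded signature is base64-encoded (the `MEYC...` prefix in the example YAML is what a base64 DER SEQUENCE looks like). The `Resource` type, the function names, the canonicalization rule and the choice of key algorithm are assumptions of this example; the project's actual implementation is not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SignatureAnnotation is the annotation checked by the webhook in this PR.
const SignatureAnnotation = "tekton.dev/signature"

// Resource is a minimal stand-in for a Tekton Task/TaskRun, constructed for
// this example; the real types live in the tektoncd/pipeline API packages.
type Resource struct {
	APIVersion string                 `json:"apiVersion"`
	Kind       string                 `json:"kind"`
	Metadata   Metadata               `json:"metadata"`
	Spec       map[string]interface{} `json:"spec"`
}

type Metadata struct {
	Name        string            `json:"name"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// payload is the byte string that is signed: the resource as canonical JSON
// (encoding/json sorts map keys) with the signature annotation removed, so the
// signer and the webhook hash identical bytes. Assumed canonicalization.
func payload(r Resource) ([]byte, error) {
	c := r
	c.Metadata.Annotations = map[string]string{} // copy; never mutate the caller's map
	for k, v := range r.Metadata.Annotations {
		if k != SignatureAnnotation {
			c.Metadata.Annotations[k] = v
		}
	}
	return json.Marshal(c) // an empty map is omitted by omitempty
}

// Sign returns base64(DER ECDSA signature over SHA-256(payload)).
func Sign(priv *ecdsa.PrivateKey, r Resource) (string, error) {
	p, err := payload(r)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(p)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// SignAndAttach returns a copy of r carrying the signature annotation.
func SignAndAttach(priv *ecdsa.PrivateKey, r Resource) (Resource, error) {
	sig, err := Sign(priv, r)
	if err != nil {
		return Resource{}, err
	}
	out := r
	out.Metadata.Annotations = make(map[string]string, len(r.Metadata.Annotations)+1)
	for k, v := range r.Metadata.Annotations {
		out.Metadata.Annotations[k] = v
	}
	out.Metadata.Annotations[SignatureAnnotation] = sig
	return out, nil
}

// Verify is the check an admission webhook would run on each admitted object.
// pub is the trusted key configured out of band; a missing, malformed or
// non-verifying annotation is rejected.
func Verify(pub *ecdsa.PublicKey, r Resource) error {
	encoded, ok := r.Metadata.Annotations[SignatureAnnotation]
	if !ok {
		return fmt.Errorf("missing %s annotation", SignatureAnnotation)
	}
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("malformed %s annotation: %w", SignatureAnnotation, err)
	}
	p, err := payload(r)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(p)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("%s does not verify against the trusted key", SignatureAnnotation)
	}
	return nil
}

// sampleTaskRun is constructed input; the names are invented for the example.
func sampleTaskRun() Resource {
	return Resource{
		APIVersion: "tekton.dev/v1beta1",
		Kind:       "TaskRun",
		Metadata:   Metadata{Name: "example-taskrun"},
		Spec:       map[string]interface{}{"taskRef": map[string]interface{}{"name": "example-task"}},
	}
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := SignAndAttach(priv, sampleTaskRun())
	if err != nil {
		panic(err)
	}
	fmt.Println("annotation:", signed.Metadata.Annotations[SignatureAnnotation])
	fmt.Println("verify signed:", Verify(&priv.PublicKey, signed))
	tampered := signed
	tampered.Spec = map[string]interface{}{"taskRef": map[string]interface{}{"name": "something-else"}}
	fmt.Println("verify tampered:", Verify(&priv.PublicKey, tampered))
}
```

Because the annotation is stripped before hashing, the same `payload` function serves both the signing tool and the webhook, which is what keeps a hand-edited example YAML from silently verifying; any change to the spec after signing, including a swapped `taskRef`, fails `Verify`.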
// Set up a signal context with our webhook options
ctx = webhook.WithOptions(ctx, webhook.Options{
	ServiceName: serviceName,
	Port:        8443,
Part of me wonders how difficult it would be to have a local test that stands up a local instance and verifies this works properly with client-go 🤔 maybe this is just something we save for a kind test though?
If it's easy enough to do, can we add one? Otherwise let's make sure to add a kind test in another PR.
As discussed, these should be e2e/integration tests? I will see if I can add them in another PR.
lgtm! one last thing
Ah I see! It is just used for the example tests; I will also comment it out and document it.
Not just for testing! 😄
Adding some code to generate signatures from yaml files in another PR.
/test tekton-experimental-unit-tests
This commit is a followup work for Trust Task. (Forked from tektoncd/community#537) Prior to this commit we had added the verification of taskspec but didn't include the webhook configuration and setup. This commit includes the configuration and setup of the admission webhook and related docs. With this commit we can deploy a standalone webhook for verification.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wlynch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Changes
This commit is a followup work for Trust Task. (Forked from tektoncd/community#537)
Prior to this commit we had added the verification of taskspec but didn't include the webhook configuration and setup.
This commit includes the configuration and setup of the admission webhook and related docs. With this commit we can deploy a standalone webhook for verification.
Submitter Checklist
These are the criteria that every PR should meet; please check them off as you review them. See the contribution guide for more details.