Adds resolver to provide task resolution for images #2137
Conversation
tekton-robot
added
the
do-not-merge/work-in-progress
googlebot
added
the
cla: yes
tekton-robot
added
the
size/L
sthaha
changed the title
tekton-robot
removed
the
do-not-merge/work-in-progress
pkg/remote/oci.go
Outdated
| } | ||
|
|
||
| func (o OCIResolver) readImageLayer(kind string, name string) ([]byte, error) { | ||
| // TODO: When this is moved into the Tekton controller, authorize this |
There was a problem hiding this comment.
This will be addressed in a follow up patch as the change seems rather large
There was a problem hiding this comment.
Do worry too much about it, we've seen way larger changes 😉
There was a problem hiding this comment.
So should this be all done in one PR or in multiple?
There was a problem hiding this comment.
depend what you mean by "all". But having a full working pkg/remote/oci.go file (aka at least with the serviceAccount support, the validation too) works, then other PR to start integrating it into the reconcilier would be others.
|
/test tekton-pipeline-unit-tests |
tekton-robot
added
size/XL
pkg/remote/oci.go
Outdated
| } | ||
|
|
||
| func (o OCIResolver) readImageLayer(kind string, name string) ([]byte, error) { | ||
| // TODO: When this is moved into the Tekton controller, authorize this |
There was a problem hiding this comment.
Do worry too much about it, we've seen way larger changes 😉
pkg/remote/oci.go
Outdated
| func init() { | ||
| // Add Tekton's resources to the K8s deserializer | ||
| schemeBuilder := runtime.NewSchemeBuilder(v1beta1.AddToScheme) | ||
| err := schemeBuilder.AddToScheme(scheme.Scheme) | ||
| if err != nil { | ||
| log.Panic(err) | ||
| } | ||
| } |
vdemeester
added
kind/design
pkg/remote/oci.go
Outdated
| // authentication. | ||
| type KeychainProvider func() (authn.Keychain, error) | ||
|
|
||
| // ImageResolver will attempt to fetch Tekton resources from an OCI compliant image repository. |
This partially addresses the desire to fetch tasks from an OCI image artifact. Issue: tektoncd#1839 Signed-off-by: Sunil Thaha <sthaha@redhat.com>
|
/assign vdemeester |
There was a problem hiding this comment.
/meow
We will need to add more to this, most likely in the form of annotation:
- support for multiple api (right now it's
…v1beta1, at some point we will need to support more than one version at the same time) - support for specific version of tekton, or minimum version required
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
|
||
| imgRef, err := name.ParseReference(fmt.Sprintf("%s/test/ociresolver", u.Host)) | ||
| if err != nil { | ||
| t.Errorf("undexpected error producing image reference %s", err.Error()) |
| type KeychainProvider func() (authn.Keychain, error) | ||
|
|
||
| // OCIResolver will attempt to fetch Tekton resources from an OCI compliant image repository. | ||
| type OCIResolver struct { |
There was a problem hiding this comment.
What's a typical usage of this type going to look like? If it's most often going to be instantiated and immediately used like this:
{
myresolver := remote.OCIResolver{imageRef, kp}
mytask := myresolver.GetTask(foo)
}then I suggest simply exposing a GetOCITask func that takes (imageReference string, keychainProvider KeychainProvider, taskName string). WDYT?
There was a problem hiding this comment.
yeah that makes a ton of sense. I guess it comes down to how this evolves when we add a resolver for Git or other remote sources. I could see an argument for either route.
I think the idea here is that it might be easier for a reconciler to use a factory to instantiate a Resolver and call it instead of having to know itself whether it should use an OCIResolver or a GitResolver or whatever else we add. We might even add a "local" resolver and embed the local task resolver into this format. Could be overkill or could be a nice abstraction. Thoughts?
There was a problem hiding this comment.
I can definitely see a factory fitting that use case. I'm not sure it follows that we'd therefore need a remote.Resolver interface and creation of structs like this anywhere outside the factory's internals though.
I think it'll ultimately depend on both the kind of configuration we expect to be available and the signature we want to expose for resolution. Examples of config might be that we allow specific resolvers to be turned on/off/configured via configmap / cli flags. Examples of public signature might be a func like ResolveTaskFromRef(taskRef) that figures out the kind of resolution it needs to make without publicly exposing the Resolver type.
Not to say we need to commit to those kinds of design choices here, more that by introducing the Resolver machinery before we get to that stage we're already kind of leaning towards a design. And as often happens we might end up needing to unwind those kinds of choices based on work discovered as we dig into that stage more thoroughly. And in turn that can lead to a some extra work reviewing in future as well.
None of this is a blocker at all from my POV, just raising it from my read-through. 👍
/lgtm
There was a problem hiding this comment.
Yup. Makes a ton of sense. We can always wrap the resolver in a function like you mention to give a single interface to caller but I guess the next PR that embeds this in the reconciler will show if it makes it more or less "gross" and we can go from there 😄
Question for @vdemeester, do you mean that the user should specify a min-supported version of Tekton when referencing the task as in or do you mean that we should ensure the version of the fetched task is not incompatible with the version of the |
Changes
This partially addresses the desire to fetch tasks
from an OCI image artifact.
Issue: #1839
Signed-off-by: Sunil Thaha sthaha@redhat.com
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmddir, please updatethe release Task to build and release this image.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.
Release Notes