Add taskRef remote resolution support #4859
Conversation
tekton-robot
added
release-note
tekton-robot
added
the
size/XL
|
/assign @vdemeester |
|
The following is the coverage report on the affected files.
|
|
Thanks for doing this @abayer! Just FYI that Scott is currently on leave until mid-August. /assign |
|
/retest |
1 similar comment
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
| @@ -311,14 +311,14 @@ func TestPipelineTask_ValidateRegularTask_Failure(t *testing.T) { | |||
| }, | |||
| expectedError: *apis.ErrDisallowedFields("taskref.bundle"), | |||
| }, { | |||
There was a problem hiding this comment.
Can you please add some test cases for use of resolver and resource with the alpha feature flag set?
| @@ -277,7 +277,19 @@ func (c *Reconciler) resolvePipelineState( | |||
| pst := resources.PipelineRunState{} | |||
| // Resolve each task individually because they each could have a different reference context (remote or local). | |||
| for _, task := range tasks { | |||
| fn, err := tresources.GetTaskFunc(ctx, c.KubeClientSet, c.PipelineClientSet, task.TaskRef, pr.Namespace, pr.Spec.ServiceAccountName) | |||
| // Create a dummy TaskRun for remote resolution. | |||
There was a problem hiding this comment.
Can you help me understand what's going on here? the way I would anticipate this working is that we'd create a TaskRun as normal, but pass the resolver info along to the TaskRun, and have the TaskRun reconciler validate the resolver and resolve the task.
There was a problem hiding this comment.
So this is what I'm most unsure about - we resolve the Task whether or not there's a TaskRun or even if we're creating a TaskRun, I believe for situations like when expressions and conditions. But the code in pkg/remote requires a kmeta.OwnerRefable. It only ever uses that kmeta.OwnerRefable to get its Name and Namespace, but nonetheless. Since we need to pass that kmeta.OwnerRefable in to GetTaskFunc, we don't have the TaskRun, if it exists, at the time we call GetTaskFunc.
So there's two aspects here - first, there's the kmeta.OwnerRefable stuff - that could be refactored to have the resolver code take name and namespace instead, and second, even if we did do that refactor, we'd still need to have the TaskRun name when calling GetTaskFunc, because
TaskRun name before resolving.
The options I see are the dummy TaskRun approach here, refactoring to take name and namespace instead, which still requires generating the TaskRun name at this location, or reworking the PipelineRun reconciler to not resolve the Task until there's already a created TaskRun, deferring all the remote resolution logic to the TaskRun reconciler. The last option definitely feels like the ideal one for this particular change, but I'm not sure what the implications would be if we don't resolve the Task until we have a TaskRun.
There was a problem hiding this comment.
Thanks for the explanation!
I think the middle option (refactoring to take name and namespace instead) is the way to go. I find the dummy TaskRun approach to be confusing, and the last approach sounds like a large refactor that may not be necessary. If you look into buildRequest, it looks like the reason a name is needed is to make sure there are not multiple requests for the same pipeline's pipelineRef, the same task's taskRef, or the same pipeline task's taskRef. Therefore, what's needed here is not actually the name that will be used but some sort of unique identifier. I think a combo of pipelinerun name + pipeline task name should work.
There was a problem hiding this comment.
Ok, I'll poke around briefly to try to better understand (for my own edification, if nothing else!) when exactly we end up with a resolved Task but no TaskRun and what would be impacted by not resolving the Task unless/until we resolve the TaskRun, but so far, it does look like a lot of behavior, particularly around resolving task resources, would barf in that case. Still good to know better. =)
Aaaaah, yeah, you're right re the name. That said, GetTaskRunName is just checking to see if there already is a name defined in pr.Status.ChildReferences or pr.Status.TaskRuns for the pipeline task name, and if not, it returns kmeta.ChildName(prName, fmt.Sprintf("-%s", ptName))...which is just prName-ptName unless that would be longer than 63 characters (in which case it trims down prName and/or ptName and adds an md5 hash of the "full" string to guarantee uniqueness) anyway. So might as well just use GetTaskRunName.
There was a problem hiding this comment.
Aaah - I just checked deeper, and it turns out the kmeta.OwnerRefable ends up being used to add an owner reference to the generated ResolutionRequest:
https://github.com/tektoncd/resolution/blob/52bc1f17d4b6d8477e73a059de4b5808012a0386/pkg/resource/crd_resource.go#L104
So I think things need to be tweaked a bit more so that the ResolutionRequest has the PipelineRun as its owner reference.
There was a problem hiding this comment.
And we should definitely use GetTaskRunName for the remote resource name in buildRequest so that we ensure the resolution request made by the PipelineRun reconciler has the same unique identifier as the one made by the TaskRun reconciler to avoid an unnecessary repeat resolution request being created...yeah, I'd really prefer if we didn't try to resolve the Task from the PipelineRun reconciler at all. Grr.
The PR is not that huge, I don't really see why we would go through the trouble of spliting it into two. |
The reason I suggest splitting it is to logically separate resolution of taskrefs for taskruns vs pipeline tasks. There's some discussion around how best to handle resolution for pipeline tasks, and I think having taskref resolution in place for taskruns before adding it for pipeline tasks might lead to a better solution in the end. This is also just my opinion on a subjective judgment call about what is small/modular enough. |
|
@lbernick @vdemeester @afrittoli 819b9df modifies the remote resolver to take both a |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
| @@ -1238,6 +1238,114 @@ spec: | |||
| } | |||
| } | |||
|
|
|||
| // TestReconcileWithResolver checks that a PipelineRun with a populated Resolver | |||
There was a problem hiding this comment.
docstring here I think needs to be updated
| @@ -63,14 +69,15 @@ func GetTaskFuncFromTaskRun(ctx context.Context, k8s kubernetes.Interface, tekto | |||
| }, nil | |||
| }, nil | |||
| } | |||
| return GetTaskFunc(ctx, k8s, tekton, taskrun.Spec.TaskRef, taskrun.Namespace, taskrun.Spec.ServiceAccountName) | |||
| return GetTaskFunc(ctx, k8s, tekton, requester, taskrun, taskrun.Spec.TaskRef, "", taskrun.Namespace, taskrun.Spec.ServiceAccountName) | |||
There was a problem hiding this comment.
what's the reason to use "" here instead of taskrun.name?
There was a problem hiding this comment.
In practice in this case, it doesn't really matter - if the targetName is "", then owner.Name (in this case, taskrun.name) is used. I'm not a huge fan of the signature for GetTaskFunc, but can't come up with something cleaner at the moment - I'll try to come back and refactor GetTaskFunc in general if and when I get a good idea. =) That said, I'll change this to use taskrun.Name for now, even though it's unnecessary.
Thanks, I think this approach looks better! |
abayer
force-pushed
the
remote-resolving-tasks
branch
from
d02a360
to
7235d9c
Compare
|
The following is the coverage report on the affected files.
|
|
thanks @abayer! Just squash and I'll LGTM |
Followup to tektoncd#4596, needed for tektoncd#4710. Enables remote resolution of `Task`s, both in explicitly created `TaskRun`s and in `PipelineRun`s' `PipelineTask`s, from public git repositories using tektoncd/resolution. Also modifies `resolution.Resolver` to take both owner and optional name/namespace. This is needed because we don't necessarily have a `TaskRun` yet when calling `GetTaskFunc` in the `PipelineRun` reconciler, but still need to ensure that we only make one remote resolution request for a `PipelineTask` via the `PipelineRun` and `TaskRun` reconcilers. Therefore, we must have the same deterministically-generated resolution request name in both places, using the predictable eventual `TaskRun` name and namespace. We also want to make sure that the created `ResolutionRequest` has the appropriate owner reference, hence still passing a `kmeta.OwnerRefable` to `NewResolver` as well as the name and namespace. This is still in alpha. Signed-off-by: Andrew Bayer <andrew.bayer@gmail.com>
abayer
force-pushed
the
remote-resolving-tasks
branch
from
7235d9c
to
f7d1e04
Compare
|
@lbernick Done! |
|
The following is the coverage report on the affected files.
|
|
/lgtm |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
Changes
Followup to #4596, needed for #4710.
remote resolution, both in explicitly created
TaskRuns and inPipelineRuns'PipelineTasks,from public git repositories using tektoncd/resolution.
To actually see anything happening a dev also needs to deploy
tektoncd/resolutionand thegitresolver.This is still in alpha.
/kind feature
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")
Release Notes