Introduces Tekton bundles: take 2

[pierretasci]

Changes

Introduces Tekton Bundles with docs, apis, examples, and updates to the reconcilers to allow Task and Pipeline references from Tekton Bundles

Note, I had to re-submit this PR to get the CLA to pass

Summary of changes:

• adds docs for how to use Tekton Bundles as refs including a tekton bundle contract
• adds a field to task and pipeline refs to specify a tekton bundle url
• adds validation and tests to the api
• Wires up the OCI remote fetcher to the pipeline ref and task ref handlers
• adds tests into the pipelinerun and taskrun reconcilers to test for remote refs
• requires a change to the way we resolve tasks in the pipelinerun resource handler because we want to decide how to fetch each task ref on a case by case basis instead of using one uniform task fetcher

This is a large change but there are significant side-effects to any one part of this change and it felt half-hearted to only provide the API change to either tasksruns or pipelines and not both at the same time.

Submitter Checklist

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices
• Release notes block has been filled in or deleted (only if no user facing changes)

Release Notes

Task and Pipeline refs now support remote references via Tekton Bundles. Disabled by default. Enable bundles with feature flag.

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Pierre Tasci (99ca8dd, 0d79f7a, 9bf6dc3, 3d1cb16)

[tekton-robot]

Hi @pierretasci. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pritidesai]

/ok-to-test
/kind feature

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	81.8%	82.4%	0.6
internal/builder/v1beta1/task.go	75.5%	75.7%	0.2
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go	96.4%	97.0%	0.5
pkg/apis/pipeline/v1beta1/taskrun_validation.go	97.4%	97.7%	0.3
pkg/reconciler/pipelinerun/pipelinerun.go	86.3%	85.0%	-1.4
pkg/reconciler/pipelinerun/resources/pipelineref.go	66.7%	61.9%	-4.8
pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go	90.2%	90.3%	0.2
pkg/reconciler/taskrun/resources/taskref.go	75.0%	60.6%	-14.4
pkg/reconciler/taskrun/taskrun.go	78.3%	77.3%	-1.0
pkg/remote/oci/resolver.go	76.3%	76.9%	0.6

[bobcatfish]

Note, I had to re-submit this PR to get the CLA to pass

usually force pushing a slightly modified commit works as well (not that that is a great solution either)

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	81.8%	82.4%	0.6
internal/builder/v1beta1/task.go	75.5%	75.7%	0.2
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go	96.4%	97.0%	0.5
pkg/apis/pipeline/v1beta1/taskrun_validation.go	97.4%	97.7%	0.3
pkg/reconciler/pipelinerun/pipelinerun.go	86.3%	85.1%	-1.2
pkg/reconciler/pipelinerun/resources/pipelineref.go	66.7%	61.9%	-4.8
pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go	90.2%	90.3%	0.2
pkg/reconciler/taskrun/resources/taskref.go	75.0%	60.6%	-14.4
pkg/reconciler/taskrun/taskrun.go	78.9%	77.9%	-1.0
pkg/remote/oci/resolver.go	76.3%	76.9%	0.6

[pritidesai]

@pierretasci Haven't looked at the changes yet but from the PR policy perspective, we need to squash five commits into one 😞 and fix the release note section, delete extra spaces before "```release-note".

This is very exciting and hoping to review it soon.

[imjasonh]

Lookin' good! Can't wait to see tkn support, especially, looking at the contract docs.

[imjasonh]

We should move this to a Tekton-owned repo, maybe gcr.io/tekton-nightly?

[pierretasci]

Absolutely! I don't think I have push access to that repo but I am happy to figure out how to do that or work with someone who does have push permissions.

[imjasonh]

Yeah what we'll probably end up doing is moving this to a real Go test that pushes a bundle image first then references it, to ensure it's there and up-to-date.

We can stick with this for now, but we should have a TODO to clean it up soon, in case Docker deletes the image or something 😅

[pierretasci]

Will do.

[imjasonh]

Is there some way we could loop and find the right action, instead of pulling out the one we expect to be right by index? This feels really brittle to implementation changes.

[pierretasci]

As someone who had to change all these I am highly inclined to agree so to reduce the brittleness I added two helper functions!

[imjasonh]

I'd prefer not to add new usages of test builders if we can avoid it. I'm (slowly) trying to weed them out in favor of structs.

[pierretasci]

Sure. Happy to change it though I am genuinely curious why we are moving away from builders. As the change shows, it is a bit tedious to write out the whole thing.

[imjasonh]

Nit: you can save some horizontal space by putting both {{s on the same line here.

[pierretasci]

Done.

[imjasonh]

This is going to have so many merge conflicts with #3115 😅

But this is definitely higher priority than that, so let's get this in first and I'll clean up.

[pierretasci]

@pierretasci Haven't looked at the changes yet but from the PR policy perspective, we need to squash five commits into one 😞 and fix the release note section, delete extra spaces before "```release-note".

This is very exciting and hoping to review it soon.

Much appreciated! Done.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	81.8%	82.4%	0.6
internal/builder/v1beta1/task.go	75.5%	75.7%	0.2
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go	96.4%	97.0%	0.5
pkg/apis/pipeline/v1beta1/taskrun_validation.go	97.4%	97.7%	0.3
pkg/reconciler/pipelinerun/pipelinerun.go	86.3%	85.1%	-1.2
pkg/reconciler/pipelinerun/resources/pipelineref.go	66.7%	61.9%	-4.8
pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go	90.2%	90.3%	0.2
pkg/reconciler/taskrun/resources/taskref.go	75.0%	60.6%	-14.4
pkg/reconciler/taskrun/taskrun.go	78.9%	77.9%	-1.0
pkg/remote/oci/resolver.go	76.3%	76.9%	0.6

[pierretasci]

Addressed feedback from ImJasonH

[pierretasci]

Absolutely! I don't think I have push access to that repo but I am happy to figure out how to do that or work with someone who does have push permissions.

[pierretasci]

Done.

[pierretasci]

As someone who had to change all these I am highly inclined to agree so to reduce the brittleness I added two helper functions!

[pierretasci]

Sure. Happy to change it though I am genuinely curious why we are moving away from builders. As the change shows, it is a bit tedious to write out the whole thing.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	81.8%	82.4%	0.6
internal/builder/v1beta1/task.go	75.5%	75.7%	0.2
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go	96.4%	97.0%	0.5
pkg/apis/pipeline/v1beta1/taskrun_validation.go	97.4%	97.7%	0.3
pkg/reconciler/pipelinerun/pipelinerun.go	86.3%	85.1%	-1.2
pkg/reconciler/pipelinerun/resources/pipelineref.go	66.7%	61.9%	-4.8
pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go	90.2%	90.3%	0.2
pkg/reconciler/taskrun/resources/taskref.go	75.0%	60.6%	-14.4
pkg/reconciler/taskrun/taskrun.go	78.9%	77.9%	-1.0
pkg/remote/oci/resolver.go	76.3%	76.9%	0.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	81.8%	82.4%	0.6
internal/builder/v1beta1/task.go	75.5%	75.7%	0.2
pkg/apis/pipeline/v1beta1/pipelinerun_validation.go	96.4%	97.0%	0.5
pkg/apis/pipeline/v1beta1/taskrun_validation.go	97.4%	97.7%	0.3
pkg/reconciler/pipelinerun/pipelinerun.go	86.3%	85.1%	-1.2
pkg/reconciler/pipelinerun/resources/pipelineref.go	66.7%	61.9%	-4.8
pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go	90.2%	90.3%	0.2
pkg/reconciler/taskrun/resources/taskref.go	75.0%	60.6%	-14.4
pkg/reconciler/taskrun/taskrun.go	78.9%	77.9%	-1.0
pkg/remote/oci/resolver.go	76.3%	76.9%	0.6

[imjasonh]

Sure. Happy to change it though I am genuinely curious why we are moving away from builders. As the change shows, it is a bit tedious to write out the whole thing.

There's been some debate about their usefulness, especially compared with the effort it takes to hand-write the builder methods, keep them consistently named with consistent behavior, etc. -- by comparison, simply writing out the structs is natively supported already, and though it might end up being more keystrokes, I think it's actually more readable in the end. So now I'm on a crusade to wipe out test builders everywhere. 😅

[dlorenc]

nit: i think the - name: list can be unindented a bit.

[dlorenc]

same here: unindent.

[dlorenc]

I know this is just an example, but I think this should be "index.docker.io/myrepo/mycatalog..."

[dlorenc]

same as above - I think this needs to be index.docker.io for Dockerhub.

[dlorenc]

Wouldn't the digest be the "fixed repeatable reference"?

[pierretasci]

AFAIK, best practice is to treat tags as fixed elements but that is not an enforced aspect of the spec so I will call out digests as well

[dlorenc]

nit: the file is named "contracts", not "contract"

[dlorenc]

Is the layer still a gzipped tar file, or just the raw YAML?

[pierretasci]

Good point. This is a bit confusing as worded. The intention is that you should inject a single object into each layer in YAML/JSON form and then perform the standard compression/digesting required by the OCI spec. I will reword this to be more clear

[dlorenc]

I looked at the code to see what actually happens, it might be worth specifying a bit more here. Each layer is a raw yaml file, we don't do any "tar-ing". That then gets compressed as it is stored in the registry.

[dlorenc]

I like this approach - but there are some cons to think through:

• Do we ever think we'll want to have multiple files per bundle? We can't do that without a tar.
• "docker pull/docker save" and "crane pull" expect image layers to be tars. The mime type is actually application/vnd.oci.image.layer.v1.tar+gzip - so clients might be expecting a tar here. We could change the mime type, but that might not be supported everywhere.

[pierretasci]

Admittedly my knowledge of the underlying OCI standard is minimal but I will give it a go based on what I think I know. My understanding is that the go-containerregistry tool before uploading the image, performs the necessary compression and tar'ing to make the image conform to the standard expected by the registry. If that is the case, I believe that means that while we store and read YAML bytes, transiently there is some compressing/decompressing happening.

Also, I am able to store multiple files in a bundle by adding each one as a new layer with the experimental tool I have built. I think that semi-validates my half-understanding that there is some compression happening in the background but I am happy to be wrong here.

[dlorenc]

So go-containerregistry will compress, but not archive the layer. The mime type it sets by default is tar+gzip, but it's up to you to actually put these bytes into a tar and extract them from a tar when you call "Uncompressed".

I think we have two choices:

• Keep things the way they are (one object per layer, raw yaml bytes without tar-ing). Change the mime/media type of the layer. You can do this with a PR I just sent to go-containerregistry: google/go-containerregistry@071a121
• Tar files up when you put them in the layer, and keep the mime/media type the same. You can do this with https://golang.org/pkg/archive/tar/#NewReader

cc @jonjohnsonjr, the resident OCI spec expert.

[pierretasci]

This is excellent context that I didn't have so thanks for sharing! Based on your description, to me the latter option makes the most sense because it seems like a waste of space to store uncompressed files in a registry. I will add a note to the contract that the layers must be tar'ed.

[vdemeester]

Is it documented somewhere that we limit to 10 the content of a bundle ?

[pierretasci]

Yup. It is spelled out in the contract: https://github.com/tektoncd/pipeline/pull/3142/files#diff-1dfbd644a9243c47edaba1835ff18e89bde7cb3b25b475356d5827d1bf8bbea9R20

[vdemeester]

Ah right, make sense. We can change this later on if we need 👍

[vdemeester]

/lgtm
/meow

[tekton-robot]

@vdemeester:

In response to this:

/lgtm
/meow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pierretasci]

/retest

[pritidesai]

@pierretasci @vdemeester looks like this has been failing with the same error:

TestTektonBundlesUsingRegularImage: init_test.go:131: Create namespace arendelle-rkgds to deploy to
    TestTektonBundlesUsingRegularImage: init_test.go:147: Verify SA "default" is created in namespace "arendelle-rkgds"
    TestTektonBundlesUsingRegularImage: tektonbundles_test.go:378: Failed to create image. Pod logs are: 
        Getting image source signatures
        time="2020-10-15T18:42:36Z" level=fatal msg="Error trying to reuse blob sha256:98899d80a497fc980938a2dfb0fb37f537262aec96201c52d4246619a60af9b8 at destination: error pinging docker registry registry.arendelle-rkgds.svc.cluster.local:5000: Get http://registry.arendelle-rkgds.svc.cluster.local:5000/v2/: dial tcp 10.91.244.92:5000: connect: connection refused"

[pierretasci]

@pierretasci @vdemeester looks like this has been failing with the same error:

TestTektonBundlesUsingRegularImage: init_test.go:131: Create namespace arendelle-rkgds to deploy to
    TestTektonBundlesUsingRegularImage: init_test.go:147: Verify SA "default" is created in namespace "arendelle-rkgds"
    TestTektonBundlesUsingRegularImage: tektonbundles_test.go:378: Failed to create image. Pod logs are: 
        Getting image source signatures
        time="2020-10-15T18:42:36Z" level=fatal msg="Error trying to reuse blob sha256:98899d80a497fc980938a2dfb0fb37f537262aec96201c52d4246619a60af9b8 at destination: error pinging docker registry registry.arendelle-rkgds.svc.cluster.local:5000: Get http://registry.arendelle-rkgds.svc.cluster.local:5000/v2/: dial tcp 10.91.244.92:5000: connect: connection refused"

Yeah I am trying to figure out why this is failing in the GKE cluster but not locally. I think there is a timing issue happening here but I can't be sure. What I do know is that skopeo is not behaving the same locally as it does remotely.

[pierretasci]

@pierretasci @vdemeester looks like this has been failing with the same error:

TestTektonBundlesUsingRegularImage: init_test.go:131: Create namespace arendelle-rkgds to deploy to
    TestTektonBundlesUsingRegularImage: init_test.go:147: Verify SA "default" is created in namespace "arendelle-rkgds"
    TestTektonBundlesUsingRegularImage: tektonbundles_test.go:378: Failed to create image. Pod logs are: 
        Getting image source signatures
        time="2020-10-15T18:42:36Z" level=fatal msg="Error trying to reuse blob sha256:98899d80a497fc980938a2dfb0fb37f537262aec96201c52d4246619a60af9b8 at destination: error pinging docker registry registry.arendelle-rkgds.svc.cluster.local:5000: Get http://registry.arendelle-rkgds.svc.cluster.local:5000/v2/: dial tcp 10.91.244.92:5000: connect: connection refused"

Yeah I am trying to figure out why this is failing in the GKE cluster but not locally. I think there is a timing issue happening here but I can't be sure. What I do know is that skopeo is not behaving the same locally as it does remotely.

Worse yet, it always succeeds the first time but fails the second time.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[pierretasci]

/retest

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[pierretasci]

/test all

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
internal/builder/v1beta1/pipeline.go	85.7%	86.1%	0.4

[vdemeester]

/lgtm
I'll start working on the follow-ups 😉

[pierretasci]

/retest

[pierretasci]

/retest

[mattmoor]

This regressed Tekton's ability to run e2e tests against clusters without the standard .cluster.local suffix.

I opened #3429 to track.