
Consider renaming `IMAGE_URL`/`IMAGE_DIGEST` type hints to `ARTIFACT_NAME`/`ARTIFACT_DIGEST`

Open priyawadhwa opened this issue 4 years ago • 10 comments

When generating provenance from a TaskRun, Chains looks for *IMAGE_URL and *IMAGE_DIGEST result types to figure out what artifact was actually built. This is what goes into the subject section of the provenance. Right now, we assume OCI images were built and only have support for them.

I was thinking that we could rename these results to something more generic, like *ARTIFACT_NAME and *ARTIFACT_DIGEST so that other types of subjects could be included in provenance. We can still infer if something is an OCI image, but now we can also support generic files that may have been built in the TaskRun along with digests for them. This could be useful if something other than an image is being built and published from a TaskRun.

The only thing I'm not sure about is if we should also be signing these ARTIFACTs if they aren't OCI images. If a TaskRun builds and publishes a binary somewhere, should Chains be responsible for signing it somehow if it's being included in provenance?

priyawadhwa avatar Nov 02 '21 16:11 priyawadhwa
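To make the result-pairing described above concrete, here is an added example (not Chains' own code, and not from anyone in this thread) of how a TaskRun's results can be turned into in-toto subject entries. It keeps the existing *IMAGE_URL/*IMAGE_DIGEST pair and, as an assumption about the proposal, honours a generic *ARTIFACT_NAME/*ARTIFACT_DIGEST pair alongside it. The `Result`, `Subject`, `SubjectsFromResults` and `SampleResults` names and the sample results are constructed for the example; the choice to fail on a missing or malformed digest, rather than drop the subject silently, is also the example's, since the thread does not settle it.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Result mirrors the name/value pair of a TaskRun result.
type Result struct {
	Name  string
	Value string
}

// Subject is one entry of an in-toto Statement's "subject" list.
type Subject struct {
	Name   string
	Digest map[string]string // algorithm -> hex digest, e.g. "sha256" -> "ab..."
}

// suffixPairs lists the (name, digest) result suffixes that mark an artifact.
// The first pair is the convention the thread describes; the second is the
// proposed generic one (assumption: both would be honoured side by side).
var suffixPairs = []struct{ name, digest string }{
	{"IMAGE_URL", "IMAGE_DIGEST"},
	{"ARTIFACT_NAME", "ARTIFACT_DIGEST"},
}

// digestRe accepts "<algorithm>:<lowercase hex>" and nothing else.
var digestRe = regexp.MustCompile(`^(sha256|sha512):([0-9a-f]+)$`)

// hexLen is the expected hex length per algorithm, so a truncated digest is
// rejected instead of becoming a subject that matches nothing real.
var hexLen = map[string]int{"sha256": 64, "sha512": 128}

// SubjectsFromResults pairs each *NAME result with its *DIGEST result by
// shared prefix and returns the subjects, sorted by name. A name result whose
// digest is missing or malformed is an error rather than a silently dropped
// subject (the example's choice; the thread does not specify this).
func SubjectsFromResults(results []Result) ([]Subject, error) {
	byName := make(map[string]string, len(results))
	for _, r := range results {
		byName[r.Name] = strings.TrimSpace(r.Value)
	}
	var subjects []Subject
	for _, p := range suffixPairs {
		for name, value := range byName {
			if !strings.HasSuffix(name, p.name) {
				continue
			}
			prefix := strings.TrimSuffix(name, p.name)
			digest, ok := byName[prefix+p.digest]
			if !ok {
				return nil, fmt.Errorf("result %q has no matching %s%s", name, prefix, p.digest)
			}
			m := digestRe.FindStringSubmatch(digest)
			if m == nil || len(m[2]) != hexLen[m[1]] {
				return nil, fmt.Errorf("result %s%s: malformed digest %q", prefix, p.digest, digest)
			}
			if value == "" {
				return nil, fmt.Errorf("result %q is empty", name)
			}
			subjects = append(subjects, Subject{Name: value, Digest: map[string]string{m[1]: m[2]}})
		}
	}
	sort.Slice(subjects, func(i, j int) bool { return subjects[i].Name < subjects[j].Name })
	return subjects, nil
}

// SampleResults is constructed input standing in for a TaskRun's status.results:
// one OCI image plus one non-image artifact under the proposed suffixes.
func SampleResults() []Result {
	return []Result{
		{Name: "IMAGE_URL", Value: "gcr.io/example/app\n"},
		{Name: "IMAGE_DIGEST", Value: "sha256:" + strings.Repeat("ab", 32)},
		{Name: "RELEASE_ARTIFACT_NAME", Value: "gs://example-bucket/release.yaml"},
		{Name: "RELEASE_ARTIFACT_DIGEST", Value: "sha256:" + strings.Repeat("cd", 32)},
		{Name: "NOTES", Value: "unrelated result, not an artifact"},
	}
}

func main() {
	subjects, err := SubjectsFromResults(SampleResults())
	if err != nil {
		panic(err)
	}
	for _, s := range subjects {
		fmt.Printf("%s %v\n", s.Name, s.Digest)
	}
}
```

The digest check matters for the security of the provenance, whatever the suffix ends up being called: the subject is only as trustworthy as the digest written into the result, and a task that emits an empty or truncated value would otherwise yield a signed statement that no verifier can match against a real artifact.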

This makes sense.

Have you considered where the signature would be pushed, in case of binaries?

sbose78 avatar Nov 03 '21 14:11 sbose78

So if binaries are stored in one of our supported storage backends (gcs or docdb), then we would need some way of referencing their location in the Task (maybe gcs://mybucket/myfile or firestore://something for docdb). Then, Chains could find the file, sign it and store the signature in the same spot. We could also add this to the config as a new artifact type to configure where signatures are stored, so we'd add:

  • artifacts.file.storage
  • artifacts.file.signer

I could see this being useful for something like signing entire release yamls for Tekton/Chains releases, which are stored in GCS.

priyawadhwa avatar Nov 03 '21 14:11 priyawadhwa

Makes sense.

Another comment on this:

Do you think we could make the names IMAGE_URL/IMAGE_DIGEST, ARTIFACT_NAME/ARTIFACT_DIGEST configurable for an instance of a Tekton Chains installation?

sbose78 avatar Nov 10 '21 21:11 sbose78

Do you think we could make the names IMAGE_URL/IMAGE_DIGEST, ARTIFACT_NAME/ARTIFACT_DIGEST configurable for an instance of a Tekton Chains installation?

Yah it's definitely possible, but I'd prefer not to do that so that Tasks could be used across installations and just work.

priyawadhwa avatar Nov 11 '21 14:11 priyawadhwa

Drive-by comment: via TEP-0075 we'll hopefully be adding support for richer result types (in this case objects with keys and values), so I wonder if it would be worth making this naming change now, or making it when we can update chains to use these richer types (or maybe chains would always support both?)

bobcatfish avatar Jan 13 '22 18:01 bobcatfish

If there isn't an immediate need for this, I'm happy to wait for richer result types!

priyawadhwa avatar Jan 20 '22 22:01 priyawadhwa

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Apr 20 '22 22:04 tekton-robot

/remove-lifecycle stale

priyawadhwa avatar Apr 21 '22 14:04 priyawadhwa

TEP 109 is addressing TEP 76 in Chains

ywluogg avatar Jul 08 '22 14:07 ywluogg

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Oct 06 '22 15:10 tekton-robot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

tekton-robot avatar Nov 05 '22 15:11 tekton-robot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

tekton-robot avatar Dec 05 '22 15:12 tekton-robot

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Dec 05 '22 15:12 tekton-robot