Bug
Resolution: Done
Critical
Pipelines 1.9.0
The workload pods (pods of TaskRuns/PipelineRuns) created by PAC didn't have access to the custom certs exposed by the user in the cluster - this has been fixed.
Pipelines Sprint 231, Pipelines Sprint 232
Description of problem:
Pods that run Tasks created by PaC don't have /tekton-custom-certs mounted. If we create the very same PipelineRun "manually", the Pods have these mounts.
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
1. Configure generic PaC (`tkn pac generate`); we have a resource like this:
```yaml
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test-function-pac-push
  annotations:
    # The event we are targeting as seen from the webhook payload
    # this can be an array too, i.e: [pull_request, push]
    pipelinesascode.tekton.dev/on-event: "[push]"

    # The branch or tag we are targeting (ie: main, refs/tags/*)
    pipelinesascode.tekton.dev/on-target-branch: "[main]"

    # Fetch the git-clone task from hub, we are able to reference later on it
    # with taskRef and it will automatically be embedded into our pipeline.
    pipelinesascode.tekton.dev/task: "git-clone"

    # Task for Nodejs
    pipelinesascode.tekton.dev/task-1: "[npm]"

    # You can add more tasks by increasing the suffix number, you can specify them as array to have multiple of them.
    # browse the tasks you want to include from hub on https://hub.tekton.dev/
    #
    # pipelinesascode.tekton.dev/task-2: "[curl, buildah]"

    # How many runs we want to keep attached to this event
    pipelinesascode.tekton.dev/max-keep-runs: "5"
spec:
  params:
    # The variable with brackets are special to Pipelines as Code
    # They will automatically be expanded with the events from Github.
    - name: repo_url
      value: "{{ repo_url }}"
    - name: revision
      value: "{{ revision }}"
  pipelineSpec:
    params:
      - name: repo_url
      - name: revision
    workspaces:
      - name: source
      - name: basic-auth
    tasks:
      - name: fetch-repository
        taskRef:
          name: git-clone
        workspaces:
          - name: output
            workspace: source
          - name: basic-auth
            workspace: basic-auth
        params:
          - name: url
            value: $(params.repo_url)
          - name: revision
            value: $(params.revision)
      - name: run-test
        taskRef:
          name: npm
        workspaces:
          - name: source
            workspace: source
        params:
          - name: ARGS
            value:
              - test
        runAfter:
          - fetch-repository
  workspaces:
    - name: source
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    # This workspace will inject secret to help the git-clone task to be able to
    # checkout the private repositories
    - name: basic-auth
      secret:
        secretName: "{{ git_auth_secret }}"
```
2. Commit this change -> run pipeline
3. See that volumes `config-trusted-cabundle-volume` and `config-service-cabundle-volume` aren't mounted.
4. If we generate this Pipeline manually and not via PaC, ie: `kubectl create -f push.yaml` the mounts are present in the Pods.
Actual results:
Pods running Tasks from this pipeline don't have `config-trusted-cabundle-volume` and `config-service-cabundle-volume` mounted.
Expected results:
To have these volumes mounted.
Reproducibility (Always/Intermittent/Only Once):
Always
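
One way to confirm the fix on a cluster is to audit the pods of a run for the two CA bundle volumes named above. The following is an added example, not part of the original report or of the Pipelines code base; it assumes the input has the shape of `kubectl get pods -o json` output and that the mounts sit under `/tekton-custom-certs`. `sample_pod` and the pod names are constructed for illustration.

```python
import json

# Volume names and mount prefix as given in the bug report.
REQUIRED_VOLUMES = ("config-trusted-cabundle-volume", "config-service-cabundle-volume")
MOUNT_PREFIX = "/tekton-custom-certs"  # assumption: every CA mount lives under this path


def missing_ca_mounts(pod_list):
    """Return {pod: {container: [missing volumes]}} for a `kubectl get pods -o json` document."""
    findings = {}
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        declared = {v.get("name") for v in spec.get("volumes", [])}
        per_container = {}
        for c in spec.get("containers", []):
            mounted = {m.get("name") for m in c.get("volumeMounts", [])
                       if m.get("mountPath", "").startswith(MOUNT_PREFIX)}
            # A mount only counts if the pod also declares the backing volume.
            missing = [v for v in REQUIRED_VOLUMES if v not in (mounted & declared)]
            if missing:
                per_container[c.get("name", "?")] = missing
        if per_container:
            findings[pod["metadata"]["name"]] = per_container
    return findings


def sample_pod(name, volumes):
    """Constructed Pod object with one step container that mounts `volumes` (hypothetical helper)."""
    return {
        "metadata": {"name": name},
        "spec": {
            "volumes": [{"name": v, "configMap": {"name": v}} for v in volumes],
            "containers": [{
                "name": "step-clone",
                "volumeMounts": [{"name": v, "mountPath": f"{MOUNT_PREFIX}/{v}"} for v in volumes],
            }],
        },
    }


# Constructed input: one pod as created manually (mounts present), one as created by PaC before the fix.
SAMPLE = {"items": [sample_pod("manual-run-pod", list(REQUIRED_VOLUMES)),
                    sample_pod("pac-run-pod", [])]}

if __name__ == "__main__":
    print(json.dumps(missing_ca_mounts(SAMPLE), indent=2))
```

On a live cluster, replace `SAMPLE` with the parsed output of `kubectl get pods -l tekton.dev/pipelineRun=<name> -o json`; an empty result means every container has both bundles.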