OpenShift Pipelines / SRVKP-4497

Chains: empty artifacts.oci.storage is not propagated from TektonConfig to the config map

    • Pipelines Sprint TekShift 5

      Description of problem:

      When the user sets the following in the Tekton config:

      artifacts.oci.storage: ""
      artifacts.taskrun.format: in-toto
      artifacts.taskrun.storage: tekton
      transparency.enabled: "false"
      

      The following is set in the chains-config config map:

      artifacts.taskrun.format: in-toto
      artifacts.taskrun.storage: tekton
      transparency.enabled: "false"
      

      Since the default value for artifacts.oci.storage is "oci", the payload is stored in task run annotations, but the annotation chains.tekton.dev/signed is set to failed and the following appears in the logs, which is understandable because gcr.io/foo/bar is a fake image URL:

      {"level":"error","ts":"2024-04-29T15:19:45.505Z","logger":"watcher","caller":"chains/signing.go:196","msg":"getting signed image: GET https://gcr.io/v2/token?scope=repository%3Afoo%2Fbar%3Apull&service=gcr.io: UNKNOWN: Service 'containerregistry.googleapis.com' is not enabled for consumer 'project:foo'.","commit":"ebcd9c2","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"b88e88d8-c165-433b-9a9d-7b91583cff7b","knative.dev/key":"releasetest-2hdhb/build-push-run-output-image","stacktrace":"github.com/tektoncd/chains/pkg/chains.(*ObjectSigner).Sign\n\t/go/src/github.com/tektoncd/chains/pkg/chains/signing.go:196\ngithub.com/tektoncd/chains/pkg/reconciler/taskrun.(*Reconciler).FinalizeKind\n\t/go/src/github.com/tektoncd/chains/pkg/reconciler/taskrun/taskrun.go:67\ngithub.com/tektoncd/chains/pkg/reconciler/taskrun.(*Reconciler).ReconcileKind\n\t/go/src/github.com/tektoncd/chains/pkg/reconciler/taskrun/taskrun.go:45\ngithub.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun.(*reconcilerImpl).Reconcile\n\t/go/src/github.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun/reconciler.go:236\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:542\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:491"}
      {"level":"error","ts":"2024-04-29T15:19:45.530Z","logger":"watcher","caller":"taskrun/reconciler.go:295","msg":"Returned an error","commit":"ebcd9c2","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"b88e88d8-c165-433b-9a9d-7b91583cff7b","knative.dev/key":"releasetest-2hdhb/build-push-run-output-image","targetMethod":"ReconcileKind","error":"1 error occurred:\n\t* getting signed image: GET https://gcr.io/v2/token?scope=repository%3Afoo%2Fbar%3Apull&service=gcr.io: UNKNOWN: Service 'containerregistry.googleapis.com' is not enabled for consumer 'project:foo'.\n\n","stacktrace":"github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun.(*reconcilerImpl).Reconcile\n\t/go/src/github.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun/reconciler.go:295\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:542\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:491"}
      {"level":"error","ts":"2024-04-29T15:19:45.530Z","logger":"watcher","caller":"controller/controller.go:566","msg":"Reconcile error","commit":"ebcd9c2","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"b88e88d8-c165-433b-9a9d-7b91583cff7b","knative.dev/key":"releasetest-2hdhb/build-push-run-output-image","duration":0.350757201,"error":"1 error occurred:\n\t* getting signed image: GET https://gcr.io/v2/token?scope=repository%3Afoo%2Fbar%3Apull&service=gcr.io: UNKNOWN: Service 'containerregistry.googleapis.com' is not enabled for consumer 'project:foo'.\n\n","stacktrace":"knative.dev/pkg/controller.(*Impl).handleErr\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:566\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:543\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\t/go/src/github.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:491"}
      

      Workaround

      Set artifacts.oci.storage="" manually in the config map.

      Prerequisites (if any, like setup, operators/versions):

      Pipelines 1.14.4 (and probably all 1.14.z)

      Steps to Reproduce

      1. Install OpenShift 4.12 - 4.16 and Pipelines 1.14.

      2. Run release tests:
      gauge run --log-level=debug --verbose --tags e2e specs/chains/chains.spec:20
      

       

      Actual results:

      • errors in chains pod
      • payload for task run created
      • annotation chains.tekton.dev/signed set to "failed"
      • test failed

      Expected results:

      • payload and signature created
      • annotation chains.tekton.dev/signed set to "signed"

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Additional info (Such as Logs, Screenshots, etc):

      It was reported that it works as expected with Pipelines 1.13. This might be the root cause https://github.com/tektoncd/operator/pull/1459
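
A drift check for the behaviour described in this report, as an added example that is not part of the original issue or of the Tekton operator code: it compares the keys set in TektonConfig with those present in the chains-config config map and reports any that were dropped, using the values quoted above. `FindDropped`, `Drift` and the `defaults` map are hypothetical names; the only default assumed is `artifacts.oci.storage` = "oci", as stated in the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Drift describes one requested key that did not reach the config map.
type Drift struct {
	Key       string
	Requested string // value set in TektonConfig (may be "")
	Effective string // known default Chains falls back to, "" if not known
}

// FindDropped returns every key present in requested (even with an empty
// value) but absent from applied. Presence is tested with the two-value map
// lookup so that an explicit "" is not confused with "not set".
func FindDropped(requested, applied, defaults map[string]string) []Drift {
	var out []Drift
	for k, want := range requested {
		if _, ok := applied[k]; ok {
			continue
		}
		out = append(out, Drift{Key: k, Requested: want, Effective: defaults[k]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// Values copied from the report; defaults holds only the default it states.
var (
	requested = map[string]string{
		"artifacts.oci.storage":     "",
		"artifacts.taskrun.format":  "in-toto",
		"artifacts.taskrun.storage": "tekton",
		"transparency.enabled":      "false",
	}
	applied = map[string]string{
		"artifacts.taskrun.format":  "in-toto",
		"artifacts.taskrun.storage": "tekton",
		"transparency.enabled":      "false",
	}
	defaults = map[string]string{"artifacts.oci.storage": "oci"}
)

func main() {
	for _, d := range FindDropped(requested, applied, defaults) {
		fmt.Printf("%s: requested %q, missing from config map, effective %q\n",
			d.Key, d.Requested, d.Effective)
	}
}
```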

              jkandasa-rh Jeeva Kandasamy
              ppitonak Pavol Pitoňák
              Puneet Punamiya Puneet Punamiya