OpenShift Pipelines: SRVKP-9199

Chains silently fails due to malformed user secret


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: Tekton Chains

      Description of problem:

      Tekton Chains silently fails to sign artifacts or to upload the provenance attestation when a malformed or unwanted secret is linked to the ServiceAccount used by the PipelineRun.

      This was confirmed by user rh-ee-sghadi, who resolved their issue by "removing unwanted secrets linked to the service account," after which Chains was able to upload the provenance attestation successfully.

      This may be related to an upstream go-containerregistry pull request: https://github.com/google/go-containerregistry/pull/1834

      Workaround

      Manually inspect the ServiceAccount used by the PipelineRun (both its secrets and imagePullSecrets lists). Identify and remove any malformed, invalid, or unnecessary secrets linked to it, then trigger the PipelineRun again.

      Steps to Reproduce

      1. Configure a PipelineRun to use a ServiceAccount.
      2. Link a malformed or invalid secret to this ServiceAccount (e.g., as an imagePullSecret, or as another secret that Chains/go-containerregistry might try to parse as registry credentials).
      3. Trigger the PipelineRun.
      4. Monitor the Tekton Chains controller logs and the PipelineRun's annotations.

      Actual results:

      The PipelineRun completes, but no signature or attestation is generated by Chains.

      The Tekton Chains controller logs show no error or failure message related to the signing process.

      The process fails silently, leaving no clear indication of what went wrong.

      Expected results:

      Tekton Chains should log a clear and descriptive error message.

      The error should ideally point to the ServiceAccount and the problematic secret, indicating that it could not be processed, leading to a signing fa

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

      When Tekton Chains fails to sign a PipelineRun due to a malformed secret linked to the ServiceAccount, it must log an error.

      The silent failure mode for this condition is eliminated.

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

      Original Report: This bug was identified during the investigation of https://issues.redhat.com/browse/KFLUXSPRT-5636.

      Key finding: "After removing unwanted secrets linked to the service account, chains is able to upload Provenance attestation and the conforma is passing now."

      Related Upstream PR: https://github.com/google/go-containerregistry/pull/1834

              Emil Natan
              Luiz Carvalho
              Votes: 0
              Watchers: 5