pipelines-as-code
Tekton Webhook does not accept PipelineRun created by operator
I am trying to run a pipeline from the .tekton directory of GitLab in order to evaluate the tool for our platform. However, it seems like the PipelineRun generated by the controller is being rejected by the Tekton pipeline validating/mutating webhook. In the controller logs, I am getting the following error:
{"severity":"ERROR","timestamp":"2022-07-07T11:08:39.510768285Z","logger":"pipelinesascode","caller":"pipelineascode/pipelineascode.go:63","message":"PipelineRun pipeline-as-code-on-pull-request- has failed: creating pipelinerun pipeline-as-code-on-pull-request- in gabbar-build has failed: admission webhook \"webhook.pipeline.tekton.dev\" denied the request: mutation failed: cannot decode incoming new object: json: unknown field \"spec\" ","provider":"gitlab","event-id":"","event-sha":"b65621607a667b5acc7dd971272b7f9deb5a9075","event-type":"Push","stacktrace":"github.com/openshift-pipelines/pipelines-as-code/pkg/pipelineascode.(*PacRun).Run.func1\n\t/src/pkg/pipelineascode/pipelineascode.go:63"}
After deleting the validating webhook and mutating webhook of Tekton pipeline, I found that the PipelineRun got created. It seems like the PipelineRun generated by the controller has some invalid fields.
I have the following Repository CR created:
```yaml
apiVersion: pipelinesascode.tekton.dev/v1alpha1
kind: Repository
metadata:
  name: gitops-repo
  namespace: gabbar-build
spec:
  git_provider:
    secret:
      key: token
      name: git-auth
    type: gitlab
  url: 'https://gitlab.com/<path-to-repository>'
```
The PipelineRun in the .tekton directory looks like this:
```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pipeline-as-code-on-pull-request
  annotations:
    pipelinesascode.tekton.dev/on-event: "[push]"
    pipelinesascode.tekton.dev/on-target-branch: "[master]"
    pipelinesascode.tekton.dev/task: "[git-clone]"
    pipelinesascode.tekton.dev/max-keep-runs: "2"
spec:
  workspaces:
    - name: source
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 3Gi
  params:
    - name: repo_url
      value: "{{repo_url}}"
    - name: revision
      value: "{{revision}}"
  pipelineSpec:
    workspaces:
      - name: source
    params:
      - name: repo_url
      - name: revision
    tasks:
      - name: fetchit
        params:
          - name: url
            value: $(params.repo_url)
          - name: revision
            value: $(params.revision)
        taskRef:
          name: git-clone
        workspaces:
          - name: output
            workspace: source
```
@hanzala1234 Thanks for creating the issue. Can you share what versions of Pipelines As Code and Tekton Pipelines are installed on the cluster?
@sm43 Here are those versions:
Pipelines As Code version: stable
Tekton version: 0.24.3
OpenShift version: 4.8.29
@sm43 is there any update on that?
@hanzala1234 I will test it and will let you know. Can you tell me when you installed the stable version? As stable always references the latest released version, I just wanted to figure out which released version it is.
@hanzala1234 I was able to reproduce the issue with the latest released PAC version too, so the issue seems to be with Tekton Pipelines 0.24.3. When the controller creates the PipelineRun, it looks as below:
```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  annotations:
    - ...
  creationTimestamp: null
  generateName: pipeline-as-code-on-pull-request-
  labels:
    - ....
spec:
  params:
    - name: repo_url
      value: https://gitlab.com/smukhade/pac-test
    - name: revision
      value: fd95e39ea40df73d8bd0f3abf0488b4ec4bc9293
  pipelineSpec:
    params:
      - name: repo_url
      - name: revision
    tasks:
      - name: fetchit
        params:
          - name: url
            value: $(params.repo_url)
          - name: revision
            value: $(params.revision)
        taskSpec:
          spec: null  # <<<<<<<------------ spec = null
          steps:
            - env:
                - ...
              image: $(params.gitInitImage)
              name: clone
              resources: {}
              script: |
                ....
          workspaces:
            - ....
        workspaces:
          - name: output
            workspace: source
    workspaces:
      - name: source
  workspaces:
    - name: source
      volumeClaimTemplate:
        metadata:
          creationTimestamp: null
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
        status: {}
status: {}
```
It has a field spec: null, which was added after 0.24.3, so the webhook is rejecting the request.
The PipelineRun you created should work fine with Tekton Pipelines release version >= v0.25.0.
cc @chmouel
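Added example (not from the thread, nor from Tekton or Pipelines-as-Code code): a minimal Go reproduction of the failure mode discussed above, assuming the webhook decodes with Go's strict unknown-field checking, which matches the error text in the log. The struct types, `decodeOld`, `clientPayload` and the image name are hypothetical simplifications.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Step is a hypothetical, heavily simplified stand-in for a Tekton step.
type Step struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// oldTaskSpec models an older server-side schema with no "spec" field.
type oldTaskSpec struct {
	Steps []Step `json:"steps,omitempty"`
}

// newTaskSpec models a newer client-side schema that gained "spec";
// without omitempty, an unset value is still emitted as "spec": null.
type newTaskSpec struct {
	Spec  json.RawMessage `json:"spec"`
	Steps []Step          `json:"steps,omitempty"`
}

// decodeOld decodes payload into the older schema; strict mode rejects
// fields the schema does not know (assumed webhook behaviour).
func decodeOld(payload []byte, strict bool) error {
	dec := json.NewDecoder(bytes.NewReader(payload))
	if strict {
		dec.DisallowUnknownFields()
	}
	var out oldTaskSpec
	return dec.Decode(&out)
}

// clientPayload serializes the newer type with Spec left unset
// (constructed sample data).
func clientPayload() []byte {
	b, _ := json.Marshal(newTaskSpec{Steps: []Step{{Name: "clone", Image: "example/git-init"}}})
	return b
}

func main() {
	p := clientPayload()
	fmt.Printf("payload: %s\n", p)
	fmt.Println("strict: ", decodeOld(p, true))
	fmt.Println("lenient:", decodeOld(p, false))
}
```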
Thanks @sm43, I will upgrade the version of Tekton Pipelines. Is it written anywhere what minimum version will be required to run this controller?
@hanzala1234 It's not indeed, I think we need to document this. Usually the go.mod file indicates the dependency we use https://github.com/openshift-pipelines/pipelines-as-code/blob/main/go.mod#L25 but that doesn't mean lower versions are not compatible.
(we try to follow the latest version of tekton as shipped on openshift pipelines so not bleeding edge but not too old)
Thanks for the details. This controller will always have an external dependency on OpenShift Pipelines. It's nice to have such information in the release notes about a particular version being compatible with a particular OpenShift and Tekton Pipelines version.
https://github.com/openshift-pipelines/pipelines-as-code/pull/752
@sm43 can we close this?
yep, documented !