Use cluster issuer as default builder id
Changes
This is probably the most "correct" value for this field - it should uniquely identify the cluster, and will match other signature data included in Fulcio certs, etc.
This is technically a breaking change, but likely one worth making. Users can still override this behavior with the config map as before. If omitted, this field is not populated as an indication that we don't know how to accurately identify this cluster.
Part of #640 - this doesn't resolve the SLSA Build Level aspects of the Builder ID (which I wish it didn't have to be encoded in the Builder ID, but that ship has sailed for SLSA v1 ¯\_(ツ)_/¯)
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
- [x] Has Docs included if any changes are user facing
- [x] Has Tests included if any functionality added or changed
- [x] Follows the commit message standard
- [x] Meets the Tekton contributor standards (including functionality, content, code)
- [x] Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
- [ ] Release notes contain the string "action required" if the change requires additional action from users switching to the new release
Release Notes
BREAKING CHANGE: The default Builder ID for SLSA provenance now defaults to the cluster's OIDC token issuer instead of a static string.
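An added example (not the Chains code in this PR) showing the precedence the description lays out, in Go: an explicit config-map override wins, otherwise the issuer is read from the cluster's OIDC discovery document, and the field stays empty when neither is available. The discovery JSON and the override URL are constructed for illustration; fetching the document from the API server is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// openIDConfig holds the one field of the OIDC discovery document
// (/.well-known/openid-configuration) that matters here: the issuer.
type openIDConfig struct {
	Issuer string `json:"issuer"`
}

// clusterIssuer parses an OIDC discovery document and returns its issuer,
// rejecting anything that is not an absolute https URL.
func clusterIssuer(discovery []byte) (string, error) {
	var cfg openIDConfig
	if err := json.Unmarshal(discovery, &cfg); err != nil {
		return "", fmt.Errorf("parsing discovery document: %w", err)
	}
	u, err := url.Parse(cfg.Issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("discovery document has no usable https issuer")
	}
	return cfg.Issuer, nil
}

// builderID applies the precedence from the PR description: a config-map
// override wins; otherwise the cluster issuer is used; if neither is
// available the field is left empty so consumers can tell the cluster
// could not be identified.
func builderID(override string, discovery []byte) string {
	if override != "" {
		return override
	}
	iss, err := clusterIssuer(discovery)
	if err != nil {
		return ""
	}
	return iss
}

func main() {
	// Constructed sample discovery document; not captured from a real cluster.
	doc := []byte(`{"issuer":"https://oidc.example.invalid/clusters/demo","jwks_uri":"https://oidc.example.invalid/jwks"}`)
	fmt.Println(builderID("", doc))                                  // issuer from the cluster
	fmt.Println(builderID("https://builder.example.invalid/v1", doc)) // override wins
	fmt.Println(builderID("", []byte(`{}`)))                         // empty: unknown cluster
}
```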
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: To complete the pull request process, please ask for approval from wlynch after the PR has been reviewed.
The following is the coverage report on the affected files.
| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/internal/cluster/builder_id.go | Does not exist | 68.2% | |
@wlynch: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-tekton-chains-unit-tests | b50350b076fe71a6a3bfe19f66d4127937c499ec | link | true | /test pull-tekton-chains-unit-tests |
| pull-tekton-chains-integration-tests | b50350b076fe71a6a3bfe19f66d4127937c499ec | link | true | /test pull-tekton-chains-integration-tests |
@wlynch: PR needs rebase.