
Deprecate `chains` command

Open lcarva opened this issue 7 months ago • 3 comments

The tkn chains command provides two subcommands, one to print the signature and one to print the payload, e.g.

🐚 tkn chain signature simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107363.088566,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107363.088608,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
[MEUCIQDIhVBQJ4ZkOv/DAbk5pSlMkGLuMfTlWutoEpBati++qwIgW9YxydQCAuAbNK9UrdG6bjqWhqrPWHSm9OKvjzKakps=]

🐚 tkn chain payload simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107398.3294013,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107398.3294427,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"quay.io/lucarval/min","digest":{"sha256":"579f2c8575c5dcf1415100f6c1dc4483b3f90a0c7fa0085b87c04fe4d808aa71"}}],"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"buildConfig":{"tasks":[{"finishedOn":"2025-05-01T13:46:52Z","invocation":{"configSource":{},"environment":{"annotations":{"pipeline.tekton.dev/affinity-assistant":"aff ...

There are some shortcomings and issues with this command:

  1. The user must have access to the in-cluster Chains config. A regular user is unlikely to have this level of access.
  2. There is usually a better way of retrieving such information, e.g. cosign for OCI storage, or whatever client the storage backend supports.
  3. Command doesn't support PipelineRuns, only TaskRuns. Support could be added, of course.
  4. When implementing support for a new backend in Chains, we must also add corresponding Retrieve* functions. These are not always straightforward for different storage backends. They serve no purpose other than to fulfill this CLI use case.

Given the above, I believe we should deprecate the tkn chains CLI command and remove it completely once the required deprecation period has passed. (If we proceed here, we should also close https://github.com/tektoncd/cli/issues/1547)

cc @wlynch, @chitrangpatel, @PuneetPunamiya

lcarva, May 01 '25 14:05
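
Added example, not part of the issue and not Tekton project code: once an attestation has been fetched with the storage backend's own client (point 2 above), its content can be checked without the in-cluster Chains config. The sketch assumes the fetched object is a DSSE envelope whose base64 `payload` is the in-toto statement; `CheckSubject` and `SampleEnvelope` are hypothetical names, and the sample is constructed from the fields visible in the payload output above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SampleDigest is the subject digest shown in the issue's payload output.
const SampleDigest = "579f2c8575c5dcf1415100f6c1dc4483b3f90a0c7fa0085b87c04fe4d808aa71"

// Constructed sample: only the statement fields visible in the issue are kept.
const sampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"quay.io/lucarval/min","digest":{"sha256":"` + SampleDigest + `"}}],"predicateType":"https://slsa.dev/provenance/v0.2"}`

// SampleEnvelope wraps the sample in a DSSE-style envelope (signatures omitted).
func SampleEnvelope() []byte {
	b, _ := json.Marshal(map[string]string{
		"payloadType": "application/vnd.in-toto+json",
		"payload":     base64.StdEncoding.EncodeToString([]byte(sampleStatement)),
	})
	return b
}

// CheckSubject returns the predicateType if a subject carries wantSHA256.
// Content check only: it does not verify the envelope signature.
func CheckSubject(env []byte, wantSHA256 string) (string, error) {
	var e struct{ PayloadType, Payload string }
	if err := json.Unmarshal(env, &e); err != nil {
		return "", fmt.Errorf("envelope: %w", err)
	}
	if e.PayloadType != "application/vnd.in-toto+json" {
		return "", fmt.Errorf("unexpected payloadType %q", e.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(e.Payload)
	if err != nil {
		return "", fmt.Errorf("payload: %w", err)
	}
	var s struct {
		PredicateType string
		Subject       []struct{ Digest map[string]string }
	}
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", fmt.Errorf("statement: %w", err)
	}
	for _, sub := range s.Subject {
		if sub.Digest["sha256"] == wantSHA256 {
			return s.PredicateType, nil
		}
	}
	return "", fmt.Errorf("no subject with sha256:%s", wantSHA256)
}

func main() { fmt.Println(CheckSubject(SampleEnvelope(), SampleDigest)) }
```

A matching subject only shows that the statement is about the expected image; trust in the statement still depends on verifying the envelope signature with the backend's client.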

Hi @lcarva, if I understand correctly, we are looking to deprecate only the payload and signature subcommands of chain, not the chain command itself.

pratap0007, May 29 '25 15:05

@pratap0007, I think if we remove payload and signature, we should also remove chains. Otherwise, it will just be an empty command:

$ tkn chains --help
Manage Chains

Usage:
tkn chain [flags]
tkn chain [command]


Aliases:
  chain, chains

Available Commands:
  payload     Print Tekton Chains' payload for a specific taskrun
  signature   Print Tekton Chains' signature for a specific taskrun

lcarva, May 29 '25 16:05

Thank you for clarifying it.

pratap0007, May 29 '25 16:05