chains annotations missing from `pod`
When a taskRun is created as part of a pipelineRun, chains adds some annotations to the taskRun.
https://github.com/tektoncd/chains/blob/70c8c7de563ba3d6c1e65a1e4e21c83335fa432a/pkg/chains/annotations.go#L68
Should these annotations be added to the pod as well?
The annotations are missing from the pod with the latest Tekton Pipelines and chains release.
```
k describe pod pipelinerun-buildpack-ssmtx-build-trusted-pod
Name:             pipelinerun-buildpack-ssmtx-build-trusted-pod
Namespace:        default
Priority:         0
Service Account:  default
Node:             tekton-control-plane/172.18.0.3
Start Time:       Mon, 11 Sep 2023 14:27:14 -0700
Labels:           app.kubernetes.io/managed-by=tekton-pipelines
                  app.kubernetes.io/version=0.1
                  tekton.dev/memberOf=tasks
                  tekton.dev/pipeline=buildpacks
                  tekton.dev/pipelineRun=pipelinerun-buildpack-ssmtx
                  tekton.dev/pipelineTask=build-trusted
                  tekton.dev/task=buildpacks
                  tekton.dev/taskRun=pipelinerun-buildpack-ssmtx-build-trusted
Annotations:      pipeline.tekton.dev/affinity-assistant: affinity-assistant-05f43c43b3
                  pipeline.tekton.dev/release: 82a405a
                  tekton.dev/categories: Image Build
                  tekton.dev/displayName: Buildpacks
                  tekton.dev/pipelines.minVersion: 0.17.0
                  tekton.dev/platforms: linux/amd64
                  tekton.dev/ready: READY
                  tekton.dev/tags: image-build
```
```
k describe tr pipelinerun-buildpack-ssmtx-build-trusted
Name:         pipelinerun-buildpack-ssmtx-build-trusted
Namespace:    default
Labels:       app.kubernetes.io/managed-by=tekton-pipelines
              app.kubernetes.io/version=0.1
              tekton.dev/memberOf=tasks
              tekton.dev/pipeline=buildpacks
              tekton.dev/pipelineRun=pipelinerun-buildpack-ssmtx
              tekton.dev/pipelineTask=build-trusted
              tekton.dev/task=buildpacks
Annotations:  chains.tekton.dev/cert-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
              chains.tekton.dev/chain-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
              chains.tekton.dev/payload-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
                eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3...
              chains.tekton.dev/signature-taskrun-2ba30c4d-f9ee-4160-a273-3557aac94e0e:
                eyJwYXlsb2FkVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2pzb24iLCJwYXlsb2FkIjoiZXlKZmRIbHdaU0k2SW1oMGRIQnpPaTh2YVc0dGRHOTBieTVwYnk5VGRHRjBaVz...
              chains.tekton.dev/signed: true
              pipeline.tekton.dev/affinity-assistant: affinity-assistant-05f43c43b3
              pipeline.tekton.dev/release: 82a405a
              tekton.dev/categories: Image Build
              tekton.dev/displayName: Buildpacks
              tekton.dev/pipelines.minVersion: 0.17.0
              tekton.dev/platforms: linux/amd64
              tekton.dev/tags: image-build
```
/kind question
I don't think they should be added. Usually, those annotations are added "after" the execution, and thus, the taskrun itself is not reconciled, and we do not need to update the labels/annotation on them.
In general, there are no rules for having all annotations attached to the TaskRun to be available on the Pod itself.
Right, they are added after the pod execution is complete.
What is the best way to identify that a taskRun was signed by chains in the dashboard?
Dashboard lists the taskRuns and each taskRun tab has Parameters, Status, and Pod.
The annotations on a taskRun are not listed in the taskRun.Status section in the dashboard. The Pod section has all the details of a pod, but the chains annotations are missing since they were added to the taskRun after it was complete.
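Until a UI shows it, the signed state can be read from the TaskRun object itself. The sketch below is an added example, not code from this thread or from the chains project: it takes a TaskRun as parsed JSON (for instance from `kubectl get tr NAME -o json`) and reports what the chains annotations claim, using the annotation names and base64 layout visible in the `describe` output above. The function name and the sample objects are constructed for illustration.

```python
import base64
import json

PREFIX = "chains.tekton.dev/"

def chains_summary(taskrun: dict) -> dict:
    """Report what the Chains annotations on a TaskRun object claim."""
    ann = taskrun.get("metadata", {}).get("annotations") or {}
    out = {"marked_signed": ann.get(PREFIX + "signed") == "true",
           "predicate_type": None, "subjects": [], "problems": []}
    sigs = [v for k, v in ann.items() if k.startswith(PREFIX + "signature-taskrun-")]
    if not sigs:
        if out["marked_signed"]:
            out["problems"].append("signed=true but no signature annotation")
        return out
    try:
        # Layout seen in the output above: base64(envelope JSON), whose
        # "payload" field is base64(in-toto statement JSON).
        envelope = json.loads(base64.b64decode(sigs[0], validate=True))
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
        out["predicate_type"] = statement["predicateType"]
        out["subjects"] = [s["name"] for s in statement.get("subject", [])]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        out["problems"].append(f"signature annotation not decodable: {exc!r}")
    # Decoding is inspection only: it does not verify the signature, and
    # annotations can be written by anyone allowed to patch the TaskRun.
    return out

def _b64(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample objects (not taken from a real cluster).
_STATEMENT = {"_type": "https://in-toto.io/Statement/v0.1",
              "predicateType": "https://slsa.dev/provenance/v0.2",
              "subject": [{"name": "registry.example/app", "digest": {"sha256": "0" * 64}}]}
_ENVELOPE = {"payloadType": "application/vnd.in-toto+json",
             "payload": _b64(_STATEMENT), "signatures": [{"sig": "constructed"}]}
SIGNED_TR = {"metadata": {"annotations": {
    PREFIX + "signed": "true",
    PREFIX + "signature-taskrun-00000000-0000-0000-0000-000000000000": _b64(_ENVELOPE)}}}
MARKER_ONLY_TR = {"metadata": {"annotations": {PREFIX + "signed": "true"}}}
POD = {"metadata": {"annotations": {"tekton.dev/ready": "READY"}}}

if __name__ == "__main__":
    for name, obj in [("signed", SIGNED_TR), ("marker only", MARKER_ONLY_TR), ("pod", POD)]:
        print(name, chains_summary(obj))
```

A `marked_signed` result with an entry in `problems` is worth a closer look, since the marker annotation alone says nothing about what was attested.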
@pritidesai I would assume this should be a feature request for the dashboard then (to display taskrun annotations - same for pipelinerun at least)
Had some discussion with @pritidesai and this would be a feature request for the dashboard as @vdemeester mentioned.
We need to add an indication (tekton chains logo) when a task is signed by tekton chains and produces two additional results: image_url and image_digest.
Do we have to open the issue (or feature request) on the other repository?
> Do we have to open the issue (or feature request) on the other repository?

Yes, tektoncd/dashboard