Dereference the TaskSpec into TaskRun.Status.

The Task definition used for a TaskRun can change after the TaskRun has started. This poses problems for auditability post-run. Rather than chase down every part of a Task that we might like to audit later, let's just add the entire thing here. This is a replacement for tektoncd#2399
dlorenc · Apr 28, 2020 · 6675e3f · 6675e3f
1 parent a7a4c5d
commit 6675e3f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -318,6 +318,8 @@ status in the `steps.results` field using the following command, where `<name>`
 
 The exact Task Spec used to instantiate the TaskRun is also included in the Status for full auditability.
 
+The exact Task Spec used to instantiate the TaskRun is also included in the Status for full auditability.
+
 ### Steps
 
 The corresponding statuses appear in the `status.steps` list in the order in which the `Steps` have been

diff --git a/pkg/reconciler/taskrun/taskrun.go b/pkg/reconciler/taskrun/taskrun.go
@@ -260,6 +260,11 @@ func (c *Reconciler) prepare(ctx context.Context, tr *v1alpha1.TaskRun) (*v1alph
 		c.Logger.Errorf("Failed to store TaskSpec on TaskRun.Statusfor taskrun %s: %v", tr.Name, err)
 	}
 
+	// Store the fetched TaskSpec on the TaskRun for auditing
+	if err := storeTaskSpec(ctx, tr, taskSpec); err != nil {
+		c.Logger.Errorf("Failed to store TaskSpec on TaskRun.Statusfor taskrun %s: %v", tr.Name, err)
+	}
+
 	// Propagate labels from Task to TaskRun.
 	if tr.ObjectMeta.Labels == nil {
 		tr.ObjectMeta.Labels = make(map[string]string, len(taskMeta.Labels)+1)