Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Able to start pipelinerun from pipelinerun spec without providing value for workspace and the pipelinerun stays is Running(Started) state #3089

Closed
VeereshAradhya opened this issue Aug 11, 2020 · 11 comments
Closed

Able to start pipelinerun from pipelinerun spec without providing value for workspace and the pipelinerun stays is Running(Started) state #3089

VeereshAradhya opened this issue Aug 11, 2020 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@VeereshAradhya
Copy link

Expected Behavior

Pipelinerun should fail with some validation error

Actual Behavior

Pipelinerun starts and stays in Running(Started) state

Steps to Reproduce the Problem

  1. Create a task with workspace
  2. Create a pipeline with workspace using the above task
  3. Create pipelinerun spec file to start the pipelinerun for above pipeline and don't provide any value for the workspace
  4. start the pipelinerun using kubectl apply -f

Additional Info

  • Kubernetes version:

    Output of kubectl version:

    Client Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.0+b3b92b2", GitCommit:"b3b92b2", GitTreeState:"clean", BuildDate:"2020-07-15T09:27:21Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.3+012b3ec", GitCommit:"012b3ec", GitTreeState:"clean", BuildDate:"2020-07-24T07:23:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"linux/amd64"}

  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

    $ tkn version
Client version: 0.11.0
Pipeline version: v0.14.3
Triggers version: v0.6.1

Command logs

[varadhya@localhost workspace-testing]$ cat workspace-pipelinerun.yaml 
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test-workspace-pipeline-run-7
spec:
  params:
  - name: first-param
    value: simple value
  pipelineRef:
    name: test-workspace-pipeline
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
  - name: shared-workspace
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ oc apply -f workspace-pipelinerun.yaml 
pipelinerun.tekton.dev/test-workspace-pipeline-run-7 created
[varadhya@localhost workspace-testing]$ tkn pr ls --limit 1
NAME                            STARTED          DURATION   STATUS
test-workspace-pipeline-run-7   36 seconds ago   ---        Running(Started)
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn pr describe test-workspace-pipeline-run-7
Name:              test-workspace-pipeline-run-7
Namespace:         veeresh-testing
Pipeline Ref:      test-workspace-pipeline
Service Account:   pipeline
Timeout:           1h0m0s
Labels:
 tekton.dev/pipeline=test-workspace-pipeline

🌡️  Status

STARTED          DURATION   STATUS
49 seconds ago   ---        Running(Started)

📦 Resources

 No resources

⚓ Params

 NAME            VALUE
 ∙ first-param   simple value

🗂  Taskruns

 No taskruns
[varadhya@localhost workspace-testing]$

Spec files

[varadhya@localhost workspace-testing]$ cat workspace-task.yml 
apiVersion: tekton.dev/v1beta1 
kind: ClusterTask 
metadata:
  name: test-workspace-clustetask
spec:
  steps:
  - name: write-message
    image: ubuntu
    script: |
      #!/usr/bin/env bash
      set -xe
      echo hello! > $(workspaces.messages.path)/message
      cat $(workspaces.messages.path)/message
  workspaces:
  - name: messages
    description: The folder where we write the message to
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ cat workspace-pipeline.yaml 
apiVersion: tekton.dev/v1beta1 
kind: Pipeline 
metadata:
  name: test-workspace-pipeline
spec:
  params:
    - name: first-param
      description: this is the first param for Pipeline
  workspaces:
    - name: shared-workspace
      description: this is a shared workspace
  tasks:
    - name: first-task
      taskRef:
        name: test-workspace-clustetask
        kind: ClusterTask
      workspaces:
        - name: messages
          workspace: shared-workspace
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ cat workspace-pipelinerun.yaml 
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test-workspace-pipeline-run-7
spec:
  params:
  - name: first-param
    value: simple value
  pipelineRef:
    name: test-workspace-pipeline
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
  - name: shared-workspace
[varadhya@localhost workspace-testing]$
@VeereshAradhya VeereshAradhya added the kind/bug Categorizes issue or PR as related to a bug. label Aug 11, 2020
@bobcatfish
Copy link
Collaborator

Hey @VeereshAradhya we recently added a feature where you can specify a default that is controller wide (https://github.com/tektoncd/pipeline/blob/master/docs/workspaces.md#using-workspaces-in-tasks re default-task-run-workspace-binding), so maybe that default is being used?

(I do wonder @sbwsg @jerop if it would make sense to make it more obvious when the default is being used, e.g. require "defualt" is provided for a workspace vs just allowing it)

@VeereshAradhya you might get more info about what's going on if you look at the pod, e.g. kubectl get pod -l tekton.dev/PipelineRun=test-workspace-pipeline-run-7

@ghost
Copy link

ghost commented Aug 11, 2020
edited by ghost
Loading

Hm. This is odd. I definitely see a problem in the syntax of the PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test-workspace-pipeline-run-7
spec:
  params:
  - name: first-param
    value: simple value
  pipelineRef:
    name: test-workspace-pipeline
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
  - name: shared-workspace

Here the PipelineRun is "binding" a Workspace with name shared-workspace but isn't actually providing the volume configuration to go with it. We would normally expect something more along the lines of this:

workspaces:
- name: shared-workspace
  persistentVolumeClaim: # ... pvc info ...

Our code does check the number of volume configurations in the binding so I am a bit surprised this isn't erroring out here.

Agree with @bobcatfish that it would be useful to see the pod that was created here. It would also be useful to know the contents of the default configmap (kubectl get configmap -n tekton-pipelines config-defaults).

(I do wonder @sbwsg @jerop if it would make sense to make it more obvious when the default is being used, e.g. require "defualt" is provided for a workspace vs just allowing it)

I'd like to discuss this a bit more before forming an opinion on it. It seems, at least initially to me, to be a bit counter to the purpose of the feature to require it be opt-in at the Task/TaskRun level.

Sneaky edit to add: the Optional Workspaces TEP calls out that any Workspace marked optional will not receive the default taskrun workspace. That's mentioned in this section here.

@VeereshAradhya
Copy link
Author

VeereshAradhya commented Aug 12, 2020
edited
Loading

@sbwsg @bobcatfish I think I have not written the proper heading for the issue. The issue is I am able to create a pipelinerun (with status Running(Started)) without providing volume configuration for the workspace in pipelinerun spec. The pipelinerun does not create any taskruns/pods. When I do kubectl apply -f to a pipelinerun spec which does not provide volume configuration for workspace, it should throw an error instead of creating pipelinerun.
I have reproduced the issue in new namespace, below are the command execution logs and pipeline controller logs, let me know if anything more needs to be added

[varadhya@localhost workspace-testing]$ kubectl get pods
No resources found.
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn t ls
No Tasks found
[varadhya@localhost workspace-testing]$ tkn p ls
No Pipelines found
[varadhya@localhost workspace-testing]$ cat workspace-task.yml 
apiVersion: tekton.dev/v1beta1 
kind: Task 
metadata:
  name: test-workspace-task
spec:
  steps:
  - name: write-message
    image: ubuntu
    script: |
      #!/usr/bin/env bash
      set -xe
      echo hello! > $(workspaces.messages.path)/message
      cat $(workspaces.messages.path)/message
  workspaces:
  - name: messages
    description: The folder where we write the message to
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ cat workspace-pipeline.yaml 
apiVersion: tekton.dev/v1beta1 
kind: Pipeline 
metadata:
  name: test-workspace-pipeline
spec:
  params:
    - name: first-param
      description: this is the first param for Pipeline
  workspaces:
    - name: shared-workspace
      description: this is a shared workspace
  tasks:
    - name: first-task
      taskRef:
        name: test-workspace-task
        kind: Task
      workspaces:
        - name: messages
          workspace: shared-workspace
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ kubectl apply -f workspace-task.yml 
task.tekton.dev/test-workspace-task created
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ kubectl apply -f workspace-pipeline.yaml 
pipeline.tekton.dev/test-workspace-pipeline created
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn t ls
NAME                  DESCRIPTION   AGE
test-workspace-task                 14 seconds ago
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn p ls
NAME                      AGE             LAST RUN   STARTED   DURATION   STATUS
test-workspace-pipeline   6 seconds ago   ---        ---       ---        ---
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ cat workspace-pipelinerun.yaml 
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: test-workspace-pipeline-run-7
spec:
  params:
  - name: first-param
    value: simple value
  pipelineRef:
    name: test-workspace-pipeline
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
  - name: shared-workspace
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ kubectl apply -f workspace-pipelinerun.yaml 
pipelinerun.tekton.dev/test-workspace-pipeline-run-7 created
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn pr ls
NAME                            STARTED         DURATION   STATUS
test-workspace-pipeline-run-7   5 seconds ago   ---        Running(Started)
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ tkn tr ls
No TaskRuns found
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ 
[varadhya@localhost workspace-testing]$ kubectl get pods
No resources found.

[varadhya@localhost workspace-testing]$ kubectl logs tekton-pipelines-controller-6889f6f9c7-649nk -n tekton-pipelines | tail -n4
{"level":"error","logger":"tekton.github.com-tektoncd-pipeline-pkg-reconciler-pipelinerun.Reconciler","caller":"controller/controller.go:480","msg":"Reconcile error","commit":"6d12d1e","error":"1 error occurred:\n\t* error creating TaskRun called test-workspace-pipeline-run-7-first-task-6g8cr for PipelineTask first-task from PipelineRun test-workspace-pipeline-run-7: admission webhook \"validation.webhook.pipeline.tekton.dev\" denied the request: validation failed: expected exactly one, got neither: workspace.configmap, workspace.emptydir, workspace.persistentvolumeclaim, workspace.secret, workspace.volumeclaimtemplate\n\n","stacktrace":"github.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller.(*Impl).handleErr\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller/controller.go:480\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller/controller.go:466\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/controller/controller.go:403"}
{"level":"info","logger":"tekton.github.com-tektoncd-pipeline-pkg-reconciler-pipelinerun.Reconciler","caller":"controller/controller.go:467","msg":"Reconcile failed. Time taken: 29.753684ms","commit":"6d12d1e","knative.dev/traceid":"9caa610c-ac67-452b-a382-8a2fdf928918","knative.dev/key":"veeresh-pipelinerun-issue/test-workspace-pipeline-run-7"}
{"level":"info","logger":"tekton.event-broadcaster","caller":"record/event.go:281","msg":"Event(v1.ObjectReference{Kind:\"PipelineRun\", Namespace:\"veeresh-pipelinerun-issue\", Name:\"test-workspace-pipeline-run-7\", UID:\"29fd788b-e740-4a2d-9927-dd2f58797889\", APIVersion:\"tekton.dev/v1beta1\", ResourceVersion:\"331447\", FieldPath:\"\"}): type: 'Warning' reason: 'TaskRunCreationFailed' Failed to create TaskRun \"test-workspace-pipeline-run-7-first-task-6g8cr\": admission webhook \"validation.webhook.pipeline.tekton.dev\" denied the request: validation failed: expected exactly one, got neither: workspace.configmap, workspace.emptydir, workspace.persistentvolumeclaim, workspace.secret, workspace.volumeclaimtemplate","commit":"6d12d1e"}
{"level":"info","logger":"tekton.event-broadcaster","caller":"record/event.go:281","msg":"Event(v1.ObjectReference{Kind:\"PipelineRun\", Namespace:\"veeresh-pipelinerun-issue\", Name:\"test-workspace-pipeline-run-7\", UID:\"29fd788b-e740-4a2d-9927-dd2f58797889\", APIVersion:\"tekton.dev/v1beta1\", ResourceVersion:\"331447\", FieldPath:\"\"}): type: 'Warning' reason: 'InternalError' 1 error occurred:\n\t* error creating TaskRun called test-workspace-pipeline-run-7-first-task-6g8cr for PipelineTask first-task from PipelineRun test-workspace-pipeline-run-7: admission webhook \"validation.webhook.pipeline.tekton.dev\" denied the request: validation failed: expected exactly one, got neither: workspace.configmap, workspace.emptydir, workspace.persistentvolumeclaim, workspace.secret, workspace.volumeclaimtemplate\n\n","commit":"6d12d1e"}
[varadhya@localhost workspace-testing]$

@ghost
Copy link

ghost commented Aug 12, 2020

Got it, thanks for clarifying - that'll teach me to rush through reading the original issue >.<

This does indeed appear to be a bug in the validation of the PipelineRun. I'll work on reproducing my side and adding a fix.

@ghost ghost self-assigned this Aug 12, 2020
@ghost ghost mentioned this issue Aug 12, 2020
Merged
3 tasks
@ghost
Copy link

ghost commented Aug 12, 2020

It appears that there are two discrete bugs here. The first is that we're not validating the PipelineRun workspaces. The second is that somehow the PipelineRun reconciler is submitting an invalid TaskRun spec but then not putting the PipelineRun into a failed state when the TaskRun fails due to workspace validation error.

A fix for the PipelineRun validation is here: #3096

@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 10, 2020
@tekton-robot
Copy link
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 10, 2020
@vdemeester
Copy link
Member

@sbwsg @VeereshAradhya should we close this one ?

@ghost
Copy link

ghost commented Jan 8, 2021

sgtm /close

@ghost
Copy link

ghost commented Jan 8, 2021

/close

@tekton-robot
Copy link
Collaborator

@sbwsg: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@vdemeester @bobcatfish @VeereshAradhya @tekton-robot