Dereference the TaskSpec into TaskRun.Status.

[dlorenc]

Changes

The Task definition used for a TaskRun can change after the TaskRun
has started. This poses problems for auditability post-run. Rather
than chase down every part of a Task that we might like to audit later,
let's just add the entire thing here.

This is a replacement for #2399

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

• If you are adding a new binary/image to the cmd dir, please update
  the release Task to build and release this image.

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

The TaskRun.Status now contains a TaskSpec field, including the full dereferenced Task used to instantiate the run.

[afrittoli]

Nice, I was going to work on this after I finished #2421 :)
This is both a benefit to auditability, but it also should improve the reconcile performance, since we now fetch the task on every reconcile cycle.
Once we start fetching tasks from an OCI registry, it will be even more relevant.

One though I have is that we should also store resources in the status.

[dlorenc]

/test pull-tekton-pipeline-integration-tests

[afrittoli]

Thanks for this!
I have one comment on this.
Even if only use it for audit for now, I would still add the task to the status when we first obtain the task

[afrittoli]

We might want to store this into the TaskRun status when we first fetch it, i.e.

pipeline/pkg/reconciler/taskrun/taskrun.go

Lines 207 to 208 in 9344e4f

	getTaskFunc, kind := c.getTaskFunc(tr)
	taskMeta, taskSpec, err := resources.GetTaskData(ctx, tr, getTaskFunc)

We could then modify that could to fetch the task only if not available in the status, and else use that from status

[dlorenc]

Whoa, yeah thanks. Do you think it's enough to only set this once, the first time?

[afrittoli]

Yes, I think that would be great! Especially when the task spec is not embedded in the taskrun spec, this avoids issues when the task definition is updated during the run.

The only case where is use the change to the spec for something is cancel, so we would have to find an alternative for that. Perhaps the tkn client could reset the task definition in status to force a reload? @vdemeester what do you think?

[afrittoli]

Oh, actually it would not break cancel since that goes in the spec of the taskrun, not of the task - so fetching the task only once would work just fine!

[vdemeester]

yeah

[dlorenc]

One though I have is that we should also store resources in the status.

I hesitated on this one for now. We get some of the resource info in the status now (under containers):

{
      "container": "step-git-source-skaffold-git-build-push-kaniko-p28nk",
      "imageID": "docker-pullable://gcr.io/dlorenc-vmtest2/git-init-4874978a9786b6625dd8b6ef2a21aa70@sha256:99f410cc098b4300384ad056c8febf5bb79e4749417b5e9621fc529514c4a0c3",
      "name": "git-source-skaffold-git-build-push-kaniko-p28nk",
      "terminated": {
        "containerID": "docker://b96396af17dea856526547ef5e140478148d4d672c8bda8a95e6010380e7cfab",
        "exitCode": 0,
        "finishedAt": "2020-04-20T15:32:20Z",
        "message": "[{\"key\":\"commit\",\"value\":\"6ed7aad5e8a36052ee5f6079fc91368e362121f7\",\"resourceRef\":{\"name\":\"skaffold-git-build-push-kaniko\"}}]",
        "reason": "Completed",
        "startedAt": "2020-04-20T15:32:18Z"
      }
    },

This doesn't include commands/arguments, but it's close. We also get resourcesResults.

Should we add them to the v1beta1 API, given we don't know the future of them yet? #2447

[afrittoli]

/lgtm

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ dlorenc (1f9c107)

[afrittoli]

Thanks for this!
We should do the same for pipelines :)
/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [afrittoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bobcatfish]

🎉

[dlorenc]

/test pull-tekton-pipeline-build-tests

[dlorenc]

/test pull-tekton-pipeline-integration-tests

[dibyom]

/lgtm

[dlorenc]

/test pull-tekton-pipeline-integration-tests

[skaegi]

Yep. Apart from my own selfish utility concerns ;) size in etcd is the only real concern. This is still fairly safe and not going to break anything for us.

[dlorenc]

/test pull-tekton-pipeline-integration-tests

[dibyom]

/test pull-tekton-pipeline-build-tests

[bobcatfish]

I believe this and #2489 fixed #279