Comments (8)
afrittoli
commented on July 24, 2024
Thanks @wilstdu for reporting this.
I looked for changes in v0.55 that could have caused this change in behaviour, but nothing stood out for me.
@vdemeester @imjasonh do you have any idea about what might have broken this behaviour?
from pipeline.
vdemeester
commented on July 24, 2024
Essentially, the pipeline controller pod doesn't have the rights to fetch the images β really the image configuration β not the entrypoint.
@wilstdu what previous version was it working ? 0.54, or even previously ? Also, does it still not work with 0.56 or 0.57 ?
from pipeline.
wilstdu
commented on July 24, 2024
@vdemeester, I was upgrading Tekton pipelines from v0.44.0 to v0.56.1.
I checked multiple Tekton Pipeline versions in between, and the last working one was 0.54, with 0.55 entry point retrieval no longer works. The only different thing in my setup was tekton-pipelines pod running different version - everything else stayed the same.
It doesn't work with 0.56, nor with 0.57.
from pipeline.
vdemeester
commented on July 24, 2024
@wilstdu interesting π€
So, they way the pipeline controller work (in that part) is that it's taking we are taking the imagePullSecrets from the service account attached to the pipelinerun and the imagePullSecrets from the podTemplate (taskRun.Spec.ServiceAccountName, podTemplate.ImagePullSecrets in code) as well as some amazon (or other cloud) specifics (the "cloud-specific" part comes from go-containerregistry really β and I am not familiar at all of what it does). Nothing in that part of the code changed synced 2022, so either something changed in go-containerregistry, or something else weird is happening π€
from pipeline.
afrittoli
commented on July 24, 2024
I also thought that maybe it was go-containerregistry, but there was no version change between v0.54 and v0.55:
β git diff v0.54.0..v0.55.0 -- go.mod | grep containerreg
github.com/google/go-containerregistry v0.16.1
github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20230625233257-b8504803389b
github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa
from pipeline.
vdemeester
commented on July 24, 2024
@afrittoli yeah, that's what make me wonder what the hell is happening here π There is changes in the "indirect" dependencies from aws/ecr.
Ξ» git diff v0.54.0..v0.55.0 -- go.mod | grep aws
- github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5
+ github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.6
- github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.27.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 // indirect
- github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.23.5 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.25.11 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.16.9 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.18.11 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.16.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
- github.com/aws/smithy-go v1.15.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 // indirect
+ github.com/aws/smithy-go v1.18.1 // indirect
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7 // indirect
But not on github.com/awslabs/amazon-ecr-credential-helper/ecr-login, so I am not sure if it as any impactβ¦
from pipeline.
afrittoli
commented on July 24, 2024
@wilstdu if you're familiar with the process of building Tekton, you could try building a v0.55 with github.com/sigstore/sigstore/pkg/signature/kms/aws== v1.7.5 - I imagine that's what's pulling in all the new aws packages, and see if that works. If not I could try and build that for you on some public artifact repo.
from pipeline.
wilstdu
commented on July 24, 2024
@afrittoli if I did no mistakes when building the controller image - result is the same.
from pipeline.
Related Issues (20)
- Add the ability to override the `timeout` value for individual pipeline tasks via taskRunSpecs in a pipelineRun
- The params in step are passed to `stdoutConfig.path`. HOT 1
- [StepAction] taskSpec.results in Pipeline not works with workspaces HOT 5
- Tekton pipeline validation crashes on script validation in Openshift HOT 1
- Tekton upgrade to v0.56.2 is broken HOT 7
- TaskRun Fails to Create Pod When ServiceAccount References Non-Existent Secret HOT 3
- Unexpected Default βkindβ in taskRef When Using Resolver in Tekton Pipelines HOT 1
- multiple interpolations in stepResult substitution should be allowed HOT 1
- Pipeline fails with default array params when type is not specified in remote resource HOT 1
- Action Button not visible HOT 2
- Is the `retries` count for Task without validation by design?
- Support full podtemplate spec for affinity assistant pod HOT 1
- When debug is not turned on correctly, redundant volumes appear HOT 1
- Add support for integer in params of pipeline HOT 1
- Timeout not working on Pipeline run HOT 4
- [0.56.x] stepaction isn't configured for conversion webhook HOT 1
- Workingdir does not give write access to the group HOT 2
- TEP-0142 Promote StepActions to Beta HOT 3
- WIP: TaskRun recoverable error, `CreateContainerConfigError` neither resumes PipelineRun on fix, nor times out
- Pipelinerun and Taskrun Count metrics should have less cardinality HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pipeline.