I expect PipelineRun/TaskRun authentication to be consistent throughout the Tekton Pipelines project.
Tekton Pipelines has a strange mix of implicit and explicit authentication. As far as I can tell, Git and Image PipelineResources are the only PipelineResources that use the implicit authentication outlined in auth.md. It seems like all of the other PipelineResources use an explicit secrets field for authentication:
secrets:
  - fieldName: authToken
    secretName: github-secrets
    secretKey: token
The example is from the Pull Request Resource, and this explicit design is also used by the Cluster and Storage Resources.
As a user, I think that it is confusing to set up a PipelineRun/TaskRun when I have to use a mix of both explicit and implicit authentication. I think that authentication would be more straightforward if it was either all explicit or all implicit (not a combination of both). Personally, I like explicit over implicit, because it's easier to keep track of what secrets are used in each PipelineRun/TaskRun.
Note that PipelineResources are going through a "major" re-design, so… hopefully this is taken into account too, cc @sbwsg
/kind question
/kind api
With PipelineResources not being in beta, and the new Tasks in the catalog to replace its use, the auth story is more explicit now I think? Is this still a concern @ncskier ?
I guess it isn't a concern anymore. Is the implicit authentication pattern with annotations being deprecated?
Is the implicit authentication pattern with annotations being deprecated?
We're supporting it into the Beta but I have a pretty strong feeling we'll need to revisit it, particularly in light of changes to the $HOME directory in an upcoming release. #2013 for more info on that.
Note that the pullrequest Task in the catalog is using a param to identify the name of the key https://github.com/tektoncd/catalog/tree/v1beta1-wip/pullrequest#configuring-the-tasks - not sure we'd want it to be implicit 🤔
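To make the implicit/explicit split discussed in this thread concrete, here is an added example (not part of the thread and not Tekton's own code) that inventories which Secrets a run would receive each way. It assumes, following auth.md, that implicit credentials are Secrets attached to the run's ServiceAccount and annotated `tekton.dev/git-*` or `tekton.dev/docker-*`; all object names and sample data are constructed, and the function names are hypothetical.

```python
# Constructed sample objects, shaped like `kubectl get ... -o json` items.
SECRETS = [
    {"metadata": {"name": "git-basic",
                  "annotations": {"tekton.dev/git-0": "https://github.com"}},
     "type": "kubernetes.io/basic-auth"},
    {"metadata": {"name": "registry-creds",
                  "annotations": {"tekton.dev/docker-0": "https://gcr.io"}},
     "type": "kubernetes.io/basic-auth"},
    {"metadata": {"name": "github-secrets"}, "type": "Opaque"},
    # Annotated, but not attached to the ServiceAccount: must not be reported.
    {"metadata": {"name": "unrelated",
                  "annotations": {"tekton.dev/git-0": "https://gitlab.com"}},
     "type": "kubernetes.io/basic-auth"},
]
SERVICE_ACCOUNT = {"metadata": {"name": "build-bot"},
                   "secrets": [{"name": "git-basic"}, {"name": "registry-creds"},
                               {"name": "github-secrets"}]}
# Explicit form, copied from the `secrets` field quoted in the issue.
PR_RESOURCE_SPEC = {"secrets": [{"fieldName": "authToken",
                                 "secretName": "github-secrets",
                                 "secretKey": "token"}]}

# Assumption: annotation prefixes that trigger implicit auth (per auth.md).
IMPLICIT_PREFIXES = ("tekton.dev/git-", "tekton.dev/docker-")

def implicit_credentials(service_account, secrets):
    """Secrets picked up without being named anywhere in the run spec."""
    attached = {ref["name"] for ref in service_account.get("secrets", [])}
    found = []
    for secret in secrets:
        name = secret["metadata"]["name"]
        if name not in attached:
            continue
        annotations = secret["metadata"].get("annotations", {})
        for key, target in sorted(annotations.items()):
            if key.startswith(IMPLICIT_PREFIXES):
                found.append((name, key, target))
    return found

def explicit_credentials(resource_spec):
    """Secrets named directly in a resource's `secrets` field."""
    return [(e["secretName"], e["secretKey"], e["fieldName"])
            for e in resource_spec.get("secrets", [])]

def inventory(service_account, secrets, resource_specs):
    """One row per credential, so a reviewer sees both kinds side by side."""
    rows = [(n, "implicit", f"{k} -> {t}")
            for n, k, t in implicit_credentials(service_account, secrets)]
    for spec in resource_specs:
        rows += [(n, "explicit", f"{key} as {field}")
                 for n, key, field in explicit_credentials(spec)]
    return rows
```

Note that `github-secrets` is attached to the ServiceAccount but carries no Tekton annotation, so it only appears in the inventory because the resource names it explicitly.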
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
Send feedback to tektoncd/plumbing.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
@tekton-robot: Closing this issue.