add spire_disabled build tag for entrypoint command

tektoncd · Feb 5, 2025 · e6535ed · e6535ed
1 parent a3ee865
commit e6535ed
Show file tree

Hide file tree

Showing 6 changed files with 159 additions and 23 deletions.
diff --git a/cmd/entrypoint/main.go b/cmd/entrypoint/main.go
@@ -30,15 +30,12 @@ import (
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/tektoncd/pipeline/cmd/entrypoint/subcommands"
-	featureFlags "github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/credentials"
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
-	"github.com/tektoncd/pipeline/pkg/spire"
-	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 )
 
@@ -59,9 +56,7 @@ var (
 	onError             = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir        = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
-	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
-	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
-	resultExtractionMethod = flag.String("result_from", featureFlags.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
+	resultExtractionMethod = flag.String("result_from", entrypoint.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
 )
 
 const (
@@ -130,13 +125,7 @@ func main() {
 		}
 	}
 
-	var spireWorkloadAPI spire.EntrypointerAPIClient
-	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
-		spireConfig := config.SpireConfig{
-			SocketPath: *socketPath,
-		}
-		spireWorkloadAPI = spire.NewEntrypointerAPIClient(&spireConfig)
-	}
+	spireWorkloadAPI := initializeSpireAPI()
 
 	e := entrypoint.Entrypointer{
 		Command:         append(cmd, commandArgs...),

diff --git a/cmd/entrypoint/spire.go b/cmd/entrypoint/spire.go
@@ -0,0 +1,41 @@
+//go:build !disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"flag"
+
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
+)
+
+var (
+	enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath  = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+)
+
+func initializeSpireAPI() spire.EntrypointerAPIClient {
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+		return spire.NewEntrypointerAPIClient(&spireConfig)
+	}
+	return nil
+}
diff --git a/cmd/entrypoint/spire_disable.go b/cmd/entrypoint/spire_disable.go
@@ -0,0 +1,36 @@
+//go:build disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+)
+
+// EntrypointerAPIClient interface maps to the spire entrypointer API to interact with spire
+type EntrypointerAPIClient interface {
+	Close() error
+	// Sign returns the signature material to be put in the RunResult to append to the output results
+	Sign(ctx context.Context, results []result.RunResult) ([]result.RunResult, error)
+}
+
+func initializeSpireAPI() EntrypointerAPIClient {
+	return nil
+}
diff --git a/pkg/entrypoint/entrypointer.go b/pkg/entrypoint/entrypointer.go
@@ -38,7 +38,6 @@ import (
 	"github.com/tektoncd/pipeline/pkg/internal/resultref"
 	"github.com/tektoncd/pipeline/pkg/pod"
 	"github.com/tektoncd/pipeline/pkg/result"
-	"github.com/tektoncd/pipeline/pkg/spire"
 	"github.com/tektoncd/pipeline/pkg/termination"
 
 	"github.com/google/cel-go/cel"
@@ -53,8 +52,9 @@ const (
 )
 
 const (
-	breakpointExitSuffix       = ".breakpointexit"
-	breakpointBeforeStepSuffix = ".beforestepexit"
+	breakpointExitSuffix                     = ".breakpointexit"
+	breakpointBeforeStepSuffix               = ".beforestepexit"
+	ResultExtractionMethodTerminationMessage = "termination-message"
 )
 
 // DebugBeforeStepError is an error means mark before step breakpoint failure
@@ -147,7 +147,7 @@ type Entrypointer struct {
 	// StepMetadataDir is the directory for a step where the step related metadata can be stored
 	StepMetadataDir string
 	// SpireWorkloadAPI connects to spire and does obtains SVID based on taskrun
-	SpireWorkloadAPI spire.EntrypointerAPIClient
+	SpireWorkloadAPI EntrypointerAPIClient
 	// ResultsDirectory is the directory to find results, defaults to pipeline.DefaultResultPath
 	ResultsDirectory string
 	// ResultExtractionMethod is the method using which the controller extracts the results from the task pod.
@@ -444,13 +444,11 @@ func (e Entrypointer) readResultsFromDisk(ctx context.Context, resultDir string,
 		})
 	}
 
-	if e.SpireWorkloadAPI != nil {
-		signed, err := e.SpireWorkloadAPI.Sign(ctx, output)
-		if err != nil {
-			return err
-		}
-		output = append(output, signed...)
+	signed, err := signResults(ctx, e.SpireWorkloadAPI, output)
+	if err != nil {
+		return err
 	}
+	output = append(output, signed...)
 
 	// push output to termination path
 	if e.ResultExtractionMethod == config.ResultExtractionMethodTerminationMessage && len(output) != 0 {

diff --git a/pkg/entrypoint/spire.go b/pkg/entrypoint/spire.go
@@ -0,0 +1,38 @@
+//go:build !disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package entrypoint
+
+import (
+	"context"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+	"github.com/tektoncd/pipeline/pkg/spire"
+)
+
+// EntrypointerAPIClient defines the interface for SPIRE operations
+type EntrypointerAPIClient interface {
+	spire.EntrypointerAPIClient
+}
+
+func signResults(ctx context.Context, api EntrypointerAPIClient, results []result.RunResult) ([]result.RunResult, error) {
+	if api == nil {
+		return nil, nil
+	}
+	return api.Sign(ctx, results)
+}
diff --git a/pkg/entrypoint/spire_disabled.go b/pkg/entrypoint/spire_disabled.go
@@ -0,0 +1,34 @@
+//go:build disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package entrypoint
+
+import (
+	"context"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+)
+
+// EntrypointerAPIClient defines the interface for SPIRE operations
+type EntrypointerAPIClient interface {
+	Sign(ctx context.Context, results []result.RunResult) ([]result.RunResult, error)
+}
+
+func signResults(ctx context.Context, api EntrypointerAPIClient, results []result.RunResult) ([]result.RunResult, error) {
+	return nil, nil
+}