Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make EC verify task timeout infinite #1613

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Make EC verify task timeout infinite #1613

wants to merge 1 commit into from

Conversation

ralphbean
Copy link
Member

@ralphbean ralphbean commented Nov 15, 2024

Before this change, users could use the TIMEOUT param to increase their timeout up from the 5m default, but they would hit a ceiling. If they increased their timeout past 2h, then a tekton default on timeout for the task itself would kick in.

lcarva
lcarva previously approved these changes Nov 18, 2024
@lcarva
Copy link
Contributor

lcarva commented Nov 18, 2024

/retest

2 similar comments
@MartinBasti
Copy link
Contributor

/retest

@MartinBasti
Copy link
Contributor

/retest

@MartinBasti
Copy link
Contributor

step-build-bundles

*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Creating Tekton Bundle:
	- Added Pipeline: docker-build-multi-platform-oci-ta to image

Pushed Tekton Bundle to quay.io/konflux-ci/pull-request-builds@sha256:0d7cbafcb3e40339ad245e606ee32e9256874fbd0a64b9e1386ecc718a0e4d01
Created:
quay.io/konflux-ci/pull-request-builds:docker-build-multi-platform-oci-ta-de5ee9a9d078b6a286a67eb352815a4361cc20d2@sha256:0d7cbafcb3e40339ad245e606ee32e9256874fbd0a64b9e1386ecc718a0e4d01
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Creating Tekton Bundle:
	- Added Pipeline: docker-build-oci-ta to image

Pushed Tekton Bundle to quay.io/konflux-ci/pull-request-builds@sha256:d8cbfc8593d6ddf1a31cc78c6b946971d918b814bb02398056af52cee362ef5e
Created:
quay.io/konflux-ci/pull-request-builds:docker-build-oci-ta-de5ee9a9d078b6a286a67eb352815a4361cc20d2@sha256:d8cbfc8593d6ddf1a31cc78c6b946971d918b814bb02398056af52cee362ef5e
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Creating Tekton Bundle:
	- Added Pipeline: docker-build to image

Pushed Tekton Bundle to quay.io/konflux-ci/pull-request-builds@sha256:18a307139219e7c772e972446514f3bee5c6e00869c168db14f5daa48489a372
Created:
quay.io/konflux-ci/pull-request-builds:docker-build-de5ee9a9d078b6a286a67eb352815a4361cc20d2@sha256:18a307139219e7c772e972446514f3bee5c6e00869c168db14f5daa48489a372
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"true\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":\"$(params.TIMEOUT)\"}]}}"
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:

@lcarva
Copy link
Contributor

lcarva commented Nov 18, 2024

Looking at the list of fields that accept variable substitutions, I don't think spec.tasks[].timeout is one of them 😭

@ralphbean
Copy link
Member Author

Well, what's our alternative. If we can't use variable substitution here, we can hardcode a super long timeout...

@MartinBasti
Copy link
Contributor

we can set timeot 0 as unlimited and rely on pipeline timeout to kill it eventually

@ralphbean ralphbean changed the title Make EC verify task timeout configurable Make EC verify task timeout infinite Dec 4, 2024
@ralphbean
Copy link
Member Author

Good idea @MartinBasti . Updated.

Before this change, users could use the TIMEOUT param to increase their
timeout up from the 5m default, but they would hit a ceiling. If they
increased their timeout past 2h, then a tekton default on timeout for
the task itself would kick in.
@lcarva
Copy link
Contributor

lcarva commented Dec 4, 2024

Also worth mentioning https://issues.redhat.com/browse/EC-1030. The CLI itself has a timeout.

@MartinBasti
Copy link
Contributor

/retest

@MartinBasti
Copy link
Contributor

Pushed Tekton Bundle to quay.io/konflux-ci/pull-request-builds@sha256:2e3bbc383f956099f43b9eea404af25238981074a00f23e8442838c292110546
Created:
quay.io/konflux-ci/pull-request-builds:docker-build-b7e54db75839c0f4d2a749262d2af669c95f2a15@sha256:2e3bbc383f956099f43b9eea404af25238981074a00f23e8442838c292110546
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Error: failed to parse string as a Tekton object: "{\"apiVersion\":\"tekton.dev/v1\",\"kind\":\"Pipeline\",\"metadata\":{\"labels\":{\"build.appstudio.redhat.com/pipeline\":\"enterprise-contract\"},\"name\":\"enterprise-contract\"},\"spec\":{\"finally\":[],\"params\":[{\"description\":\"Spec section of an ApplicationSnapshot resource. Not all fields of the\\nresource are required. A minimal example:\\n  {\\n    \\\"components\\\": [\\n      {\\n        \\\"containerImage\\\": \\\"quay.io/example/repo:latest\\\"\\n      }\\n    ]\\n  }\\nEach \\\"containerImage\\\" in the \\\"components\\\" array is validated.\\n\",\"name\":\"SNAPSHOT\",\"type\":\"string\"},{\"default\":\"enterprise-contract-service/default\",\"description\":\"Name of the policy configuration (EnterpriseContractConfiguration\\nobject) to use. `namespace/name` or `name` syntax supported. If\\nnamespace is omitted the namespace where the task runs is used.\\n\",\"name\":\"POLICY_CONFIGURATION\",\"type\":\"string\"},{\"default\":\"\",\"description\":\"Path to a directory containing SSL certs to be used when communicating\\nwith external services. This is useful when using the integrated registry\\nand a local instance of Rekor on a development cluster which may use\\ncertificates issued by a not-commonly trusted root CA. In such cases,\\n\\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" is a good value. Multiple\\npaths can be provided by using the \\\":\\\" separator.\\n\",\"name\":\"SSL_CERT_DIR\",\"type\":\"string\"},{\"default\":\"k8s://openshift-pipelines/public-key\",\"description\":\"Public key used to verify signatures. Must be a valid k8s cosign\\nreference, e.g. k8s://my-space/my-secret where my-secret contains\\nthe expected cosign.pub attribute.\\n\",\"name\":\"PUBLIC_KEY\",\"type\":\"string\"},{\"default\":\"5m0s\",\"description\":\"Timeout setting for `ec validate`.\",\"name\":\"TIMEOUT\",\"type\":\"string\"},{\"default\":\"1\",\"description\":\"Number of parallel workers to use for policy evaluation.\",\"name\":\"WORKERS\",\"type\":\"string\"},{\"default\":\"trusted-ca\",\"description\":\"The name of the ConfigMap to read CA bundle data from.\",\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"type\":\"string\"},{\"default\":\"ca-bundle.crt\",\"description\":\"The name of the key in the ConfigMap that contains the CA bundle data.\",\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"type\":\"string\"},{\"default\":\"false\",\"description\":\"Reduce the Snapshot to only the component whose build caused the Snapshot to be created\",\"name\":\"SINGLE_COMPONENT\",\"type\":\"string\"},{\"default\":\"pr/$(context.pipelineRun.name)\",\"description\":\"PipelineRun ID\",\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"type\":\"string\"},{\"default\":\"true\",\"description\":\"A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.\\nSwap to false to make the IntegrationTestScenario informative.\\n\\nSetting to false is useful on specific conditions but will always mark the integration test as successful and\\nhumans will tend to ignore the test results if they failed. Use with caution.\\n\",\"name\":\"STRICT\",\"type\":\"string\"}],\"results\":[{\"name\":\"TEST_OUTPUT\",\"value\":\"$(tasks.verify.results.TEST_OUTPUT)\"}],\"tasks\":[{\"name\":\"verify\",\"params\":[{\"name\":\"POLICY_CONFIGURATION\",\"value\":\"$(params.POLICY_CONFIGURATION)\"},{\"name\":\"IMAGES\",\"value\":\"$(params.SNAPSHOT)\"},{\"name\":\"SSL_CERT_DIR\",\"value\":\"$(params.SSL_CERT_DIR)\"},{\"name\":\"STRICT\",\"value\":\"$(params.STRICT)\"},{\"name\":\"PUBLIC_KEY\",\"value\":\"$(params.PUBLIC_KEY)\"},{\"name\":\"IGNORE_REKOR\",\"value\":\"true\"},{\"name\":\"TIMEOUT\",\"value\":\"$(params.TIMEOUT)\"},{\"name\":\"WORKERS\",\"value\":\"$(params.WORKERS)\"},{\"name\":\"CA_TRUST_CONFIGMAP_NAME\",\"value\":\"$(params.CA_TRUST_CONFIGMAP_NAME)\"},{\"name\":\"CA_TRUST_CONFIG_MAP_KEY\",\"value\":\"$(params.CA_TRUST_CONFIG_MAP_KEY)\"},{\"name\":\"SINGLE_COMPONENT\",\"value\":\"$(params.SINGLE_COMPONENT)\"},{\"name\":\"SINGLE_COMPONENT_CUSTOM_RESOURCE\",\"value\":\"$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)\"}],\"taskRef\":{\"params\":[{\"name\":\"bundle\",\"value\":\"quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6\"},{\"name\":\"name\",\"value\":\"verify-enterprise-contract\"},{\"name\":\"kind\",\"value\":\"task\"}],\"resolver\":\"bundles\"},\"timeout\":0}]}}"
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:
Waiting for a while, then retry the tkn bundle push ...
Creating Tekton Bundle:

@MartinBasti
Copy link
Contributor

Maybe original PR was good and we only need newer version of tekton

RUN curl -L https://github.com/tektoncd/cli/releases/download/v0.32.2/tkn_0.32.2_Linux_x86_64.tar.gz | tar -xz --no-same-owner -C /usr/bin/ tkn
?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants