Update TaskRunStatus.ResourcesResult to be more generic.

This commit extends ResourcesResult to work for more than just ImageOutputs,
but moving to a key/value map instead of a fixed key of "digest".

This also updates the image_digest_exporter to write data in both formats
for backwards compatibility, and updates our e2e test to use this mechanism.

Author: dlorenc

cmd/imagedigestexporter/main.go

@@ -59,7 +59,20 @@ func main() {
 		if err != nil {
 			log.Fatalf("Unexpected error getting image digest for %s: %v", imageResource.Name, err)
 		}
-		output = append(output, v1alpha1.PipelineResourceResult{Name: imageResource.Name, Digest: digest.String()})
+		// We need to write both the old Name/Digest style and the new Key/Value styles.
+		output = append(output, v1alpha1.PipelineResourceResult{
+			Name:   imageResource.Name,
+			Digest: digest.String(),
+		})
+
+		output = append(output, v1alpha1.PipelineResourceResult{
+			Key:   "digest",
+			Value: digest.String(),
+			ResourceRef: v1alpha1.PipelineResourceRef{
+				Name: imageResource.Name,
+			},
+		})
+
 	}
 
 	imagesJSON, err := json.Marshal(output)

docs/resources.md

@@ -194,6 +194,23 @@ spec:
       emptyDir: {}
 ```
 
+### Resource Status
+
+When resources are bound inside a TaskRun, they can include extra information in the TaskRun Status.ResourcesResult field.
+This information can be useful for auditing the exact resources used by a TaskRun later.
+Currently the only resource that uses this mechanism is the Image resource, which includes the exact digest
+of an image built by a TaskRun and declared as an output.
+
+For an example of what this output looks like:
+
+```yaml
+resourcesResult:
+- key: digest
+  value: sha256:a08412a4164b85ae521b0c00cf328e3aab30ba94a526821367534b81e51cb1cb
+  resourceRef:
+    name: skaffold-image-leeroy-web
+```
+
 ## Resource Types
 
 The following `PipelineResources` are currently supported:

examples/taskruns/build-push-kaniko.yaml

@@ -43,13 +43,18 @@ spec:
       type: image
   steps:
   - name: build-and-push
-    image: gcr.io/kaniko-project/executor:v0.9.0
+    image: gcr.io/kaniko-project/executor:v0.13.0
+    # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
+    env:
+    - name: "DOCKER_CONFIG"
+      value: "/builder/home/.docker/"
     command:
     - /kaniko/executor
     args:
     - --dockerfile=$(inputs.params.pathToDockerFile)
     - --destination=$(outputs.resources.builtImage.url)
     - --context=$(inputs.params.pathToContext)
+    - --oci-layout-path=/builder/home/image-outputs/builtImage    
   sidecars:
     - image: registry
       name: registry

pkg/apis/pipeline/v1alpha1/resource_types.go

@@ -164,8 +164,13 @@ type PipelineResourceBinding struct {
 
 // PipelineResourceResult used to export the image name and digest as json
 type PipelineResourceResult struct {
+	// Name and Digest are deprecated.
 	Name   string `json:"name"`
 	Digest string `json:"digest"`
+	// These will replace Name and Digest (https://github.com/tektoncd/pipeline/issues/1392)
+	Key         string              `json:"key"`
+	Value       string              `json:"value"`
+	ResourceRef PipelineResourceRef `json:"resourceRef,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go

@@ -84,8 +84,7 @@ func AddOutputImageDigestExporter(
 
 // UpdateTaskRunStatusWithResourceResult if there is an update to the outout image resource, add to taskrun status result
 func UpdateTaskRunStatusWithResourceResult(taskRun *v1alpha1.TaskRun, logContent []byte) error {
-	err := json.Unmarshal(logContent, &taskRun.Status.ResourcesResult)
-	if err != nil {
+	if err := json.Unmarshal(logContent, &taskRun.Status.ResourcesResult); err != nil {
 		return xerrors.Errorf("Failed to unmarshal output image exporter JSON output: %w", err)
 	}
 	return nil

pkg/reconciler/taskrun/resources/image_exporter.go

@@ -20,9 +20,6 @@ package test
 
 import (
 	"fmt"
-	"io/ioutil"
-	"regexp"
-	"strings"
 	"testing"
 	"time"
 
@@ -34,32 +31,41 @@ import (
 	"golang.org/x/xerrors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	knativetest "knative.dev/pkg/test"
 )
 
 const (
-	kanikoTaskName     = "kanikotask"
-	kanikoTaskRunName  = "kanikotask-run"
-	kanikoResourceName = "go-example-git"
+	kanikoTaskName          = "kanikotask"
+	kanikoTaskRunName       = "kanikotask-run"
+	kanikoGitResourceName   = "go-example-git"
+	kanikoImageResourceName = "go-example-image"
 )
 
 func getGitResource(namespace string) *v1alpha1.PipelineResource {
-	return tb.PipelineResource(kanikoResourceName, namespace, tb.PipelineResourceSpec(
+	return tb.PipelineResource(kanikoGitResourceName, namespace, tb.PipelineResourceSpec(
 		v1alpha1.PipelineResourceTypeGit,
 		tb.PipelineResourceSpecParam("Url", "https://github.com/GoogleContainerTools/kaniko"),
 	))
 }
 
+func getImageResource(namespace, repo string) *v1alpha1.PipelineResource {
+	return tb.PipelineResource(kanikoImageResourceName, namespace, tb.PipelineResourceSpec(
+		v1alpha1.PipelineResourceTypeImage,
+		tb.PipelineResourceSpecParam("url", repo),
+	))
+}
+
 func getTask(repo, namespace string, withSecretConfig bool) *v1alpha1.Task {
 	taskSpecOps := []tb.TaskSpecOp{
 		tb.TaskInputs(tb.InputsResource("gitsource", v1alpha1.PipelineResourceTypeGit)),
+		tb.TaskOutputs(tb.OutputsResource("builtImage", v1alpha1.PipelineResourceTypeImage)),
 	}
 	stepOps := []tb.StepOp{
 		tb.StepArgs(
 			"--dockerfile=/workspace/gitsource/integration/dockerfiles/Dockerfile_test_label",
 			fmt.Sprintf("--destination=%s", repo),
 			"--context=/workspace/gitsource",
+			"--oci-layout-path=/builder/home/image-outputs/builtImage",
 		),
 	}
 	if withSecretConfig {
@@ -73,7 +79,7 @@ func getTask(repo, namespace string, withSecretConfig bool) *v1alpha1.Task {
 			},
 		})))
 	}
-	step := tb.Step("kaniko", "gcr.io/kaniko-project/executor:v0.9.0", stepOps...)
+	step := tb.Step("kaniko", "gcr.io/kaniko-project/executor:v0.13.0", stepOps...)
 	taskSpecOps = append(taskSpecOps, step)
 
 	return tb.Task(kanikoTaskName, namespace, tb.TaskSpec(taskSpecOps...))
@@ -83,7 +89,8 @@ func getTaskRun(namespace string) *v1alpha1.TaskRun {
 	return tb.TaskRun(kanikoTaskRunName, namespace, tb.TaskRunSpec(
 		tb.TaskRunTaskRef(kanikoTaskName),
 		tb.TaskRunTimeout(2*time.Minute),
-		tb.TaskRunInputs(tb.TaskRunInputsResource("gitsource", tb.TaskResourceBindingRef(kanikoResourceName))),
+		tb.TaskRunInputs(tb.TaskRunInputsResource("gitsource", tb.TaskResourceBindingRef(kanikoGitResourceName))),
+		tb.TaskRunOutputs(tb.TaskRunOutputsResource("builtImage", tb.TaskResourceBindingRef(kanikoImageResourceName))),
 	))
 }
 
@@ -101,9 +108,14 @@ func TestKanikoTaskRun(t *testing.T) {
 		t.Fatalf("Expected to create kaniko creds: %v", err)
 	}
 
-	t.Logf("Creating Git PipelineResource %s", kanikoResourceName)
+	t.Logf("Creating Git PipelineResource %s", kanikoGitResourceName)
 	if _, err := c.PipelineResourceClient.Create(getGitResource(namespace)); err != nil {
-		t.Fatalf("Failed to create Pipeline Resource `%s`: %s", kanikoResourceName, err)
+		t.Fatalf("Failed to create Pipeline Resource `%s`: %s", kanikoGitResourceName, err)
+	}
+
+	t.Logf("Creating Image PipelineResource %s", repo)
+	if _, err := c.PipelineResourceClient.Create(getImageResource(namespace, repo)); err != nil {
+		t.Fatalf("Failed to create Pipeline Resource `%s`: %s", kanikoGitResourceName, err)
 	}
 
 	t.Logf("Creating Task %s", kanikoTaskName)
@@ -117,32 +129,28 @@ func TestKanikoTaskRun(t *testing.T) {
 	}
 
 	// Verify status of TaskRun (wait for it)
-	var podName string
+
 	if err := WaitForTaskRunState(c, kanikoTaskRunName, func(tr *v1alpha1.TaskRun) (bool, error) {
-		podName = tr.Status.PodName
 		return TaskRunSucceed(kanikoTaskRunName)(tr)
 	}, "TaskRunCompleted"); err != nil {
 		t.Errorf("Error waiting for TaskRun %s to finish: %s", kanikoTaskRunName, err)
 	}
 
-	// There will be a Pod with the expected name.
-	if _, err := c.KubeClient.Kube.CoreV1().Pods(namespace).Get(podName, metav1.GetOptions{}); err != nil {
-		t.Fatalf("Error getting build pod: %v", err)
-	}
-
-	logs, err := getAllLogsFromPod(c.KubeClient.Kube, podName, namespace)
+	tr, err := c.TaskRunClient.Get(kanikoTaskRunName, metav1.GetOptions{})
 	if err != nil {
-		t.Fatalf("Expected to get logs from pod %s: %v", podName, err)
+		t.Errorf("Error retrieving taskrun: %s", err)
+	}
+	digest := ""
+	for _, rr := range tr.Status.ResourcesResult {
+		if rr.Key == "digest" {
+			digest = rr.Value
+		}
 	}
-	// make sure the pushed digest matches the one we pushed
-	re := regexp.MustCompile(`digest: (sha256:\w+)`)
-	match := re.FindStringSubmatch(logs)
-	// make sure we found a match and it has the capture group
-	if len(match) != 2 {
-		t.Fatalf("Expected to find an image digest in the build output: %s", logs)
+	if digest == "" {
+		t.Errorf("Digest not found in TaskRun.Status: %v", tr.Status)
 	}
+
 	// match the local digest, which is first capture group against the remote image
-	digest := match[1]
 	remoteDigest, err := getRemoteDigest(repo)
 	if err != nil {
 		t.Fatalf("Expected to get digest for remote image %s", repo)
@@ -152,40 +160,6 @@ func TestKanikoTaskRun(t *testing.T) {
 	}
 }
 
-func getContainerLogs(c kubernetes.Interface, pod, namespace string, containers ...string) (string, error) {
-	sb := strings.Builder{}
-	for _, container := range containers {
-		req := c.CoreV1().Pods(namespace).GetLogs(pod, &corev1.PodLogOptions{Follow: true, Container: container})
-		rc, err := req.Stream()
-		if err != nil {
-			return "", err
-		}
-		bs, err := ioutil.ReadAll(rc)
-		if err != nil {
-			return "", err
-		}
-		sb.Write(bs)
-	}
-	return sb.String(), nil
-}
-
-func getAllLogsFromPod(c kubernetes.Interface, pod, namespace string) (string, error) {
-	p, err := c.CoreV1().Pods(namespace).Get(pod, metav1.GetOptions{})
-	if err != nil {
-		return "", err
-	}
-
-	var containers []string
-	for _, initContainer := range p.Spec.InitContainers {
-		containers = append(containers, initContainer.Name)
-	}
-	for _, container := range p.Spec.Containers {
-		containers = append(containers, container.Name)
-	}
-
-	return getContainerLogs(c, pod, namespace, containers...)
-}
-
 func getRemoteDigest(image string) (string, error) {
 	ref, err := name.ParseReference(image, name.WeakValidation)
 	if err != nil {

test/kaniko_task_test.go

@@ -70,7 +70,7 @@ func TestPipelineRun(t *testing.T) {
 
 			for _, res := range getFanInFanOutGitResources(namespace) {
 				if _, err := c.PipelineResourceClient.Create(res); err != nil {
-					t.Fatalf("Failed to create Pipeline Resource `%s`: %s", kanikoResourceName, err)
+					t.Fatalf("Failed to create Pipeline Resource `%s`: %s", kanikoGitResourceName, err)
 				}
 			}