feat(runners): implement Tekton Pipeline runner with native metadata discovery#2767
Open
waveywaves wants to merge 2 commits intochainloop-dev:mainfrom
Open
feat(runners): implement Tekton Pipeline runner with native metadata discovery#2767waveywaves wants to merge 2 commits intochainloop-dev:mainfrom
waveywaves wants to merge 2 commits intochainloop-dev:mainfrom
Conversation
waveywaves
force-pushed
the
feat/tekton-runner-native-discovery
branch
from
ef38b88 to
cbcf765
Compare
…discovery Implement the TektonPipeline runner with two-tier native metadata discovery and all SupportedRunner interface methods. Tier 1 (always available): reads HOSTNAME env var and ServiceAccount namespace file from the pod filesystem. Tier 2 (best-effort): queries the K8s API for pod labels with tekton.dev/* prefix, providing rich pipeline context. Gracefully degrades when RBAC is denied or SA token is missing. Interface methods: - RunURI: Tekton Dashboard URL when configured, tekton-pipeline:// identifier URI as fallback - Report: writes attestation summary to /tekton/results/ with 3500-byte truncation for Tekton Results size limits - Environment: detects GKE/EKS/AKS as Managed, plain K8s as SelfHosted - ResolveEnvVars: synthesizes discovered metadata as key-value entries - ListEnvVars: returns HOSTNAME as the only consumed env var Includes 26 unit tests covering discovery success, RBAC denial, missing SA token, all RunURI variants, Report truncation, Environment detection, and ResolveEnvVars with full and minimal label sets. Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
waveywaves
force-pushed
the
feat/tekton-runner-native-discovery
branch
from
cbcf765 to
229b0c9
Compare
Member
|
@cubic-dev-ai review |
@migmartri I have started the AI code review. It will take a few minutes to complete. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 3 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pkg/attestation/crafter/runners/tektonpipeline_test.go">
<violation number="1" location="pkg/attestation/crafter/runners/tektonpipeline_test.go:111">
P3: Unused `tmpDir` in test: `t.TempDir()` is called and immediately suppressed with `_ = tmpDir`. The test only exercises `taskRunNameFromHostname()` via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging
@cubic-dev-aiwith guidance or docs links (includingllms.txt) - Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| t.Setenv("KUBERNETES_SERVICE_PORT", serverURL.Port()) | ||
|
|
||
| // Create temp directory for SA files | ||
| tmpDir := t.TempDir() |
There was a problem hiding this comment.
P3: Unused tmpDir in test: t.TempDir() is called and immediately suppressed with _ = tmpDir. The test only exercises taskRunNameFromHostname() via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At pkg/attestation/crafter/runners/tektonpipeline_test.go, line 111:
<comment>Unused `tmpDir` in test: `t.TempDir()` is called and immediately suppressed with `_ = tmpDir`. The test only exercises `taskRunNameFromHostname()` via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.</comment>
<file context>
@@ -0,0 +1,650 @@
+ t.Setenv("KUBERNETES_SERVICE_PORT", serverURL.Port())
+
+ // Create temp directory for SA files
+ tmpDir := t.TempDir()
+
+ // Write SA token file
</file context>
…e:// Shorten the RunURI scheme from tekton-pipeline:// to tekton:// for consistency and brevity. Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
TektonPipelinerunner with two-tier native metadata discovery: Tier 1 reads HOSTNAME env var and ServiceAccount namespace file (always available in K8s pods); Tier 2 makes a best-effort K8s API call to discovertekton.dev/*pod labels for rich pipeline contextSupportedRunnerinterface methods:RunURI(Tekton Dashboard URL withtekton-pipeline://fallback),Report(writes to/tekton/results/attestation-reportwith 3500-byte truncation),Environment(detects GKE/EKS/AKS as Managed vs self-hosted),ListEnvVars, andResolveEnvVars(synthesizes discovered metadata as key-value entries)runner.goto pass logger toNewTektonPipelineDesign decisions
$(context.*)variables as env varsWithHTTPClient,WithSATokenPath,WithNamespacePath,WithCACertPath,WithResultsDirallow test injection without polluting the production APITesting