Skip to content

chore(runner): First cut on Tekton pipeline detection #2581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
javirln wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

chore(runner): First cut on Tekton pipeline detection #2581

javirln wants to merge 1 commit into from

Conversation

@javirln
Copy link
Member

@javirln javirln commented Nov 25, 2025
edited
Loading

This PR adds automatic detection and metadata collection for Tekton Pipelines CI/CD environment.

Changes

  • Added TEKTON_PIPELINE runner type to the protobuf schema
  • Implemented Tekton runner with filesystem-based detection via /tekton/results directory
  • Registered runner in factory for automatic environment discovery

Detection Strategy

The Tekton runner detects execution environments by checking for the presence of Tekton's /tekton/results directory, which is mounted in all TaskRun and PipelineRun containers. This approach works reliably for both standalone TaskRuns and tasks within Pipelines.

Metadata Collection via Kubernetes Downward API

The runner collects Tekton execution metadata by reading pod labels from the Kubernetes Downward API mounted at /etc/podinfo/labels. Users must configure the Downward API volume mount in their Task/Pipeline definitions:

apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: chainloop-attestation
spec:
  stepTemplate:
    volumeMounts:
      - name: podinfo
        mountPath: /etc/podinfo
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
  steps:
    - name: attest
      image: ghcr.io/chainloop-dev/chainloop/cli:latest
      script: |
        chainloop attestation init

Tekton Labels Collected

The runner reads the following Tekton-specific labels from pod metadata:

PipelineRun context:

  • tekton.dev/pipelineRun - PipelineRun name
  • tekton.dev/pipelineRunUID - PipelineRun UID
  • tekton.dev/pipeline - Pipeline name

TaskRun context:

  • tekton.dev/taskRun - TaskRun name
  • tekton.dev/taskRunUID - TaskRun UID
  • tekton.dev/task - Task name

Namespace: Automatically read from /var/run/secrets/kubernetes.io/serviceaccount/namespace

Run URI Construction

The runner constructs dashboard URLs with priority: PipelineRun URL > TaskRun URL, defaulting to https://dashboard.tekton.dev. Users can customize the dashboard URL by setting the TEKTON_DASHBOARD_URL environment variable.

The runner works in minimal mode with just filesystem detection when Downward API is not configured. Pod labels are only collected when the volume mount is present, allowing basic runner detection without requiring template modifications.

Tackles issue #2545

@javirln javirln self-assigned this Nov 25, 2025
@javirln javirln requested review from jiparis and migmartri November 25, 2025 11:46
migmartri
migmartri reviewed Nov 25, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ptal at the test error, and the spurious descriptor.ts

So in the end we have access to env vars and dashboards or am I understanding this incorrectly? Do you have a demo of the env?

pkg/attestation/crafter/runners/tektonpipeline.go Outdated
func (r *TektonPipeline) ListEnvVars() []*EnvVarDefinition {
return []*EnvVarDefinition{
// PipelineRun context (optional - only present when running in a Pipeline)
{"TEKTON_PIPELINE_RUN", true},
Copy link
Member

@migmartri migmartri Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so these env vars are available then?

@javirln javirln marked this pull request as draft November 26, 2025 07:08
@javirln
chore(runner): First cut on Tekton pipeline detection
ce9caa4 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
waveywaves
waveywaves reviewed Dec 8, 2025
View reviewed changes
Copy link

@waveywaves waveywaves left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tekton doesn't add labels through downward API, so it might be good to use the service account directly.

pkg/attestation/crafter/runners/tektonpipeline.go

const (
// Default path for Downward API labels
defaultLabelsPath = "/etc/podinfo/labels"
Copy link

@waveywaves waveywaves Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The downward api is /tekton/downward and tekton only exposes annotations and not labels.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri left review comments

@jiparis jiparis Awaiting requested review from jiparis

+1 more reviewer

@waveywaves waveywaves waveywaves left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@javirln javirln

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@javirln @migmartri @waveywaves