36. Trusted Artifacts

Date: 2024-06-11

Status

Accepted

Context

One of the properties of Konflux is that users should be allowed to include their own Tekton Tasks in a build Pipeline, e.g. to execute unit tests, without jeopardizing the integrity of the build process. This is distinct from other build systems where a rigid process prevents users from applying such customizations. To support this, Konflux build Pipelines use Trusted Artifacts to securely share files between Tasks. Enterprise Contract is then responsible for verifying that Trusted Artifacts were properly used in the parts of the build Pipeline that affect the build outcome, typically the git-clone, prefetch-dependencies, and buildah Tasks.

Trusted Artifacts is inspired by the upcoming work being done by the Tekton Community, TEP-0139. The Konflux version is meant to be a stop-gap until that feature is implemented and ready to be used. When the time comes, the Konflux implementation should align with what is provided by the Tekton Community, requiring a revision of this ADR and likely a new ADR.

In brief, the process of creating a Trusted Artifact wraps files into an archive. Then, the location of the archive and its checksum digests are recorded as a Task result. The process of consuming a Trusted Artifact extracts such an archive, while verifying its checksum digest, into a volume only accessible to the Task, e.g. emptyDir. The name and the checksum digest of the archive are provided via Task parameters. This ensures the artifacts produced by one Task are not tampered with when they are consumed by other Tasks.

Furthermore, Konflux takes the approach of sharing such artifacts between Tasks via an OCI registry, e.g. quay.io, instead of using Tekton Workspaces backed by Persistent Volume Claims. This has several advantages that were previously discussed here.
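The create and consume steps described above can be sketched as follows. This is an added example, not the Konflux implementation: the function names, the `<location>@sha256:<digest>` reference format, and the local directory standing in for the OCI registry are all assumptions made for illustration.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

def create_trusted_artifact(src_dir, store_dir, name):
    """Producer side: archive src_dir and return the value to record as a Task result."""
    archive = Path(store_dir) / f"{name}.tar.gz"  # store_dir stands in for the registry
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    return f"{archive}@sha256:{digest}"  # assumed format: location plus checksum digest

def use_trusted_artifact(artifact_ref, dest_dir):
    """Consumer side: verify the digest received as a parameter, then extract."""
    location, _, expected = artifact_ref.rpartition("@sha256:")
    if not location or len(expected) != 64:
        raise ValueError("reference must be <location>@sha256:<hex digest>")
    data = Path(location).read_bytes()  # read once: the bytes verified are the bytes extracted
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise ValueError(f"digest mismatch for {location}: got sha256:{actual}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # refuse members that would escape dest_dir
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)
    return Path(dest_dir)

def demo():
    """Constructed scenario: one step hands source files to a later step."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, store, private = root / "src", root / "store", root / "private"
        for d in (src, store, private):
            d.mkdir()
        (src / "main.go").write_text("package main\n")  # constructed sample file
        ref = create_trusted_artifact(src, store, "source")
        extracted = (use_trusted_artifact(ref, private) / "main.go").read_text()
        # Simulate the archive changing in storage after the result was recorded.
        archive = Path(ref.rpartition("@sha256:")[0])
        archive.write_bytes(archive.read_bytes() + b"tampered")
        try:
            use_trusted_artifact(ref, root / "private2")
            rejected = False
        except ValueError:
            rejected = True
        return extracted, rejected

if __name__ == "__main__":
    print(demo())
```

The consumer hashes and extracts the same in-memory bytes, so the archive cannot change between verification and extraction.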

Decision

Sharing files between Tasks is done via Trusted Artifacts backed by OCI storage.

Consequences