The committers listed above are authorized under a signed CLA.

• ✅ login: burigolucas / name: Lucas Burigo (129612b, bc42ec6, a9dac85)

Hi @burigolucas. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

/kind documentation

/ok-to-test

Hi @vdemeester, I have identified issues with the CRDs. A few of them were invalid due to recursive fields. Following the fix proposed in this issue Generating CRD manifest for struct with recursive field, I have added the markers

	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:Schemaless

in the affected fields and regenerated the CRDs. I have also disabled the embedded object meta as it does not provide useful schema in my opinion and only makes the files more bloated.

AFAIK, there is still one issue to be solved, namely, the CRD for the PipelineRun is too large. We reach the file limit with kubectl create. Any ideas how best to address that?

AFAIK, there is still one issue to be solved, namely, the CRD for the PipelineRun is too large. We reach the file limit with kubectl create. Any ideas how best to address that?

Yeah, that's was the inital problem 😅

@burigolucas could we refer to another schema ? PipelineRun gets too big because of pipelineSpec that is, well the Pipeline.Spec field (and that one also contains Task.Spec with taskSpec). Maybe we should "skip" those "embedded" type in the schema and instead "document" or "refer" to the other schema ?

Error from server (Invalid): error when creating "STDIN": CustomResourceDefinition.apiextensions.k8s.io "pipelines.tekton.dev" is invalid: metadata.annotations: Too long: must have at most 262144 bytes
Error from server (RequestEntityTooLarge): error when creating "STDIN": Request entity too large: limit is 3145728
Error from server (Invalid): error when creating "STDIN": CustomResourceDefinition.apiextensions.k8s.io "tasks.tekton.dev" is invalid: metadata.annotations: Too long: must have at most 262144 bytes
Error from server (Invalid): error when creating "STDIN": CustomResourceDefinition.apiextensions.k8s.io "taskruns.tekton.dev" is invalid: metadata.annotations: Too long: must have at most 262144 bytes

Are you trying kubectl apply? In that case it will fail as it cannot store the changes in the annotations. It should work with kubectl create except for the PipelineRun due to the size. If you remove the older version of the PipelineRun in the CRD, then you can also verify that the CRD is valid. Perhaps we could omit parts of the schema of the PipelineRun for the older CRD version?

Are you trying kubectl apply? In that case it will fail as it cannot store the changes in the annotations. It should work with kubectl create except for the PipelineRun due to the size.

Yeah it's what (kubectl apply) the CI (github workflow) does (and most our users as well 😅 )

If you remove the older version of the PipelineRun in the CRD, then you can also verify that the CRD is valid. Perhaps we could omit parts of the schema of the PipelineRun for the older CRD version?

You mean the v1beta1 part right ?

I would be fine only having the shema for the v1 (or the highest) version available in the CRD to be honest.
@afrittoli @tektoncd/core-maintainers what do you think ?

I have just tried to remove the pipelineSpec from the schema of the pipelineRun and it is now small enough, even with both versions of the CRD. But we might need to reduce other CRDs further if we need to support kubectl apply due to the limits of the annotation field.

Removed also the schema of TaskSpec in TaskRun and added a comment for the user to refer to the schema of Task. This also reduced size but currently Task, TaskRun, Pipeline and PipelineRun are all too large to be stored in the annotations field when using kubectl apply. Any further suggestions what else to remove from the schema to address the length of the files?

Removed also the schema of TaskSpec in TaskRun and added a comment for the user to refer to the schema of Task. This also reduced size but currently Task, TaskRun, Pipeline and PipelineRun are all too large to be stored in the annotations field when using kubectl apply. Any further suggestions what else to remove from the schema to address the length of the files?

I am "fine" with requiring things to be done using kubectl create and document this I guess ?
cc @afrittoli

Removed also the schema of TaskSpec in TaskRun and added a comment for the user to refer to the schema of Task. This also reduced size but currently Task, TaskRun, Pipeline and PipelineRun are all too large to be stored in the annotations field when using kubectl apply. Any further suggestions what else to remove from the schema to address the length of the files?

I am "fine" with requiring things to be done using kubectl create and document this I guess ? cc @afrittoli

This would be for the CRDs only, right?
Existing installation scripts and tools may break if we make this change. To provide for a smoother transition, we could add an extra release file to our releases:

• release.yaml: includes sha and tag for images, includes CRDs with schema
• release.notag.yaml: includes CRDs with schema
• release.oldcrds.yaml: includes sha and tag for images, includes CRDs without schema

This way users could point to release.oldcrds.yaml until they migrate to installing via kubectl create.

@afrittoli should it be the other way around for a while. Like next release we have a release-with-schemas.yaml and we announce a given timeline for changing the default and then we do the other way around ?

@afrittoli should it be the other way around for a while. Like next release we have a release-with-schemas.yaml and we announce a given timeline for changing the default and then we do the other way around ?

Sure, we can do that, I was trying to avoid too many changes :D but it's safer the way you proposed

Should we then keep the current CRDs untouched and store the new generated CRDs with schemas in a different path?

Should we then keep the current CRDs untouched and store the new generated CRDs with schemas in a different path?

If possible, I would prefer to have one version of the CRDs in the repos and, at release time:

• copy release.yaml to release.schemas-in-crds.yaml
• strip the schemas from release.yaml

@vdemeester @burigolucas WDYT?

@vdemeester, @afrittoli I have revised all the previously falling e2e tests and made the required changes to fix the issues. I have also rebased the branch to a address a merge conflict and squashed all my commits to a single one as suggested in the documentation for contributors. I do not know to to fix the failing job pull-tekton-pipeline-go-coverage-df though. Could one of you please approve the workflows to check if all tests are now passing? Thanks in advance!

/test pull-tekton-pipeline-go-coverage-df

@afrittoli: No presubmit jobs available for tektoncd/pipeline@main

@burigolucas ah there is one lint issue it seems.

@burigolucas ah there is one lint issue it seems.

It's not in a file changed by this PR though, which should not happen... @vdemeester any idea why this happened?

@burigolucas ah there is one lint issue it seems.

It's not in a file changed by this PR though, which should not happen... @vdemeester any idea why this happened?

I need to check, but I think the github action checks all files by default (not just the changed one).

@afrittoli See #8604 🙃

@burigolucas ah there is one lint issue it seems.

It's not in a file changed by this PR though, which should not happen... @vdemeester any idea why this happened?

I need to check, but I think the github action checks all files by default (not just the changed one).

@vdemeester I removed the unused directive in the latest commit. Should I rather revert it back then?

This looks amazing!

Now, I am sorry for the scope-creep but would it be possible to include the x-kubernetes-patch-strategy and x-kubernetes-patch-merge-key extensions for the same objects that we have x-kubernetes-list-type. This would help enable strategic merge patch using the openapi feature of kustomize.

(It is just a suggestion and I understand that you might prefer to keep it for a separate PR)

This looks amazing!

Now, I am sorry for the scope-creep but would it be possible to include the x-kubernetes-patch-strategy and x-kubernetes-patch-merge-key extensions for the same objects that we have x-kubernetes-list-type. This would help enable strategic merge patch using the openapi feature of kustomize.

(It is just a suggestion and I understand that you might prefer to keep it for a separate PR)

Given the back and forth on the PR, I would suggest we do this in a follow-up PR, but it's up to you @burigolucas.

@vdemeester I removed the unused directive in the latest commit. Should I rather revert it back then?

If the CI is green, I think it's fine to keep as is 😉

This looks amazing!

Now, I am sorry for the scope-creep but would it be possible to include the x-kubernetes-patch-strategy and x-kubernetes-patch-merge-key extensions for the same objects that we have x-kubernetes-list-type. This would help enable strategic merge patch using the openapi feature of kustomize.

(It is just a suggestion and I understand that you might prefer to keep it for a separate PR)

Thanks for the great suggestion. I will be implementing this in a separate PR as soon we merge this one.

@112358fn, would you mind creating a dedicated issue for this request with the explanation why this should be implemented? Perhaps not all lists should support strategic merge patch. The dedicated issue would help to keep all the related discussions in a dedicated thread.

@vdemeester it looks like we are having rate limiting issues with DockerHub (See the extracts of the logs below for each of the 4 failed tests). Is this something new? Could we simply retry the failed set of tests to check for flaky results?

• TestExamples/v1/taskruns/dind-sidecar

message: 'the sidecar "server" in TaskRun "dind-sidecar-882ss" failed to pull
              the image "". The pod errored with the message: "Back-off pulling image "docker@sha256:74e78208fc18da48ddf8b569abe21563730845c312130bd0f0b059746a7e10f5"."'

• TestExamples/v1/pipelineruns/pipelinerun

2025-03-06T16:45:05.2945141Z         >>> Pod demo-pipeline-run-1-build-image-pod Container step-build-and-push:
2025-03-06T16:45:05.2945967Z         �[36mINFO�[0m[0000] Resolved base name golang:1.18 to builder    
2025-03-06T16:45:05.2946570Z         �[36mINFO�[0m[0000] Retrieving image manifest golang:1.18        
2025-03-06T16:45:05.2947300Z         �[36mINFO�[0m[0000] Retrieving image golang:1.18 from registry index.docker.io 
2025-03-06T16:45:05.2949243Z         error building image: GET https://index.docker.io/v2/library/golang/manifests/1.18: TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

• TestExamples/v1/taskruns/step-by-digest

-03-06T16:45:14.6943112Z           - lastTransitionTime: "2025-03-06T16:45:14Z"
2025-03-06T16:45:14.6944275Z             message: 'failed to create task run pod "step-by-digest-2c4dw": translating TaskSpec
2025-03-06T16:45:14.6947703Z               to Pod: GET https://index.docker.io/v2/library/busybox/manifests/sha256:1303dbf110c57f3edf68d9f5a16c082ec06c4cf7604831669faf2c712260b5a0:
2025-03-06T16:45:14.6950438Z               TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit.
2025-03-06T16:45:14.6952083Z               Maybe invalid TaskSpec'
2025-03-06T16:45:14.6952909Z             reason: PodCreationFailed
2025-03-06T16:45:14.6953425Z             status: "False"
2025-03-06T16:45:14.6953886Z             type: Succeeded

• TestExamples/v1/taskruns/entrypoint-resolution

2025-03-06T16:46:58.1804050Z           - lastTransitionTime: "2025-03-06T16:46:57Z"
2025-03-06T16:46:58.1805171Z             message: 'failed to create task run pod "entrypoint-resolution": translating TaskSpec
2025-03-06T16:46:58.1806162Z               to Pod: GET https://index.docker.io/v2/amd64/ubuntu/manifests/latest: TOOMANYREQUESTS:
2025-03-06T16:46:58.1807221Z               You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit.
2025-03-06T16:46:58.1808371Z               Maybe invalid TaskSpec'
2025-03-06T16:46:58.1808760Z             reason: PodCreationFailed
2025-03-06T16:46:58.1809364Z             status: "False"
2025-03-06T16:46:58.1809680Z             type: Succeeded

/retest

@burigolucas does this issue description looks ok?

/retest

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/lgtm