Encode scripts as base 64 to avoid k8s mangling "$$"
Kubernetes replaces instances of "$$" in container args fields with "$". This can muck up the contents of script fields because scripts are passed into a TaskRun Pod as an arg to an init container. Prior to this commit we [tried to prevent the replacement](https://github.com/tektoncd/pipeline/pull/3888) from happening by:

1. putting scripts into annotations on a pod and projecting them using downward API
   - con: the max size of the annotations map is capped to ~250kB. The aggregate size of all scripts in a single Task therefore becomes constrained by this. Any other systems using annotations will reduce the available headroom. Backwards incompatible.
2. replacing instances of "$$" in scripts with "$$$$" for k8s to then process back to "$$"
   - con: k8s doesn't actually process _all_ instances of "$$". For example, if you write an arg with format "echo $(eval \$$foo)" then k8s will see the first "$(", assume it's a variable reference, and pass it through verbatim. So users' scripts with bash variables become broken by tekton's new replacement. Backwards incompatible.

This commit takes a third approach, proposed by @MartinKanters, encoding scripts as base64 in the controller and then having them decoded in the init container. This bypasses Kubernetes' args processing completely because dollar signs aren't used in base64 encodings. It also doesn't introduce a backwards-incompatible limit to the aggregate script size. And it doesn't mangle existing bash scripts with variable replacements.

The most noticeable trade-offs we now make are:

1. Tiny scripts can be up to 300% bigger, but as scripts get longer the max increase gets closer to 133%.
2. Also the TaskRun's `initContainer` YAML is a bit less human readable:

```
initContainers:
- args:
  - -c
  - |
    tmpfile="/tekton/scripts/script-0-f8fmf"
    touch ${tmpfile} && chmod +x ${tmpfile}
    cat > ${tmpfile} << '_EOF_'
    IyEvYmluL3NoCnNldCAteGUKZWNobyAibm8gc2hlYmFuZyI=
    _EOF_
    /tekton/tools/entrypoint decode-script "${tmpfile}"
```

The entrypoint is extended to decode base64 files so that the `shellImage` (which is used to write scripts to disk for Step containers) is not required to package a `base64` binary.
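The two halves of the approach described above, as an added stand-alone example (not the commit's own code from `pkg/pod/script.go` or the `decode-script` subcommand): the controller encodes the script so the heredoc body carries no "$", and the init container decodes the file in place. The temp-file path and the sample script are constructed stand-ins for `/tekton/scripts/script-N` and a user Step script.

```go
package main
import (
	"encoding/base64"
	"fmt"
	"os"
	"strings"
)

// Controller side: base64 output has no "$", so the "$(VAR)"/"$$" rewriting
// Kubernetes applies to container args cannot touch the encoded script.
func encodeScript(script string) string {
	return base64.StdEncoding.EncodeToString([]byte(script))
}

// Init-container side: decode the base64 text the heredoc wrote to path and
// overwrite the file in place with the plain script (what decode-script does).
func decodeScriptFile(path string) error {
	enc, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	dec, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(enc)))
	if err != nil {
		return fmt.Errorf("decoding %s: %w", path, err)
	}
	return os.WriteFile(path, dec, 0o700)
}

func roundTrip(script string) (string, error) { // both halves on a temp file standing in for /tekton/scripts/script-N
	f, err := os.CreateTemp("", "script-0-")
	if err != nil {
		return "", err
	}
	defer os.Remove(f.Name())
	if _, err := f.WriteString(encodeScript(script) + "\n"); err != nil {
		return "", err
	}
	f.Close()
	if err := decodeScriptFile(f.Name()); err != nil {
		return "", err
	}
	out, err := os.ReadFile(f.Name())
	return string(out), err
}

func main() {
	script := "#!/bin/sh\necho $(eval \\$$foo)\necho \"pid $$\"\n" // constructed sample
	out, err := roundTrip(script)
	fmt.Println("encoded has $:", strings.Contains(encodeScript(script), "$"), "round trip ok:", out == script, err)
}
```

Encoding the script from the init-container YAML above (`#!/bin/sh`, `set -xe`, `echo "no shebang"`) reproduces the base64 string shown there.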
- cmd/entrypoint/main.go: 8 additions, 30 deletions
- cmd/entrypoint/subcommands/cp.go: 46 additions, 0 deletions
- cmd/entrypoint/subcommands/cp_test.go: 69 additions, 0 deletions
- cmd/entrypoint/subcommands/decode_script.go: 71 additions, 0 deletions
- cmd/entrypoint/subcommands/decode_script_test.go: 111 additions, 0 deletions
- cmd/entrypoint/subcommands/subcommands.go: 76 additions, 0 deletions
- cmd/entrypoint/subcommands/subcommands_test.go: 70 additions, 0 deletions
- examples/v1alpha1/taskruns/step-script.yaml: 34 additions, 0 deletions
- examples/v1beta1/taskruns/step-script.yaml: 34 additions, 0 deletions
- pkg/pod/pod.go: 3 additions, 1 deletion
- pkg/pod/pod_test.go: 74 additions, 25 deletions
- pkg/pod/script.go: 12 additions, 9 deletions
- pkg/pod/script_test.go: 34 additions, 36 deletions