Add cluster resolver

Relates to #4476 and https://github.com/tektoncd/community/blob/main/teps/0096-pipelines-v1-api.md

This resolver replaces `ClusterTask`s going forward.

Signed-off-by: Andrew Bayer <andrew.bayer@gmail.com>

Author: abayer

cmd/resolvers/main.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/tektoncd/pipeline/pkg/apis/resolution/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/resolution/resolver/bundle"
+	"github.com/tektoncd/pipeline/pkg/resolution/resolver/cluster"
 	"github.com/tektoncd/pipeline/pkg/resolution/resolver/framework"
 	"github.com/tektoncd/pipeline/pkg/resolution/resolver/git"
 	"github.com/tektoncd/pipeline/pkg/resolution/resolver/hub"
@@ -49,5 +50,6 @@ func main() {
 	sharedmain.MainWithContext(ctx, "controller",
 		framework.NewController(ctx, &git.Resolver{}),
 		framework.NewController(ctx, &hub.Resolver{HubURL: hubURL}),
-		framework.NewController(ctx, &bundle.Resolver{}))
+		framework.NewController(ctx, &bundle.Resolver{}),
+		framework.NewController(ctx, &cluster.Resolver{}))
 }

config/config-feature-flags.yaml

@@ -93,3 +93,7 @@ data:
   # This is an experimental feature and thus should still be considered
   # an alpha feature.
   enable-git-resolver: "false"
+  # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-cluster-resolver: "false"

config/resolvers/200-clusterrole.yaml

@@ -25,3 +25,6 @@ rules:
   - apiGroups: ["resolution.tekton.dev"]
     resources: ["resolutionrequests", "resolutionrequests/status"]
     verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["tasks", "pipelines"]
+    verbs: ["get", "list"]

config/resolvers/cluster-resolver-config.yaml

@@ -0,0 +1,32 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-resolver-config
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: resolvers
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  # The default kind to fetch.
+  default-kind: "task"
+  # The default namespace to look for resources in.
+  default-namespace: ""
+  # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed.
+  allowed-namespaces: ""
+  # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed.
+  blocked-namespaces: ""

docs/cluster-resolver.md

@@ -0,0 +1,81 @@
+# Cluster Resolver
+
+## Resolver Type
+
+This Resolver responds to type `cluster`.
+
+## Parameters
+
+| Param Name  | Description                                           | Example Value                |
+|-------------|-------------------------------------------------------|------------------------------|
+| `kind`      | The kind of resource to fetch.                        | `task`, `pipeline`           |
+| `name`      | The name of the resource to fetch.                    | `some-pipeline`, `some-task` |
+| `namespace` | The namespace in the cluster containing the resource. | `default`, `other-namespace` |
+
+## Requirements
+
+- A cluster running Tekton Pipeline v0.40.0 or later, with the `alpha` feature gate enabled.
+- The [built-in remote resolvers installed](./install.md#installing-and-configuring-remote-task-and-pipeline-resolution).
+- The `enable-cluster-resolver` feature flag set to `true`.
+
+## Configuration
+
+This resolver uses a `ConfigMap` for its settings. See
+[`../config/resolvers/cluster-resolver-config.yaml`](../config/resolvers/cluster-resolver-config.yaml)
+for the name, namespace and defaults that the resolver ships with.
+
+### Options
+
+| Option Name          | Description                                                                                                                                         | Example Values                     |
+|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
+| `default-kind`       | The default resource kind to fetch if not specified in parameters.                                                                                  | `task`, `pipeline`                 |
+| `default-namespace`  | The default namespace to fetch resources from if not specified in parameters.                                                                       | `default`, `some-namespace`        |
+| `allowed-namespaces` | An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed.      | `default,some-namespace`, (empty)  |
+| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, (empty) |       
+
+## Usage
+
+### Task Resolution
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: remote-task-reference
+spec:
+  taskRef:
+    resolver: cluster
+    params:
+    - name: kind
+      value: task
+    - name: name
+      value: some-task
+    - name: namespace
+      value: namespace-containing-task
+```
+
+### Pipeline resolution
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: remote-pipeline-reference
+spec:
+  pipelineRef:
+    resolver: cluster
+    params:
+    - name: kind
+      value: pipeline
+    - name: name
+      value: some-pipeline
+    - name: namespace
+      value: namespace-containing-pipeline
+```
+
+---
+
+Except as otherwise noted, the content of this page is licensed under the
+[Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
+and code samples are licensed under the
+[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).

docs/install.md

@@ -293,6 +293,8 @@ By default, these remote resolvers are disabled. Each resolver is enabled by set
    feature flag to `true`.
 1. [The `hub` resolver](./hub-resolver.md), enabled by setting the `enable-hub-resolver`
    feature flag to `true`.
+1. [The `cluster` resolver](./cluster-resolver.md), enabled by setting the `enable-cluster-resolver`
+   feature flag to `true`.
 
 ## Configuring CloudEvents notifications
 

docs/resolution-getting-started.md

@@ -40,6 +40,7 @@ The feature flags for the built-in resolvers are:
 * The `bundles` resolver: `enable-bundles-resolver`
 * The `git` resolver: `enable-git-resolver`
 * The `hub` resolver: `enable-hub-resolver`
+* The `cluster` resolver: `enable-cluster-resolver`
 
 ## Step 3: Try it out!
 

docs/resolution.md

@@ -13,6 +13,8 @@ For new users getting started with Tekton Pipeilne remote resolution, check out
    feature flag to `true`.
 1. [The `hub` resolver](./hub-resolver.md), enabled by setting the `enable-hub-resolver`
    feature flag to `true`.
+1. [The `cluster` resolver](./cluster-resolver.md), enabled by setting the `enable-cluster-resolver`
+   feature flag to `true`.
 
 ## Developer Howto: Writing a Resolver From Scratch
 

pkg/apis/config/feature_flags.go

@@ -66,6 +66,8 @@ const (
 	DefaultEnableHubResolver = false
 	// DefaultEnableBundlesResolver is the default value for "enable-bundles-resolver".
 	DefaultEnableBundlesResolver = false
+	// DefaultEnableClusterResolver is the default value for "enable-cluster-resolver".
+	DefaultEnableClusterResolver = false
 
 	disableAffinityAssistantKey         = "disable-affinity-assistant"
 	disableCredsInitKey                 = "disable-creds-init"
@@ -84,6 +86,8 @@ const (
 	EnableHubResolver = "enable-hub-resolver"
 	// EnableBundlesResolver is the flag used to enable the bundle remote resolver
 	EnableBundlesResolver = "enable-bundles-resolver"
+	// EnableClusterResolver is the flag used to enable the cluster remote resolver
+	EnableClusterResolver = "enable-cluster-resolver"
 )
 
 // FeatureFlags holds the features configurations
@@ -103,6 +107,7 @@ type FeatureFlags struct {
 	EnableGitResolver                bool
 	EnableHubResolver                bool
 	EnableBundleResolver             bool
+	EnableClusterResolver            bool
 }
 
 // GetFeatureFlagsConfigName returns the name of the configmap containing all
@@ -163,6 +168,9 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	if err := setFeature(EnableBundlesResolver, DefaultEnableBundlesResolver, &tc.EnableBundleResolver); err != nil {
 		return nil, err
 	}
+	if err := setFeature(EnableClusterResolver, DefaultEnableClusterResolver, &tc.EnableClusterResolver); err != nil {
+		return nil, err
+	}
 
 	// Given that they are alpha features, Tekton Bundles and Custom Tasks should be switched on if
 	// enable-api-fields is "alpha". If enable-api-fields is not "alpha" then fall back to the value of

pkg/resolution/resolver/cluster/annotations.go

@@ -0,0 +1,25 @@
+/*
+ Copyright 2022 The Tekton Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package cluster
+
+const (
+	// ResourceNameAnnotation is the annotation key for the fetched resource name
+	ResourceNameAnnotation = "name"
+	// ResourceNamespaceAnnotation is the annotation key for the fetched resource's namespace
+	ResourceNamespaceAnnotation = "namespace"
+)