Tekton pipeline validation crashes on script validation in Openshift #7756

Open
hunter-read opened this issue Mar 15, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

@hunter-read
Expected Behavior

Tekton Pipelines validation should return an error message about the validation error when OpenShift validates the YAML on save.

Actual Behavior

Tekton pipelines crashes and is returning the response Failed sync attempt to 12c3ea8e1cf1e2e2e76c61b57cad6a712ef3b5a7: one or more objects failed to apply, reason: Internal error occurred: failed calling webhook "validation.webhook.pipeline.tekton.dev": failed to call webhook: Post "https://tekton-pipelines-webhook.openshift-pipelines.svc:443/resource-validation?timeout=10s": EOF

Steps to Reproduce the Problem

  1. Create a task that takes in a script: Example:
apiVersion: tekton.dev/v1beta1
kind: Task
spec:
  params:
    - description: The yq script to execute. Can be multiple lines for complex tasks.
      name: SCRIPT
      type: string
    - description: The yq image to use.
      name: image
      type: string
  steps:
    - args:
        - '$(params.files[*])'
      image: $(params.image)
      name: yq-script
      resources: {}
      script: |
        /usr/bin/env sh
        set -e

        # For backwards compatibility with previous versions
        if [ "$(params.SCRIPT)" = "" ]; then
          for var in "$@"
          do
              /usr/bin/yq eval -i "$(params.expression)" "$var"
          done
          exit $?
        fi

        $(params.SCRIPT)
      workingDir: $(workspaces.source.path)
  workspaces:
    - description: A workspace that contains the file which needs to be altered.
      name: source
  2. Create a pipeline that uses the task and provides an invalid script
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: example-pipeline
spec:
  params:
  tasks:
    - name:  example-task
      params:
        - name: SCRIPT
          value: >
            # Do YQ things 
            export env_value_set_from_yq=$(yq '.value' config.yaml)

            echo $(env_value_set_from_yq) # The invalid code. It should be ${env_value_set_from_yq}
      taskRef:
        kind: Task
        name: yq
      workspaces:
        - name: source
          workspace: config
  workspaces:
    - name: config
  3. Save the pipeline in Openshift. This will throw an error due to the code echo $(env_value_set_from_yq). It should be ${env_value_set_from_yq} but the validation crashes with an unhelpful error.

Additional Info

  • Kubernetes version:

    Output of kubectl version:

clientVersion:
  buildDate: "2023-12-20T05:37:08Z"
  compiler: gc
  gitCommit: d4c9e3c75516a96850ac843d0384f4b1eb4f4957
  gitTreeState: clean
  gitVersion: v1.25.2
  goVersion: go1.19.13 X:strictfipsruntime
  major: "1"
  minor: "25"
  platform: linux/amd64
kustomizeVersion: v4.5.7
serverVersion:
  buildDate: "2024-01-02T19:08:18Z"
  compiler: gc
  gitCommit: f5b7c3e8faedd51935d77828a5fc72c7540236f4
  gitTreeState: clean
  gitVersion: v1.25.16+5c97f5b
  goVersion: go1.19.13 X:strictfipsruntime
  major: "1"
  minor: "25"
  platform: linux/amd64
  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

Client version: 0.28.0
Chains version: v0.20.0
Pipeline version: v0.56.1
Triggers version: v0.26.1
Operator version: v0.70.1
@hunter-read hunter-read added the kind/bug Categorizes issue or PR as related to a bug. label Mar 15, 2024
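
The mix-up described in step 3, as an added example that is not part of the issue or of Tekton's code: a pre-save lint that flags bare `$(name)` tokens lacking a Tekton variable prefix, while leaving shell command substitutions such as `$(yq '.value' config.yaml)` alone. The regex, the prefix list and the function name are assumptions made for illustration, not Tekton's validation logic.

```python
import re

# Assumption: a "$(...)" whose body is a bare dotted identifier (no spaces,
# quotes or pipes) is the form that can be read as a Tekton variable reference.
# This pattern is illustrative, not Tekton's own validation regex.
BARE_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_.-]*(?:\[[^\]\s]*\])?)\)")

# Assumption: non-exhaustive list of first path segments used by Tekton variables.
KNOWN_PREFIXES = {"params", "workspaces", "tasks", "context", "results", "steps"}


def find_suspect_refs(manifest_text):
    """Return (line_number, token) for bare $(name) tokens without a known prefix."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        for match in BARE_REF.finditer(line):
            body = match.group(1)
            # First path segment, e.g. "params" in "params.files[*]".
            first = re.split(r"[.\[]", body, maxsplit=1)[0]
            if first not in KNOWN_PREFIXES:
                findings.append((lineno, match.group(0)))
    return findings


# Constructed sample: the SCRIPT value from the issue's pipeline plus two
# references taken from the issue's task.
SAMPLE = """\
params:
  - name: SCRIPT
    value: >
      export env_value_set_from_yq=$(yq '.value' config.yaml)

      echo $(env_value_set_from_yq)
workingDir: $(workspaces.source.path)
args:
  - '$(params.files[*])'
"""

if __name__ == "__main__":
    for lineno, token in find_suspect_refs(SAMPLE):
        print(f"line {lineno}: {token} has no Tekton variable prefix; "
              f"use ${{name}} for shell variables")
```
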
@the-it-jaeger
Thank you for reporting this.
