TEP-0164: Tekton Artifacts Phase 2 — External Storage for Artifacts and Results

[vdemeester]

Summary

This TEP extends TEP-0147 (Tekton Artifacts Phase 1) with external storage backends, unifying two related problems:

1. Larger Results — Overcoming the 4KB/12KB termination message limits and ~1.5MB CRD size constraints
2. Trusted Artifacts — Establishing a chain of trust for data shared between Tasks (TEP-0139)

Approach

Rather than three separate TEPs solving overlapping problems, this TEP unifies TEP-0147's provenance structure + TEP-0139's Artifact API + external storage backends into a single design.

Key design decisions:

• Extends TEP-0147 — adds StorageRef, Size, Inline fields to existing ArtifactValue type
• Adopts TEP-0139's declarative API — spec.artifacts.inputs/outputs on Tasks with $(inputs.name.path) / $(outputs.name.path) variables
• OCI-first backend — OCI registry is the only Phase 1 backend, leveraging existing imagePullSecrets for auth and OCI referrers for PipelineRun grouping
• Entrypoint + init container — transparent upload/download/verify without injected Steps or sidecars
• Reference-based — only URI + digest stored in TaskRun status; content lives in external storage
• Pipeline-level artifact binding — artifacts.inputs[].from: tasks.producer.outputs.foo with implicit DAG edges
• Konflux CI compatible — OCI artifact format aligned with build-trusted-artifacts (ADR-0036)

OCI-First Implementation

Phase 1 focuses exclusively on OCI registry as the storage backend because:

• Every Kubernetes cluster already has access to an OCI registry
• Konflux CI uses OCI for trusted artifacts in production
• Tekton Chains already stores attestations in OCI registries
• Content-addressable storage provides native deduplication and caching
• Auth reuses existing ServiceAccount imagePullSecrets — zero additional credential config in many setups

The TEP specifies the OCI artifact format: manifest structure, media types, multi-file archiving, PipelineRun grouping via OCI referrers, and tagging conventions.

Additional backends (S3, GCS, PVC) are deferred to Phase 2 behind a Provider interface.

Repository Configuration

OCI repository path is configurable at 4 levels (highest priority first):

Priority	Source	Use Case
1	PipelineRun annotations	Caller-controlled, per-invocation
2	Pipeline annotations	Pipeline author default
3	Namespace ConfigMap (TEP-0085)	Team/project isolation
4	Cluster ConfigMap	Cluster default

Use Cases

• Multi-image build pipelines (Konflux) — pass 20+ image references between build and signing Tasks
• SBOM generation — store large SBOMs externally, reference by digest in attestations (solves Rekor size limits)
• ML model passing (Kubeflow Pipelines on Tekton) — pass datasets, models, metrics between pipeline steps
• Test results processing — large JUnit XML output consumed by reporting Tasks

Convergence Vision

The TEP includes a future work section describing the path toward unified spec.inputs/spec.outputs in a future API v2, where params, results, and artifacts converge into a single model.

Related

• Extends: TEP-0147 (Artifacts Phase 1 — implemented, alpha)
• Implements goals of: TEP-0139 (Trusted Artifacts)
• Alternative to: TEP-0127 (Sidecar Logs)
• References: TEP-0085 (Per-namespace config)
• Addresses: Changing the way Result Parameters are stored. pipeline#4012, Results, TerminationMessage and Containers pipeline#4808, Feature: Task provenance output pipeline#6326, Enable larger results without a sidecar on every TaskRun pipeline#8448

/kind tep

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from vdemeester after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• teps/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[arewm]

I haven't done a comprehensive review, but some initial comments.

[arewm]

Do you envision that this is a real use case? I wouldn't expect that a SBOM is exposed in a result as text. Instead, I would expect that SBOMs are stored elsewhere and just referenced. This way, SBOM producers have the ability to do additional things like sign the SBOM as a protection against its integrity.

[arewm]

Is this about exposing all arch-specific manifests that are produced in a multi-arch image? If so, I think we can clarify that. Tasks may want to expose results for each related digest produced which can include an OCI Image Index as well as multiple OCI Image Manifests.

[arewm]

Do you envision that this is a real use case? I wouldn't expect that a SBOM is exposed in a result as text. Instead, I would expect that SBOMs are stored elsewhere and just referenced. This way, SBOM producers have the ability to do additional things like sign the SBOM as a protection against its integrity.

This would be one task producing an SBOM and another one signing/attesting it? Would we expect this to happen as separate tasks or would it make more sense to happen as separate steps?

[arewm]

Would you envision that this is most likely to be used for overriding the configuration if an OCI registry is leveraged?

[vdemeester]

Yes, but also maybe switch backend from one namespace to the others.

[arewm]

Reading into this use case a little more, do perceive that this is used strictly for string-like parameters? Or would this be able to be used for passing arbitrary data between tasks (i.e. an implementation of TEP 0139-trusted-artifacts)?

[arewm]

Will this update the status of the CR?

[arewm]

What do you mean by this? How does this differ from the prior behavior of PipelineRun results?

[arewm]

How would this interact with clusters that have caching configured? If an OCI backend is used, for example, would it be possible for a cluster to cache the result that it pushes so that we would be able to get cache-hits when fetching the large result?

[arewm]

Would it be possible to have a per-pipelinerun configuration as well (i.e. based on credentials linked to the Service Accounts)?

[arewm]

Storing a lot of results can be hard to process in an OCI registry if a user might want to go look at it. Do you think it would be reasonable to keep all results "together" for a PipelineRun? This might look like producing a single "reference" OCI artifact for the PipelineRun and then attaching individual results to that? One could even generate recursive referring objects where you have TaskRun "reference" artifacts attached to the PipelineRun upon TaskRun initialization.

[vdemeester]

/wip

[tekton-robot]

The following Tekton test failed:

Test name	Commit	Details	Required	Rerun command
pull-community-teps-lint	3d33001	link	true	/test pull-community-teps-lint