Konflux 归档 PipelineRun 访问指南：检索 Tekton CI/CD 日志与结果

Konflux Archived PipelineRuns by openshift/hypershift

515 GitHub Stars

安装命令

npx skills add https://github.com/openshift/hypershift --skill 'Konflux Archived PipelineRuns'

🇨🇳中文介绍

Konflux 归档 PipelineRun 访问

此技能提供了访问由 kube archiver 归档的 Konflux PipelineRun 的工作流程。PipelineRun 在完成后会迅速被归档，通常无法通过 oc get 命令获取。请使用 KubeArchive REST API 来检索 PipelineRun 详情、TaskRun 结果和 Pod 日志。

何时使用此技能

此技能在以下情况下会自动应用：

检查任何已完成的 Konflux PipelineRun 的结果时
调查 Konflux 企业合约检查失败时
从已完成的 Konflux CI 构建或测试中检索日志时
分析 CI 中的可信任务违规时
查看 GitHub PR 上的 Konflux 检查结果时
在 Konflux 命名空间中通过 oc get 找不到 PipelineRun 时

架构

HyperShift 上的 Konflux CI

命名空间： crt-redhat-acm-tenant
集群： api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443
PipelineRun 会由 kube archiver 快速归档，通常无法通过 oc get 命令获取

KubeArchive

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

获取归档的 PipelineRun

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/pipelineruns/<PIPELINERUN_NAME>"

子 TaskRun 的引用位于 status.childReferences 中：

data['status']['childReferences']  # list of {name, kind, apiVersion, pipelineTaskName}

获取归档的 TaskRun

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/taskruns/<TASKRUN_NAME>"

TaskRun 结果位于 status.results 中。

查找 TaskRun 对应的 Pod

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods?labelSelector=tekton.dev/taskRun=<TASKRUN_NAME>"

首先从 Pod 规格（spec.initContainers 和 spec.containers）中列出可用的容器，然后获取日志：

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods/<POD_NAME>/log?container=<CONTAINER_NAME>"

从 GitHub 识别失败的 EC 检查

HEAD_SHA=$(gh pr view <PR> --repo openshift/hypershift --json headRefOid -q .headRefOid)

# 查找失败的 EC 检查运行
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
  --jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | {name: .name, id: .id}'

# 从检查输出中获取 PipelineRun 名称
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
  --jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | .output.text'

PipelineRun 名称会出现在输出文本的 <a href="..."> 标签中。

EC 验证任务 Pod 容器

EC 验证任务 Pod 包含以下具有有用输出的容器：

step-report-json - 包含所有违规的结构化 JSON（推荐）
step-summary - 人类可读的摘要
step-detailed-report - 详细报告

EC JSON 报告结构

{
  "success": false,
  "components": [{
    "name": "component-name",
    "containerImage": "quay.io/...",
    "violations": [{
      "msg": "Human-readable message",
      "metadata": {
        "code": "rule.code.name",
        "title": "Rule title",
        "description": "Rule description",
        "solution": "How to fix"
      }
    }]
  }]
}

按 metadata.code 对违规进行分组，并提供包含计数、规则名称和个别消息的摘要。

常见的 EC 违规类型

`tasks.required_untrusted_task_found`

存在必需的任务，但该任务未从受信任的版本解析。通过更新 .tekton/ 流水线文件中的任务引用来修复。

`trusted_task.trusted`

任务版本不在受信任的任务列表中。违规消息包含需要升级到的 SHA。通过更新 .tekton/ 流水线文件中的任务摘要来修复。

oc whoami -t 失败： 用户必须使用 oc login 登录到 Konflux 集群
KubeArchive /livez 失败： 检查 oc 是否已登录到正确的集群（api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443）
KubeArchive 对资源返回 404： 可能尚未归档；请直接在命名空间 crt-redhat-acm-tenant 中尝试 oc get
Pod 日志返回 "no logs found"： 日志可能已被清除；回退到 TaskRun 结果以获取摘要
未找到失败的 EC 检查： 报告所有 EC 检查均已通过

🇺🇸English

Konflux Archived PipelineRun Access

This skill provides the workflow for accessing Konflux PipelineRuns that have been archived by the kube archiver. PipelineRuns are archived quickly after completion and are typically NOT available via oc get. Use the KubeArchive REST API to retrieve PipelineRun details, TaskRun results, and pod logs.

When to Use This Skill

This skill automatically applies when:

Checking results of any completed Konflux PipelineRun
Investigating Konflux enterprise contract check failures
Retrieving logs from finished Konflux CI builds or tests
Analyzing trusted task violations in CI
Looking at Konflux check results on GitHub PRs
A PipelineRun is not found via oc get in the Konflux namespace

Architecture

Konflux CI on HyperShift

Namespace: crt-redhat-acm-tenant
Cluster: api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443
PipelineRuns are archived quickly by kube archiver and are typically NOT available via oc get

KubeArchive

Archived PipelineRuns, TaskRuns, pods, and pod logs are accessible through the KubeArchive REST API:

KA_HOST="https://kubearchive-api-server-product-kubearchive.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com"

Authentication uses the oc token:

curl -s -H "Authorization: Bearer $(oc whoami -t)" "${KA_HOST}/livez"

Accessing Archived Resources

Fetch an Archived PipelineRun

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/pipelineruns/<PIPELINERUN_NAME>"

Child TaskRun references are in status.childReferences:

data['status']['childReferences']  # list of {name, kind, apiVersion, pipelineTaskName}

Fetch an Archived TaskRun

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/apis/tekton.dev/v1/namespaces/crt-redhat-acm-tenant/taskruns/<TASKRUN_NAME>"

TaskRun results are in status.results.

Find Pods for a TaskRun

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods?labelSelector=tekton.dev/taskRun=<TASKRUN_NAME>"

Fetch Pod Logs

List available containers first from the pod spec (spec.initContainers and spec.containers), then fetch logs:

curl -s -H "Authorization: Bearer $(oc whoami -t)" \
  "${KA_HOST}/api/v1/namespaces/crt-redhat-acm-tenant/pods/<POD_NAME>/log?container=<CONTAINER_NAME>"

Enterprise Contract Violations

Identifying Failing EC Checks from GitHub

HEAD_SHA=$(gh pr view <PR> --repo openshift/hypershift --json headRefOid -q .headRefOid)

# Find failing EC check runs
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
  --jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | {name: .name, id: .id}'

# Get PipelineRun names from check output
gh api repos/openshift/hypershift/commits/${HEAD_SHA}/check-runs --paginate \
  --jq '.check_runs[] | select(.name | test("enterprise-contract")) | select(.conclusion == "failure") | .output.text'

The PipelineRun name appears in an <a href="..."> tag in the output text.

EC Verify Task Pod Containers

The EC verify task pod has these containers with useful output:

step-report-json - Structured JSON with all violations (preferred)
step-summary - Human-readable summary
step-detailed-report - Detailed report

EC JSON Report Structure

{
  "success": false,
  "components": [{
    "name": "component-name",
    "containerImage": "quay.io/...",
    "violations": [{
      "msg": "Human-readable message",
      "metadata": {
        "code": "rule.code.name",
        "title": "Rule title",
        "description": "Rule description",
        "solution": "How to fix"
      }
    }]
  }]
}

Group violations by metadata.code and present a summary with counts, rule names, and individual messages.

Common EC Violation Types

`tasks.required_untrusted_task_found`

A required task is present but not resolved from a trusted version. Fix by updating the task reference in .tekton/ pipeline files.

`trusted_task.trusted`

A task version is not in the trusted task list. The violation message includes the required SHA to upgrade to. Fix by updating task digests in .tekton/ pipeline files.

Error Handling

oc whoami -t fails: User must log in to the Konflux cluster with oc login
KubeArchive/livez fails: Check that oc is logged in to the correct cluster (api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443)
KubeArchive returns 404 for a resource: May not be archived yet; try oc get directly in namespace crt-redhat-acm-tenant
Pod logs return "no logs found": Logs may have been purged; fall back to TaskRun results for the summary
No failing EC checks found: Report that all EC checks passed

Weekly Installs

–

Repository

openshift/hypershift

GitHub Stars

515

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

107,900 周安装

Konflux 归档 PipelineRun 访问指南：检索 Tekton CI/CD 日志与结果

🇨🇳中文介绍

Konflux 归档 PipelineRun 访问

何时使用此技能

架构

HyperShift 上的 Konflux CI

KubeArchive

相关 Skills

访问归档资源

获取归档的 PipelineRun

获取归档的 TaskRun

查找 TaskRun 对应的 Pod

获取 Pod 日志

企业合约违规

从 GitHub 识别失败的 EC 检查

EC 验证任务 Pod 容器

EC JSON 报告结构

常见的 EC 违规类型

tasks.required_untrusted_task_found

trusted_task.trusted

错误处理

🇺🇸English

Konflux Archived PipelineRun Access

When to Use This Skill

Architecture

Konflux CI on HyperShift

KubeArchive

Accessing Archived Resources

Fetch an Archived PipelineRun

Fetch an Archived TaskRun

Find Pods for a TaskRun

Fetch Pod Logs

Enterprise Contract Violations

Identifying Failing EC Checks from GitHub

EC Verify Task Pod Containers

EC JSON Report Structure

Common EC Violation Types

tasks.required_untrusted_task_found

trusted_task.trusted

Error Handling

最新 Skills

`tasks.required_untrusted_task_found`

`trusted_task.trusted`

`tasks.required_untrusted_task_found`

`trusted_task.trusted`