Add extra display columns for resource resolution

Add start and end time, as well as details about the owner resource to to the resource requests. Example: NAME OWNERKIND OWNER SUCCEEDED REASON STARTTIME ENDTIME git-40e5840171b418bcbd0bfa73defec338 TaskRun git-resolver-p75s8 True 2022-10-05T09:16:08Z 2022-10-05T09:16:10Z git-6ecf81c8e0b418bcbd0c05c1bc3cd0c5 TaskRun git-resolver-tmvqd True 2022-10-05T09:11:20Z 2022-10-05T09:11:22Z git-e97b40047eb418bcbd0be5341ed71802 TaskRun git-resolver-xdq55 False ResolutionFailed 2022-10-05T09:19:51Z 2022-10-05T09:19:52Z Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com> Bump google.golang.org/grpc from 1.50.0 to 1.50.1 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Migrate PipelineRun Reconciler__TestReconcileTaskResolutionError Signed-off-by: xin.li <xin.li@daocloud.io> Remove minimal-release.yaml and resolvers.yaml Closes tektoncd#5607 After discussion, we've decided to get rid of the separate `resolvers.yaml` and the resolver-less `minimal-release.yaml`. Signed-off-by: Andrew Bayer <andrew.bayer@gmail.com> Bump k8s.io/apimachinery from 0.25.2 to 0.25.3 Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.25.2 to 0.25.3. - [Release notes](https://github.com/kubernetes/apimachinery/releases) - [Commits](kubernetes/apimachinery@v0.25.2...v0.25.3) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Bump k8s.io/api from 0.25.2 to 0.25.3 Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.25.2 to 0.25.3. - [Release notes](https://github.com/kubernetes/api/releases) - [Commits](kubernetes/api@v0.25.2...v0.25.3) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Bump k8s.io/client-go from 0.25.2 to 0.25.3 Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.25.2 to 0.25.3. - [Release notes](https://github.com/kubernetes/client-go/releases) - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.25.2...v0.25.3) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> resolution/framework : inject the request name in the context Similar to the namespace, it might be of interest for the resolver to get access to its name, as well as the namespace. Today this is only the case for the namespace. On possible use case for this is, if the resolver wants to create another kubernetes object and set owner reference on it. Signed-off-by: Vincent Demeester <vdemeest@redhat.com> CSI workspace to Beta This commit removes the alpha feature gate for the csi workspace so that it becomes a beta feature. Remove PipelineRun cancelation of Runs when Pipeline Task timeout is reached TestWaitCustomTask_PipelineRun/Wait_Task_Retries_on_Timeout has been flaky for a while. This commit stops the PipelineRun reconciler from cancelling Run when it detects that the task-level Timeout configured for the Run has passed, which will address the flake (similar to tektoncd#5134 which addresses TestPipelineRunTimeout). Bump github.com/containerd/containerd from 1.6.8 to 1.6.9 Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.6.8 to 1.6.9. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.6.8...v1.6.9) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Bump github.com/google/go-containerregistry from 0.11.0 to 0.12.0 Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.11.0 to 0.12.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.11.0...v0.12.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Bump github.com/sigstore/sigstore from 1.4.4 to 1.4.5 Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.4.4 to 1.4.5. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.4.4...v1.4.5) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> fix tekton documentation contributor`s guide link Add Beta feature gate for projected workspace This commit adds the Beta feature gate for projected workspace in v1. [TEP-0115] Support Artifact Hub in Hub Resolver Part of [issues/667]. This commit adds support to resolve catalog resource from the [Artifact Hub] while keeping current functionality of fetching resources from Tekton Hub. - Change 1: The commit adds a new field `type` to the hub resolver indicating the type of the Hub to pull the resource from. The value can be set to `tekton` or `artifact`. By default, the resolver fetches resources from `https://artifacthub.io/` when setting `type` to `" artifact"`, and fetches resources from user's private instance of Tekton Hub when setting `type` to `"tekton"`. - Change 2: Prior to this change, the hub resolver only supports pulling resources from the Tekton Hub. This commit updates the default hub type to `artifact` since the [Artifact Hub][Artifact Hub] will be the main entrypoint for Tekton Catalogs in the future. - Change 3: Prior to this change, the default Tekton Hub URL is: `https://api.hub.tekton.dev`. This commit removes the default value of the Tekton Hub URL and enforces users to configure their own instance of Tekton Hub since the public instance `https://api.hub.tekton.dev` will be deprecated after the migration to Artifact Hub is done. /kind feature [Artifact Hub]: https://artifacthub.io/ [issues/667]: tektoncd/hub#667 [TEP-0089] Modify entrypoint to sign the results. Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.2 above. Bump HorizontalPodAutoscaler apiVersion to v2 Before this, we get a warning when applying the HPA: Warning: autoscaling/v2beta1 HorizontalPodAutoscaler is deprecated in v1.22+, unavailable in v1.25+; use autoscaling/v2 HorizontalPodAutoscaler This also bumps the min version to 1.23. Signed-off-by: Vincent Demeester <vdemeest@redhat.com> [TEP-0089] Enable SPIRE for signing taskrun results in alpha. Breaking down PR tektoncd#4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above.
jagathprakash · Nov 2, 2022 · d41a4e8 · d41a4e8
1 parent 07bf470
commit d41a4e8
Show file tree

Hide file tree

Showing 204 changed files with 19,554 additions and 2,536 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -36,7 +36,7 @@ For support in contributing to specific areas, contact the relevant [Tekton Pipe
 ## Contributing to Tekton documentation
 
 If you want to contribute to Tekton documentation, see the
-[Tekton Documentation Contributor's Guide](https://github.com/tektoncd/website/blob/main/content/en/doc-con-main.md).
+[Tekton Documentation Contributor's Guide](https://github.com/tektoncd/website/blob/main/content/en/docs/Contribute/_index.md).
 
 This guide describes:
 - The contribution process for documentation

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -62,12 +62,20 @@ func main() {
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
 	flag.StringVar(&opts.Images.WorkingDirInitImage, "workingdirinit-image", "", "The container image containing our working dir init binary.")
 
+	flag.StringVar(&opts.SpireConfig.TrustDomain, "spire-trust-domain", "example.org", "Experimental: The SPIRE Trust domain to use.")
+	flag.StringVar(&opts.SpireConfig.SocketPath, "spire-socket-path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+	flag.StringVar(&opts.SpireConfig.ServerAddr, "spire-server-addr", "spire-server.spire.svc.cluster.local:8081", "Experimental: The SPIRE server address for workload/node registration.")
+	flag.StringVar(&opts.SpireConfig.NodeAliasPrefix, "spire-node-alias-prefix", "/tekton-node/", "Experimental: The SPIRE node alias prefix to use.")
+
 	// This parses flags.
 	cfg := injection.ParseAndGetRESTConfigOrDie()
 
 	if err := opts.Images.Validate(); err != nil {
 		log.Fatal(err)
 	}
+	if err := opts.SpireConfig.Validate(); err != nil {
+		log.Fatal(err)
+	}
 	if cfg.QPS == 0 {
 		cfg.QPS = 2 * rest.DefaultQPS
 	}

diff --git a/cmd/entrypoint/README.md b/cmd/entrypoint/README.md
@@ -30,6 +30,12 @@ The following flags are available:
   same value as `{{stdout_path}}` so both streams are copied to the same
   file. However, there is no ordering guarantee on data copied from both
   streams.
+- `-enable_spire`: If set will enable signing of the results by SPIRE. Signing
+  results by SPIRE ensures that no process other than the current process can
+  tamper the results and go undetected.
+- `-spire_socket_path`: This flag makes sense only when enable_spire is set. 
+  When enable_spire is set, spire_socket_path is used to point to the
+  SPIRE agent socket for SPIFFE workload API.
 
 Any extra positional arguments are passed to the original entrypoint command.
 

diff --git a/cmd/entrypoint/main.go b/cmd/entrypoint/main.go
@@ -34,6 +34,8 @@ import (
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 )
 
@@ -51,6 +53,8 @@ var (
 	onError             = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
+	enableSpire     = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath      = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 const (
@@ -131,6 +135,14 @@ func main() {
 		}
 	}
 
+	var spireWorkloadAPI spire.EntrypointerAPIClient
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+		spireWorkloadAPI = spire.NewEntrypointerAPIClient(&spireConfig)
+	}
+
 	e := entrypoint.Entrypointer{
 		Command:         append(cmd, commandArgs...),
 		WaitFiles:       strings.Split(*waitFiles, ","),
@@ -148,6 +160,7 @@ func main() {
 		BreakpointOnFailure: *breakpointOnFailure,
 		OnError:             *onError,
 		StepMetadataDir:     *stepMetadataDir,
+		SpireWorkloadAPI:    spireWorkloadAPI,
 	}
 
 	// Copy any creds injected by the controller into the $HOME directory of the current

diff --git a/cmd/imagedigestexporter/main.go b/cmd/imagedigestexporter/main.go
@@ -17,9 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 	"knative.dev/pkg/logging"
 
@@ -31,6 +34,8 @@ import (
 var (
 	images                 = flag.String("images", "", "List of images resources built by task in json format")
 	terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message")
+	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
 )
 
 /* The input of this go program will be a JSON string with all the output PipelineResources of type
@@ -76,6 +81,21 @@ func main() {
 
 	}
 
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		ctx := context.Background()
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+
+		spireWorkloadAPI := spire.NewEntrypointerAPIClient(&spireConfig)
+		signed, err := spireWorkloadAPI.Sign(ctx, output)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		output = append(output, signed...)
+	}
+
 	if err := termination.WriteMessage(*terminationMessagePath, output); err != nil {
 		logger.Fatalf("Unexpected error writing message %s to %s", *terminationMessagePath, err)
 	}

diff --git a/cmd/resolvers/main.go b/cmd/resolvers/main.go
@@ -33,21 +33,26 @@ import (
 
 func main() {
 	ctx := filteredinformerfactory.WithSelectors(signals.NewContext(), v1alpha1.ManagedByLabelKey)
-
-	apiURL := os.Getenv("HUB_API")
-	hubURL := hub.DefaultHubURL
-	if apiURL == "" {
-		hubURL = hub.DefaultHubURL
-	} else {
-		if !strings.HasSuffix(apiURL, "/") {
-			apiURL += "/"
-		}
-		hubURL = apiURL + hub.YamlEndpoint
-	}
+	tektonHubURL := buildHubURL(os.Getenv("TEKTON_HUB_API"), "", hub.TektonHubYamlEndpoint)
+	artifactHubURL := buildHubURL(os.Getenv("ARTIFACT_HUB_API"), hub.DefaultArtifactHubURL, hub.ArtifactHubYamlEndpoint)
 
 	sharedmain.MainWithContext(ctx, "controller",
 		framework.NewController(ctx, &git.Resolver{}),
-		framework.NewController(ctx, &hub.Resolver{HubURL: hubURL}),
+		framework.NewController(ctx, &hub.Resolver{TektonHubURL: tektonHubURL, ArtifactHubURL: artifactHubURL}),
 		framework.NewController(ctx, &bundle.Resolver{}),
 		framework.NewController(ctx, &cluster.Resolver{}))
 }
+
+func buildHubURL(configAPI, defaultURL, yamlEndpoint string) string {
+	var hubURL string
+	if configAPI == "" {
+		hubURL = defaultURL
+	} else {
+		if !strings.HasSuffix(configAPI, "/") {
+			configAPI += "/"
+		}
+		hubURL = configAPI + yamlEndpoint
+	}
+
+	return hubURL
+}
diff --git a/config/300-resolutionrequest.yaml b/config/300-resolutionrequest.yaml
@@ -73,9 +73,21 @@ spec:
           # See issue: https://github.com/knative/serving/issues/912
           x-kubernetes-preserve-unknown-fields: true
       additionalPrinterColumns:
+        - name: OwnerKind
+          type: string
+          jsonPath: ".metadata.ownerReferences[0].kind"
+        - name: Owner
+          type: string
+          jsonPath: ".metadata.ownerReferences[0].name"
         - name: Succeeded
           type: string
           jsonPath: ".status.conditions[?(@.type=='Succeeded')].status"
         - name: Reason
           type: string
           jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason"
+        - name: StartTime
+          type: string
+          jsonPath: .metadata.creationTimestamp
+        - name: EndTime
+          type: string
+          jsonPath: .status.conditions[?(@.type=='Succeeded')].lastTransitionTime
diff --git a/config/config-feature-flags.yaml b/config/config-feature-flags.yaml
@@ -81,3 +81,7 @@ data:
   # Setting this flag to "true" enables CloudEvents for Runs, as long as a
   # CloudEvents sink is configured in the config-defaults config map
   send-cloudevents-for-runs: "false"
+  # Setting this flag to "true" enables spire integration with pipeline.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-spire: "false"
diff --git a/config/resolvers/hubresolver-config.yaml b/config/resolvers/hubresolver-config.yaml
@@ -22,7 +22,13 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
 data:
-  # the default catalog from where to pull the resource.
-  default-catalog: "Tekton"
-  # The default layer kind in the hub image.
+  # the default Tekton Hub catalog from where to pull the resource.
+  default-tekton-hub-catalog: "Tekton"
+  # the default Artifact Hub Task catalog from where to pull the resource.
+  default-artifact-hub-task-catalog: "tekton-catalog-tasks"
+  # the default Artifact Hub Pipeline catalog from where to pull the resource.
+  default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines"
+  # the default layer kind in the hub image.
   default-kind: "task"
+  # the default hub source to pull the resource from.
+  default-type: "artifact"
diff --git a/config/resolvers/resolvers-deployment.yaml b/config/resolvers/resolvers-deployment.yaml
@@ -93,8 +93,8 @@ spec:
         - name: METRICS_DOMAIN
           value: tekton.dev/resolution
         # Override this env var to set a private hub api endpoint
-        - name: HUB_API
-          value: "https://api.hub.tekton.dev/"
+        - name: ARTIFACT_HUB_API
+          value: "https://artifacthub.io/"
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true

diff --git a/config/webhook-hpa.yaml b/config/webhook-hpa.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: tekton-pipelines-webhook
@@ -38,4 +38,6 @@ spec:
     - type: Resource
       resource:
         name: cpu
-        targetAverageUtilization: 100
+        target:
+          type: Utilization
+          averageUtilization: 100
diff --git a/docs/enabling-ha.md b/docs/enabling-ha.md
@@ -86,7 +86,7 @@ kubectl -n tekton-pipelines scale deployment tekton-pipelines-webhook --replicas
 You can also modify the [HorizontalPodAutoscaler](./../config/webhook-hpa.yaml) to set a minimum number of replicas:
 
 ```yaml
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: tekton-pipelines-webhook

diff --git a/docs/hub-resolver.md b/docs/hub-resolver.md
@@ -6,10 +6,13 @@ Use resolver type `hub`.
 
 | Param Name       | Description                                                                   | Example Value                                              |
 |------------------|-------------------------------------------------------------------------------|------------------------------------------------------------|
-| `catalog`        | The catalog from where to pull the resource (Optional)                        | Default:  `Tekton`                                         |
-| `kind`           | Either `task` or `pipeline`                                                   | `task`                                                     |
+| `catalog`        | The catalog from where to pull the resource (Optional)                        | Default:  `tekton-catalog-tasks` (for `task` kind);  `tekton-catalog-pipelines` (for `pipeline` kind)                                        |
+| `type`           | The type of Hub from where to pull the resource (Optional). Either `artifact` or `tekton` | Default:  `artifact`                                         |
+| `kind`           | Either `task` or `pipeline` (Optional)                                        | Default: `task`                                                     |
 | `name`           | The name of the task or pipeline to fetch from the hub                        | `golang-build`                                             |
-| `version`        | Version of task or pipeline to pull in from hub. Wrap the number in quotes!   | `"0.5"`                                                    |
+| `version`        | Version of task or pipeline to pull in from hub. Wrap the number in quotes!   | `"0.5.0"`                                                    |
+
+The Catalogs in the Artifact Hub follows the semVer (i.e.` <major-version>.<minor-version>.0`) and the Catalogs in the Tekton Hub follows the simplified semVer (i.e. `<major-version>.<minor-version>`). Both full and simplified semantic versioning will be accepted by the `version` parameter. The Hub Resolver will map the version to the format expected by the target Hub `type`.
 
 ## Requirements
 
@@ -26,25 +29,44 @@ for the name, namespace and defaults that the resolver ships with.
 
 ### Options
 
-| Option Name       | Description                                          | Example Values     |
-|-------------------|------------------------------------------------------|--------------------|
-| `default-catalog` | The default catalog from where to pull the resource. | `tekton`           |
-| `default-kind`    | The default object kind for references.              | `task`, `pipeline` |
+| Option Name                 | Description                                          | Example Values         |
+|-----------------------------|------------------------------------------------------|------------------------|
+| `default-tekton-hub-catalog`| The default tekton hub catalog from where to pull the resource.| `Tekton`               |
+| `default-artifact-hub-task-catalog`| The default artifact hub catalog from where to pull the resource for task kind.| `tekton-catalog-tasks`               |
+| `default-artifact-hub-pipeline-catalog`| The default artifact hub catalog from where to pull the resource for pipeline kind.  | `tekton-catalog-pipelines`               |
+| `default-kind`              | The default object kind for references.              | `task`, `pipeline`     |
+| `default-type`              | The default hub from where to pull the resource.     | `artifact`, `tekton`   |
 
 
 ### Configuring the Hub API endpoint
 
-By default this resolver will hit the public hub api at https://hub.tekton.dev/
+The Hub Resolver supports to resolve resources from the [Artifact Hub](https://artifacthub.io/) and the [Tekton Hub](https://hub.tekton.dev/),
+which can be configured by setting the `type` field of the resolver. 
+
+*(Please note that the [Tekton Hub](https://hub.tekton.dev/) will be deprecated after [migration to the Artifact Hub](https://github.com/tektoncd/hub/issues/667) is done.)*
+
+When setting the `type` field to `artifact`, the resolver will hit the public hub api at https://artifacthub.io/ by default
 but you can configure your own (for example to use a private hub
-instance) by setting the `HUB_API` environment variable in
+instance) by setting the `ARTIFACT_HUB_API` environment variable in
+[`../config/resolvers/resolvers-deployment.yaml`](../config/resolvers/resolvers-deployment.yaml). Example:
+
+```yaml
+env
+- name: ARTIFACT_HUB_API
+  value: "https://artifacthub.io/"
+```
+
+When setting the `type` field to `tekton`, you **must** configure your own instance of the Tekton Hub by setting the `TEKTON_HUB_API` environment variable in
 [`../config/resolvers/resolvers-deployment.yaml`](../config/resolvers/resolvers-deployment.yaml). Example:
 
 ```yaml
 env
-- name: HUB_API
-  value: "https://api.hub.tekton.dev/"
+- name: TEKTON_HUB_API
+  value: "https://api.private.hub.instance.dev"
 ```
 
+The Tekton Hub deployment guide can be found [here](https://github.com/tektoncd/hub/blob/main/docs/DEPLOYMENT.md).
+
 ## Usage
 
 ### Task Resolution
@@ -59,7 +81,9 @@ spec:
     resolver: hub
     params:
     - name: catalog # optional
-      value: Tekton
+      value: tekton-catalog-tasks
+    - name: type # optional
+      value: artifact 
     - name: kind
       value: task
     - name: name
@@ -80,7 +104,9 @@ spec:
     resolver: hub
     params:
     - name: catalog # optional
-      value: Tekton 
+      value: tekton-catalog-pipelines 
+    - name: type # optional
+      value: artifact
     - name: kind
       value: pipeline
     - name: name