| title | authors | creation-date | last-updated | status | |
|---|---|---|---|---|---|
HTTPS Connection to Triggers EventListener |
|
2020-10-19 |
2023-03-21 |
implemented |
This TEP proposes to provide flexibility to configure triggers eventlistener to support
HTTPS connection along with existing HTTP connection.
Providing inbuilt feature to support secure connection to eventlistener helps to avoid usage of any thirdparty solution and also helps trigger users to configure their events securely with few additional configurations.
- Make an additive change to the EventListener API to support
HTTPSconnection.
- Creating and maintaining certificates which are required for
HTTPSconnection.
Triggers support end to end secure HTTPS connection to eventlistener pod along with existing HTTP connections.
-
User want to replace parts of their (Jenkins) build infrastructure with a cloud-native build infrastructure, and their security requirements specify that TLS needs to be used for both communication outside the cluster and inside the cluster then having this solution would help.
-
Users using custom/inbuilt interceptors like Github want their request to have secure connection all the way to the tekton trigger eventlistener pod then that can be solved with this feature.
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
name: github-listener-interceptor
spec:
triggers:
- name: github-listener
interceptors:
- github:
secretRef:
secretName: github-secret
secretKey: secretToken
eventTypes:
- pull_request
bindings:
- ref: github-pr-binding
template:
name: github-template
resources:
kubernetesResource:
spec:
template:
spec:
serviceAccountName: tekton-triggers-github-sa
containers:
- env:
- name: TLS_CERT
valueFrom:
secretKeyRef:
name: "tls-key-secret"
key: tls.crt
- name: TLS_KEY
valueFrom:
secretKeyRef:
name: "tls-key-secret"
key: tls.keyThe main goal of this TEP is to make triggers flexible enough to configure both HTTPS and HTTP connections with simple configuration changes to EventListener.
With the help of podtemplate as part of kubernetesResource user specify following env
- TLS_CERT
- TLS_KEY
ex:
env:
- name: TLS_CERT
valueFrom:
secretKeyRef:
name: "tls-key-secret"
key: tls.crt
- name: TLS_KEY
valueFrom:
secretKeyRef:
name: "tls-key-secret"
key: tls.key1 . TLS_CERT is the reserved env where user specify value in the form of valueForm to reference secretKeyRef as
secretKeyRef:
name: "tls-key-secret"
key: tls.crtWhere
nameis the secret name.keyis the file name for certificate cert.
2 . TLS_KEY is the reserved env where user specify value in the form of valueForm to reference secretKeyRef as
secretKeyRef:
name: "tls-key-secret"
key: tls.keyWhere
nameis the secret name.keyis the file name for certificate key.
Note:
- Trigger use
/etc/triggers/tlsas mounting location and this path is not configurable by the user. - Triggers is not responsible for creating and managing certificates.
At high level below are few implementation details
- EventListener reconciler checks for env key
TLS_CERTandTLS_KEYwhere user specify created secret name which contains certificates. - Triggers eventlistener reconciler is responsible to mount provided secret inside container filesystem at particular location called
/etc/triggers/tls(which is constant) usingVolumeandVolumeMount.
- Using thirdparty solutions like service mesh.
- Writing simple sidecar which inject tls certs into the eventlistener pod.
- GitHub issue: tektoncd/triggers#650
- Implementation: tektoncd/triggers#819