Skip to content

Commit

Permalink
Allow secure connection to eventlistener pod
Browse files Browse the repository at this point in the history
  • Loading branch information
savitaashture committed Nov 13, 2020
1 parent 58269c7 commit 604c8d1
Show file tree
Hide file tree
Showing 7 changed files with 495 additions and 164 deletions.
10 changes: 8 additions & 2 deletions cmd/eventlistenersink/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,13 @@ func main() {
Handler: mux,
}

if err := srv.ListenAndServe(); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
if sinkArgs.Cert == "" && sinkArgs.Key == "" {
if err := srv.ListenAndServe(); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
}
} else {
if err := srv.ListenAndServeTLS(sinkArgs.Cert, sinkArgs.Key); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
}
}
}
57 changes: 57 additions & 0 deletions docs/eventlisteners.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ using [Event Interceptors](#Interceptors).
- [Multiple EventListeners (One EventListener Per Namespace)](#multiple-eventlisteners-one-eventlistener-per-namespace)
- [Multiple EventListeners (Multiple EventListeners per Namespace)](#multiple-eventlisteners-multiple-eventlisteners-per-namespace)
- [ServiceAccount per EventListenerTrigger](#serviceaccount-per-eventlistenertrigger)
- [EventListener Secure Connection](#eventlistener-secure-connection)
- [Prerequisites](#prerequisites)

## Syntax

Expand Down Expand Up @@ -273,8 +275,11 @@ Right now the allowed values as part of `podSpec` are
ServiceAccountName
NodeSelector
Tolerations
Volumes
Containers
- Resources
- VolumeMounts
- Env
```

### Logging
Expand Down Expand Up @@ -945,3 +950,55 @@ Except as otherwise noted, the content of this page is licensed under the
[Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
and code samples are licensed under the
[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).

## EventListener Secure Connection

Triggers now support both `HTTP` and `HTTPS` connection by adding some configurations in eventlistener.
### Prerequisites
* Certficates.
* Secret which includes those certificates.

There are two env var reserved for `HTTPS` connection to read certificates
1. **SSL_CERT_FILE**: specify the location of mounted cert file.
2. **SSL_KEY_FILE**: specify the location of mounted key file.

As mentioned in the prerequisites users are asked to create their own certificates, secrets and mount as a volume in the
`resources` section of eventlistener as shown below.

```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
name: github-listener-interceptor
spec:
...
resources:
kubernetesResource:
spec:
template:
spec:
serviceAccountName: tekton-triggers-github-sa
volumes:
- name: https-connection
secret:
secretName: ssl-key-secret
containers:
- volumeMounts:
- name: https-connection
mountPath: "/etc/triggers/ssl/"
readOnly: true
env:
- name: SSL_CERT_FILE
value: "/etc/triggers/ssl/tls.crt"
- name: SSL_KEY_FILE
value: "/etc/triggers/ssl/tls.key"
```
Where

**ssl-key-secret** is a secret object created by user which contains certificates.

ex:
```text
kubectl create secret generic ssh-key-secret --from-file=tls.crt --from-file=tls.key
```
Refer [TEP-0027](https://github.com/tektoncd/community/blob/master/teps/0027-https-connection-to-triggers-eventlistener.md) for more information.
6 changes: 3 additions & 3 deletions pkg/apis/triggers/v1alpha1/event_listener_validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,8 @@ func validateKubernetesObject(orig *KubernetesResource) (errs *apis.FieldError)
func containerFieldMask(in *corev1.Container) *corev1.Container {
out := new(corev1.Container)
out.Resources = in.Resources
out.VolumeMounts = in.VolumeMounts
out.Env = in.Env

// Disallowed fields
// This list clarifies which all container attributes are not allowed.
Expand All @@ -78,7 +80,6 @@ func containerFieldMask(in *corev1.Container) *corev1.Container {
out.ReadinessProbe = nil
out.StartupProbe = nil
out.Command = nil
out.VolumeMounts = nil
out.ImagePullPolicy = ""
out.Lifecycle = nil
out.SecurityContext = nil
Expand All @@ -90,7 +91,6 @@ func containerFieldMask(in *corev1.Container) *corev1.Container {
out.TTY = false
out.VolumeDevices = nil
out.EnvFrom = nil
out.Env = nil

return out
}
Expand All @@ -105,10 +105,10 @@ func podSpecMask(in *corev1.PodSpec) *corev1.PodSpec {
out.Containers = in.Containers
out.Tolerations = in.Tolerations
out.NodeSelector = in.NodeSelector
out.Volumes = in.Volumes

// Disallowed fields
// This list clarifies which all podspec fields are not allowed.
out.Volumes = nil
out.ImagePullSecrets = nil
out.EnableServiceLinks = nil
out.ImagePullSecrets = nil
Expand Down
16 changes: 16 additions & 0 deletions pkg/apis/triggers/v1alpha1/event_listener_validation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,14 @@ func Test_EventListenerValidate(t *testing.T) {
Effect: "NoSchedule",
}},
NodeSelector: map[string]string{"beta.kubernetes.io/os": "linux"},
Volumes: []corev1.Volume{{
Name: "https-connection",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "ssl-key-secret",
},
},
}},
Containers: []corev1.Container{{
Resources: corev1.ResourceRequirements{
Limits: corev1.ResourceList{
Expand All @@ -192,6 +200,14 @@ func Test_EventListenerValidate(t *testing.T) {
corev1.ResourceMemory: resource.Quantity{Format: resource.BinarySI},
},
},
VolumeMounts: []corev1.VolumeMount{{
Name: "https-connection",
MountPath: "/etc/triggers/ssl",
}},
Env: []corev1.EnvVar{{
Name: "SSL_CERT_FILE",
Value: "/etc/triggers/ssl/tls.crt",
}},
}},
},
},
Expand Down
Loading

0 comments on commit 604c8d1

Please sign in to comment.