Allow secure connection to eventlistener pod

cmd/eventlistenersink/main.go

@@ -136,7 +136,13 @@ func main() {
 			sinkArgs.ELTimeOutHandler*time.Second, "EventListener Timeout!\n"),
 	}
 
-	if err := srv.ListenAndServe(); err != nil {
-		logger.Fatalf("failed to start eventlistener sink: %v", err)
+	if sinkArgs.Cert == "" && sinkArgs.Key == "" {
+		if err := srv.ListenAndServe(); err != nil {
+			logger.Fatalf("failed to start eventlistener sink: %v", err)
+		}
+	} else {
+		if err := srv.ListenAndServeTLS(sinkArgs.Cert, sinkArgs.Key); err != nil {
+			logger.Fatalf("failed to start eventlistener sink: %v", err)
+		}
 	}
 }

docs/eventlisteners.md

@@ -42,6 +42,8 @@ using [Event Interceptors](#Interceptors).
     - [Multiple EventListeners (One EventListener Per Namespace)](#multiple-eventlisteners-one-eventlistener-per-namespace)
     - [Multiple EventListeners (Multiple EventListeners per Namespace)](#multiple-eventlisteners-multiple-eventlisteners-per-namespace)
     - [ServiceAccount per EventListenerTrigger](#serviceaccount-per-eventlistenertrigger)
+  - [EventListener Secure Connection](#eventlistener-secure-connection)
+    - [Prerequisites](#prerequisites)
 
 ## Syntax
 
@@ -277,8 +279,11 @@ Right now the allowed values as part of `podSpec` are
 ServiceAccountName
 NodeSelector
 Tolerations
+Volumes
 Containers
 - Resources
+- VolumeMounts
+- Env
 ```
 
 ### Logging
@@ -821,3 +826,12 @@ Except as otherwise noted, the content of this page is licensed under the
 [Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
 and code samples are licensed under the
 [Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).
+
+## EventListener Secure Connection
+
+Triggers now support both `HTTP` and `HTTPS` connection by adding few configuration to eventlistener.
+
+To setup TLS connection add two set of reserved environment variables `TLS_CERT` and `TLS_KEY` using `secretKeyRef` env type 
+where we need to specify the `secret` which contains `cert` and `key` files. See the full [example]((../examples/eventlistener-tls-connection/README.md)) for more details.
+
+Refer [TEP-0027](https://github.com/tektoncd/community/blob/master/teps/0027-https-connection-to-triggers-eventlistener.md) for more information on design and user stories.

examples/eventlistener-tls-connection/README.md

@@ -0,0 +1,78 @@
+## EventListener Secure Connection
+
+Triggers now support both `HTTP` and `HTTPS` connection by adding some configurations to eventlistener.
+
+### Prerequisites
+* Certificates with Key and Cert
+* Secret which includes those certificates
+
+### Try it out locally:
+
+#### Creating Prerequisites
+
+* #### Certificates with Key and Cert.
+
+##### 1. Steps to generate root key, cert
+1. Create Root Key
+   ```text
+   openssl genrsa -des3 -out rootCA.key 4096
+   ```
+2. Create and self sign the Root Certificate
+   ```text
+   openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
+   ```
+##### 2. Steps to generate certificate (for each server)
+1. Create the certificate key
+   ```text
+   openssl genrsa -out tls.key 2048
+   ```
+2. Create the signing (csr)
+
+* The CSR is where you specify the details for the certificate you want to generate. 
+This request will be processed by the owner of the root key to generate the certificate.
+
+* **Important:** While creating the csr it is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
+   ```text
+   openssl req -new -key tls.key -out tls.csr
+   ```
+3. Generate the certificate using the tls csr and key along with the CA Root key
+   ```text
+   openssl x509 -req -in tls.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out tls.crt -days 500 -sha256
+   ```
+##### 3. Follow same steps from 2 to generate certificates for client also
+
+* #### Create secret which includes those certificates
+   ```text
+   kubectl create secret generic tls-secret-key --from-file=tls.crt --from-file=tls.key
+   ```
+
+#### Configuring EventListener for TLS connection
+1. To create the TLS connection for EventListener and all related resources, run:
+
+   ```bash
+   kubectl apply -f examples/eventlistener-tls-connection/
+   ```
+
+1. Test by sending the sample payload.
+
+   ```bash
+   curl -v \
+   -H 'X-GitHub-Event: pull_request' \
+   -H 'X-Hub-Signature: sha1=ba0cdc263b3492a74b601d240c27efe81c4720cb' \
+   -H 'Content-Type: application/json' \
+   -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git"}}' \
+   https://<el-address> --cacert rootCA.crt --key client.key --cert client.crt
+   ```
+
+   The response status code should be `201 Created`
+
+   [`HMAC`](https://www.freeformatter.com/hmac-generator.html) tool used to create X-Hub-Signature.
+
+   In [`HMAC`](https://www.freeformatter.com/hmac-generator.html) `string` is the *body payload ex:* `{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git"}}`
+   and `secretKey` is the *given secretToken ex:* `1234567`.
+
+1. You should see a new TaskRun that got created:
+
+   ```bash
+   kubectl get taskruns | grep tls-run-
+   ```

examples/eventlistener-tls-connection/role.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-triggers-tls-sa
+secrets:
+  - name: github-secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-tls-binding
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-tls-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tekton-triggers-tls-minimal
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-tls-minimal
+rules:
+  # Permissions for every EventListener deployment to function
+  - apiGroups: ["triggers.tekton.dev"]
+    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    # secrets are only needed for GitHub/GitLab interceptors, serviceaccounts only for per trigger authorization
+    resources: ["configmaps", "secrets", "serviceaccounts"]
+    verbs: ["get", "list", "watch"]
+  # Permissions to create resources in associated TriggerTemplates
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelineruns", "pipelineresources", "taskruns"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-triggers-tls-binding
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-tls-sa
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tekton-triggers-tls-minimal
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-tls-minimal
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+rules:
+  # Permissions for every EventListener deployment to function
+  - apiGroups: ["triggers.tekton.dev"]
+    resources: ["clustertriggerbindings"]
+    verbs: ["get", "list", "watch"]

examples/eventlistener-tls-connection/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-secret
+type: Opaque
+stringData:
+  secretToken: "1234567"

examples/eventlistener-tls-connection/tls-eventlistener-interceptor.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+  name: tls-listener-interceptor
+spec:
+  triggers:
+    - name: tls-listener
+      interceptors:
+        - github:
+            secretRef:
+              secretName: github-secret
+              secretKey: secretToken
+            eventTypes:
+              - pull_request
+        - cel:
+            filter: "body.action in ['opened', 'synchronize', 'reopened']"
+      bindings:
+        - ref: tls-pr-binding
+      template:
+        ref: tls-template
+  resources:
+    kubernetesResource:
+      spec:
+        template:
+          spec:
+            serviceAccountName: tekton-triggers-tls-sa
+            containers:
+            - env:
+              - name: TLS_CERT
+                valueFrom:
+                  secretKeyRef:
+                    name: tls-key-secret
+                    key: tls.crt
+              - name: TLS_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: tls-key-secret
+                    key: tls.key
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: tls-pr-binding
+spec:
+  params:
+    - name: gitrevision
+      value: $(body.pull_request.head.sha)
+    - name: gitrepositoryurl
+      value: $(body.repository.clone_url)
+
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: tls-template
+spec:
+  params:
+    - name: gitrevision
+    - name: gitrepositoryurl
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1alpha1
+      kind: TaskRun
+      metadata:
+        generateName: tls-run-
+      spec:
+        taskSpec:
+          inputs:
+            resources:
+              - name: source
+                type: git
+          steps:
+            - image: ubuntu
+              script: |
+                #! /bin/bash
+                ls -al $(inputs.resources.source.path)
+        inputs:
+          resources:
+            - name: source
+              resourceSpec:
+                type: git
+                params:
+                  - name: revision
+                    value: $(tt.params.gitrevision)
+                  - name: url
+                    value: $(tt.params.gitrepositoryurl)