Allow secure connection to eventlistener pod
savitaashture committed Nov 15, 2020
1 parent 58269c7 commit 9af1b9a
Showing 9 changed files with 820 additions and 416 deletions.
10 changes: 8 additions & 2 deletions cmd/eventlistenersink/main.go
@@ -128,7 +128,13 @@ func main() {
Handler: mux,
}

if err := srv.ListenAndServe(); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
if sinkArgs.Cert == "" && sinkArgs.Key == "" {
if err := srv.ListenAndServe(); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
}
} else {
if err := srv.ListenAndServeTLS(sinkArgs.Cert, sinkArgs.Key); err != nil {
logger.Fatalf("failed to start eventlistener sink: %v", err)
}
}
}
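Review bot: the condition `sinkArgs.Cert == "" && sinkArgs.Key == ""` only falls back to plaintext when both flags are empty, so a sink started with exactly one of them set goes into `ListenAndServeTLS` with an empty path and dies with the same generic "failed to start eventlistener sink" message as the HTTP branch; validate up front that both are set or neither, log which mode the sink is starting in, and give the two branches distinct error text. Nothing in this hunk sets `srv.TLSConfig` either, so unless it is populated in the struct literal above, the listener runs with Go's default server settings (TLS 1.0 minimum at the time of this change) and no `ClientAuth`, which means the client certificate that examples/eventlistener-tls-connection/README.md asks the caller to present is never requested or verified. Set at least `MinVersion: tls.VersionTLS12`, and either configure `ClientAuth: tls.RequireAndVerifyClientCert` with the CA or drop the client-certificate steps from the docs.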
13 changes: 13 additions & 0 deletions docs/eventlisteners.md
@@ -40,6 +40,8 @@ using [Event Interceptors](#Interceptors).
- [Multiple EventListeners (One EventListener Per Namespace)](#multiple-eventlisteners-one-eventlistener-per-namespace)
- [Multiple EventListeners (Multiple EventListeners per Namespace)](#multiple-eventlisteners-multiple-eventlisteners-per-namespace)
- [ServiceAccount per EventListenerTrigger](#serviceaccount-per-eventlistenertrigger)
- [EventListener Secure Connection](#eventlistener-secure-connection)
- [Prerequisites](#prerequisites)

## Syntax

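Review bot: the new `- [Prerequisites](#prerequisites)` entry points at a heading that this document does not contain; the Prerequisites section lives in examples/eventlistener-tls-connection/README.md, so the anchor is dead on this page. Either drop the entry or indent it under the Secure Connection item and link it into the example README.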
@@ -273,8 +275,11 @@ Right now the allowed values as part of `podSpec` are
ServiceAccountName
NodeSelector
Tolerations
Volumes
Containers
- Resources
- VolumeMounts
- Env
```

### Logging
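Review bot: now that `Env` is advertised as an allowed container field, this syntax section should also say that `TLS_SECRET_NAME`, `TLS_CERT_NAME` and `TLS_KEY_NAME` are reserved names consumed by Triggers, otherwise a reader of the reference has no way to know that setting them changes the listener's transport; please also confirm the list matches what containerFieldMask actually passes through, since the validation change in this commit only adds `out.Env = in.Env`.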
@@ -945,3 +950,11 @@ Except as otherwise noted, the content of this page is licensed under the
[Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
and code samples are licensed under the
[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).

## EventListener Secure Connection

Triggers now support both `HTTP` and `HTTPS` connection by adding few configurations to eventlistener.

Refer [example detail](../examples/eventlistener-tls-connection/README.md) to know more on how to configure eventlistener to have secure connection.

Refer [TEP-0027](https://github.com/tektoncd/community/blob/master/teps/0027-https-connection-to-triggers-eventlistener.md) for more information on design and user stories.
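Review bot: this section is appended after the Creative Commons / Apache license footer, which is meant to be the last thing on the page; move it above the footer with the other sections. It also only states that HTTPS is supported and defers everything to the example README; the reserved env names and their defaults belong in this reference document, and "adding few configurations" should read "adding a few configuration settings". Consider linking the TEP at a pinned revision rather than `master`.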
100 changes: 100 additions & 0 deletions examples/eventlistener-tls-connection/README.md
@@ -0,0 +1,100 @@
## EventListener Secure Connection

Triggers now support both `HTTP` and `HTTPS` connection by adding some configurations to eventlistener.

### Prerequisites
* Certificates with Key and Cert
* Secret which includes those certificates

### Try it out locally:

#### Creating Prerequisites

* #### Certificates with Key and Cert.

##### 1. Steps to generate root key, cert
1. Create Root Key
```text
openssl genrsa -des3 -out rootCA.key 4096
```
2. Create and self sign the Root Certificate
```text
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
```
##### 2. Steps to generate certificate (for each server)
1. Create the certificate key
```text
openssl genrsa -out tls.key 2048
```
2. Create the signing (csr)

* The CSR is where you specify the details for the certificate you want to generate.
This request will be processed by the owner of the root key to generate the certificate.

* **Important:** While creating the csr it is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
```text
openssl req -new -key tls.key -out tls.csr
```
3. Generate the certificate using the tls csr and key along with the CA Root key
```text
openssl x509 -req -in tls.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out tls.crt -days 500 -sha256
```
##### 3. Follow same steps from 2 to generate certificates for client also

* #### Create secret which includes those certificates
```text
kubectl create secret generic tls-secret-key --from-file=tls.crt --from-file=tls.key
```

#### Configuring EventListener for TLS connection
```yaml
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
name: github-listener-interceptor
spec:
triggers:
- name: github-listener
interceptors:
- github:
secretRef:
secretName: github-secret
secretKey: secretToken
eventTypes:
- pull_request
- cel:
filter: "body.action in ['opened', 'synchronize', 'reopened']"
bindings:
- ref: github-pr-binding
template:
ref: github-template
resources:
kubernetesResource:
spec:
template:
spec:
serviceAccountName: tekton-triggers-github-sa
containers:
- env:
- name: TLS_SECRET_NAME
value: "tls-secret-key" # Name of the secret which is created above (Mandatory env for TLS connection)
- name: TLS_CERT_NAME
value: "tls.crt" # Name of the cert file (Optional, If not provided tls.crt used)
- name: TLS_KEY_NAME
value: "tls.key" # Name of the key file (Optional, If not provided tls.key used)
```
There are **RESERVED** env to provide `HTTPS` connection to triggers eventlistener
* `TLS_SECRET_NAME` is **mandatory** env key where user specify created secret name.
* `TLS_CERT_NAME` and `TLS_KEY_NAME` are **optional** env where user specify name of the cert and key respectively,
If not provided triggers assume names as `tls.crt` and `tls.key` by default.

1. Test by sending the sample payload.

```bash
curl -v \
-H 'X-GitHub-Event: pull_request' \
-H 'X-Hub-Signature: sha1=ba0cdc263b3492a74b601d240c27efe81c4720cb' \
-H 'Content-Type: application/json' \
-d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git"}}' \
https://<el-address> --cacert rootCA.crt --key client.key --cert client.crt
```
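Review bot: step 3 tells the reader to generate a client certificate and the final curl presents it (`--key client.key --cert client.crt`), but the sink in cmd/eventlistenersink/main.go calls `ListenAndServeTLS` with no `ClientAuth` configured, so that certificate is never requested or checked; either remove the client-side steps so users do not assume mutual TLS is in effect, or add server-side verification and document that the CA must be provided to the pod as well. The CSR guidance is also out of date: a `Common Name` alone is no longer honoured by current verifiers (Go 1.15 and later, and browsers, require a subjectAltName), so the `openssl req`/`openssl x509` steps should set `subjectAltName=DNS:<el-address>` (for example via `-addext` on OpenSSL 1.1.1 or an `-extfile`). `kubectl create secret tls tls-secret-key --cert=tls.crt --key=tls.key` would produce the same `tls.crt`/`tls.key` keys with type validation. Finally, the README marks `TLS_SECRET_NAME` as mandatory but says nothing about the secret having to live in the EventListener's namespace or how it reaches the sink's `--cert`/`--key` paths; none of the hunks shown here contains that plumbing, so a sentence on it (or a pointer to the reconciler change) would save a support question.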
8 changes: 8 additions & 0 deletions examples/github/github-eventlistener-interceptor.yaml
@@ -33,6 +33,14 @@ spec:
limits:
memory: "128Mi"
cpu: "500m"
env:
- name: TLS_SECRET_NAME
value: "tls-secret-name"
- name: TLS_CERT_NAME
value: "tls.pem"
- name: TLS_KEY_NAME
value: "tls-key.pem"

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
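Review bot: adding the `TLS_*` env to the general GitHub example means anyone who applies it as-is gets an EventListener that references a secret (`tls-secret-name`) the example never creates, and the file names `tls.pem`/`tls-key.pem` differ from the `tls.crt`/`tls.key` defaults used in the TLS README; keep this example plaintext and leave TLS to examples/eventlistener-tls-connection, or ship the secret alongside it.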
2 changes: 1 addition & 1 deletion pkg/apis/triggers/v1alpha1/event_listener_validation.go
@@ -67,6 +67,7 @@ func validateKubernetesObject(orig *KubernetesResource) (errs *apis.FieldError)
func containerFieldMask(in *corev1.Container) *corev1.Container {
out := new(corev1.Container)
out.Resources = in.Resources
out.Env = in.Env

// Disallowed fields
// This list clarifies which all container attributes are not allowed.
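Review bot: `out.Env = in.Env` passes the whole slice through, including `valueFrom` references to arbitrary Secrets and ConfigMaps in the namespace, which is a much larger grant than the three reserved `TLS_*` names the docs describe; if only those are intended, filter by name here (and reject an empty `TLS_SECRET_NAME`), and if full Env is intended, say so in the doc and explain why `EnvFrom` stays blocked while `Env` with `valueFrom` is allowed. The "Disallowed fields" comment directly below should also stop implying Env is on that list.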
@@ -90,7 +91,6 @@ func containerFieldMask(in *corev1.Container) *corev1.Container {
out.TTY = false
out.VolumeDevices = nil
out.EnvFrom = nil
out.Env = nil

return out
}
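Review bot: with `out.Env = nil` gone, `out.EnvFrom = nil` two lines above remains; if that asymmetry is deliberate (EnvFrom can expose an entire Secret or ConfigMap at once), a one-line comment here would stop the next contributor from "fixing" it.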
24 changes: 23 additions & 1 deletion pkg/apis/triggers/v1alpha1/event_listener_validation_test.go
@@ -164,7 +164,7 @@ func Test_EventListenerValidate(t *testing.T) {
bldr.EventListenerCELInterceptor("", bldr.EventListenerCELOverlay("body.value", "'testing'")),
))),
}, {
name: "Valid EventListener with kubernetes resource for podspec",
name: "Valid EventListener with kubernetes env for podspec",
el: bldr.EventListener("name", "namespace",
bldr.EventListenerSpec(
bldr.EventListenerTrigger("tt", "v1alpha1"),
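Review bot: the rename of the existing case to "Valid EventListener with kubernetes env for podspec" looks accidental: its body is unchanged and exercises resources, and the env case is added as its own entry further down; revert the name so the two cases stay distinguishable in failure output.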
@@ -198,6 +198,28 @@ func Test_EventListenerValidate(t *testing.T) {
}),
)),
)),
}, {
name: "Valid EventListener with env for TLS connection",
el: bldr.EventListener("name", "namespace",
bldr.EventListenerSpec(
bldr.EventListenerTrigger("tt", "v1alpha1"),
bldr.EventListenerResources(
bldr.EventListenerKubernetesResources(
bldr.EventListenerPodSpec(duckv1.WithPodSpec{
Template: duckv1.PodSpecable{
Spec: corev1.PodSpec{
ServiceAccountName: "k8sresource",
Containers: []corev1.Container{{
Env: []corev1.EnvVar{{
Name: "TLS_SECRET_NAME",
Value: "tls-secret-key",
}},
}},
},
},
}),
)),
)),
}}

for _, test := range tests {
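Review bot: the new case only checks that an EventListener carrying `TLS_SECRET_NAME` in Env validates, which it would have done for any Env value; add a test on containerFieldMask itself asserting that `Env` survives while `EnvFrom` is still stripped, plus a `valueFrom` entry if that is meant to be allowed, since the mask change is what this case is supposed to protect. A test for the plaintext-versus-TLS branch selection in the sink would also be worth having, as nothing here covers it.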