Allow secure connection to eventlistener pod
1 parent 58269c7, commit 9af1b9a. Showing 9 changed files with 820 additions and 416 deletions.
@@ -0,0 +1,100 @@ | ||
## EventListener Secure Connection | ||
|
||
Triggers now support both `HTTP` and `HTTPS` connection by adding some configurations to eventlistener. | ||
|
||
### Prerequisites | ||
* Certificates with Key and Cert | ||
* Secret which includes those certificates | ||
|
||
### Try it out locally: | ||
|
||
#### Creating Prerequisites | ||
|
||
* #### Certificates with Key and Cert. | ||
|
||
##### 1. Steps to generate root key, cert | ||
1. Create Root Key | ||
```text | ||
openssl genrsa -des3 -out rootCA.key 4096 | ||
``` | ||
2. Create and self sign the Root Certificate | ||
```text | ||
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt | ||
``` | ||
##### 2. Steps to generate certificate (for each server) | ||
1. Create the certificate key | ||
```text | ||
openssl genrsa -out tls.key 2048 | ||
``` | ||
2. Create the signing (csr) | ||
|
||
* The CSR is where you specify the details for the certificate you want to generate. | ||
This request will be processed by the owner of the root key to generate the certificate. | ||
|
||
* **Important:** While creating the csr it is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified. | ||
```text | ||
openssl req -new -key tls.key -out tls.csr | ||
``` | ||
3. Generate the certificate using the tls csr and key along with the CA Root key | ||
```text | ||
openssl x509 -req -in tls.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out tls.crt -days 500 -sha256 | ||
``` | ||
##### 3. Follow same steps from 2 to generate certificates for client also | ||
|
||
* #### Create secret which includes those certificates | ||
```text | ||
kubectl create secret generic tls-secret-key --from-file=tls.crt --from-file=tls.key | ||
``` | ||
|
||
#### Configuring EventListener for TLS connection | ||
```yaml | ||
apiVersion: triggers.tekton.dev/v1alpha1 | ||
kind: EventListener | ||
metadata: | ||
name: github-listener-interceptor | ||
spec: | ||
triggers: | ||
- name: github-listener | ||
interceptors: | ||
- github: | ||
secretRef: | ||
secretName: github-secret | ||
secretKey: secretToken | ||
eventTypes: | ||
- pull_request | ||
- cel: | ||
filter: "body.action in ['opened', 'synchronize', 'reopened']" | ||
bindings: | ||
- ref: github-pr-binding | ||
template: | ||
ref: github-template | ||
resources: | ||
kubernetesResource: | ||
spec: | ||
template: | ||
spec: | ||
serviceAccountName: tekton-triggers-github-sa | ||
containers: | ||
- env: | ||
- name: TLS_SECRET_NAME | ||
value: "tls-secret-key" # Name of the secret which is created above (Mandatory env for TLS connection) | ||
- name: TLS_CERT_NAME | ||
value: "tls.crt" # Name of the cert file (Optional, If not provided tls.crt used) | ||
- name: TLS_KEY_NAME | ||
value: "tls.key" # Name of the key file (Optional, If not provided tls.key used) | ||
``` | ||
There are **RESERVED** env to provide `HTTPS` connection to triggers eventlistener | ||
* `TLS_SECRET_NAME` is **mandatory** env key where user specify created secret name. | ||
* `TLS_CERT_NAME` and `TLS_KEY_NAME` are **optional** env where user specify name of the cert and key respectively, | ||
If not provided triggers assume names as `tls.crt` and `tls.key` by default. | ||
|
||
1. Test by sending the sample payload. | ||
|
||
```bash | ||
curl -v \ | ||
-H 'X-GitHub-Event: pull_request' \ | ||
-H 'X-Hub-Signature: sha1=ba0cdc263b3492a74b601d240c27efe81c4720cb' \ | ||
-H 'Content-Type: application/json' \ | ||
-d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git"}}' \ | ||
https://<el-address> --cacert rootCA.crt --key client.key --cert client.crt | ||
``` |
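Review bot: The CSR step (`openssl req -new -key tls.key -out tls.csr`, under "Create the signing (csr)") tells the reader to put the IP address or domain name in the `Common Name`, but modern TLS clients, including Go's crypto/tls since Go 1.15, ignore the CN and only match the Subject Alternative Name, so a certificate produced exactly as written verifies with curl (which still falls back to CN) yet is rejected by a Go client; the "otherwise the certificate cannot be verified" sentence should talk about the SAN, the `openssl req` command should gain `-addext "subjectAltName=DNS:<el-hostname>"` (or `IP:<el-address>`), and the `openssl x509 -req` step needs the extension carried through via an `-extfile` (or `-copy_extensions copy` on OpenSSL 3), with a note on which name the EventListener service is actually reached by. Second, section 3 ("Follow same steps from 2 to generate certificates for client also") and the final `curl ... --cacert rootCA.crt --key client.key --cert client.crt` imply mutual TLS, but nothing in the EventListener spec configures a client CA or requests client certificates, so either document the setting that turns on client-certificate verification or drop the client-certificate steps, otherwise readers will assume the listener authenticates callers when it only presents a server certificate. Finally, `TLS_SECRET_NAME` is called mandatory but the page never says how the secret named there reaches the pod (volume mount vs. API read) or whether `tekton-triggers-github-sa` needs RBAC to read it; a sentence on that, plus `kubectl create secret tls` instead of `generic` so the secret carries the conventional `kubernetes.io/tls` type with `tls.crt`/`tls.key`, would make the walkthrough reproducible.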