-
Notifications
You must be signed in to change notification settings - Fork 420
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Interceptors: Implement new config API aka how to use interceptors in Triggers #869
Comments
The EventListener did not have knowledge of which namespace Triggers was installed in. Instead it always assumed it was `tekton-pipelines` leading to the bug described in tektoncd#923. This commit fixes this by having the Reconciler send the installation namespace as a environment variable set on the EventListener's pod. NOTE: This fix is temporary and should not be necessary once tektoncd#869 is implemented since then we will resolve the Interceptor's address using information from its CRD. Fixes tektoncd#923 Signed-off-by: Dibyo Mukherjee <[email protected]>
The EventListener did not have knowledge of which namespace Triggers was installed in. Instead it always assumed it was `tekton-pipelines` leading to the bug described in tektoncd#923. This commit fixes this by having the Reconciler send the installation namespace as a environment variable set on the EventListener's pod. NOTE: This fix is temporary and should not be necessary once tektoncd#869 is implemented since then we will resolve the Interceptor's address using information from its CRD. Fixes tektoncd#923 Signed-off-by: Dibyo Mukherjee <[email protected]>
/cc @bigkevmcd @wlynch would like to get your thoughts on the ideas above. (I'm currently doing a PoC with options 2 and 3) |
I've been reading through the docs on TEP-0026 and TEP-0022 and would definitely think that option 3 makes sense because params and extensions inherently have a different meaning in the processing of an interceptor. When I think about migrating our current webhook extensions to the format outlined in TEP-0026 (and turning it into an I would think that params can be a generic # Current config
- gitlab:
secretRef:
secretName: foo
secretKey: bar
eventTypes:
- Push Hook becomes - type: gitlab
params:
- name: secretRef
value:
{"secretName":"foo", "secretName":"bar"} # or however you want to get a JSON map into YAML
- name: eventTypes
value:
- Push Hook I'm thinking about a pluggable oauth client config interceptor where you would specify the jwks URL and required # First model where roles are validated in the downstream plugin
- type: jwt
params:
- name: jwks_url
value: https://
- name: roles
value:
- group_1
- group_2
# Second model where roles are passed back up to the chain as extensions:
- type: jwt
params:
- name: jwks_url
value: https://
extensions:
- name: roles Then, the downstream plugin could make a determination on behavior based on the params/extensions passed in. (Apologies for the wall of text I've just been thinking about this project a lot lately) |
@jmcshane Thanks for the feedback and the use case is much appreciated! |
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of tektoncd#869 Signed-off-by: Dibyo Mukherjee <[email protected]>
This commit adds new fields (`ref`, `param`, `name`) to refer to a pluggable Interceptor from within a Trigger's spec. Previously a user could either reference one of core interceptors (e.g. `cel`) or use the `webhook` field to refer to webhook interceptors. The new API is a replacement for these old options though the old API will continue to work for now to ensure backwards compatibility. The new fields are: 1. `ref`: This is required and references a ClusterInterceptor 2. `params`: Any optional params to pass on to the Interceptor. The values can be any valid JSON. 3. `name`: Optional name to configure a named interceptor config. Part of #869 Signed-off-by: Dibyo Mukherjee <[email protected]>
Closed by #1001 |
The work for this issue is to implement changes to how users writing a Trigger configure Interceptors as described in TEP-0026 i.e. how to supply params declared by an Interceptor in a Trigger.
What?
Discuss options for how we should configure interceptors inside a Trigger.
Why?
TEP-009: Since interceptors are pluggabble, we can't make them part of the API spec anymore. We need a pluggable mechanism!
How do we do it today?
Design:
ref
as we do with other resources e.g.name
field to identify what interceptor block we are using. This makes it more descriptive when you have multiple interceptors, and can be useful when using kustomize.Ideas for Params
1. Only allow string values
1b. Only string value params but CEL is split into two interceptors
Basically the same as 1, but we split CEL into two CELFilter and CELOverlay(or CELExtensions)
2. Make params values be any valid JSON
Internally, we would model the
param
type as map[string]interface{}It makes it look like the params are part of the API and is closest to what we do today
Later, we can add validation (OpenAPI) on what exactly is accepted via the API i.e. the Interceptor CRD will declare what param names and values it accepts and the controller/webhook can validate those on creation.
3. Separate out params and extensions explicitly
The params today are combinations of two things -- input values (e.g. secretRef, filters), and output results (overlays).This option splits two explicitly.
This approach makes it explicit which extensions (or results) are accepted.
This approach will require a change to the Interceptor HTTP API (specifically the InterceptorRequest type).
The text was updated successfully, but these errors were encountered: