Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Interceptors: Implement new config API aka how to use interceptors in Triggers #869

Closed
dibyom opened this issue Dec 16, 2020 · 4 comments
Closed
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@dibyom
Copy link
Member

dibyom commented Dec 16, 2020

The work for this issue is to implement changes to how users writing a Trigger configure Interceptors as described in TEP-0026 i.e. how to supply params declared by an Interceptor in a Trigger.

What?

Discuss options for how we should configure interceptors inside a Trigger.

Why?

TEP-009: Since interceptors are pluggabble, we can't make them part of the API spec anymore. We need a pluggable mechanism!

How do we do it today?

interceptors:
  - cel:
       filter:  `body.comment == "plz run my test"` # simplest case: string key-val
       overlays:                   # most complex obj that contains array of objs
          - key: "a_new_field"
            value: "2 * 5"
          - key: "another_field"
            value: "bar"
  -  github:
        eventTypes: ["pull_request", "push"]   # val is of type array of strings
        secretRef:                             # complex obj
           name: "github-secret"
           key: "webhook-token"

Design:

  1. We need a way to refer to the Interceptor. The simplest, most consistent way would be to use a ref as we do with other resources e.g.
interceptors:
  - ref:
      apiVersion: interceptors.triggers.tekton.dev/v1alpha1
      kind: cel
  1. (Based on a previous WG discussion) It might also makes sense to add an optional name field to identify what interceptor block we are using. This makes it more descriptive when you have multiple interceptors, and can be useful when using kustomize.
interceptors:
  - name: "payload-validation"
    ref:
      apiVersion: interceptors.triggers.tekton.dev/v1alpha1
      kind: github
  - name: "Cel -filter"
    ref:
      apiVersion: interceptors.triggers.tekton.dev/v1alpha1
      kind: cel
  1. Finally, we need a way to supply parameters. Today, the paramter names are always keys while the values can be strings, array of strings (eventTypes in github), or complex objects (e.g. overlays in CEL, secretRef in github). The following section has some ideas for representing these:

Ideas for Params

1. Only allow string values

  1. This is the simplest option and consistent with how we use params elsewhere.
  2. We'd have to figure out a way to represent the current params that use non string types:
interceptors:
- name: "github-validation"
  ref:
    kind: GitHub
  params:
  - name: "eventTypes"
    value: "pull_request,"push" # part of same string separated by commas
  - name: "secretName"  # we have to split secretRed into two params
    value: "secret-name"
  - name: "secretKey"
    value: "key"

- name: "cel-filters-overlays"
  ref:
    kind: CEL
  params:
  - name: filter # filter is a special field. everything else is overlay?
  - value: `body.comment == "plz run my test"`
  - name: "a_new_field" # overlay fields are implicit
    value: "2 * 5"
  - name: "another_field"
    value: "bar"

1b. Only string value params but CEL is split into two interceptors

Basically the same as 1, but we split CEL into two CELFilter and CELOverlay(or CELExtensions)

interceptors:
- name: "github-validation"
  ref:
    kind: GitHub
  params:
  - name: "eventTypes"
    value: "pull_request,"push" # part of same string separated by commas
  - name: "secretName"  # we have to split secretRed into two params
    value: "secret-name"
  - name: "secretKey"
    value: "key"

- name: "cel-filters-overlays"
  ref:
    kind: CELFilter
  params:
  - name: filter # filter is a special field. everything else is overlay?
  - value: `body.comment == "plz run my test"`

- name: "cel-filters-overlays"
  ref:
    kind: CELOverlay
  params:
  - name: "a_new_field"
    value: "2 * 5"
  - name: "another_field"
    value: "bar"

2. Make params values be any valid JSON

  1. Internally, we would model the param type as map[string]interface{}

  2. It makes it look like the params are part of the API and is closest to what we do today

  3. Later, we can add validation (OpenAPI) on what exactly is accepted via the API i.e. the Interceptor CRD will declare what param names and values it accepts and the controller/webhook can validate those on creation.

interceptors:
- name: "cel"
  ref:
    kind: cel
  params: # param value is no longer an array. It can be any valid JSON
    eventTypes: ["pull_request,"push"]
    overlays:
    - key: "a_new_field"
      value: "2 * 5"

3. Separate out params and extensions explicitly

The params today are combinations of two things -- input values (e.g. secretRef, filters), and output results (overlays).This option splits two explicitly.

  1. This approach makes it explicit which extensions (or results) are accepted.

  2. This approach will require a change to the Interceptor HTTP API (specifically the InterceptorRequest type).

interceptors:
- name: "cel"
  ref:
    kind: cel
  params:
    - name: "eventTypes"
      value: ["pull_request,"push"] # TODO: String or interface{} for the value?
  extensions:
    - name: "a_new_field"
      value: "2 * 5"
@dibyom dibyom added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 16, 2020
@dibyom dibyom added this to the Triggers v0.12 milestone Jan 20, 2021
dibyom added a commit to dibyom/triggers that referenced this issue Jan 25, 2021
The EventListener did not have knowledge of which namespace Triggers was
installed in. Instead it always assumed it was `tekton-pipelines` leading to
the bug described in tektoncd#923.  This commit fixes this by having the Reconciler
send the installation namespace as a environment variable set on the
EventListener's pod.

NOTE: This fix is temporary and should not be necessary once tektoncd#869 is
implemented since then we will resolve the Interceptor's address using
information from its CRD.

Fixes tektoncd#923

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Jan 25, 2021
The EventListener did not have knowledge of which namespace Triggers was
installed in. Instead it always assumed it was `tekton-pipelines` leading to
the bug described in tektoncd#923.  This commit fixes this by having the Reconciler
send the installation namespace as a environment variable set on the
EventListener's pod.

NOTE: This fix is temporary and should not be necessary once tektoncd#869 is
implemented since then we will resolve the Interceptor's address using
information from its CRD.

Fixes tektoncd#923

Signed-off-by: Dibyo Mukherjee <[email protected]>
@dibyom dibyom self-assigned this Jan 29, 2021
@dibyom
Copy link
Member Author

dibyom commented Jan 29, 2021

/cc @bigkevmcd @wlynch would like to get your thoughts on the ideas above.

(I'm currently doing a PoC with options 2 and 3)

@jmcshane
Copy link
Contributor

jmcshane commented Feb 9, 2021

I've been reading through the docs on TEP-0026 and TEP-0022 and would definitely think that option 3 makes sense because params and extensions inherently have a different meaning in the processing of an interceptor.

When I think about migrating our current webhook extensions to the format outlined in TEP-0026 (and turning it into an InterceptorConfig CRD kind), I think that each of the webhooks explicitly sets specific extension fields. I would just ask that value be optional on the extension field because the webhook may not need any data from the Trigger itself to determine the value of the extension in the response.

I would think that params can be a generic interface{} type. Even looking at the current git interceptor configurations, this makes sense:

# Current config
- gitlab:
    secretRef:
      secretName: foo
      secretKey: bar
    eventTypes:
      - Push Hook

becomes

- type: gitlab
  params:
  - name: secretRef
    value:
      {"secretName":"foo", "secretName":"bar"} # or however you want to get a JSON map into YAML
  - name: eventTypes
    value:
    - Push Hook

I'm thinking about a pluggable oauth client config interceptor where you would specify the jwks URL and required roles in an JWT token. Now, we could return the roles to the interceptor chain as an extension for further processing or validate the roles in the interceptor by specifying extensions or not and having the downstream API respond appropriately.

# First model where roles are validated in the downstream plugin
- type: jwt
  params:
  - name: jwks_url
     value: https://
  - name: roles
    value:
    - group_1
    - group_2
# Second model where roles are passed back up to the chain as extensions:
- type: jwt
  params:
  - name: jwks_url
     value: https://
  extensions:
  - name: roles

Then, the downstream plugin could make a determination on behavior based on the params/extensions passed in. (Apologies for the wall of text I've just been thinking about this project a lot lately)

@dibyom
Copy link
Member Author

dibyom commented Feb 9, 2021

@jmcshane Thanks for the feedback and the use case is much appreciated!

@dibyom dibyom modified the milestones: Triggers v0.12, Triggers v0.13 Mar 3, 2021
dibyom added a commit to dibyom/triggers that referenced this issue Mar 16, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 16, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 16, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 16, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 16, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 18, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 19, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 19, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 19, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom added a commit to dibyom/triggers that referenced this issue Mar 23, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of tektoncd#869

Signed-off-by: Dibyo Mukherjee <[email protected]>
tekton-robot pushed a commit that referenced this issue Mar 24, 2021
This commit adds new fields (`ref`, `param`, `name`) to refer to a
pluggable Interceptor from within a Trigger's spec. Previously a user
could either reference one of core interceptors (e.g. `cel`) or use the
`webhook` field to refer to webhook interceptors. The new API is a
replacement for these old options though the old API will continue to
work for now to ensure backwards compatibility.

The new fields are:
1. `ref`: This is required and references a ClusterInterceptor
2. `params`: Any optional params to pass on to the Interceptor. The
values can be any valid JSON.
3. `name`: Optional name to configure a named interceptor config.

Part of #869

Signed-off-by: Dibyo Mukherjee <[email protected]>
@dibyom
Copy link
Member Author

dibyom commented Mar 31, 2021

Closed by #1001

@dibyom dibyom closed this as completed Mar 31, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

No branches or pull requests

2 participants