Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow secure connection to eventlistener pod #819

Merged
merged 1 commit into from
Nov 20, 2020
Merged

Allow secure connection to eventlistener pod #819

merged 1 commit into from
Nov 20, 2020

Conversation

savitaashture
Copy link
Contributor

@savitaashture savitaashture commented Oct 31, 2020
edited by khrm
Loading

Changes

Issue: #650

As part of this PR Triggers eventlistener now support end to end secure connection to eventlistener pod.
For more info about the feature refer TEP-0027 .

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

HTTPS connection to eventlistener can be configured by tweaking eventlistener configuration

   apiVersion: triggers.tekton.dev/v1alpha1
   kind: EventListener
   metadata:
     name: github-listener-interceptor
   spec:
     ...
     resources:
       kubernetesResource:
         spec:
           template:
             spec:
               serviceAccountName: tekton-triggers-github-sa
               containers:
               - env:
                 - name: TLS_CERT
                   valueFrom:
                     secretKeyRef:
                       name: tls-key-secret
                       key: tls.crt
                 - name: TLS_KEY
                   valueFrom:
                     secretKeyRef:
                       name: tls-key-secret
                       key: tls.key

Note:
TLS_CERT, TLS_KEY are RESERVED env

@tekton-robot tekton-robot requested review from dibyom and wlynch October 31, 2020 15:12
@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 31, 2020
@savitaashture savitaashture force-pushed the secure-connection-el branch 3 times, most recently from c81be10 to 6264fb2 Compare October 31, 2020 15:34
@savitaashture savitaashture mentioned this pull request Nov 1, 2020
Merged
@savitaashture savitaashture changed the title Allow secure connection to eventlistener pod [WIP]Allow secure connection to eventlistener pod Nov 2, 2020
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 2, 2020
@savitaashture savitaashture force-pushed the secure-connection-el branch 2 times, most recently from 3d73905 to 5668819 Compare November 2, 2020 18:56
@savitaashture savitaashture changed the title [WIP]Allow secure connection to eventlistener pod Allow secure connection to eventlistener pod Nov 3, 2020
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 3, 2020
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2020
dibyom
dibyom reviewed Nov 10, 2020
View reviewed changes
Copy link
Member

@dibyom dibyom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good. Just some minor comments. Also, how feasible would it be to add an e2e test for this?

(Also noticed some questions on tektoncd/community#244 that we should resolve before merging this)

cmd/eventlistenersink/main.go Outdated Show resolved Hide resolved
docs/eventlisteners.md Show resolved Hide resolved
pkg/apis/triggers/v1alpha1/event_listener_validation_test.go Outdated Show resolved Hide resolved
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go Outdated Show resolved Hide resolved
pkg/reconciler/v1alpha1/eventlistener/eventlistener_test.go Outdated Show resolved Hide resolved
pkg/reconciler/v1alpha1/eventlistener/eventlistener_test.go Outdated Show resolved Hide resolved
pkg/sink/initialization.go Outdated Show resolved Hide resolved
@dibyom dibyom mentioned this pull request Nov 11, 2020
Closed
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 13, 2020
@tekton-robot tekton-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 15, 2020
@savitaashture savitaashture force-pushed the secure-connection-el branch 2 times, most recently from 9af1b9a to 94c22a9 Compare November 15, 2020 08:47
@tekton-robot tekton-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 15, 2020
@savitaashture savitaashture force-pushed the secure-connection-el branch 2 times, most recently from 0740e24 to bbd8248 Compare November 15, 2020 09:32
@dibyom
Copy link
Member

dibyom commented Nov 17, 2020

/lgtm

Code looks fine. Pending design discussion on using valueFrom/secretRef instead of value: in tektoncd/community#244

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 17, 2020
@tekton-robot tekton-robot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 18, 2020
@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 100.0% 98.2% -1.8
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.2% 79.1% 0.9

savitaashture
savitaashture commented Nov 18, 2020
View reviewed changes
pkg/apis/triggers/v1alpha1/event_listener_validation.go
Comment on lines +113 to +124
func envVarSourceMask(in *corev1.EnvVarSource) *corev1.EnvVarSource {
if in == nil {
return nil
}
out := new(corev1.EnvVarSource)
// Allowed fields
out.SecretKeyRef = in.SecretKeyRef

// Disallowed fields
out.ConfigMapKeyRef = nil
out.FieldRef = nil
out.ResourceFieldRef = nil

return out
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I own to refactor changes related to masking fields in a follow up PR by creating separate file so that _validation.go will have changes related to validation

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 100.0% 98.2% -1.8
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.2% 79.1% 0.9

dibyom
dibyom reviewed Nov 19, 2020
View reviewed changes
Copy link
Member

@dibyom dibyom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small nit about docs otherwise LGTM!

/approve

docs/eventlisteners.md Outdated

## EventListener Secure Connection

Triggers now support both `HTTP` and `HTTPS` connection by adding few configurations to eventlistener.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a little bit more detail here? e.g. :

even a like like -- To setup TLS, add set two environment variables TLS_CERT, and TLS_KEY with values set to a Secret. See the full example(LINK) for details`

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 19, 2020
@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 100.0% 98.2% -1.8
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.2% 79.1% 0.9

khrm
khrm reviewed Nov 20, 2020
View reviewed changes
examples/eventlistener-tls-connection/README.md Outdated
```

#### Configuring EventListener for TLS connection
```yaml
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Why not put this in yaml file like other examples? It make it faster to test out examples. Otherwise, lgtm.

Copy link
Contributor Author

@savitaashture savitaashture Nov 20, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dependency is on secret which is given by user and which contains cert and key files so just added sample example in README so that user can refer

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably assume tls-key-secret as secretKeyRef.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we assume then we should create that before hand and for that we also need to create cert n keys

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's OK to not create key beforehand because those command will do it anyway.

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 98.8% 97.3% -1.5
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.5% 79.4% 0.9

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 98.8% 97.3% -1.5
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.5% 79.4% 0.9

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/triggers/v1alpha1/event_listener_validation.go 98.8% 97.3% -1.5
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 78.5% 79.4% 0.9

khrm
khrm approved these changes Nov 20, 2020
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2020
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot merged commit e1e7d18 into tektoncd:master Nov 20, 2020
jerop added a commit to jerop/community that referenced this pull request Mar 21, 2023
@jerop
TEP-0027: HTTPS Connection To Triggers EventListener - Mark as Implem…
f465cd5 
…ented

TEP-0027 was implemented in tektoncd/triggers#819.
This change updates the TEP state from `implementable` to `implemented`.
@jerop jerop mentioned this pull request Mar 21, 2023
Merged
tekton-robot pushed a commit to tektoncd/community that referenced this pull request Mar 21, 2023
@jerop @tekton-robot
TEP-0027: HTTPS Connection To Triggers EventListener - Mark as Implem…
ca0cd65 
…ented

TEP-0027 was implemented in tektoncd/triggers#819.
This change updates the TEP state from `implementable` to `implemented`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dibyom dibyom dibyom left review comments

@khrm khrm khrm approved these changes

@wlynch wlynch Awaiting requested review from wlynch

Assignees

@khrm khrm

@dibyom dibyom

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@savitaashture @dibyom @tekton-robot @khrm