[TEP-0102] HTTPS Connection to Triggers ClusterInterceptor

teps/0102-https-connection-to-triggers-interceptor.md

@@ -0,0 +1,78 @@
+---
+title: HTTPS Connection to Triggers ClusterInterceptor
+authors:
+  - "@savitaashture"
+creation-date: 2022-03-21
+last-updated: 2022-03-21
+status: proposed
+---
+
+# TEP-0102: HTTPS Connection to Triggers ClusterInterceptor
+
+<!-- toc -->
+- [Summary](#summary)
+- [Motivation](#motivation)
+  - [Goals](#goals)
+  - [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  - [User Stories](#user-stories)
+- [Design Details](#design-details)
+- [Implementation Details](#implementation-details)
+- [A look into the future](#a-look-into-the-future)
+- [References](#references)
+<!-- /toc -->
+
+## Summary
+
+This TEP proposes to run ClusterInterceptor server as HTTPS and to provide a secure connection between 
+EventListener and ClusterInterceptor. 
+
+## Motivation
+
+Running ClusterInterceptor server as HTTPS provide a secure connection to eventlistener
+and also helps triggers users where there is a hard requirement to handle all connections securely.
+
+### Goals
+
+* Running ClusterInterceptor as `HTTPS` and making sure a secure connection between Eventlistener and ClusterInterceptor.
+* No configuration changes asked from user.
+
+### Non-Goals
+
+* Requiring inputs from end user
+
+## Proposal
+
+Triggers now have full support of end to end secure connection by Running ClusterInterceptor as `HTTPS`.
+
+### User Stories
+
+* ClusterInterceptor calls are done using `HTTP` instead of `HTTPS` which is considered a security problem because
+in many environments(like OpenShift Container Platform 4) there is a hard requirement to have all traffic using `HTTPS`. 
+Meaning all traffic needs to be secured. Since ClusterInterceptor are not offering HTTPS, they can't be used unless they are offering HTTPS.
+Hence the goal is to make sure that all ClusterInterceptor calls are using HTTPS instead, to comply with security regulation/requirements.
+
+## Design Details
+
+* By default ClusterInterceptor run as `HTTPS`.
+* There won't be a support for `HTTP`.
+* Triggers make use of [Knative pkg](https://github.com/knative/pkg/blob/main/webhook/certificates/resources/certs.go#L144) to generate `cert` and `key` internally to run ClusterInterceptor server as `HTTPS`.
+* While installing `Triggers Interceptor` an empty secret `tekton-triggers-core-interceptors` will be created and later ClusterInterceptor server will update secret with `cert`, `key` and `cacert`.
+* Connection between ClusterInterceptor and Eventlistener is secured using `cacert` from `tekton-triggers-core-interceptors` secret.
+
+**Note:**
+* No inputs required from user to run ClusterInterceptor server as `HTTPS` as everything is handled internally by Triggers.
+
+## Implementation Details
+At high level below are few implementation details
+* Port and ENV changes in [core-interceptors-deployment.yaml](https://github.com/tektoncd/triggers/blob/main/config/interceptors/core-interceptors-deployment.yaml).
+* Add new secret file to [config/interceptors](https://github.com/tektoncd/triggers/tree/main/config/interceptors) folder.
+* Update roles, clusterroles.
+* Changes to ClusterInterceptor server to run as `HTTPS`.
+* Changes to EventListener in order to connect with ClusterInterceptor securely.  
+
+## A look into the future
+* Providing a way to user to pass their own certificate to run ClusterInterceptor server.
+
+## References 
+1. GitHub issue: [#871](https://github.com/tektoncd/triggers/issues/871)

teps/README.md

@@ -239,3 +239,4 @@ This is the complete list of Tekton teps:
 |[TEP-0096](0096-pipelines-v1-api.md) | Pipelines V1 API | proposed | 2022-02-07 |
 |[TEP-0098](0098-workflows.md) | Workflows | proposed | 2021-12-06 |
 |[TEP-0100](0100-embedded-taskruns-and-runs-status-in-pipelineruns.md) | Embedded TaskRuns and Runs Status in PipelineRuns | implementable | 2022-02-14 |
+|[TEP-0102](0102-https-connection-to-triggers-interceptor.md) | HTTPS Connection to Triggers ClusterInterceptor | proposed | 2022-03-21 |