Add changes to run clusterinterceptor as HTTPS #1333
Conversation
|
The following is the coverage report on the affected files.
|
ec3c188 to
443197b
Compare
|
The following is the coverage report on the affected files.
|
443197b to
5606bff
Compare
|
The following is the coverage report on the affected files.
|
5606bff to
a306cc4
Compare
|
The following is the coverage report on the affected files.
|
a306cc4 to
666b2b6
Compare
|
The following is the coverage report on the affected files.
|
666b2b6 to
e117c5b
Compare
|
The following is the coverage report on the affected files.
|
e117c5b to
a210326
Compare
|
The following is the coverage report on the affected files.
|
a210326 to
25003f7
Compare
|
The following is the coverage report on the affected files.
|
cmd/interceptors/main.go
Outdated
| @@ -72,8 +89,62 @@ func main() { | |||
| mux.Handle("/", service) | |||
| mux.HandleFunc("/ready", handler) | |||
|
|
|||
| name := os.Getenv("SVC_NAME") | |||
There was a problem hiding this comment.
IMO we should give this a more explicit name than SVC name e.g. INTERCEPTOR_TLS_SECRET or something like that
| @@ -65,7 +65,7 @@ metadata: | |||
| rules: | |||
| - apiGroups: [""] | |||
| resources: ["secrets"] | |||
| verbs: ["get", "list", "watch"] | |||
| verbs: ["get", "list", "watch", "update"] | |||
There was a problem hiding this comment.
I don't think we should change the role to be able to update all secrets. Instead create another rule that can update the specific secret that we need
There was a problem hiding this comment.
I see tekton-triggers-core-interceptors cluster role is only used for tekton-triggers-core-interceptors deployment so i believe this is for specified one only
Let me know if this is your concern or something else
There was a problem hiding this comment.
Right the concern is that this allows the core interceptor server access to update any secret in the cluster which is a bit scary. What we should do is to make sure it can only update the TLS secret for the cluster interceptor.
See the example here where the webhook role can only update the webhook-certs secret using the resourceName field: https://github.com/tektoncd/pipeline/blob/main/config/200-role.yaml#L59-L65
| if svc.Port != nil { | ||
| port = *svc.Port | ||
| } | ||
| url := &apis.URL{ | ||
| Scheme: "http", // TODO: Support HTTPs if caBundle is present | ||
| Scheme: "https", |
There was a problem hiding this comment.
hmm..we'd have to be a bit careful here...if we move this to only support https, anyone who has written a cluster interceptor will not be able use Triggers until they upgrade their code. Should we support both for a release or two?
There was a problem hiding this comment.
Ah i see
Okay so do you mean we need to have support for both HTTP and HTTPS right/
If thats the case we need to take input from deplpyment yaml to know whether they want HTTP or HTTPS
Shall i change implementation that way ?
There was a problem hiding this comment.
we discussed this in the WG - we should take the input for whether it is HTTP/HTTPS from interceptor CRD itself.
d7a6804 to
e6d8bfd
Compare
| createCerts = true | ||
| } | ||
|
|
||
| // TODO: Certification validation and rotation is pending |
There was a problem hiding this comment.
@dibyom will create an issue to handle it in separate PR
There was a problem hiding this comment.
could you open an issue to track?
|
The following is the coverage report on the affected files.
|
pkg/interceptors/interceptors.go
Outdated
| return nil, fmt.Errorf("unable to parse cert from %s", ic.Spec.ClientConfig.CaBundle) | ||
| } | ||
|
|
||
| client = &http.Client{ |
There was a problem hiding this comment.
I think we have to update this - creating a new client here means we will ignore all of the config options that we set in the already passed in HTTP client (such as the timeout values). Creating a new HTTP client per call means we can't reuse the underlying connections so we might be limiting the number of calls from the EL to the interceptor.
I think we'd have to add in the certs in the sinker.Start function - we could pass in a clusterinterceptorlister as an arg to the sinker struct - list all the clusterinterceptors, get the caCert and add it to the certPool. and then create a httpClient with all the certs. (This does mean that if we add a new interceptor in the middle, we'd have to restart each EL.
(Ideally in the future we'd have something that listens for changes to interceptors and updates the httpClient with newCerts on the fly)
There was a problem hiding this comment.
@dibyom Yes i agree with you
It overrides previous given values
Updated code PTAL 🙏
Thank you
| createCerts = true | ||
| } | ||
|
|
||
| // TODO: Certification validation and rotation is pending |
There was a problem hiding this comment.
could you open an issue to track?
cmd/interceptors/main.go
Outdated
| log.Printf("secret %s is missing", interceptorSecretName) | ||
| return "", "", []byte{}, err | ||
| } | ||
| log.Printf("error accessing certificate secret %q: %v", interceptorSecretName, err) |
There was a problem hiding this comment.
can we use logger as we do in the rest of the function vs log.Printf
e6d8bfd to
4f20fd2
Compare
|
The following is the coverage report on the affected files.
|
4f20fd2 to
795717f
Compare
|
The following is the coverage report on the affected files.
|
cmd/interceptors/main.go
Outdated
| } | ||
| // write serverCert to file so that it can be passed while running https server. | ||
| // Expect WriteFile permissions to be 0600 or less (gosec) | ||
| //nolint:gosec |
There was a problem hiding this comment.
if given file permission is more than 600 the its giving security issue during build
cmd/interceptors/main.go:211:11: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err = ioutil.WriteFile(certFile, serverCert, 0644); err != nil {
^
For now instead of using 644 i m using 600 and removing //nolint:gosec
Updated main.go
Thanks for pointing it out 👍 I forgot to remove it earlier
795717f to
d73798a
Compare
|
The following is the coverage report on the affected files.
|
d73798a to
e21cb18
Compare
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-triggers-build-tests |
e21cb18 to
47c6a51
Compare
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-triggers-integration-tests |
|
@dibyom PR is ready for final review Thank You!! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
Changes
TEP: tektoncd/community#662
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Release Notes