Allow secure connection to eventlistener pod

cmd/eventlistenersink/main.go

@@ -128,7 +128,13 @@ func main() {
 		Handler:     mux,
 	}
 
-	if err := srv.ListenAndServe(); err != nil {
-		logger.Fatalf("failed to start eventlistener sink: %v", err)
+	if sinkArgs.Cert == "" && sinkArgs.Key == "" {
+		if err := srv.ListenAndServe(); err != nil {
+			logger.Fatalf("failed to start eventlistener sink: %v", err)
+		}
+	} else {
+		if err := srv.ListenAndServeTLS(sinkArgs.Cert, sinkArgs.Key); err != nil {
+			logger.Fatalf("failed to start eventlistener sink: %v", err)
+		}
 	}
 }

docs/eventlisteners.md

@@ -40,6 +40,8 @@ using [Event Interceptors](#Interceptors).
     - [Multiple EventListeners (One EventListener Per Namespace)](#multiple-eventlisteners-one-eventlistener-per-namespace)
     - [Multiple EventListeners (Multiple EventListeners per Namespace)](#multiple-eventlisteners-multiple-eventlisteners-per-namespace)
     - [ServiceAccount per EventListenerTrigger](#serviceaccount-per-eventlistenertrigger)
+  - [EventListener Secure Connection](#eventlistener-secure-connection)
+    - [Prerequisites](#prerequisites)
 
 ## Syntax
 
@@ -273,8 +275,11 @@ Right now the allowed values as part of `podSpec` are
 ServiceAccountName
 NodeSelector
 Tolerations
+Volumes
 Containers
 - Resources
+- VolumeMounts
+- Env
 ```
 
 ### Logging
@@ -945,3 +950,55 @@ Except as otherwise noted, the content of this page is licensed under the
 [Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/),
 and code samples are licensed under the
 [Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).
+
+## EventListener Secure Connection
+
+Triggers now support both `HTTP` and `HTTPS` connection by adding some configurations in eventlistener. 
+### Prerequisites
+* Certficates.
+* Secret which includes those certificates.
+
+There are two env var reserved for `HTTPS` connection to read certificates
+1. **SSL_CERT_FILE**: specify the location of mounted cert file.
+2. **SSL_KEY_FILE**: specify the location of mounted key file.
+
+As mentioned in the prerequisites users are asked to create their own certificates, secrets and mount as a volume in the 
+`resources` section of eventlistener as shown below.
+
+```yaml
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+  name: github-listener-interceptor
+spec:
+  ...
+  resources:
+    kubernetesResource:
+      spec:
+        template:
+          spec:
+            serviceAccountName: tekton-triggers-github-sa
+            volumes:
+              - name: https-connection
+                secret:
+                  secretName: ssl-key-secret
+            containers:
+            - volumeMounts:
+              - name: https-connection
+                mountPath: "/etc/triggers/ssl/"
+                readOnly: true
+              env:
+              - name: SSL_CERT_FILE
+                value: "/etc/triggers/ssl/tls.crt"
+              - name: SSL_KEY_FILE
+                value: "/etc/triggers/ssl/tls.key"
+```
+Where
+
+**ssl-key-secret** is a secret object created by user which contains certificates.
+
+ex:
+```text
+kubectl create secret generic ssh-key-secret --from-file=tls.crt --from-file=tls.key
+```
+Refer [TEP-0027](https://github.com/tektoncd/community/blob/master/teps/0027-https-connection-to-triggers-eventlistener.md) for more information.

pkg/apis/triggers/v1alpha1/event_listener_validation.go

@@ -67,6 +67,8 @@ func validateKubernetesObject(orig *KubernetesResource) (errs *apis.FieldError)
 func containerFieldMask(in *corev1.Container) *corev1.Container {
 	out := new(corev1.Container)
 	out.Resources = in.Resources
+	out.VolumeMounts = in.VolumeMounts
+	out.Env = in.Env
 
 	// Disallowed fields
 	// This list clarifies which all container attributes are not allowed.
@@ -78,7 +80,6 @@ func containerFieldMask(in *corev1.Container) *corev1.Container {
 	out.ReadinessProbe = nil
 	out.StartupProbe = nil
 	out.Command = nil
-	out.VolumeMounts = nil
 	out.ImagePullPolicy = ""
 	out.Lifecycle = nil
 	out.SecurityContext = nil
@@ -90,7 +91,6 @@ func containerFieldMask(in *corev1.Container) *corev1.Container {
 	out.TTY = false
 	out.VolumeDevices = nil
 	out.EnvFrom = nil
-	out.Env = nil
 
 	return out
 }
@@ -105,10 +105,10 @@ func podSpecMask(in *corev1.PodSpec) *corev1.PodSpec {
 	out.Containers = in.Containers
 	out.Tolerations = in.Tolerations
 	out.NodeSelector = in.NodeSelector
+	out.Volumes = in.Volumes
 
 	// Disallowed fields
 	// This list clarifies which all podspec fields are not allowed.
-	out.Volumes = nil
 	out.ImagePullSecrets = nil
 	out.EnableServiceLinks = nil
 	out.ImagePullSecrets = nil

pkg/apis/triggers/v1alpha1/event_listener_validation_test.go

@@ -181,6 +181,14 @@ func Test_EventListenerValidate(t *testing.T) {
 										Effect:   "NoSchedule",
 									}},
 									NodeSelector: map[string]string{"beta.kubernetes.io/os": "linux"},
+									Volumes: []corev1.Volume{{
+										Name: "https-connection",
+										VolumeSource: corev1.VolumeSource{
+											Secret: &corev1.SecretVolumeSource{
+												SecretName: "ssl-key-secret",
+											},
+										},
+									}},
 									Containers: []corev1.Container{{
 										Resources: corev1.ResourceRequirements{
 											Limits: corev1.ResourceList{
@@ -192,6 +200,14 @@ func Test_EventListenerValidate(t *testing.T) {
 												corev1.ResourceMemory: resource.Quantity{Format: resource.BinarySI},
 											},
 										},
+										VolumeMounts: []corev1.VolumeMount{{
+											Name:      "https-connection",
+											MountPath: "/etc/triggers/ssl",
+										}},
+										Env: []corev1.EnvVar{{
+											Name:  "SSL_CERT_FILE",
+											Value: "/etc/triggers/ssl/tls.crt",
+										}},
 									}},
 								},
 							},