service.beta.openshift.io/serving-cert-secret-name=<secret_name>
As an administrator, you can secure webhooks with event listeners. After creating a namespace, you enable HTTPS for the Eventlistener
resource by adding the operator.tekton.dev/enable-annotation=enabled
label to the namespace. Then, you create a Trigger
resource and a secured route using the re-encrypted TLS termination.
Triggers in Red Hat OpenShift Pipelines support insecure HTTP and secure HTTPS connections to the Eventlistener
resource. HTTPS secures connections within and outside the cluster.
Red Hat OpenShift Pipelines runs a tekton-operator-proxy-webhook
pod that watches for the labels in the namespace. When you add the label to the namespace, the webhook sets the service.beta.openshift.io/serving-cert-secret-name=<secret_name>
annotation on the EventListener
object. This, in turn, creates secrets and the required certificates.
service.beta.openshift.io/serving-cert-secret-name=<secret_name>
In addition, you can mount the created secret into the Eventlistener
pod to secure the request.
To create a route with the re-encrypted TLS termination, run:
$ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
Alternatively, you can create a re-encrypted TLS termination YAML file to create a secure route.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: route-passthrough-secured (1)
spec:
host: <hostname>
to:
kind: service
name: frontend (1)
tls:
termination: reencrypt (2)
key: [as in edge termination]
certificate: [as in edge termination]
caCertificate: [as in edge termination]
destinationCACertificate: |- (3)
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 | The name of the object, which is limited to only 63 characters. |
2 | The termination field is set to reencrypt . This is the only required TLS field. |
3 | This is required for re-encryption. The destinationCACertificate field specifies a CA certificate to validate the endpoint certificate, thus securing the connection from the router to the destination pods. You can omit this field in either of the following scenarios:
|
You can run the oc create route reencrypt --help
command to display more options.
This section uses the pipelines-tutorial example to demonstrate creation of a sample EventListener resource using a secure HTTPS connection.
Create the TriggerBinding
resource from the YAML file available in the pipelines-tutorial repository:
$ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/01_binding.yaml
Create the TriggerTemplate
resource from the YAML file available in the pipelines-tutorial repository:
$ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/02_template.yaml
Create the Trigger
resource directly from the pipelines-tutorial repository:
$ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/03_trigger.yaml
Create an EventListener
resource using a secure HTTPS connection:
Add a label to enable the secure HTTPS connection to the Eventlistener
resource:
$ oc label namespace <ns-name> operator.tekton.dev/enable-annotation=enabled
Create the EventListener
resource from the YAML file available in the pipelines-tutorial repository:
$ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/04_event_listener.yaml
Create a route with the re-encrypted TLS termination:
$ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>