Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 4. Securing webhooks with event listeners

As an administrator, you can secure webhooks with event listeners. After creating a namespace, you enable HTTPS for the Eventlistener resource by adding the operator.tekton.dev/enable-annotation=enabled label to the namespace. Then, you create a Trigger resource and a secured route using the re-encrypted TLS termination.

Triggers in Red Hat OpenShift Pipelines support insecure HTTP and secure HTTPS connections to the Eventlistener resource. HTTPS secures connections within and outside the cluster.

Red Hat OpenShift Pipelines runs a tekton-operator-proxy-webhook pod that watches for the labels in the namespace. When you add the label to the namespace, the webhook sets the service.beta.openshift.io/serving-cert-secret-name=<secret_name> annotation on the EventListener object. This, in turn, creates secrets and the required certificates. 

service.beta.openshift.io/serving-cert-secret-name=<secret_name>
Copy to Clipboard Toggle word wrap

In addition, you can mount the created secret into the Eventlistener pod to secure the request.

4.1. Providing secure connection with OpenShift routes
Copiar enlace

To create a route with the re-encrypted TLS termination, run: 

$ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
Copy to Clipboard Toggle word wrap

Alternatively, you can create a re-encrypted TLS termination YAML file to create a secure route.

Example re-encrypt TLS termination YAML to create a secure route

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: route-passthrough-secured
1 

spec:
  host: <hostname>
  to:
    kind: Service
    name: frontend
2 

  tls:
    termination: reencrypt
3 

    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCACertificate: |-
4 

      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
Copy to Clipboard Toggle word wrap

1 2
The name of the object, which is limited to only 63 characters.
3
The termination field is set to reencrypt. This is the only required TLS field.
4
This is required for re-encryption. The destinationCACertificate field specifies a CA certificate to validate the endpoint certificate, thus securing the connection from the router to the destination pods. You can omit this field in either of the following scenarios:
  • The service uses a service signing certificate.
  • The administrator specifies a default CA certificate for the router, and the service has a certificate signed by that CA.

You can run the oc create route reencrypt --help command to display more options.

This section uses the pipelines-tutorial example to demonstrate creation of a sample EventListener resource using a secure HTTPS connection.

Procedure

  1. Create the TriggerBinding resource from the YAML file available in the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/01_binding.yaml
    Copy to Clipboard Toggle word wrap

  2. Create the TriggerTemplate resource from the YAML file available in the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/02_template.yaml
    Copy to Clipboard Toggle word wrap

  3. Create the Trigger resource directly from the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/03_trigger.yaml
    Copy to Clipboard Toggle word wrap

  4. Create an EventListener resource using a secure HTTPS connection:

    1. Add a label to enable the secure HTTPS connection to the Eventlistener resource: 

      $ oc label namespace <ns-name> operator.tekton.dev/enable-annotation=enabled
      Copy to Clipboard Toggle word wrap

    2. Create the EventListener resource from the YAML file available in the pipelines-tutorial repository: 

      $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/04_event_listener.yaml
      Copy to Clipboard Toggle word wrap

    3. Create a route with the re-encrypted TLS termination: 

      $ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
      Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat