tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

Trigger interceptor updated the certificate on every restart #1638

Closed joaosilva15 closed 9 months ago

joaosilva15 commented 12 months ago

Expected Behavior

On startup the interceptor looks at the certificate and, if the expiration is close, updates it; if not, it leaves it as it is.

Actual Behavior

On startup the interceptor checks for the certificate and, it seems to me, always updates it, and then proceeds to update the certificate on the cluster interceptors. During the time that it takes for the rest of the interceptors to start accepting the new certificate we get errors like:

{"level":"error","ts":"2023-09-08T15:04:15.990Z","logger":"eventlistener","caller":"sink/sink.go:414","msg":"Post \"https://tekton-triggers-core-interceptors.tekton-pipelines.svc:8443/github\": x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"tekton-triggers-core-interceptors.tekton-pipelines.svc\")","commit":"2ec8bc6-dirty","eventlistener":"listener","namespace":"namespace","/triggers-eventid":"b366a12c-c2ad-4b4b-bec1-8c4a0465e050","eventlistenerUID":"25b5ba7e-8b81-40c7-9582-43db48c0734a","/triggers-eventid":"b366a12c-c2ad-4b4b-bec1-8c4a0465e050","/trigger":"X","stacktrace":"github.com/tektoncd/triggers/pkg/sink.Sink.processTrigger\n\tgithub.com/tektoncd/triggers/pkg/sink/sink.go:414\ngithub.com/tektoncd/triggers/pkg/sink.Sink.HandleEvent.func1\n\tgithub.com/tektoncd/triggers/pkg/sink/sink.go:202"}

This usually makes a few requests fail, and at times, I do not know why, this behaviour is prolonged by some time and we need to manually restart the interceptor pods.

Steps to Reproduce the Problem

  1. Start doing requests to an event listener that uses a cluster interceptor
  2. Kill one interceptor pod
  3. Some calls from the event listener will fail

Additional Info

Client version: 0.31.2
Pipeline version: v0.50.1
Triggers version: v0.24.1
Dashboard version: v0.38.0
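
The startup check described under Expected Behavior, as an added Go example that is not part of the original issue and is not Tekton Triggers code. The function names, the 30-day renewal window and the constructed self-signed certificate are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal is an added illustration (hypothetical name, not Tekton Triggers
// code): renew only if the cert is unreadable, not yet valid, or near expiry.
func needsRenewal(certPEM []byte, now time.Time, window time.Duration) (bool, string) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return true, "no certificate found"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return true, "unparseable certificate"
	}
	if now.Before(cert.NotBefore) {
		return true, "not yet valid"
	}
	if !now.Add(window).Before(cert.NotAfter) {
		return true, "expires within renewal window"
	}
	return false, "still valid, keep existing certificate"
}

// constructedCert builds a self-signed ECDSA certificate as constructed sample input.
func constructedCert(notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore, NotAfter: notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	fmt.Println(needsRenewal(constructedCert(now.Add(-time.Hour), now.Add(2160*time.Hour)), now, 720*time.Hour))
}
```

With a check like this, a pod restart leaves a certificate with 90 days of validity untouched, so the CA that the other interceptors and event listeners already trust keeps verifying.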