tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

EventListener cannot see Triggers in other than deployment namespace #1700

Closed wilstdu closed 2 months ago

wilstdu commented 4 months ago

Expected Behavior

EventListener can see Triggers in other than deployment namespaces.

Actual Behavior

EventListener cannot see Triggers in other than deployment namespaces.

Steps to Reproduce the Problem

EventListener running in a "main" namespace. EventListener oversees Triggers in multiple namespaces. "feature" namespaces have RoleBindings that allow ServiceAccount in the "main" namespace to view resources in the "feature" namespace.

Send a request to the EventListener ingress with a payload that would only match the rule for the "feature" namespace Trigger.

Additional Info

With Triggers version 0.23.1 this still worked, but with any later version this no longer works and EventListener can only see Triggers where the EventListener is deployed. From Kubernetes permission perspective everything looks good and there were no other infrastructure changes than changing Tekton Triggers version.

Example triggers for illustration of how main and feature trigger selection is implemented:

apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: example-feature-branch
spec:
  interceptors:
  - ref:
      name: cel
    params:
    - name: filter
      value: >-
        body.branch=="feature"
  bindings:
  - name: example-variable
    value: example-value
  template:
    ref: example-reference

---
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: example-main-branch
spec:
  interceptors:
  - ref:
      name: cel
    params:
    - name: filter
      value: >-
        body.branch=="main"
  bindings:
  - name: example-variable
    value: example-value
  template:
    ref: example-reference

---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: example-el
  namespace: example-main-namespace
spec:
  namespaceSelector: {}
  resources:
    kubernetesResource:
      replicas: 2
  serviceAccountName: el-service-account-name
  triggerGroups:
    - name: local-trigger-group
      triggerSelector:
        labelSelector:
          matchLabels: {}
        namespaceSelector:
          matchNames:
            - '*'

realSchoki commented 4 months ago

I think it's linked to this: https://github.com/tektoncd/triggers/issues/1652

Just add a dummy entry under .spec.namespaceSelector if you need a "hotfix". Fix is on roadmap for 0.27.0.

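The cross-namespace setup the report describes, together with the workaround suggested above, as an added example that is not from the issue or from the Tekton project. Part 1 is the RBAC side: a namespaced Role in the feature namespace with read-only verbs on Trigger resources, bound to the listener's ServiceAccount that lives in the main namespace (no cluster-wide binding, no write verbs). Part 2 is a Trigger carrying a label so the trigger group can select it by label instead of matching everything. Part 3 is the EventListener with a non-empty spec.namespaceSelector, which is how I read the "dummy entry" workaround. All namespace, label and account names other than those already on the page are constructed, and the resource list in the Role is my assumption of the minimum the listener needs; check it against the Tekton Triggers RBAC documentation for the version in use.

```yaml
# Added example, not the issue's or the project's own manifests.
# Constructed names: "example-main-namespace" runs the EventListener,
# "example-feature-namespace" holds a Trigger the listener must see.

# 1. Least-privilege RBAC in the feature namespace. Read-only verbs only; the
#    resource list is an assumption, verify it against the Tekton Triggers docs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: el-trigger-reader
  namespace: example-feature-namespace
rules:
- apiGroups: ["triggers.tekton.dev"]
  resources: ["triggers", "triggerbindings", "triggertemplates"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: el-trigger-reader
  namespace: example-feature-namespace
subjects:
- kind: ServiceAccount
  name: el-service-account-name
  namespace: example-main-namespace   # the subject lives in the main namespace
roleRef:
  kind: Role
  name: el-trigger-reader
  apiGroup: rbac.authorization.k8s.io
---
# 2. The feature Trigger, labelled so a label selector can pick it explicitly
#    (the label "listener: example-el" is constructed for this example).
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: example-feature-branch
  namespace: example-feature-namespace
  labels:
    listener: example-el
spec:
  interceptors:
  - ref:
      name: cel
    params:
    - name: filter
      value: body.branch == "feature"
  bindings:
  - name: example-variable
    value: example-value
  template:
    ref: example-reference
---
# 3. The EventListener. The issue's manifest has `namespaceSelector: {}`; the
#    workaround from the thread, as read here, is a non-empty selector whose
#    entry matches no real namespace, so only the label-based trigger group
#    below decides which Triggers are selected.
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: example-el
  namespace: example-main-namespace
spec:
  serviceAccountName: el-service-account-name
  namespaceSelector:
    matchNames:
    - placeholder-not-a-real-namespace   # workaround entry; drop once fixed upstream
  triggerGroups:
  - name: cross-namespace-trigger-group
    triggerSelector:
      labelSelector:
        matchLabels:
          listener: example-el
      namespaceSelector:
        matchNames:
        - '*'
```

Two things to keep in mind with this layout. The spec-level namespaceSelector selects every Trigger in the namespaces it names regardless of labels, so if the placeholder ever matched a real namespace the listener would silently gain all Triggers in it; keep it a name nothing else uses and remove it once the fix scheduled for 0.27.0 is in place. The Role above only lets the listener read Trigger definitions; whatever resources the referenced template creates still need their own create permissions wherever they are meant to land.
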
khrm commented 3 months ago

/assign @khrm