Pipeline: Tekton Pipelines Integration with Istio

Created on 2 Jun 2020  路  8Comments  路  Source: tektoncd/pipeline

Expected Behavior

To be able to submit a Tekton CR to K8 admission controller through tekton-pipelines-webhook with Istio integrated

Actual Behavior

The certificate on the tekton-pipelines-webhook secure backend has a no CN and only the SAN is populated with the service name. See the error below.
Capture

Steps to Reproduce the Problem

  1. Install Istio v1.5
  2. Install Tekton-Pipelines with sidecars auto-injection enabled
  3. Try to submit a test Taskrun to the controller

Additional Info

  • Kubernetes version:

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.1", GitCommit:"7879fc12a63337efff607952a323df90cdc7a335", GitTreeState:"clean", BuildDate:"2020-04-08T17:38:50Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

  • Tekton Pipeline version: v0.11.0-rc2

  • Istio Version: v1.5 - Strict mTLS enabled
kinmisc
Source
picture jpower432

Most helpful comment

@afflom we still need to bump our dependency on knative/pkg :upside_down_face:

picture vdemeester on 8 Jun 2020
🚀1 👍1

All 8 comments

cc @tcnghia

mattmoor picture mattmoor on 2 Jun 2020

Since istio is providing mTLS for tekton in this instance, would it be acceptable for tekton to be deployed plain text comms between services? Is there a flag for that? @mattmoor @tcnghia

afflom picture afflom on 4 Jun 2020

This should be closed by https://github.com/knative/pkg/pull/1384

afflom picture afflom on 8 Jun 2020

@afflom we still need to bump our dependency on knative/pkg :upside_down_face:

vdemeester picture vdemeester on 8 Jun 2020
🚀1 👍1

Understood. I have patience. Thank you.

afflom picture afflom on 8 Jun 2020
1

/kind misc
/assign

vdemeester picture vdemeester on 10 Jun 2020

https://github.com/tektoncd/pipeline/blob/master/go.mod#L39 we now depend on knative 0.16. This should be fixed in 0.15.x (and on master)
/close

vdemeester picture vdemeester on 24 Jul 2020

@vdemeester: Closing this issue.

In response to this:

https://github.com/tektoncd/pipeline/blob/master/go.mod#L39 we now depend on knative 0.16. This should be fixed in 0.15.x (and on master)
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot picture tekton-robot on 24 Jul 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pritidesai picture pritidesai  路  4Comments
castlemilk picture castlemilk  路  4Comments
sujithjoseph picture sujithjoseph  路  3Comments
chmouel picture chmouel  路  3Comments
sbwsg picture sbwsg  路  4Comments