Skip to content

Interceptors should warn when signature verification is disabled (no secretRef) #2030

Description

@vdemeester

The GitHub, GitLab, and Bitbucket interceptors skip all signature verification when secretRef is not set in interceptor params. The interceptor silently accepts all requests as authentic. This is by design (to support testing and internal-only use cases), but the silent behavior is a configuration footgun.

Users who omit secretRef — for example by copying a manifest without the auth parameters — get no indication that their interceptor is running without webhook authentication.

Proposed changes

1. Runtime warning log

When Process() runs with SecretRef == nil, log a warning:

WARN: GitHub interceptor running without signature verification. Set params.secretRef to enable webhook authentication.

2. Admission webhook warning

Return a Kubernetes admission warning (non-blocking) when an EventListener or Trigger references a github/gitlab/bitbucket interceptor without secretRef in params. This surfaces the issue at deploy time without breaking existing configurations.

3. Documentation

Add a security note to docs/interceptors.md under each interceptor section stating that omitting secretRef disables signature verification.

Non-goals

  • Making secretRef mandatory (breaking change, needs deprecation cycle)
  • Changing default behavior to fail-closed (breaking change)

Future consideration

A future release could introduce an explicit skipSignatureCheck: true param for intentional no-auth mode, then require either secretRef or skipSignatureCheck.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/featureCategorizes issue or PR as related to a new feature.

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions