Expected Behavior
An EventListener with no interceptors in its triggers should start successfully, without requiring any ClusterInterceptor resources to exist.
Actual Behavior
The EventListener pod enters CrashLoopBackOff with:
Timed out waiting on CaBundle to available for clusterInterceptor: ...
Timed out waiting on CaBundle to available for Interceptor: ...
empty caBundle in clusterInterceptor spec
This happens even though the EventListener has zero interceptors configured. The binary unconditionally scans all ClusterInterceptors in the cluster and demands at least one with both:
metadata.labels["server/type"] = "https"
spec.clientConfig.caBundle non-empty
Root cause is three interacting problems in the codebase:
- pkg/adapter/adapter.go:161-174 — getCertFromInterceptor() polls all ClusterInterceptors. If httpsCILen == 0 (no https-labeled ClusterInterceptor found), it returns errors.New("empty caBundle in clusterInterceptor spec") — rejecting startup.
- pkg/apis/triggers/v1alpha1/cluster_interceptor_defaults.go:27-28 — SetDefaults() returns immediately when IsUpgradeViaDefaulting(ctx) is false (always the case for normal webhook requests), so the server/type label is never defaulted. Users must set it manually.
- cmd/webhook/main.go:79,104 — Both mutating and validating webhooks have disallowUnknownFields: true. This causes caBundle to be rejected as json: unknown field "caBundle", even though ClientConfig at pkg/apis/triggers/v1alpha1/cluster_interceptor_types.go:68 defines CaBundle []byte with json:"caBundle,omitempty".
Combined: it is impossible to deploy a working EventListener when any ClusterInterceptor exists, unless the separate interceptors server image injects caBundle programmatically via pkg/interceptors/server/server.go:236.
Steps to Reproduce the Problem
- Install Tekton Triggers v0.34.0 or v0.35.0.
- Create a ClusterInterceptor (any kind, e.g. github) without caBundle and without the server/type label.
- Create an EventListener with no interceptors in its triggers (e.g. just bindings and a template).
- Observe the EventListener pod crash with the error above.
Additional Info
- Kubernetes version:
  Output of kubectl version:
  Client Version: v1.32.0
  Kustomize Version: v5.5.0
  Server Version: v1.32.0
- Tekton Pipeline version:
  Output of kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'
- Tekton Triggers version: v0.34.0 (also confirmed on v0.35.0 — adapter.go is identical)
- Workaround: temporarily delete both triggers webhooks, create the ClusterInterceptor with labels: {server/type: https} and a valid base64-encoded PEM CA cert in spec.clientConfig.caBundle, then restore the webhooks.
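A diagnostic sketch for the two conditions named above, added here as an example and not taken from the Tekton Triggers code base: it reads JSON shaped like the output of `kubectl get clusterinterceptors -o json` and reports, per ClusterInterceptor, the first condition that is not met. The names `ci`, `audit` and `sample` are hypothetical, the input is constructed, and the PEM framing check is an assumption based on the workaround's wording rather than on adapter.go.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// ci keeps only the fields the report names (JSON keys match case-insensitively).
type ci struct {
	Metadata struct {
		Name   string
		Labels map[string]string
	}
	Spec struct{ ClientConfig struct{ CaBundle []byte } } // base64 in JSON
}

// audit maps each ClusterInterceptor name to "ok" or to the first check it fails.
func audit(raw []byte) (map[string]string, error) {
	var list struct{ Items []ci }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, c := range list.Items {
		blk, _ := pem.Decode(c.Spec.ClientConfig.CaBundle)
		out[c.Metadata.Name] = "ok"
		switch {
		case c.Metadata.Labels["server/type"] != "https":
			out[c.Metadata.Name] = "label server/type=https missing"
		case len(c.Spec.ClientConfig.CaBundle) == 0:
			out[c.Metadata.Name] = "caBundle empty"
		case blk == nil || blk.Type != "CERTIFICATE": // assumed check, from the workaround text
			out[c.Metadata.Name] = "caBundle is not a PEM certificate"
		}
	}
	return out, nil
}

// sample is constructed input shaped like a ClusterInterceptor list; the PEM body is placeholder bytes, not a real CA.
func sample() []byte {
	ok := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed")}))
	return []byte(fmt.Sprintf(`{"items":[
{"metadata":{"name":"github"},"spec":{"clientConfig":{}}},
{"metadata":{"name":"raw","labels":{"server/type":"https"}},"spec":{"clientConfig":{"caBundle":"Y29uc3RydWN0ZWQ="}}},
{"metadata":{"name":"complete","labels":{"server/type":"https"}},"spec":{"clientConfig":{"caBundle":%q}}}]}`, ok))
}

func main() { fmt.Println(audit(sample())) }
```

The "github" entry in the sample mirrors the ClusterInterceptor from the reproduction steps: no server/type label and no caBundle.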