EventListener crashes on startup when any ClusterInterceptor exists without server/type: https label + caBundle #2034

Description

@sim-wangyan

Expected Behavior

An EventListener with no interceptors in its triggers should start successfully, without requiring any ClusterInterceptor resources to exist.

Actual Behavior

The EventListener pod enters CrashLoopBackOff with:

Timed out waiting on CaBundle to available for clusterInterceptor: ...
Timed out waiting on CaBundle to available for Interceptor: ...
empty caBundle in clusterInterceptor spec

This happens even though the EventListener has zero interceptors configured. The binary unconditionally scans all ClusterInterceptors in the cluster and demands at least one with both:

  • metadata.labels["server/type"] = "https"
  • spec.clientConfig.caBundle non-empty

Root cause is three interacting problems in the codebase:

  1. In pkg/adapter/adapter.go:161-174, getCertFromInterceptor() polls all ClusterInterceptors. If httpsCILen == 0 (no https-labeled ClusterInterceptor found), it returns errors.New("empty caBundle in clusterInterceptor spec"), rejecting startup.

  2. In pkg/apis/triggers/v1alpha1/cluster_interceptor_defaults.go:27-28, SetDefaults() returns immediately when IsUpgradeViaDefaulting(ctx) is false (always the case for normal webhook requests), so the server/type label is never defaulted. Users must set it manually.

  3. cmd/webhook/main.go:79,104 — Both mutating and validating webhooks have disallowUnknownFields: true. This causes caBundle to be rejected as json: unknown field "caBundle", even though ClientConfig at pkg/apis/triggers/v1alpha1/cluster_interceptor_types.go:68 defines CaBundle []byte with json:"caBundle,omitempty".

Combined: it is impossible to deploy a working EventListener when any ClusterInterceptor exists, unless the separate interceptors server image injects caBundle programmatically via pkg/interceptors/server/server.go:236.

Steps to Reproduce the Problem

  1. Install Tekton Triggers v0.34.0 or v0.35.0.
  2. Create a ClusterInterceptor (any kind, e.g. github) without caBundle and without the server/type label.
  3. Create an EventListener with no interceptors in its triggers (e.g. just bindings and a template).
  4. Observe the EventListener pod crash with the error above.

Additional Info

  • Kubernetes version:

    Output of kubectl version:

    Client Version: v1.32.0
    Kustomize Version: v5.5.0
    Server Version: v1.32.0
    
  • Tekton Pipeline version:

    Output of kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

    v1.6.0
    
  • Tekton Triggers version: v0.34.0 (also confirmed on v0.35.0 — adapter.go is identical)

  • Workaround: temporarily delete both triggers webhooks, create the ClusterInterceptor with labels: {server/type: https} and a valid base64-encoded PEM CA cert in spec.clientConfig.caBundle, then restore the webhooks.
