handler

package module
v0.1.6-rc1

This package is not in the latest version of its module.
Published: Mar 11, 2020 License: MIT Imports: 28 Imported by: 0

README

k8s-webhook-handler

Create Kubernetes resources in response to (GitHub) webhooks!

How does it work?

When the k8s-webhook-handler receives a webhook, it:

  • Validates the payload's signature, an HMAC hex digest computed with WEBHOOK_SECRET as the key
  • Downloads a manifest (.ci/workflow.yaml by default) from the repository.

For push events, it downloads the manifest from the given revision. Otherwise it's checked out from the repository's default branch.

After that, it applies the manifest and adds the following annotations:

  • k8s-webhook-handler.io/ref: Git reference (e.g. refs/heads/master)
  • k8s-webhook-handler.io/revision: The SHA of the most recent commit on ref after the push.
  • k8s-webhook-handler.io/before: The SHA of the most recent commit on ref before the push.
  • k8s-webhook-handler.io/repo_name: Repo name including user (e.g. airbnb/k8s-webhook-handler)
  • k8s-webhook-handler.io/repo_url: git URL (e.g. git://github.com/airbnb/k8s-webhook-handler.git)
  • k8s-webhook-handler.io/repo_ssh: ssh URL (e.g. git@github.com:airbnb/k8s-webhook-handler.git)

Binaries

  • cmd/webhook is the actual webhook handling server

Usage

Besides the manifests and templates in deploy/, a secret named 'webhook-handler' with the following fields is expected:

  • GITHUB_TOKEN Personal Access Token for API access
  • WEBHOOK_SECRET Secret for validating the webhook

The WEBHOOK_SECRET value should match the "Secret" field in the GitHub webhook settings. The secret can be created like this:

kubectl create secret generic webhook-handler --from-literal=WEBHOOK_SECRET=github-secret ...

Security

The WEBHOOK_SECRET is required for secure operation. Running without it means webhooks are not validated, which effectively grants everyone permission to run arbitrary manifests on your cluster. If you really need to run without validation, e.g. for testing purposes, you can run the handler with the -insecure flag.
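The signature check listed under "How does it work?" and the fail-closed behaviour this section asks for, as an added example that is not the project's own code. It assumes GitHub's X-Hub-Signature-256 header format (sha256= followed by the hex digest); the function names, error values, secret and payload are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrNoSecret     = errors.New("webhook secret not configured")
	ErrBadSignature = errors.New("signature missing or invalid")
)

// Sign returns the header value a sender would attach to body:
// "sha256=" + hex(HMAC-SHA256(secret, body)). Assumed header format.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify checks header against the raw, unparsed request body.
// It fails closed: an empty secret is an error, never "skip validation".
func Verify(secret, body []byte, header string) error {
	if len(secret) == 0 {
		return ErrNoSecret
	}
	if !strings.HasPrefix(header, "sha256=") {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	// hmac.Equal compares in constant time, so timing does not leak the digest.
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	secret := []byte("constructed-secret")       // constructed sample secret
	body := []byte(`{"ref":"refs/heads/master"}`) // constructed sample payload
	sig := Sign(secret, body)
	fmt.Println("valid:", Verify(secret, body, sig))
	fmt.Println("tampered:", Verify(secret, []byte(`{"ref":"refs/heads/other"}`), sig))
	fmt.Println("no secret:", Verify(nil, body, sig))
}
```

The digest must be computed over the exact bytes received, before any JSON decoding, because re-serialising the payload changes the bytes and therefore the HMAC.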

Documentation

Constants

This section is empty.

Variables

var (
	ErrEventNotSupported = errors.New("Event not supported")
	ErrEventInvalid      = errors.New("Not a valid event")
)

Functions

func Decode added in v0.1.5

func Decode(r io.Reader) (runtime.Object, error)

Decode reads a reader and parses the stream as runtime.Object.

func NewKubernetesClient added in v0.1.5

func NewKubernetesClient(kubeconfig string) (*kubernetesClient, error)

Types

type Config added in v0.1.5

type Config struct {
	Namespace           string
	ResourcePath        string
	HandlerLivenessPath string
	Secret              []byte
	IgnoreRefRegex      *regexp.Regexp
	DryRun              bool
}

type Event added in v0.1.5

type Event struct {
	Type     string
	Action   string
	Revision string
	Ref      string
	Before   string
	*github.Repository
}

func ParseEvent added in v0.1.5

func ParseEvent(ev interface{}) (*Event, error)

func (*Event) Annotations added in v0.1.5

func (e *Event) Annotations() map[string]string

type GithubLoader added in v0.1.5

type GithubLoader struct {
	*github.Client
}

func NewGithubLoader added in v0.1.5

func NewGithubLoader(token, baseURL, uploadURL string) (*GithubLoader, error)

func (*GithubLoader) Load added in v0.1.5

func (l *GithubLoader) Load(ctx context.Context, repo, path, ref string) (runtime.Object, error)

Load downloads a manifest from the repo specified by owner and name at the given ref. Ref and path can be a SHA, branch, or tag.

type Handler added in v0.1.5

type Handler struct {
	log.Logger
	Config *Config
	Loader
	KubernetesClient
	// contains filtered or unexported fields
}

func NewGithubHookHandler added in v0.1.5

func NewGithubHookHandler(logger log.Logger, config *Config, kubernetesClient KubernetesClient, loader Loader, statsdClient *statsd.Statsd) *Handler

func (*Handler) HandleEvent added in v0.1.5

func (h *Handler) HandleEvent(ctx context.Context, ev interface{}) (*handlerResponse, error)

HandleEvent handles a webhook. We have to use interface{} because of https://github.com/google/go-github/issues/1154.

func (*Handler) ServeHTTP added in v0.1.5

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type KubernetesClient added in v0.1.5

type KubernetesClient interface {
	Apply(obj runtime.Object, namespace string) error
}

type Loader added in v0.1.5

type Loader interface {
	Load(ctx context.Context, repo, path, ref string) (runtime.Object, error)
}

Directories

Path Synopsis
cmd
