Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fluxcd/flux-recv
Webhook receiver for Flux v1
https://github.com/fluxcd/flux-recv
Last synced: 3 months ago
JSON representation
Webhook receiver for Flux v1
- Host: GitHub
- URL: https://github.com/fluxcd/flux-recv
- Owner: fluxcd
- License: apache-2.0
- Archived: true
- Created: 2019-11-12T14:01:28.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2022-01-07T17:37:45.000Z (almost 3 years ago)
- Last Synced: 2024-06-18T23:02:13.914Z (5 months ago)
- Language: Go
- Homepage:
- Size: 167 KB
- Stars: 66
- Watchers: 7
- Forks: 14
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
[![CircleCI](https://circleci.com/gh/fluxcd/flux-recv.svg?style=svg)](https://circleci.com/gh/fluxcd/flux-recv)
# Flux webhook receiver
The container image built herein acts as a webhook endpoint, that will
notify Flux of git push and image push events.Flux has a `notify` method in its API, but this is unsuitable to
exposing to the internet, because- it handles a payload defined by the Flux API, rather than handling
the events posted by GitHub etc.
- to use it as a webhook endpoint, you would have to expose the Flux
API listener to the internet; and that is terribly, terribly
unsafe.## Supported webhook sources
`flux-recv` understands
- `GitHub` push events (and ping events)
- `DockerHub` image push events
- `Quay` image push events
- `GitLab` push events
- `Bitbucket` push events
- `GoogleContainerRegistry` image push events via pubsub
- `Nexus` image push eventsSome of these have specific configuration options; see
[Source-specific configuration](#source-specific-configuration) below.## How to use it
In short:
- construct a configuration, including shared secrets
- run `fluxcd/flux-recv` as a sidecar in the flux deployment
- expose the flux-recv listener to the internet
- install webhooks at the source provider (e.g., GitHub)
- check if it worksThese are explained in more depth in the following sections.
### Constructing a configuration
Each webhook you want to receive must have its own shared secret,
which is supplied as a file mounted into the container.In addition, there is a config YAML that tells `flux-recv` which
secrets correspond to which kinds of webhook, so it knows what to
expect.Here is how to make a Kubernetes Secret with a shared secret and a
configuration in it:- create the secret -- [GitHub
recommends](https://developer.github.com/webhooks/securing/) 20
bytes of randomness (NB I am using `print` rather than `puts`
because newlines will mess things up):```
$ ruby -rsecurerandom -e 'print SecureRandom.hex(20)' > ./github.key
```- create a configuration that refers to it:
```sh
$ cat >> fluxrecv.yaml <> kustomization.yaml < If you do restrict API access to localhost, make sure you also
>
> - supply `--listen-metrics=:3031`
> - annotate the pod with `prometheus.io/port: "3031"`, so
> Prometheus knows which port to scrape).
> - remove any probes that rely on reaching the API### Expose flux-recv to the internet
To expose the flux-recv listener to the internet so that webhooks can
reach it, you will need to:- make a Kubernetes Service for `flux-recv`; and,
- either
- tell an Ingress to route requests to the service; OR
- use ngrok to tunnel requests through to flux-recv#### Making a service for flux-recv
To be able to route requests to `flux-recv` from anywhere else, it
needs a Kubernetes Service. Here's a suitable definition:```sh
$ cat > flux-recv-service.yaml <`, where
`` is the SHA265 digest of a hook's shared secret,
hex-encoded. flux-recv will print out these endpoints when it
starts, or you can calculate them with e.g., `sha256 -b
./github.key`;- the backend will be the `flux-recv` service created previously,
with the port `8080`.#### Using ngrok
If running locally (e.g., while developing flux-recv itself), it will
be more convenient to use `ngrok` to tunnel requests through to your
cluster.In general, ngrok will create a new hostname each time it runs, and
you will want to run it in its own deployment so it doesn't get
restarted too much.The kustomization in [`./example/ngrok`](./example/ngrok/) contains an
_almost_ complete configuration. You need to obtain an auth token by
signing up for an ngrok.com account, and paste it into the field
indicated in `example/ngrok.yml`, before running```sh
$ kubectl apply -k ./example
```> Alternatively, you can _not_ sign up to ngrok.com, and remove the
> volume mount and `-config` arg from the deployment. In this case,
> you will need to restart ngrok every few hours to get a fresh
> tunnel, and reinstall any webhooks with the new hostname for the
> tunnel.The _host_ part of your webhook URLs will be something like
`https://abcd1234.ngrok.io`, and it will change each time ngrok starts
(which is why we went to some trouble to run it in its own
deployment).The example ngrok configuration includes a Service with a NodePort, so
you can access ngrok's web UI. You may wish to remove the NodePort, or
the service entirely, and use `kubectl port-forward` instead.### Install webhook at the source
Each webhook source has its own user interface or API for installing
webhooks. In general though, you will usually need- a URL for the webhook
- the shared secretYou can get the webhook URL for an endpoint by combining the host --
which will depend on how you exposed `flux-recv` to the internet in
the previous step -- and the path, which is'/hook/' + sha256sum(secret)
You can see the path in the log output of `flux-recv`, or calculate
the digest yourself with, e.g.,```
$ sha256sum -b ./github.key
```The webhook URL in total will look something like
https://abcd1234.ngrok.io/hook/7962c728be656d9580d0ce9bda78320c946d8321a4ba7f31ea15c7f2d471bd26
The path may differ if you are routing through an ingress or load
balancer.GitHub (and others) require the shared secret, which you can take
directly from the file created in the first step (be careful not to
introduce extra characters into the file, if you load it in an
editor).### Check if it works
The easiest way to do this is to watch fluxd's logs, and push a new
commit (or image) to the repo for which you installed the hook.kubectl logs deploy/flux -f
You should see a log message indicating that fluxd has either
* refreshed the git repo
```
ts=2019-11-20T16:29:26.871873132Z caller=loop.go:127 component=sync-loop event=refreshed url=ssh://[email protected]/squaremo/flux-example
```* ignored the notification because it's the wrong branch
```
ts=2019-11-19T15:03:06.477412849Z caller=daemon.go:540 component=daemon msg="notified about unrelated change" [email protected]:squaremo/flux-example.git branch=refs/tags/flux-write-check
```* scheduled an image repo refresh
```
ts=2019-11-20T16:34:30.134889169Z caller=warming.go:95 component=warmer priority=squaremo/helloworld
```Some sources (e.g., GitHub, GitLab) let you test or re-rerun hooks
from their webhook configuration, which can be useful for
debugging. If you are using ngrok, it's also possible to re-run a hook
from its dashboard.It is safe to re-run hooks, because `fluxd` treats notifications as a
trigger to refresh state, rather than as authoritative themselves. For
example, when informed of an image push, fluxd does not add the image
mentioned to its database -- it polls the image registry in question
to determine whether there is a new image.### Source-specific configuration
#### Google Container Registry
The Google Container Registry endpoint expects a [push
subscription](https://cloud.google.com/pubsub/docs/push) to be set
up. If you include a `gcr` field in the endpoint configuration, it
will authenticate and verify the audience for incoming webhook
payloads:```
fluxRecvVersion: 1
endpoints:
- source: GoogleContainerRegistry
keyPath: gcr.key
gcr:
audience: flux-push-notification
```