Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add GCR webhook receiver #121

Merged
merged 2 commits into from
Jan 18, 2021
Merged

Add GCR webhook receiver #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
07bca13
Adds gcr notification webhook
somtochiama Jan 18, 2021
abef9f5
Add more docs on authenticating post request from GCR
somtochiama Jan 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion api/v1beta1/receiver_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ import (
type ReceiverSpec struct {
// Type of webhook sender, used to determine
// the validation procedure and payload deserialization.
// +kubebuilder:validation:Enum=generic;github;gitlab;bitbucket;harbor;dockerhub;quay
// +kubebuilder:validation:Enum=generic;github;gitlab;bitbucket;harbor;dockerhub;quay;gcr
// +required
Type string `json:"type"`

Expand Down Expand Up @@ -70,6 +70,7 @@ const (
HarborReceiver string = "harbor"
DockerHubReceiver string = "dockerhub"
QuayReceiver string = "quay"
GCRReceiver string = "gcr"
)

func ReceiverReady(receiver Receiver, reason, message, url string) Receiver {
Expand Down
1 change: 1 addition & 0 deletions config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ spec:
- harbor
- dockerhub
- quay
- gcr
type: string
required:
- resources
Expand Down
21 changes: 21 additions & 0 deletions docs/spec/v1beta1/receiver.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ const (
HarborReceiver string = "harbor"
DockerHubReceiver string = "dockerhub"
QuayReceiver string = "quay"
GCRReceiver string = "gcr"
)
```

Expand Down Expand Up @@ -199,6 +200,26 @@ spec:
name: webapp
```

### GCR receiver

To authenticate `POST` request received when an image is pushed, we verify and decode the JWT in the authorization
header of the push request. For more information, take a look at this [documentation](https://cloud.google.com/pubsub/docs/push?&_ga=2.123897930.-1945316571.1602156486#authentication_and_authorization)

```yaml
apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Receiver
metadata:
name: gcr-receiver
namespace: default
spec:
type: gcr
secretRef:
name: webhook-token
resources:
- kind: ImageRepository
name: webapp
```

### Generic receiver

```yaml
Expand Down
75 changes: 75 additions & 0 deletions internal/server/receiver_handlers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,13 @@ package server

import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"net/url"
"strings"
"time"

imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
"github.com/fluxcd/pkg/apis/meta"
Expand Down Expand Up @@ -215,6 +217,54 @@ func (s *ReceiverServer) validate(ctx context.Context, receiver v1beta1.Receiver
fmt.Sprintf("handling event from %s for tag %s", p.Repository.URL, p.PushData.Tag),
"receiver", receiver.Name)
return nil
case v1beta1.GCRReceiver:
const (
insert = "insert"
tokenIndex = len("Bearer ")
)

type data struct {
Action string `json:"action"`
Digest string `json:"digest"`
Tag string `json:"tag"`
}

type payload struct {
Message struct {
Data string `json:"data"`
MessageID string `json:"messageId"`
PublishTime time.Time `json:"publishTime"`
Subscription string `json:"subscription"`
} `json:"message"`
}

err := authenticateGCRRequest(&http.Client{}, r.Header.Get("Authorization"), tokenIndex)
if err != nil {
return fmt.Errorf("cannot authenticate GCR request: %s", err)
}

var p payload
if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
return fmt.Errorf("cannot decode GCR webhook payload")
}

raw, _ := base64.StdEncoding.DecodeString(p.Message.Data)

var d data
err = json.Unmarshal(raw, &d)
if err != nil {
return fmt.Errorf("cannot decode GCR webhook body")
}

if strings.ToLower(d.Action) != insert {
s.logger.Info("action is not an insert, moving on")
return nil
}

s.logger.Info(
fmt.Sprintf("handling event from %s for tag %s", d.Digest, d.Tag),
"receiver", receiver.Name)
return nil
}

return fmt.Errorf("recevier type '%s' not supported", receiver.Spec.Type)
Expand Down Expand Up @@ -307,3 +357,28 @@ func (s *ReceiverServer) annotate(ctx context.Context, resource v1beta1.CrossNam

return nil
}

func authenticateGCRRequest(c *http.Client, bearer string, tokenIndex int) (err error) {
type auth struct {
Aud string `json:"aud"`
}

if len(bearer) < tokenIndex {
return fmt.Errorf("Authorization header is missing or malformed: %v", bearer)
}

token := bearer[tokenIndex:]
url := fmt.Sprintf("https://oauth2.googleapis.com/tokeninfo?id_token=%s", token)

resp, err := c.Get(url)
if err != nil {
return fmt.Errorf("Cannot verify authenticity of payload: %w", err)
}

var p auth
if err := json.NewDecoder(resp.Body).Decode(&p); err != nil {
return fmt.Errorf("Cannot decode auth payload: %w", err)
}

return nil
}