Add webhook validator to tekton event listener

d43caa07 · Jason Zaman · 7e2b07aa · d43caa07 · d43caa07 · d43caa07
Commit d43caa07 authored Jan 13, 2020 by Jason Zaman
--- a/tekton/build-triggers.yaml
+++ b/tekton/build-triggers.yaml
@@ -114,3 +114,33 @@ spec:
        name: build-pipelinebinding
      template:
        name: build-triggertemplate
+      interceptor:
+        objectRef:
+          kind: Service
+          name: webhook-validator
+          apiVersion: v1
+          namespace: sig-build
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: build-listener
+  namespace: sig-build
+  labels:
+    app: build-listener
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: tf-build-event
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /webhook/*
+        backend:
+          serviceName: el-build-listener
+          servicePort: 8080
+---
--- a/tekton/submit.py
+++ b/tekton/submit.py
@@ -6,11 +6,17 @@ import hmac
 import os
 import sys
+from pprint import pprint
 # forward to listener with:
 # kubectl port-forward svc/el-build-listener 7070:8080 --namespace=sig-build
 HOOKURL = 'http://localhost:7070/'
+HEADERS = {
+    'X-GitHub-Event': 'push',
+}
 DATA = {
    "head_commit":
    {
@@ -32,12 +38,20 @@ if len(secret) < 1:
    print('Set env var GITHUB_SECRET')
    sys.exit(1)
-request = requests.Request('POST', HOOKURL, data=DATA)
+secret = secret.encode('utf-8')
+request = requests.Request('POST', HOOKURL, headers=HEADERS, json=DATA)
 prepped = request.prepare()
 sig = hmac.new(secret, prepped.body, hashlib.sha1)
 prepped.headers['X-Hub-Signature'] = "sha1=%s" % sig.hexdigest()
 with requests.Session() as session:
-    response = session.send(prepped)
+    r = session.send(prepped)
+print("Response status code:", r.status_code)
+print("Response headers:")
+pprint(r.headers)
+print("\nResponse text:")
+print(r.text)
--- a/tekton/webhook-deployment.yaml
+++ b/tekton/webhook-deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webhook-validator
+  namespace: sig-build
+  labels:
+    app: webhook-validator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webhook-validator
+  template:
+    metadata:
+      name: webhook-validator
+      namespace: sig-build
+      labels:
+        app: webhook-validator
+    spec:
+      containers:
+        - name: webhook-validator
+          image: gcr.io/perfinion/tensorflow-build/webhook:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 5001
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 5001
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 5001
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            requests:
+              memory: 64Mi
+            limits:
+              memory: 128Mi
+          env:
+            - name: GITHUB_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: github-webhook-secret
+                  key: webhook-secret
+            - name: PORT
+              value: "5001"
+            - name: DEBUG_MODE
+              value: "0"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-validator
+  namespace: sig-build
+  labels:
+    app: webhook-validator
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 5001
+  selector:
+    app: webhook-validator
+---