diff --git a/Makefile b/Makefile
index 2fbc186f1..2502071f8 100644
--- a/Makefile
+++ b/Makefile
@@ -87,7 +87,8 @@ manifests: controller-gen
# Generate API reference documentation
api-docs: gen-crd-api-reference-docs
- $(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/notification.md
+ $(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1beta2/notification.md
+ $(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1/notification.md
# Run go mod tidy
tidy:
diff --git a/api/v1/doc.go b/api/v1/doc.go
new file mode 100644
index 000000000..3eb81cb22
--- /dev/null
+++ b/api/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API Schema definitions for the notification v1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=notification.toolkit.fluxcd.io
+package v1
diff --git a/api/v1/groupversion_info.go b/api/v1/groupversion_info.go
new file mode 100644
index 000000000..20a8a0bb4
--- /dev/null
+++ b/api/v1/groupversion_info.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+ // GroupVersion is group version used to register these objects.
+ GroupVersion = schema.GroupVersion{Group: "notification.toolkit.fluxcd.io", Version: "v1"}
+
+ // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+ SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+ // AddToScheme adds the types in this group-version to the given scheme.
+ AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/v1/receiver_types.go b/api/v1/receiver_types.go
new file mode 100644
index 000000000..89a4679df
--- /dev/null
+++ b/api/v1/receiver_types.go
@@ -0,0 +1,159 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "crypto/sha256"
+ "fmt"
+ "time"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+ ReceiverKind string = "Receiver"
+ ReceiverWebhookPath string = "/hook/"
+ GenericReceiver string = "generic"
+ GenericHMACReceiver string = "generic-hmac"
+ GitHubReceiver string = "github"
+ GitLabReceiver string = "gitlab"
+ BitbucketReceiver string = "bitbucket"
+ HarborReceiver string = "harbor"
+ DockerHubReceiver string = "dockerhub"
+ QuayReceiver string = "quay"
+ GCRReceiver string = "gcr"
+ NexusReceiver string = "nexus"
+ ACRReceiver string = "acr"
+)
+
+// ReceiverSpec defines the desired state of the Receiver.
+type ReceiverSpec struct {
+ // Type of webhook sender, used to determine
+ // the validation procedure and payload deserialization.
+ // +kubebuilder:validation:Enum=generic;generic-hmac;github;gitlab;bitbucket;harbor;dockerhub;quay;gcr;nexus;acr
+ // +required
+ Type string `json:"type"`
+
+ // Interval at which to reconcile the Receiver with its Secret references.
+ // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+ // +optional
+ Interval *metav1.Duration `json:"interval,omitempty"`
+
+ // Events specifies the list of event types to handle,
+ // e.g. 'push' for GitHub or 'Push Hook' for GitLab.
+ // +optional
+ Events []string `json:"events"`
+
+ // A list of resources to be notified about changes.
+ // +required
+ Resources []CrossNamespaceObjectReference `json:"resources"`
+
+ // SecretRef specifies the Secret containing the token used
+ // to validate the payload authenticity.
+ // +required
+ SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+ // Suspend tells the controller to suspend subsequent
+ // events handling for this receiver.
+ // +optional
+ Suspend bool `json:"suspend,omitempty"`
+}
+
+// ReceiverStatus defines the observed state of the Receiver.
+type ReceiverStatus struct {
+ meta.ReconcileRequestStatus `json:",inline"`
+
+ // Conditions holds the conditions for the Receiver.
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // URL is the generated incoming webhook address in the format
+ // of '/hook/sha256sum(token+name+namespace)'.
+ // Deprecated: Replaced by WebhookPath.
+ // +optional
+ URL string `json:"url,omitempty"`
+
+ // WebhookPath is the generated incoming webhook address in the format
+ // of '/hook/sha256sum(token+name+namespace)'.
+ // +optional
+ WebhookPath string `json:"webhookPath,omitempty"`
+
+ // ObservedGeneration is the last observed generation of the Receiver object.
+ // +optional
+ ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+}
+
+// GetConditions returns the status conditions of the object.
+func (in *Receiver) GetConditions() []metav1.Condition {
+ return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Receiver) SetConditions(conditions []metav1.Condition) {
+ in.Status.Conditions = conditions
+}
+
+// GetWebhookPath returns the incoming webhook path for the given token.
+func (in *Receiver) GetWebhookPath(token string) string {
+ digest := sha256.Sum256([]byte(token + in.GetName() + in.GetNamespace()))
+ return fmt.Sprintf("%s%x", ReceiverWebhookPath, digest)
+}
+
+// GetInterval returns the interval value with a default of 10m for this Receiver.
+func (in *Receiver) GetInterval() time.Duration {
+ duration := 10 * time.Minute
+ if in.Spec.Interval != nil {
+ duration = in.Spec.Interval.Duration
+ }
+
+ return duration
+}
+
+// +genclient
+// +genclient:Namespaced
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// Receiver is the Schema for the receivers API.
+type Receiver struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec ReceiverSpec `json:"spec,omitempty"`
+ // +kubebuilder:default:={"observedGeneration":-1}
+ Status ReceiverStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ReceiverList contains a list of Receivers.
+type ReceiverList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []Receiver `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&Receiver{}, &ReceiverList{})
+}
diff --git a/api/v1/reference_types.go b/api/v1/reference_types.go
new file mode 100644
index 000000000..de1d42224
--- /dev/null
+++ b/api/v1/reference_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// CrossNamespaceObjectReference contains enough information to let you locate the
+// typed referenced object at cluster level
+type CrossNamespaceObjectReference struct {
+ // API version of the referent
+ // +optional
+ APIVersion string `json:"apiVersion,omitempty"`
+
+ // Kind of the referent
+ // +kubebuilder:validation:Enum=Bucket;GitRepository;Kustomization;HelmRelease;HelmChart;HelmRepository;ImageRepository;ImagePolicy;ImageUpdateAutomation;OCIRepository
+ // +required
+ Kind string `json:"kind,omitempty"`
+
+ // Name of the referent
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=53
+ // +required
+ Name string `json:"name"`
+
+ // Namespace of the referent
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=53
+ // +kubebuilder:validation:Optional
+ // +optional
+ Namespace string `json:"namespace,omitempty"`
+
+ // MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ // map is equivalent to an element of matchExpressions, whose key field is "key", the
+ // operator is "In", and the values array contains only "value". The requirements are ANDed.
+ // +optional
+ MatchLabels map[string]string `json:"matchLabels,omitempty"`
+}
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
new file mode 100644
index 000000000..15861e955
--- /dev/null
+++ b/api/v1/zz_generated.deepcopy.go
@@ -0,0 +1,164 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossNamespaceObjectReference) DeepCopyInto(out *CrossNamespaceObjectReference) {
+ *out = *in
+ if in.MatchLabels != nil {
+ in, out := &in.MatchLabels, &out.MatchLabels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceObjectReference.
+func (in *CrossNamespaceObjectReference) DeepCopy() *CrossNamespaceObjectReference {
+ if in == nil {
+ return nil
+ }
+ out := new(CrossNamespaceObjectReference)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Receiver) DeepCopyInto(out *Receiver) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Receiver.
+func (in *Receiver) DeepCopy() *Receiver {
+ if in == nil {
+ return nil
+ }
+ out := new(Receiver)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Receiver) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReceiverList) DeepCopyInto(out *ReceiverList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]Receiver, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverList.
+func (in *ReceiverList) DeepCopy() *ReceiverList {
+ if in == nil {
+ return nil
+ }
+ out := new(ReceiverList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReceiverList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReceiverSpec) DeepCopyInto(out *ReceiverSpec) {
+ *out = *in
+ if in.Interval != nil {
+ in, out := &in.Interval, &out.Interval
+ *out = new(metav1.Duration)
+ **out = **in
+ }
+ if in.Events != nil {
+ in, out := &in.Events, &out.Events
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]CrossNamespaceObjectReference, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ out.SecretRef = in.SecretRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverSpec.
+func (in *ReceiverSpec) DeepCopy() *ReceiverSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(ReceiverSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReceiverStatus) DeepCopyInto(out *ReceiverStatus) {
+ *out = *in
+ out.ReconcileRequestStatus = in.ReconcileRequestStatus
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]metav1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverStatus.
+func (in *ReceiverStatus) DeepCopy() *ReceiverStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(ReceiverStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/api/v1beta2/receiver_types.go b/api/v1beta2/receiver_types.go
index d52a49969..a29808749 100644
--- a/api/v1beta2/receiver_types.go
+++ b/api/v1beta2/receiver_types.go
@@ -128,7 +128,6 @@ func (in *Receiver) GetInterval() time.Duration {
// +genclient
// +genclient:Namespaced
-// +kubebuilder:storageversion
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml
index fbf395bca..233112377 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_alerts.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
+ controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: alerts.notification.toolkit.fluxcd.io
spec:
@@ -414,3 +414,9 @@ spec:
storage: true
subresources:
status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
index 3b0da5645..5ca7a49ef 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
+ controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: providers.notification.toolkit.fluxcd.io
spec:
@@ -399,3 +399,9 @@ spec:
storage: true
subresources:
status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
index 021d1882b..43d20211f 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
+ controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: receivers.notification.toolkit.fluxcd.io
spec:
@@ -15,6 +15,226 @@ spec:
singular: receiver
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Receiver is the Schema for the receivers API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ReceiverSpec defines the desired state of the Receiver.
+ properties:
+ events:
+ description: Events specifies the list of event types to handle, e.g.
+ 'push' for GitHub or 'Push Hook' for GitLab.
+ items:
+ type: string
+ type: array
+ interval:
+ description: Interval at which to reconcile the Receiver with its
+ Secret references.
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+ type: string
+ resources:
+ description: A list of resources to be notified about changes.
+ items:
+ description: CrossNamespaceObjectReference contains enough information
+ to let you locate the typed referenced object at cluster level
+ properties:
+ apiVersion:
+ description: API version of the referent
+ type: string
+ kind:
+ description: Kind of the referent
+ enum:
+ - Bucket
+ - GitRepository
+ - Kustomization
+ - HelmRelease
+ - HelmChart
+ - HelmRepository
+ - ImageRepository
+ - ImagePolicy
+ - ImageUpdateAutomation
+ - OCIRepository
+ type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ name:
+ description: Name of the referent
+ maxLength: 53
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace of the referent
+ maxLength: 53
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ secretRef:
+ description: SecretRef specifies the Secret containing the token used
+ to validate the payload authenticity.
+ properties:
+ name:
+ description: Name of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ suspend:
+ description: Suspend tells the controller to suspend subsequent events
+ handling for this receiver.
+ type: boolean
+ type:
+ description: Type of webhook sender, used to determine the validation
+ procedure and payload deserialization.
+ enum:
+ - generic
+ - generic-hmac
+ - github
+ - gitlab
+ - bitbucket
+ - harbor
+ - dockerhub
+ - quay
+ - gcr
+ - nexus
+ - acr
+ type: string
+ required:
+ - resources
+ - type
+ type: object
+ status:
+ default:
+ observedGeneration: -1
+ description: ReceiverStatus defines the observed state of the Receiver.
+ properties:
+ conditions:
+ description: Conditions holds the conditions for the Receiver.
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastHandledReconcileAt:
+ description: LastHandledReconcileAt holds the value of the most recent
+ reconcile request value, so a change of the annotation value can
+ be detected.
+ type: string
+ observedGeneration:
+ description: ObservedGeneration is the last observed generation of
+ the Receiver object.
+ format: int64
+ type: integer
+ url:
+ description: 'URL is the generated incoming webhook address in the
+ format of ''/hook/sha256sum(token+name+namespace)''. Deprecated:
+ Replaced by WebhookPath.'
+ type: string
+ webhookPath:
+ description: WebhookPath is the generated incoming webhook address
+ in the format of '/hook/sha256sum(token+name+namespace)'.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
@@ -435,6 +655,12 @@ spec:
type: object
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/config/testdata/status-defaults/receiver.yaml b/config/testdata/status-defaults/receiver.yaml
index 254f51afb..fbba61a78 100644
--- a/config/testdata/status-defaults/receiver.yaml
+++ b/config/testdata/status-defaults/receiver.yaml
@@ -1,4 +1,4 @@
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: status-defaults
diff --git a/controllers/receiver_controller.go b/controllers/receiver_controller.go
index f441fc1cc..5d2af0125 100644
--- a/controllers/receiver_controller.go
+++ b/controllers/receiver_controller.go
@@ -40,7 +40,8 @@ import (
"github.com/fluxcd/pkg/runtime/patch"
"github.com/fluxcd/pkg/runtime/predicates"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
+ apiv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
)
// ReceiverReconciler reconciles a Receiver object
@@ -126,14 +127,14 @@ func (r *ReceiverReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r
}
}()
- if !controllerutil.ContainsFinalizer(obj, apiv1.NotificationFinalizer) {
- controllerutil.AddFinalizer(obj, apiv1.NotificationFinalizer)
+ if !controllerutil.ContainsFinalizer(obj, apiv1b2.NotificationFinalizer) {
+ controllerutil.AddFinalizer(obj, apiv1b2.NotificationFinalizer)
result = ctrl.Result{Requeue: true}
return
}
if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
- controllerutil.RemoveFinalizer(obj, apiv1.NotificationFinalizer)
+ controllerutil.RemoveFinalizer(obj, apiv1b2.NotificationFinalizer)
result = ctrl.Result{}
return
}
@@ -155,7 +156,7 @@ func (r *ReceiverReconciler) reconcile(ctx context.Context, obj *apiv1.Receiver)
token, err := r.token(ctx, obj)
if err != nil {
- conditions.MarkFalse(obj, meta.ReadyCondition, apiv1.TokenNotFoundReason, err.Error())
+ conditions.MarkFalse(obj, meta.ReadyCondition, apiv1b2.TokenNotFoundReason, err.Error())
obj.Status.URL = ""
obj.Status.WebhookPath = ""
return ctrl.Result{Requeue: true}, err
diff --git a/controllers/receiver_controller_test.go b/controllers/receiver_controller_test.go
index 0f123469f..b57b40b98 100644
--- a/controllers/receiver_controller_test.go
+++ b/controllers/receiver_controller_test.go
@@ -39,7 +39,8 @@ import (
"github.com/fluxcd/pkg/runtime/conditions"
"github.com/fluxcd/pkg/ssa"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
+ apiv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
"github.com/fluxcd/notification-controller/internal/server"
)
@@ -101,7 +102,7 @@ func TestReceiverReconciler_Reconcile(t *testing.T) {
g.Expect(conditions.GetReason(resultR, meta.ReadyCondition)).To(BeIdenticalTo(meta.SucceededReason))
g.Expect(conditions.Has(resultR, meta.ReconcilingCondition)).To(BeFalse())
- g.Expect(controllerutil.ContainsFinalizer(resultR, apiv1.NotificationFinalizer)).To(BeTrue())
+ g.Expect(controllerutil.ContainsFinalizer(resultR, apiv1b2.NotificationFinalizer)).To(BeTrue())
})
t.Run("fails with secret not found error", func(t *testing.T) {
@@ -122,7 +123,7 @@ func TestReceiverReconciler_Reconcile(t *testing.T) {
return !conditions.IsReady(resultR)
}, timeout, time.Second).Should(BeTrue())
- g.Expect(conditions.GetReason(resultR, meta.ReadyCondition)).To(BeIdenticalTo(apiv1.TokenNotFoundReason))
+ g.Expect(conditions.GetReason(resultR, meta.ReadyCondition)).To(BeIdenticalTo(apiv1b2.TokenNotFoundReason))
g.Expect(conditions.GetMessage(resultR, meta.ReadyCondition)).To(ContainSubstring(secretName))
g.Expect(conditions.Has(resultR, meta.ReconcilingCondition)).To(BeTrue())
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
index 4ab956a5c..9c2302d3a 100644
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -40,7 +40,8 @@ import (
"github.com/fluxcd/pkg/runtime/testenv"
"github.com/fluxcd/pkg/ssa"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
+ apiv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
// +kubebuilder:scaffold:imports
)
@@ -54,6 +55,7 @@ var (
func TestMain(m *testing.M) {
var err error
utilruntime.Must(apiv1.AddToScheme(scheme.Scheme))
+ utilruntime.Must(apiv1b2.AddToScheme(scheme.Scheme))
testEnv = testenv.New(testenv.WithCRDPath(
filepath.Join("..", "config", "crd", "bases"),
diff --git a/docs/api/v1/notification.md b/docs/api/v1/notification.md
new file mode 100644
index 000000000..a124fee16
--- /dev/null
+++ b/docs/api/v1/notification.md
@@ -0,0 +1,442 @@
+Notification API reference v1
+Packages:
+
+
+Package v1 contains API Schema definitions for the notification v1 API group.
+Resource Types:
+
+
+Receiver is the Schema for the receivers API.
+
+
+
+(Appears on:
+ReceiverSpec)
+
+CrossNamespaceObjectReference contains enough information to let you locate the
+typed referenced object at cluster level
+
+
+
+(Appears on:
+Receiver)
+
+ReceiverSpec defines the desired state of the Receiver.
+
+
+
+(Appears on:
+Receiver)
+
+ReceiverStatus defines the observed state of the Receiver.
+
+
+
This page was automatically generated with gen-crd-api-reference-docs
+
Notification API reference
+Notification API reference v1beta2
Packages:
-
diff --git a/docs/spec/v1/receivers.md b/docs/spec/v1/receivers.md
new file mode 100644
index 000000000..a014caf4c
--- /dev/null
+++ b/docs/spec/v1/receivers.md
@@ -0,0 +1,912 @@
+# Incoming Webhook Receivers
+
+The `Receiver` API defines an incoming webhook receiver that triggers the
+reconciliation for a group of Flux Custom Resources.
+
+## Example
+
+The following is an example of how to configure an incoming webhook for the
+GitHub repository where Flux was bootstrapped with `flux bootstrap github`.
+After a Git push, GitHub will send a push event to notification-controller,
+which in turn tells Flux to pull and apply the latest changes from upstream.
+
+**Note:** The following assumes an Ingress exposes the controller's
+`webhook-receiver` Kubernetes Service. How to configure the Ingress is out of
+scope for this example.
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: github-receiver
+ namespace: flux-system
+spec:
+ type: github
+ events:
+ - "ping"
+ - "push"
+ secretRef:
+ name: receiver-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: flux-system
+```
+
+In the above example:
+
+- A Receiver named `github-receiver` is created, indicated by the
+ `.metadata.name` field.
+- The notification-controller generates a unique webhook path using the
+ Receiver name, namespace and the token from the referenced
+ `.spec.secretRef.name` secret.
+- The incoming webhook path is reported in the `.status.webhookPath` field.
+- When a GitHub push event is received, the controller verifies the payload's
+ integrity and authenticity, using [HMAC][] and the `X-Hub-Signature` HTTP
+ header.
+- If the event type matches `.spec.events` and the payload is verified, then
+ the controller triggers a reconciliation for the `flux-system` GitRepository
+ which is listed under `.spec.resources`.
+
+You can run this example by saving the manifest into `github-receiver.yaml`.
+
+1. Generate a random string and create a Secret with a `token` field:
+
+ ```sh
+ TOKEN=$(head -c 12 /dev/urandom | shasum | cut -d ' ' -f1)
+
+ kubectl -n flux-system create secret generic receiver-token \
+ --from-literal=token=$TOKEN
+ ```
+
+2. Apply the resource on the cluster:
+
+ ```sh
+ kubectl -n flux-system apply -f github-receiver.yaml
+ ```
+
+3. Run `kubectl -n flux-system describe receiver github-receiver` to see its status:
+
+ ```console
+ ...
+ Status:
+ Conditions:
+ Last Transition Time: 2022-11-16T23:43:38Z
+ Message: Receiver initialised for path: /hook/bed6d00b5555b1603e1f59b94d7fdbca58089cb5663633fb83f2815dc626d92b
+ Observed Generation: 1
+ Reason: Succeeded
+ Status: True
+ Type: Ready
+ Observed Generation: 1
+ Webhook Path: /hook/bed6d00b5555b1603e1f59b94d7fdbca58089cb5663633fb83f2815dc626d92b
+ Events:
+ Type Reason Age From Message
+ ---- ------ ---- ---- -------
+ Normal Succeeded 82s notification-controller Reconciliation finished, next run in 10m
+ ```
+
+4. Run `kubectl -n flux-system get receivers` to see the generated webhook path:
+
+ ```console
+ NAME READY STATUS
+ github-receiver True Receiver initialised for path: /hook/bed6d00b5555b1603e1f59b94d7fdbca58089cb5663633fb83f2815dc626d92b
+ ```
+
+5. On GitHub, navigate to your repository and click on the "Add webhook" button
+ under "Settings/Webhooks". Fill the form with:
+
+ - **Payload URL**: The composed address, consisting of the Ingress' hostname
+ exposing the controller's `webhook-receiver` Kubernetes Service, and the
+ generated path for the Receiver. For this example:
+ `https:///hook/bed6d00b5555b1603e1f59b94d7fdbca58089cb5663633fb83f2815dc626d92b`
+ - **Secret**: The `token` string generated in step 1.
+
+## Writing a Receiver spec
+
+As with all other Kubernetes config, a Receiver needs `apiVersion`,
+`kind`, and `metadata` fields. The name of a Receiver object must be a
+valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+A Receiver also needs a
+[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+
+### Type
+
+`.spec.type` is a required field that specifies how the controller should
+handle the incoming webhook request.
+
+#### Supported Receiver types
+
+| Receiver | Type | Supports filtering using [Events](#events) |
+| ------------------------------------------ | -------------- | ------------------------------------------ |
+| [Generic webhook](#generic) | `generic` | ❌ |
+| [Generic webhook with HMAC](#generic-hmac) | `generic-hmac` | ❌ |
+| [GitHub](#github) | `github` | ✅ |
+| [Gitea](#github) | `github` | ✅ |
+| [GitLab](#gitlab) | `gitlab` | ✅ |
+| [Bitbucket server](#bitbucket-server) | `bitbucket` | ✅ |
+| [Harbor](#harbor) | `harbor` | ❌ |
+| [DockerHub](#dockerhub) | `dockerhub` | ❌ |
+| [Quay](#quay) | `quay` | ❌ |
+| [Nexus](#nexus) | `nexus` | ❌ |
+| [Azure Container Registry](#acr) | `acr` | ❌ |
+| [Google Container Registry](#gcr) | `gcr` | ❌ |
+
+#### Generic
+
+When a Receiver's `.spec.type` is set to `generic`, the controller will respond
+to any HTTP request to the generated [`.status.webhookPath` path](#webhook-path),
+and request a reconciliation for all listed [Resources](#resources).
+
+**Note:** This type of Receiver does not perform any validation on the incoming
+request, and it does not support filtering using [Events](#events).
+
+##### Generic example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: generic-receiver
+ namespace: default
+spec:
+ type: generic
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp
+ namespace: default
+```
+
+#### Generic HMAC
+
+When a Receiver's `.spec.type` is set to `generic-hmac`, the controller will
+respond to any HTTP request to the generated [`.status.webhookPath` path](#webhook-path),
+while verifying the request's payload integrity and authenticity using [HMAC][].
+
+The controller uses the `X-Signature` header to get the hash signature. This
+signature should be prefixed with the hash function (`sha1`, `sha256` or
+`sha512`) used to generate the signature, in the following format:
+`=`.
+
+To validate the HMAC signature, the controller will use the `token` string
+from the [Secret reference](#secret-reference) to generate a hash signature
+using the same hash function as the one specified in the `X-Signature` header.
+
+If the generated hash signature matches the one specified in the `X-Signature`
+header, the controller will request a reconciliation for all listed
+[Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events).
+
+##### Generic HMAC example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: generic-hmac-receiver
+ namespace: default
+spec:
+ type: generic-hmac
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp
+ namespace: default
+```
+
+##### HMAC signature generation example
+
+1. Generate the HMAC hash for the request body using OpenSSL:
+
+ ```sh
+ printf '' | openssl dgst -sha1 -r -hmac "" | awk '{print $1}'
+ ```
+
+ You can replace the `-sha1` flag with `-sha256` or `-sha512` to use a
+ different hash function.
+
+2. Send an HTTP POST request with the body and the HMAC hash to the webhook URL:
+
+ ```sh
+ curl -X POST -H "X-Signature: =" -d ''
+ ```
+
+#### GitHub
+
+When a Receiver's `.spec.type` is set to `github`, the controller will respond
+to an [HTTP webhook event payload](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads)
+from GitHub to the generated [`.status.webhookPath` path](#webhook-path),
+while verifying the payload using [HMAC][].
+
+The controller uses the [`X-Hub-Signature` header](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers)
+from the request made by GitHub to get the hash signature. To enable the
+inclusion of this header, the `token` string from the [Secret reference](#secret-reference)
+must be configured as the [secret token for the
+webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks#setting-your-secret-token).
+
+The controller will calculate the HMAC hash signature for the received request
+payload using the same `token` string, and compare it with the one specified in
+the header. If the two signatures match, the controller will request a
+reconciliation for all listed [Resources](#resources).
+
+This type of Receiver offers the ability to filter incoming events by comparing
+the `X-GitHub-Event` header to the list of [Events](#events).
+For a list of available events, see the [GitHub
+documentation](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads).
+
+##### GitHub example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: github-receiver
+ namespace: default
+spec:
+ type: github
+ events:
+ - "ping"
+ - "push"
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp
+```
+
+The above example makes use of the [`.spec.events` field](#events) to filter
+incoming events from GitHub, instructing the controller to only respond to
+[`ping`](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#ping)
+and [`push`](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#push)
+events.
+
+#### Gitea
+
+For Gitea, the `.spec.type` field can be set to `github` as it produces [GitHub
+type](#github) compatible [webhook event payloads](https://docs.gitea.io/en-us/webhooks/).
+
+**Note:** While the payloads are compatible with the GitHub type, the number of
+available events may be limited and/or different from the ones available in
+GitHub. Refer to the [Gitea source code](https://github.com/go-gitea/gitea/blob/main/models/webhook/hooktask.go#L28)
+to see the list of available [events](#events).
+
+#### GitLab
+
+When a Receiver's `.spec.type` is set to `gitlab`, the controller will respond
+to an [HTTP webhook event payload](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#events)
+from GitLab to the generated [`.status.webhookPath` path](#webhook-path).
+
+The controller validates the payload's authenticity by comparing the
+[`X-Gitlab-Token` header](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token)
+from the request made by GitLab to the `token` string from the [Secret
+reference](#secret-reference). To enable the inclusion of this header, the
+`token` string must be configured as the "Secret token" while [configuring a
+webhook in GitLab](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#configure-a-webhook-in-gitlab).
+
+If the two tokens match, the controller will request a reconciliation for all
+listed [Resources](#resources).
+
+This type of Receiver offers the ability to filter incoming events by comparing
+the `X-Gitlab-Event` header to the list of [Events](#events). For a list of
+available webhook types, refer to the [GitLab
+documentation](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html).
+
+##### GitLab example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: gitlab-receiver
+ namespace: default
+spec:
+ type: gitlab
+ events:
+ - "Push Hook"
+ - "Tag Push Hook"
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp-frontend
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp-backend
+```
+
+The above example makes use of the [`.spec.events` field](#events) to filter
+incoming events from GitLab, instructing the controller to only respond to
+[`Push Hook`](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#push-events)
+and [`Tag Push Hook`](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#tag-events)
+events.
+
+#### Bitbucket Server
+
+When a Receiver's `.spec.type` is set to `bitbucket`, the controller will
+respond to an [HTTP webhook event payload](https://confluence.atlassian.com/bitbucketserver/event-payload-938025882.html)
+from Bitbucket Server to the generated [`.status.webhookPath` path](#webhook-path),
+while verifying the payload's integrity and authenticity using [HMAC][].
+
+The controller uses the [`X-Hub-Signature` header](https://confluence.atlassian.com/bitbucketserver/manage-webhooks-938025878.html#Managewebhooks-webhooksecrets)
+from the request made by BitBucket Server to get the hash signature. To enable
+the inclusion of this header, the `token` string from the [Secret
+reference](#secret-reference) must be configured as the "Secret" while creating
+a webhook in Bitbucket Server.
+
+The controller will calculate the HMAC hash signature for the received request
+payload using the same `token` string, and compare it with the one specified in
+the header. If the two signatures match, the controller will request a
+reconciliation for all listed [Resources](#resources).
+
+This type of Receiver offers the ability to filter incoming events by comparing
+the `X-Event-Key` header to the list of [Events](#events). For a list of
+available event keys, refer to the [Bitbucket Server
+documentation](https://confluence.atlassian.com/bitbucketserver/event-payload-938025882.html#Eventpayload-Repositoryevents).
+
+**Note:** Bitbucket Cloud does not support signing webhook requests
+([BCLOUD-14683](https://jira.atlassian.com/browse/BCLOUD-14683),
+[BCLOUD-12195](https://jira.atlassian.com/browse/BCLOUD-12195)). If your
+repositories are on Bitbucket Cloud, you will need to use a [Generic
+Receiver](#generic) instead.
+
+##### Bitbucket Server example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: bitbucket-receiver
+ namespace: default
+spec:
+ type: bitbucket
+ events:
+ - "repo:refs_changed"
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: GitRepository
+ name: webapp
+```
+
+The above example makes use of the [`.spec.events` field](#events) to filter
+incoming events from Bitbucket Server, instructing the controller to only
+respond to [`repo:refs_changed` (Push)](https://confluence.atlassian.com/bitbucketserver/event-payload-938025882.html#Eventpayload-Push)
+events.
+
+#### Harbor
+
+When a Receiver's `.spec.type` is set to `harbor`, the controller will respond
+to an [HTTP webhook event payload](https://goharbor.io/docs/latest/working-with-projects/project-configuration/configure-webhooks/#payload-format)
+from Harbor to the generated [`.status.webhookPath` path](#webhook-path).
+
+The controller validates the payload's authenticity by comparing the
+`Authorization` header from the request made by Harbor to the `token` string
+from the [Secret reference](#secret-reference). To enable the inclusion of this
+header, the `token` string must be configured as the "Auth Header" while
+[configuring a webhook in
+Harbor](https://goharbor.io/docs/latest/working-with-projects/project-configuration/configure-webhooks/#configure-webhooks).
+
+If the two tokens match, the controller will request a reconciliation for all
+listed [Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events). However, Harbor does support configuring event types for
+which a webhook will be triggered.
+
+##### Harbor example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: harbor-receiver
+ namespace: default
+spec:
+ type: harbor
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: image.toolkit.fluxcd.io/v1beta1
+ kind: ImageRepository
+ name: webapp
+```
+
+#### DockerHub
+
+When a Receiver's `.spec.type` is set to `dockerhub`, the controller will
+respond to an [HTTP webhook event payload](https://docs.docker.com/docker-hub/webhooks/)
+from DockerHub to the generated [`.status.webhookPath` path](#webhook-path).
+
+The controller performs minimal validation of the payload by attempting to
+unmarshal the [JSON request body](https://docs.docker.com/docker-hub/webhooks/#example-webhook-payload).
+If the unmarshalling is successful, the controller will request a reconciliation
+for all listed [Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events).
+
+##### DockerHub example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: dockerhub-receiver
+ namespace: default
+spec:
+ type: dockerhub
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: image.toolkit.fluxcd.io/v1beta1
+ kind: ImageRepository
+ name: webapp
+```
+
+#### Quay
+
+When a Receiver's `.spec.type` is set to `quay`, the controller will respond to
+an HTTP [Repository Push Notification payload](https://docs.quay.io/guides/notifications.html#repository-push)
+from Quay to the generated [`.status.webhookPath` path](#webhook-path).
+
+The controller performs minimal validation of the payload by attempting to
+unmarshal the JSON request body to the expected format. If the unmarshalling is
+successful, the controller will request a reconciliation for all listed
+[Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events). In addition, it does not support any "Repository
+Notification" other than "Repository Push".
+
+##### Quay example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: quay-receiver
+ namespace: default
+spec:
+ type: quay
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: image.toolkit.fluxcd.io/v1beta1
+ kind: ImageRepository
+ name: webapp
+```
+
+#### Nexus
+
+When a Receiver's `.spec.type` is set to `nexus`, the controller will respond
+to an [HTTP webhook event payload](https://help.sonatype.com/repomanager3/integrations/webhooks/example-headers-and-payloads)
+from Nexus Repository Manager 3 to the generated [`.status.webhookPath`
+path](#webhook-path), while verifying the payload's integrity and
+authenticity using [HMAC][].
+
+The controller validates the payload by comparing the
+[`X-Nexus-Webhook-Signature` header](https://help.sonatype.com/repomanager3/integrations/webhooks/working-with-hmac-payloads)
+from the request made by Nexus to the `token` string from the [Secret
+reference](#secret-reference). To enable the inclusion of this header, the
+`token` string must be configured as the "Secret Key" while [enabling a
+repository webhook capability](https://help.sonatype.com/repomanager3/integrations/webhooks/enabling-a-repository-webhook-capability).
+
+The controller will calculate the HMAC hash signature for the received request
+payload using the same `token` string, and compare it with the one specified in
+the header. If the two signatures match, the controller will attempt to
+unmarshal the request body to the expected format. If the unmarshalling is
+successful, the controller will request a reconciliation for all listed
+[Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events).
+
+##### Nexus example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: nexus-receiver
+ namespace: default
+spec:
+ type: nexus
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: image.toolkit.fluxcd.io/v1beta1
+ kind: ImageRepository
+ name: webapp
+```
+
+#### GCR
+
+When a Receiver's `.spec.type` is set to `gcr`, the controller will respond to
+an [HTTP webhook event payload](https://cloud.google.com/container-registry/docs/configuring-notifications#notification_examples)
+from Google Cloud Registry to the generated [`.status.webhookPath`](#webhook-path),
+while verifying the payload is legitimate using [JWT](https://cloud.google.com/pubsub/docs/push#authentication).
+
+The controller verifies the request originates from Google by validating the
+token from the [`Authorization` header](https://cloud.google.com/pubsub/docs/push#validate_tokens).
+For this to work, authentication must be enabled for the Pub/Sub subscription,
+refer to the [Google Cloud documentation](https://cloud.google.com/pubsub/docs/push#configure_for_push_authentication)
+for more information.
+
+When the verification succeeds, the request payload is unmarshalled to the
+expected format. If this is successful, the controller will request a
+reconciliation for all listed [Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events).
+
+##### GCR example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: gcr-receiver
+ namespace: default
+spec:
+ type: gcr
+ secretRef:
+ name: webhook-token
+ resources:
+ - apiVersion: image.toolkit.fluxcd.io/v1beta1
+ kind: ImageRepository
+ name: webapp
+ namespace: default
+```
+
+#### ACR
+
+When a Receiver's `.spec.type` is set to `acr`, the controller will respond to
+an [HTTP webhook event payload](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-webhook-reference),
+from Azure Container Registry to the generated [`.status.webhookPath`](#webhook-path).
+
+The controller performs minimal validation of the payload by attempting to
+unmarshal the JSON request body. If the unmarshalling is successful, the
+controller will request a reconciliation for all listed [Resources](#resources).
+
+**Note:** This type of Receiver does not support filtering using
+[Events](#events). However, Azure Container Registry does [support configuring
+webhooks to only send events for specific actions](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-webhook#create-webhook---azure-portal).
+
+##### ACR example
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: acr-receiver
+ namespace: default
+spec:
+ type: acr
+ secretRef:
+ name: webhook-token
+ resources:
+ - kind: ImageRepository
+ name: webapp
+```
+
+### Events
+
+`.spec.events` is an optional field to specify a list of webhook payload event
+types this Receiver should act on. If left empty, no filtering is applied and
+any (valid) payload is handled.
+
+**Note:** Support for this field, and the entries in it, is dependent on the
+Receiver type. See the [supported Receiver types](#supported-receiver-types)
+section for more information.
+
+### Resources
+
+`.spec.resources` is a required field to specify which Flux Custom Resources
+should be reconciled when the Receiver's [webhook path](#webhook-path) is
+called.
+
+A resource entry contains the following fields:
+
+- `apiVersion` (Optional): The Flux Custom Resource API group and version, such as
+ `source.toolkit.fluxcd.io/v1beta2`.
+- `kind`: The Flux Custom Resource kind, supported values are `Bucket`,
+ `GitRepository`, `Kustomization`, `HelmRelease`, `HelmChart`,
+ `HelmRepository`, `ImageRepository`, `ImagePolicy`, `ImageUpdateAutomation`
+ and `OCIRepository`.
+- `name`: The Flux Custom Resource `.metadata.name`.
+- `namespace` (Optional): The Flux Custom Resource `.metadata.namespace`.
+ When not specified, the Receiver's `.metadata.namespace` is used instead.
+
+
+**Note:** Cross-namespace references [can be disabled for security
+reasons](#disabling-cross-namespace-selectors).
+
+### Secret reference
+
+`.spec.secretRef.name` is a required field to specify a name reference to a
+Secret in the same namespace as the Receiver. The Secret must contain a `token`
+key, whose value is a string containing a (random) secret token.
+
+This token is used to salt the generated [webhook path](#webhook-path), and
+depending on the Receiver [type](#supported-receiver-types), to verify the
+authenticity of a request.
+
+#### Secret example
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webhook-token
+ namespace: default
+type: Opaque
+stringData:
+ token:
+```
+
+### Interval
+
+`.spec.interval` is an optional field with a default of ten minutes that specifies
+the time interval at which the controller reconciles the provider with its Secret
+reference.
+
+### Suspend
+
+`.spec.suspend` is an optional field to suspend the Receiver.
+When set to `true`, the controller will stop processing events for this Receiver.
+When the field is set to `false` or removed, it will resume.
+
+## Working with Receivers
+
+### Disabling cross-namespace selectors
+
+On multi-tenant clusters, platform admins can disable cross-namespace
+references with the `--no-cross-namespace-refs=true` flag. When this flag is
+set, Receivers can only refer to [Resources](#resources) in the same namespace
+as the [Alert](alerts.md) object, preventing tenants from triggering
+reconciliations to another tenant's resources.
+
+### Public Ingress considerations
+
+Considerations should be made when exposing the controller's `webhook-receiver`
+Kubernetes Service to the public internet. Each request to a Receiver [webhook
+path](#webhook-path) will result in request to the Kubernetes API, as the
+controller needs to fetch information about the resource. This endpoint may be
+protected with a token, but this does not defend against a situation where a
+legitimate webhook caller starts sending large amounts of requests, or the
+token is somehow leaked. This may result in the controller, as it may get rate
+limited by the Kubernetes API, degrading its functionality.
+
+It is therefore a good idea to set rate limits on the Ingress which exposes
+the Kubernetes Service. If you are using ingress-nginx, this can be done by
+[adding annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting).
+
+### Triggering a reconcile
+
+To manually tell the notification-controller to reconcile a Receiver outside
+of the [specified interval window](#interval), a Receiver can be annotated with
+`reconcile.fluxcd.io/requestedAt: `. Annotating the resource
+queues the Receiver for reconciliation if the `` differs from
+the last value the controller acted on, as reported in
+[`.status.lastHandledReconcileAt`](#last-handled-reconcile-at).
+
+Using `kubectl`:
+
+```sh
+kubectl annotate --field-manager=flux-client-side-apply --overwrite receiver/ reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+Using `flux`:
+
+```sh
+flux reconcile source receiver
+```
+
+### Waiting for `Ready`
+
+When a change is applied, it is possible to wait for the Receiver to reach a
+[ready state](#ready-receiver) using `kubectl`:
+
+```sh
+kubectl wait receiver/ --for=condition=ready --timeout=1m
+```
+
+### Suspending and resuming
+
+When you find yourself in a situation where you temporarily want to pause the
+reconciliation of a Receiver and the handling of requests, you can suspend it
+using the [`.spec.suspend` field](#suspend).
+
+#### Suspend a Receiver
+
+In your YAML declaration:
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name:
+spec:
+ suspend: true
+```
+
+Using `kubectl`:
+
+```sh
+kubectl patch receiver --field-manager=flux-client-side-apply -p '{\"spec\": {\"suspend\" : true }}'
+```
+
+Using `flux`:
+
+```sh
+flux suspend receiver
+```
+
+#### Resume a Receiver
+
+In your YAML declaration, comment out (or remove) the field:
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name:
+spec:
+ # suspend: true
+```
+
+**Note:** Setting the field value to `false` has the same effect as removing
+it, but does not allow for "hot patching" using e.g. `kubectl` while practicing
+GitOps; as the manually applied patch would be overwritten by the declared
+state in Git.
+
+Using `kubectl`:
+
+```sh
+kubectl patch receiver --field-manager=flux-client-side-apply -p '{\"spec\" : {\"suspend\" : false }}'
+```
+
+Using `flux`:
+
+```sh
+flux resume receiver
+```
+
+### Debugging a Receiver
+
+There are several ways to gather information about a Receiver for debugging
+purposes.
+
+#### Describe the Receiver
+
+Describing a Receiver using `kubectl describe receiver ` displays
+the latest recorded information for the resource in the Status and Events
+sections:
+
+```console
+...
+Status:
+...
+Status:
+ Conditions:
+ Last Transition Time: 2022-11-21T12:41:48Z
+ Message: Reconciliation in progress
+ Observed Generation: 1
+ Reason: ProgressingWithRetry
+ Status: True
+ Type: Reconciling
+ Last Transition Time: 2022-11-21T12:41:48Z
+ Message: unable to read token from secret 'default/webhook-token' error: Secret "webhook-token" not found
+ Observed Generation: 1
+ Reason: TokenNotFound
+ Status: False
+ Type: Ready
+ Observed Generation: -1
+Events:
+ Type Reason Age From Message
+ ---- ------ ---- ---- -------
+ Warning Failed 5s (x4 over 16s) notification-controller unable to read token from secret 'default/webhook-token' error: Secret "webhook-token" not found
+```
+
+#### Trace emitted Events
+
+To view events for specific Receiver(s), `kubectl get events` can be used in
+combination with `--field-sector` to list the Events for specific objects.
+For example, running
+
+```sh
+kubectl get events --field-selector involvedObject.kind=Receiver,involvedObject.name=
+```
+
+lists
+
+```console
+LAST SEEN TYPE REASON OBJECT MESSAGE
+3m44s Warning Failed receiver/ unable to read token from secret 'default/webhook-token' error: Secret "webhook-token" not found
+```
+
+## Receiver Status
+
+### Conditions
+
+A Receiver enters various states during its lifecycle, reflected as
+[Kubernetes Conditions][typical-status-properties].
+It can be [ready](#ready-receiver), or it can [fail during
+reconciliation](#failed-receiver).
+
+The Receiver API is compatible with the [kstatus specification][kstatus-spec],
+and reports the `Reconciling` condition where applicable.
+
+#### Ready Receiver
+
+The notification-controller marks a Receiver as _ready_ when it has the following
+characteristics:
+
+- The Receiver's Secret referenced in `.spec.secretRef.name` is found on the cluster.
+- The Receiver's Secret contains a `token` key.
+
+When the Receiver is "ready", the controller sets a Condition with the following
+attributes in the Alert's `.status.conditions`:
+
+- `type: Ready`
+- `status: "True"`
+- `reason: Succeeded`
+
+#### Failed Receiver
+
+The notification-controller may get stuck trying to reconcile a Receiver if its
+secret token can not be found.
+
+When this happens, the controller sets the `Ready` Condition status to `False`,
+and adds a Condition with the following attributes:
+
+- `type: Reconciling`
+- `status: "True"`
+- `reason: ProgressingWithRetry`
+
+### Observed Generation
+
+The notification-controller reports an
+[observed generation][typical-status-properties]
+in the Receiver's `.status.observedGeneration`. The observed generation is the
+latest `.metadata.generation` which resulted in a [ready state](#ready-receiver).
+
+### Last Handled Reconcile At
+
+The notification-controller reports the last `reconcile.fluxcd.io/requestedAt`
+annotation value it acted on in the `.status.lastHandledReconcileAt` field.
+
+### Webhook Path
+
+When a Receiver becomes [ready](#ready-receiver), the controller reports the
+generated incoming webhook path under `.status.webhookPath`. The path format is
+`/hook/sha256sum(token+name+namespace)`.
+
+[typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+[kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus
+[HMAC]: https://en.wikipedia.org/wiki/HMAC
diff --git a/hack/api-docs/template/pkg.tpl b/hack/api-docs/template/pkg.tpl
index 380a56dc1..cfcca1a92 100644
--- a/hack/api-docs/template/pkg.tpl
+++ b/hack/api-docs/template/pkg.tpl
@@ -1,5 +1,10 @@
{{ define "packages" }}
-
Notification API reference
+ Notification API reference
+ {{- with (index .packages 0) -}}
+ {{ with (index .GoPackages 0 ) -}}
+ {{ printf " %s" .Name -}}
+ {{ end -}}
+ {{ end }}
{{ with .packages}}
Packages:
diff --git a/internal/server/receiver_handler_test.go b/internal/server/receiver_handler_test.go
index c134b04d6..de3d00381 100644
--- a/internal/server/receiver_handler_test.go
+++ b/internal/server/receiver_handler_test.go
@@ -38,7 +38,7 @@ import (
"github.com/fluxcd/pkg/apis/meta"
"github.com/fluxcd/pkg/runtime/logger"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
)
func Test_handlePayload(t *testing.T) {
diff --git a/internal/server/receiver_handlers.go b/internal/server/receiver_handlers.go
index 7ebc2cc50..f6059cf91 100644
--- a/internal/server/receiver_handlers.go
+++ b/internal/server/receiver_handlers.go
@@ -40,7 +40,7 @@ import (
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
)
// defaultFluxAPIVersions is a map of Flux API kinds to their API versions.
diff --git a/main.go b/main.go
index 4f68abfb3..017d91b82 100644
--- a/main.go
+++ b/main.go
@@ -42,7 +42,8 @@ import (
"github.com/fluxcd/pkg/runtime/pprof"
"github.com/fluxcd/pkg/runtime/probes"
- apiv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+ apiv1 "github.com/fluxcd/notification-controller/api/v1"
+ apiv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
"github.com/fluxcd/notification-controller/controllers"
"github.com/fluxcd/notification-controller/internal/features"
"github.com/fluxcd/notification-controller/internal/server"
@@ -60,6 +61,7 @@ func init() {
_ = clientgoscheme.AddToScheme(scheme)
_ = apiv1.AddToScheme(scheme)
+ _ = apiv1b2.AddToScheme(scheme)
// +kubebuilder:scaffold:scheme
}
@@ -188,6 +190,10 @@ func main() {
store, err := memorystore.New(&memorystore.Config{
Interval: rateLimitInterval,
})
+ if err != nil {
+ setupLog.Error(err, "unable to create middleware store")
+ os.Exit(1)
+ }
setupLog.Info("starting event server", "addr", eventsAddr)
eventMdlw := middleware.New(middleware.Config{