Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SHIP : Git event-driven build executions #41

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

sbose78
Copy link
Member

@sbose78 sbose78 commented Nov 3, 2021

An easy way to setup webhooks for triggered Git event-based builds.

( Extension of the proof of concepts in shipwright-io/build#912 and https://github.com/imjasonh/build-task )

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 3, 2021
@openshift-ci
Copy link

openshift-ci bot commented Nov 3, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from sbose78 after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sbose78 sbose78 changed the title SHIP : Git Event-driven build executions SHIP : Git event-driven build executions Nov 3, 2021
...
webhook:
type: github
imageTagPolicy: short_sha # optional, allowed values: 'short_sha' , 'branch'. Defaults to 'branch'.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if mixing in the concept of image tag policies here into the webhook is correct. Imo an image tag policy should be outside of it as it also makes sense as a standalone concept.

Copy link
Member Author

@sbose78 sbose78 Nov 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed.

This was mainly brought it to address the issue of receiving events for all branches. I wonder if we should probably support:

  • what are the branches you wish to support listening on?
  • what's your tag policy? short_sha' / 'branch'.

We could definitely de-scope things and say, we'll only act on events which come in from the .spec.source.revision only. My over-enthusiastic self wanted to dabble with more than that.

spec:
...
...
webhook:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could generalize this to triggers to support other scenarios in the future such as a daily build.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 ..... image change triggers could be a peer type like git/scm webhook triggers ... and a build can have multiple "trigger types"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good 👍

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with the change you've put in for this @sbose78

Comment on lines 266 to 267
While the enhancement could have been scoped to only deal with the branch/revision explicitly specified in the `Build` resource,
doing the same would have have excluded some key use cases where users push to a different branch before merging to 'main'.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, but what is the user's expectation? I'd say if I specify a Build with a source revision set to main, that I only want commits into main to trigger a BuildRun.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did go in that direction and quickly found it to be too cumbersome to have to define a new Build for every branch. 🤷‍♂️

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. We'll have to think about a good solution. Let's look at the scenario first: in my experience, repositories typically only have one or two major branches (main and develop) - having two Builds for this would be okayish for me because of how we use those branches internally (the images go into different repos).

The other branches you have in mind, would not that have been pull requests ? Because that would make sense for me as a scenario: define branch A in the build and define that pull requests for that branch should also be built.

Another scenario where branches do not play any role would be to build a tag once it gets pushed.

Comment on lines +287 to +288
Similar to the `Drawbacks` section the `Alternatives` section is used to highlight and record other
possible approaches to delivering the value proposed by an enhancement.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How much simpler would it be if we implement our own webhook endpoint that directly consumes the event data from GitHub or GitLab? I personally think, it is much simpler. And it will be trivial to implement logic there that checks the branch of the payload and compares it with what is defined in the Build.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean - write a simple http service which understands the payload and creates corresponding Build/BuildRuns?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

Comment on lines +103 to +104
secretRef: # optional, will be genereated if not specified.
name: my-webhook-secret.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if optional is reasonable here because if we generate it, then the user will need to decode it to get the webhook token to then store it in GitHub, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, this is more of a knob of convenience :)

@sbose78
Copy link
Member Author

sbose78 commented Nov 29, 2021

Requesting another round of review, the following changes have been addressed:

  • Remove support for arbitrary branches.
  • Renamed webhook to trigger. The type: github is the key to deciding which ClusterTriggerBinding would be used.

Copy link
Member

@gabemontero gabemontero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per discussion in the community meeting today, I've asked @sbose78 to add some diagrams to help illustrate things, and he has graciously agreed :-)

@SaschaSchwarze0
Copy link
Member

@sbose78 quick formal request: please change the PR title to SHIP-0026 and please also rename the file then. Then you claimed a number. 25 has been taken in the meantime. ;-)


## Open Questions [optional]

1. Almost every user would need an exposed `Service`, how do we create a vendor-agnostic `Ingress` object ?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like something for a Helm Chart? Users could choose between Ingress and Route. Since we don't have a Helm Chart yet, installation instructions should do it.

specified in the `Build` CR.


2. Exposing a webhook URL enables creation of pods ( ie, processes on the node ) by actors who may not necessarily have access to the cluster.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As part of the installation instructions, we must include instructions for the cluster admin to only allow access to certain IP addresses. This filtering ability completely depend on the cluster capabilities, like for instance when using a service mesh in place.


2. Exposing a webhook URL enables creation of pods ( ie, processes on the node ) by actors who may not necessarily have access to the cluster.

This does open up an attack vector given the execution of the build is done using the configured service account.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given we are dealing with external access, we need to be clear that it does require special attention from the cluster admin.

---
title: event-driven-builds
authors:
- "@sbose787"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Little typo here, the extra 7 at the end.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants