Skip to content
This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

keskad/webhook-conversion-service

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits

.github

.github

 
 

pkg/app

pkg/app

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

example-config.yaml

example-config.yaml

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

sonar-project.properties

sonar-project.properties

 
 

Repository files navigation

webhook-conversion-service

Fixes up your webhooks. Impossible becomes possible ;)

Created originally for purpose to fix invalid URL addresses injected by Gitlab in webhook body. ArgoCD was not able to recognize from which repository the webhook came from. The case was in communication between Gitlab and ArgoCD over the internal network, when both services are behind a VPN.

Features:

  • Replacing text in body of a request and response
  • Multiple webhooks/endpoints support
  • Configuration in a YAML file
  • Non-root, distroless container image
  • Stateless service, could be running easily in HA mode by simply bumping the replicas count

Usage

webhook-conversion-service --config ./example-config.yaml --listen ":8080"
endpoints:
    # Example for ArgoCD
    - path: /api/webhook
      targetUrl: http://argocd-server.argocd.svc.cluster.local
      replacements:
          - from: gitlab.example.org
            to: my-instance.gitlab.svc.cluster.local

    # just for testing
    - path: /test
      targetUrl: https://google.com/search
      replacements:
          - from: google
            to: DuckDuckLetsGo
          - from: Google
            to: DuckDuckLetsGo

Resources requirements

The reverse proxy is very lightweight, probably after some time you would forget that it exists at all.

limits:
    cpu: 100m
    memory: 32Mi
requests:
    cpu: 50m
    memory: 16Mi

Security

This is a reverse proxy. All headers, body and query string are passed to the upstream, which means the upstream could be manipulated in those ways. Please be aware of a fact, that potential attacker could access your upstream service using your REVERSE PROXY IP.

Advices:

  • Control who has access to the service using firewall rules or ingress network policy in Kubernetes
  • If its possible use only for internal services

Example Network Policy:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-only-gitlab-to-argocd
  namespace: argocd
spec:
    podSelector:
        matchLabels:
            app.kubernetes.io/instance: webhooks-conversion
            app.kubernetes.io/name: webhooks-conversion
    policyTypes:
        - Ingress
        - Egress
    ingress:
        - namespaceSelector:
              matchLabels:
                  name: gitlab
          ports:
              - protocol: TCP
                port: 8080
    egress:
        - to:
            - namespaceSelector:
                  matchLabels:
                      name: argocd
          ports:
              - port: 80
                protocol: TCP

About

Fix up your webhook. Impossible becomes possible ;)

Topics

go golang proxy webhook reverse-proxy workaround patching fixing argocd webhook-mutation webhook-modification webhook-conversion

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages 1

 

Contributors 2

  •  
  •  

Languages