Add webhooks for all harbor projects when created #1753
Conversation
cdchris12
added
9-security
| if (lagoonHarborRoute === 'http://172.17.0.1:8084'){ | ||
| var webhookAddress = 'http://172.17.0.1:7777' | ||
| } else { | ||
| var webhookAddress = "https://hooks.lagoon.amazeeio.cloud/" | ||
| } |
There was a problem hiding this comment.
I think this could be done a bit better:
- instead of using
http://172.17.0.1:7777we can usehttp://webhook-handler:3000as harbor and the webhook-handler are locally in the same docker network you can talk to the services with their DNS names and their internal ports. - The discovery of the public Hook WebHook URL can be fully automated via checking the env variables, see an example:
https://github.com/amazeeio/lagoon/blob/b6117c46d9fbc335b0dd0126a633904a70548486/services/api/src/clients/keycloakClient.js#L21-L26
There was a problem hiding this comment.
I agree with you on how to set the default for this variable. About the container address; we already use the 172.17.0.1 notation on line 7, which why I opted for it here. I'll test with webhook-handler to verify it works as expected.
There was a problem hiding this comment.
The webhook-handler:3000 works as expected. The only problem with that is that we aren't loading the webhook-handler for most of the CI tests. Should I write some testing logic which includes these webhooks as well?
There was a problem hiding this comment.
After sleeping on it, I realized that we can't really test this just yet because we do not yet have a webhook handler for these Harbor webhooks as of yet.
Checklist
This commit adds the ability for kubernetesbuilddeploy to automatically add a webhook for each project when that project is created. These webhooks will be triggered when a container security scan within Harbor either fails or completes.