SHIP : Git event-driven build executions #41
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
sbose78
changed the title
ships/0025-event-driven-builds.md
Outdated
| ... | ||
| webhook: | ||
| type: github | ||
| imageTagPolicy: short_sha # optional, allowed values: 'short_sha' , 'branch'. Defaults to 'branch'. |
There was a problem hiding this comment.
I am not sure if mixing in the concept of image tag policies here into the webhook is correct. Imo an image tag policy should be outside of it as it also makes sense as a standalone concept.
There was a problem hiding this comment.
Agreed.
This was mainly brought it to address the issue of receiving events for all branches. I wonder if we should probably support:
- what are the branches you wish to support listening on?
- what's your tag policy? short_sha' / 'branch'.
We could definitely de-scope things and say, we'll only act on events which come in from the .spec.source.revision only. My over-enthusiastic self wanted to dabble with more than that.
ships/0025-event-driven-builds.md
Outdated
| spec: | ||
| ... | ||
| ... | ||
| webhook: |
There was a problem hiding this comment.
We could generalize this to triggers to support other scenarios in the future such as a daily build.
There was a problem hiding this comment.
+1 ..... image change triggers could be a peer type like git/scm webhook triggers ... and a build can have multiple "trigger types"
There was a problem hiding this comment.
I'm good with the change you've put in for this @sbose78
ships/0025-event-driven-builds.md
Outdated
| While the enhancement could have been scoped to only deal with the branch/revision explicitly specified in the `Build` resource, | ||
| doing the same would have have excluded some key use cases where users push to a different branch before merging to 'main'. |
There was a problem hiding this comment.
Hm, but what is the user's expectation? I'd say if I specify a Build with a source revision set to main, that I only want commits into main to trigger a BuildRun.
There was a problem hiding this comment.
I did go in that direction and quickly found it to be too cumbersome to have to define a new Build for every branch. 🤷♂️
There was a problem hiding this comment.
I see. We'll have to think about a good solution. Let's look at the scenario first: in my experience, repositories typically only have one or two major branches (main and develop) - having two Builds for this would be okayish for me because of how we use those branches internally (the images go into different repos).
The other branches you have in mind, would not that have been pull requests ? Because that would make sense for me as a scenario: define branch A in the build and define that pull requests for that branch should also be built.
Another scenario where branches do not play any role would be to build a tag once it gets pushed.
| Similar to the `Drawbacks` section the `Alternatives` section is used to highlight and record other | ||
| possible approaches to delivering the value proposed by an enhancement. |
There was a problem hiding this comment.
How much simpler would it be if we implement our own webhook endpoint that directly consumes the event data from GitHub or GitLab? I personally think, it is much simpler. And it will be trivial to implement logic there that checks the branch of the payload and compares it with what is defined in the Build.
There was a problem hiding this comment.
You mean - write a simple http service which understands the payload and creates corresponding Build/BuildRuns?
| secretRef: # optional, will be genereated if not specified. | ||
| name: my-webhook-secret. |
There was a problem hiding this comment.
I wonder if optional is reasonable here because if we generate it, then the user will need to decode it to get the webhook token to then store it in GitHub, right?
There was a problem hiding this comment.
Correct, this is more of a knob of convenience :)
|
Requesting another round of review, the following changes have been addressed:
|
There was a problem hiding this comment.
Per discussion in the community meeting today, I've asked @sbose78 to add some diagrams to help illustrate things, and he has graciously agreed :-)
|
@sbose78 quick formal request: please change the PR title to |
|
|
||
| ## Open Questions [optional] | ||
|
|
||
| 1. Almost every user would need an exposed `Service`, how do we create a vendor-agnostic `Ingress` object ? |
There was a problem hiding this comment.
Sounds like something for a Helm Chart? Users could choose between Ingress and Route. Since we don't have a Helm Chart yet, installation instructions should do it.
| specified in the `Build` CR. | ||
|
|
||
|
|
||
| 2. Exposing a webhook URL enables creation of pods ( ie, processes on the node ) by actors who may not necessarily have access to the cluster. |
There was a problem hiding this comment.
As part of the installation instructions, we must include instructions for the cluster admin to only allow access to certain IP addresses. This filtering ability completely depend on the cluster capabilities, like for instance when using a service mesh in place.
|
|
||
| 2. Exposing a webhook URL enables creation of pods ( ie, processes on the node ) by actors who may not necessarily have access to the cluster. | ||
|
|
||
| This does open up an attack vector given the execution of the build is done using the configured service account. |
There was a problem hiding this comment.
Given we are dealing with external access, we need to be clear that it does require special attention from the cluster admin.
| --- | ||
| title: event-driven-builds | ||
| authors: | ||
| - "@sbose787" |
There was a problem hiding this comment.
Little typo here, the extra 7 at the end.
An easy way to setup webhooks for triggered Git event-based builds.
( Extension of the proof of concepts in shipwright-io/build#912 and https://github.com/imjasonh/build-task )