From d92edc71b7a800a8a02c7fab9bf3901e8dacbc98 Mon Sep 17 00:00:00 2001
From: James Andariese
Date: Sun, 10 Mar 2024 15:14:26 -0500
Subject: [PATCH] add webhooks via argo-events with sample job runner
---
 gitea/cm.yaml | 2 +
 gitea/webhook.yaml | 153 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 gitea/webhook.yaml
diff --git a/gitea/cm.yaml b/gitea/cm.yaml
index 9b3ba47..11478c1 100644
--- a/gitea/cm.yaml
+++ b/gitea/cm.yaml
@@ -79,3 +79,5 @@ data:
 GITEA__session__PROVIDER: "file"
 GITEA__session__PROVIDER_CONFIG: "/data/gitea/sessions"
+
+ GITEA__webhook__ALLOWED_HOST_LIST: "*"
diff --git a/gitea/webhook.yaml b/gitea/webhook.yaml
new file mode 100644
index 0000000..223c909
--- /dev/null
+++ b/gitea/webhook.yaml
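Review bot: The added `GITEA__webhook__ALLOWED_HOST_LIST: "*"` in gitea/cm.yaml lets Gitea deliver webhooks to any host, including loopback and private cluster addresses, so any user who can configure a webhook on a repository can make the Gitea pod send requests to internal services. The only target this commit introduces is the `gitea-update-webhook` Service in the `gitea` namespace, so the list can name just that host, for example `GITEA__webhook__ALLOWED_HOST_LIST: "gitea-update-webhook.gitea.svc.cluster.local"` (assuming the default cluster domain and that the webhook URL uses this name). A short comment above the key saying why the default was widened would also help the next reader.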
@@ -0,0 +1,153 @@
+# kubectl create secret generic gitea-update-webhook-token --dry-run=client -o yaml --from-literal=token=`uuid` | kubeseal -o yaml
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: gitea-update-webhook-token
+ namespace: gitea
+spec:
+ encryptedData:
+ token: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: gitea-update-webhook-token
+ namespace: gitea
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-update-webhook
+ namespace: gitea
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - port: 12000
+ protocol: TCP
+ targetPort: 12000
+ selector:
+ eventsource-name: gitea-update-webhook
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+ name: default
+ namespace: gitea
+spec:
+ jetstream:
+ version: latest
+ replicas: 3
+ persistence:
+ storageClassName: nvme
+ accessMode: ReadWriteOnce
+ volumeSize: 10Gi
+ streamConfig: |
+ maxAge: 24h
+ settings: |
+ max_file_store: 1GB # see default values in argo-events-controller-config
+ startArgs:
+ - "-D" # debug-level logs
+---
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+ name: gitea-update-webhook
+ namespace: gitea
+spec:
+ webhook:
+ gitea-update:
+ port: "12000"
+ endpoint: /gitea-update
+ method: POST
+ authSecret:
+ name: gitea-update-webhook-token
+ key: token
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+ name: gitea-update-webhook-sensor
+ namespace: gitea
+spec:
+ template:
+ serviceAccountName: gitea-update-webhook-sensor-sa
+ dependencies:
+ - name: gitea-update-webhook-received
+ eventSourceName: gitea-update-webhook
+ eventName: gitea-update
+ triggers:
+ - template:
+ name: webhook-job-trigger
+ k8s:
+ operation: create
+ source:
+ resource:
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ generateName: gitea-update-webhook-received-
+ spec:
+ ttlSecondsAfterFinished: 30
+ template:
+ spec:
+ containers:
+ - name: echo-contents
+ args:
+ - "nodatareceived"
+ command:
+ - echo
+ image: "bash:latest"
+ restartPolicy: OnFailure
+ backoffLimit: 2
+ parameters:
+ - src:
+ dependencyName: gitea-update-webhook-received
+ dest: spec.template.spec.containers.0.args.0
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-update-webhook-sensor-sa
+ namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: gitea
+ name: gitea-update-webhook-sensor-k8s-resource-creator-role
+rules:
+- apiGroups: ["*"]
+ resources:
+ - "*"
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: gitea-update-webhook-sensor-resource-creator-rolebinding
+ namespace: gitea
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: gitea-update-webhook-sensor-k8s-resource-creator-role
+subjects:
+- kind: ServiceAccount
+ name: gitea-update-webhook-sensor-sa
+ namespace: gitea
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-update-webhook-sensor-sa
+ namespace: gitea
+ annotations:
+ kubernetes.io/service-account.name: gitea-update-webhook-sensor-sa
+type: kubernetes.io/service-account-token
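Review bot: The Role `gitea-update-webhook-sensor-k8s-resource-creator-role` in gitea/webhook.yaml grants `*` verbs on `*` resources in every API group, which makes the sensor's service account a full administrator of the `gitea` namespace (Secrets included), while the only trigger in this file creates a `batch/v1` Job. As a starting point the rule can be narrowed to `- apiGroups: ["batch"]`, `resources: ["jobs"]`, `verbs: ["create"]`. The trailing `kubernetes.io/service-account-token` Secret also mints a non-expiring token for that same account; if nothing outside the cluster consumes it, it can be dropped, since the sensor pod presumably gets a projected token on its own. Separately, `image: "bash:latest"` and the EventBus `version: latest` are unpinned, so what runs under this account can change without a commit.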