1602ec992d
* spelling: across Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: anyway Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: assessment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: attribute Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: crlf Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: cmux Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: convenience Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: does-not Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: e.g. Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: fall back Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: fall back to Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: then ... falls back Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: formatted Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: gitops Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: health checks Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: located Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: logging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: oidc Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: openshift Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: os Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: powershell Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: preferred Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: redact Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: repo Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: similarly Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: staging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: statefulset Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: stopped Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: superseded Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: synchronization Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: to Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unified Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: verification Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: zookeeper Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
3.2 KiB
Git Webhook Configuration
Overview
Argo CD polls Git repositories every three minutes to detect changes to the manifests. To eliminate this delay from polling, the API server can be configured to receive webhook events. Argo CD supports Git webhook notifications from GitHub, GitLab, Bitbucket, Bitbucket Server and Gogs. The following explains how to configure a Git webhook for GitHub, but the same process should be applicable to other providers.
1. Create The WebHook In The Git Provider
In your Git provider, navigate to the settings page where webhooks can be configured. The payload
URL configured in the Git provider should use the /api/webhook endpoint of your Argo CD instance
(e.g. https://argocd.example.com/api/webhook). If you wish to use a shared secret, input an
arbitrary value in the secret. This value will be used when configuring the webhook in the next step.
!!! note When creating the webhook in GitHub, the "Content type" needs to be set to "application/json". The default value "application/x-www-form-urlencoded" is not supported by the library used to handle the hooks
2. Configure Argo CD With The WebHook Secret (Optional)
Configuring a webhook shared secret is optional, since Argo CD will still refresh applications related to the Git repository, even with unauthenticated webhook events. This is safe to do since the contents of webhook payloads are considered untrusted, and will only result in a refresh of the application (a process which already occurs at three-minute intervals). If Argo CD is publicly accessible, then configuring a webhook secret is recommended to prevent a DDoS attack.
In the argocd-secret kubernetes secret, configure one of the following keys with the Git
provider's webhook secret configured in step 1.
| Provider | K8s Secret Key |
|---|---|
| GitHub | webhook.github.secret |
| GitLab | webhook.gitlab.secret |
| BitBucket | webhook.bitbucket.uuid |
| BitBucketServer | webhook.bitbucketserver.secret |
| Gogs | webhook.gogs.secret |
Edit the Argo CD kubernetes secret:
kubectl edit secret argocd-secret -n argocd
TIP: for ease of entering secrets, kubernetes supports inputting secrets in the stringData field,
which saves you the trouble of base64 encoding the values and copying it to the data field.
Simply copy the shared webhook secret created in step 1, to the corresponding
GitHub/GitLab/BitBucket key under the stringData field:
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
type: Opaque
data:
...
stringData:
# github webhook secret
webhook.github.secret: shhhh! it's a github secret
# gitlab webhook secret
webhook.gitlab.secret: shhhh! it's a gitlab secret
# bitbucket webhook secret
webhook.bitbucket.uuid: your-bitbucket-uuid
# bitbucket server webhook secret
webhook.bitbucketserver.secret: shhhh! it's a bitbucket server secret
# gogs server webhook secret
webhook.gogs.secret: shhhh! it's a gogs server secret
After saving, the changes should take effect automatically.