knative-extensions/eventing-github

Provision DomainMapping resource for created Knative Service from GithubSource and use DomainMapping URL as the Webhook URL

Closed this issue · 1 comments

Problem
When the GithubSource CR is applied the controller creates a Knative Service, exposes the Service URL following the convention of name.namespace.custom-domain.com and adds it as a GitHub webhook on the repository.

This is a problem in some managed clusters (like SAP Kyma) as Let's Encrypt certificates are pre-provisioned and are only valid for *.<identifier>.kyma.ondemand.com.

Due to organization restriction policies this cannot be modified from the platform provisioning team.

When this URL is added as a GitHub webhook tls verification fails because of -

tls: failed to verify certificate: x509: 
certificate is valid for *.<identifier>.kyma.ondemand.com, not for 
<name>.<namespace>.<identifier>.kyma.ondemand.com

I think we can overcome this restriction by using Knative DomainMapping resource to map it to a shorter domain and set that as the webhook URL.

I think this can be solved by adding an optional spec for example -

apiVersion: sources.knative.dev/v1alpha1
kind: GitHubSource
metadata:
  name: my-githubsource-sample
spec:
  githubAPIURL: "https://github.tools.sap/api/v3/"
  eventTypes:
    - pull_request
  ownerAndRepository: "myOrg/sample"
  domainMapping: # Optional
    name: github-<unique-identifier>.custom-domain.com
    tls: # Optional
      name: <tls-secret-name>
   ....
  sink:
    ref:
      ...

which would result in the following DomainMapping -

apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: github-<unique-identifier>.custom-domain.com
spec:
  ref:
    name: my-githubsource-sample-n5lsc # <- generated name suffix
    kind: Service
    apiVersion: serving.knative.dev/v1
  # tls block specifies the secret to be used
  tls:
    secretName: <tls-secret-name>

Then use the URL from the DomainMapping status and set that as the GitHub webhook.

This would be very helpful for developers in organizations to not do any long ticketing Ops to get custom domain / DNS setup.

Additional Context

The need for DomainMapping is because this resource cannot be applied to the cluster in a GitOps approach, because of the generated name being used for the Knative Service name, and also because any manual updates made to the webhook URL will be replaced when the controller reconciles.

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.