Provision DomainMapping resource for created Knative Service from GithubSource and use DomainMapping URL as the Webhook URL
Closed this issue · 1 comment
Problem
When the GithubSource CR is applied the controller creates a Knative Service, exposes the Service URL following the convention of name.namespace.custom-domain.com and adds it as a GitHub webhook on the repository.
This is a problem in some managed clusters (like SAP Kyma) as Let's Encrypt certificates are pre-provisioned and are only valid for *.<identifier>.kyma.ondemand.com
Due to organization restriction policies this cannot be modified from the platform provisioning team.
When this URL is added as a GitHub webhook, TLS verification fails with:

```
tls: failed to verify certificate: x509:
certificate is valid for *.<identifier>.kyma.ondemand.com, not for
<name>.<namespace>.<identifier>.kyma.ondemand.com
```
I think we can overcome this restriction by using Knative DomainMapping resource to map it to a shorter domain and set that as the webhook URL.
I think this can be solved by adding an optional spec, for example:

```yaml
apiVersion: sources.knative.dev/v1alpha1
kind: GitHubSource
metadata:
  name: my-githubsource-sample
spec:
  githubAPIURL: "https://github.tools.sap/api/v3/"
  eventTypes:
    - pull_request
  ownerAndRepository: "myOrg/sample"
  domainMapping: # Optional
    name: github-<unique-identifier>.custom-domain.com
    tls: # Optional
      name: <tls-secret-name>
  ....
  sink:
    ref:
      ...
```
which would result in the following DomainMapping:

```yaml
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: github-<unique-identifier>.custom-domain.com
spec:
  ref:
    name: my-githubsource-sample-n5lsc # <- generated name suffix
    kind: Service
    apiVersion: serving.knative.dev/v1
  # tls block specifies the secret to be used
  tls:
    secretName: <tls-secret-name>
```
Then use the URL from the DomainMapping status and set that as the GitHub webhook.
This would be very helpful for developers in organizations, so they do not have to go through lengthy ticketing with Ops to get a custom domain / DNS set up.
Additional Context
The need for DomainMapping is because this resource cannot be applied to the cluster in a GitOps approach, since a generated name is used for the Knative Service name, and also because any manual updates made to the webhook URL will be replaced when the controller reconciles.
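As an added illustration of the failure described in this issue (example code, not from the GitHubSource project or from the reporter): the block below creates a throwaway self-signed certificate whose only SAN is the cluster's wildcard pattern and checks both the default Knative host (`<name>.<namespace>.<domain>`) and a DomainMapping host (`<prefix>.<domain>`) against it with Go's `crypto/x509`, which applies the standard rule that a `*` label matches exactly one DNS label. The identifier `abc123`, the namespace `default`, the generated Service name and the DomainMapping prefix are assumed values for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// clusterDomain and clusterWildcard are constructed stand-ins for the
// pre-provisioned *.<identifier>.kyma.ondemand.com certificate in the issue.
const (
	clusterDomain   = "abc123.kyma.ondemand.com"
	clusterWildcard = "*." + clusterDomain
)

// selfSignedWildcard builds a throwaway certificate whose only SAN is pattern,
// so the hostname matching rules can be exercised offline. It is not a
// substitute for the real Let's Encrypt certificate; only name matching matters here.
func selfSignedWildcard(pattern string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: pattern},
		DNSNames:     []string{pattern},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// knativeServiceHost is the host Knative derives by default: <name>.<namespace>.<domain>.
// Two labels sit under the wildcard base, which a single "*" label cannot cover.
func knativeServiceHost(name, namespace, domain string) string {
	return fmt.Sprintf("%s.%s.%s", name, namespace, domain)
}

// domainMappingHost is the single-label host a DomainMapping can map the Service to,
// e.g. github-<unique-identifier>.<domain>, which the wildcard does cover.
func domainMappingHost(prefix, domain string) string {
	return fmt.Sprintf("%s.%s", prefix, domain)
}

// coveredByCert reports whether a TLS client using Go's matching rules would accept
// cert for host; a nil error means the webhook delivery would pass name verification.
func coveredByCert(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	cert, err := selfSignedWildcard(clusterWildcard)
	if err != nil {
		panic(err)
	}
	// Assumed generated Service name and DomainMapping prefix.
	for _, host := range []string{
		knativeServiceHost("my-githubsource-sample-n5lsc", "default", clusterDomain),
		domainMappingHost("github-n5lsc", clusterDomain),
	} {
		if err := coveredByCert(cert, host); err != nil {
			fmt.Printf("REJECT %s: %v\n", host, err)
		} else {
			fmt.Printf("ACCEPT %s\n", host)
		}
	}
}
```

Running it shows the default Knative host rejected and the DomainMapping host accepted, which is the whole reason the mapped URL, rather than the Service URL, has to be what the controller registers as the webhook.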
This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.