feature(): making webhook secure (#206)

* feature(): making webhook secure

* chore(): updating secure webhook example

examples/gateways/secure-webhook-gateway-configmap.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: webhook-gateway-configmap
+data:
+  foo: |-
+    port: "12000"
+    endpoint: "/foo"
+    method: "POST"
+    # serverCertPath refers to file where certificate is stored
+    serverCertPath: "/etc/secret-volume/cert"
+    # serverKeyPath refers to file where private key is stored
+    serverKeyPath: "/etc/secret-volume/key"

examples/gateways/secure-webhook.yaml

@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Gateway
+metadata:
+  name: webhook-gateway-http
+  labels:
+    gateways.argoproj.io/gateway-controller-instanceid: argo-events
+    gateway-name: "webhook-gateway-http"
+spec:
+  configMap: "webhook-gateway-configmap"
+  type: "webhook"
+  processorPort: "9330"
+  eventProtocol:
+    type: "HTTP"
+    http:
+      port: "9300"
+  eventVersion: "1.0"
+  deploySpec:
+    metadata:
+      name: "webhook-gateway-http"
+      labels:
+        gateway-name: "webhook-gateway-http"
+    spec:
+      containers:
+        - name: "gateway-client"
+          image: "argoproj/gateway-client"
+          imagePullPolicy: "Always"
+          command: ["/bin/gateway-client"]
+        - name: "webhook-events"
+          image: "argoproj/webhook-gateway"
+          imagePullPolicy: "Always"
+          command: ["/bin/webhook-gateway"]
+          # there will be `cert` and `key` files available at this path
+          volumeMounts:
+            - name: secret-volume
+              mountPath: /etc/secret-volume
+      # make sure to create the secret with two keys- cert and key
+      volumes:
+        - name: secret-volume
+          secret:
+            secretName: cert-and-key-secret
+      serviceAccountName: "argo-events-sa"
+  serviceSpec:
+    metadata:
+      name: webhook-gateway-svc
+    spec:
+      selector:
+        gateway-name: "webhook-gateway-http"
+      ports:
+        - port: 12000
+          targetPort: 12000
+      type: LoadBalancer
+  watchers:
+    sensors:
+      - name: "trigger-source-git"

gateways/common/webhook.go

@@ -30,12 +30,16 @@ import (
 // Webhook is a general purpose REST API
 type Webhook struct {
 	// REST API endpoint
-	Endpoint string `json:"endpoint" protobuf:"bytes,1,opt,name=endpoint"`
+	Endpoint string `json:"endpoint" protobuf:"bytes,1,name=endpoint"`
 	// Method is HTTP request method that indicates the desired action to be performed for a given resource.
 	// See RFC7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
-	Method string `json:"method" protobuf:"bytes,2,opt,name=method"`
+	Method string `json:"method" protobuf:"bytes,2,name=method"`
 	// Port on which HTTP server is listening for incoming events.
-	Port string `json:"port" protobuf:"bytes,3,opt,name=port"`
+	Port string `json:"port" protobuf:"bytes,3,name=port"`
+	// ServerCertPath refers the file that contains the cert.
+	ServerCertPath string `json:"serverCertPath,omitempty" protobuf:"bytes,4,opt,name=serverCertPath"`
+	// ServerKeyPath refers the file that contains private key
+	ServerKeyPath string `json:"serverKeyPath,omitempty" protobuf:"bytes,5,opt,name=serverKeyPath"`
 	// srv holds reference to http server
 	srv *http.Server   `json:"srv,omitempty"`
 	mux *http.ServeMux `json:"mux,omitempty"`
@@ -142,7 +146,12 @@ func (rc *RouteConfig) startHttpServer(helper *WebhookHelper) {
 
 		// start http server
 		go func() {
-			err := rc.Webhook.srv.ListenAndServe()
+			var err error
+			if rc.Webhook.ServerCertPath == "" || rc.Webhook.ServerKeyPath == "" {
+				err = rc.Webhook.srv.ListenAndServe()
+			} else {
+				err = rc.Webhook.srv.ListenAndServeTLS(rc.Webhook.ServerCertPath, rc.Webhook.ServerKeyPath)
+			}
 			rc.Log.Info().Str("event-source", rc.EventSource.Name).Str("port", rc.Webhook.Port).Msg("http server stopped")
 			if err != nil {
 				errChan <- err