当前位置：网站首页>Harbor webhook from principle to construction

Harbor webhook from principle to construction

2022-07-01 11:24:00 【huzai9527】

1. What is? webhook

The following is from wiki
To sum up ： webhook It can be regarded as a hook , For example, when we start from harbor When you pull up the image ,harbor Will transform the request into a readable JSON Format , And forward it to webhook endpoint（ Implementation of hook ） To deal with . The following is harbor Yes pull Requested json Generalization , Including the specific information of the image , User specific information and project information, etc . When endpoint After getting this information , You can carry out relevant operations according to the information . For example pull To check malicious files , If the inspection fails, stop pull The operation of .

{
    
   "type":"PULL_ARTIFACT",
   "occur_at":1656324256,
   "operator":"admin",
   "event_data":{
    
       "resources":[
           {
    
               "digest":"sha256:f841a2abd0422364ec94bb633a56707a38c330179f2bbccebd95f9aff4a36808",
               "tag":"sha256:f841a2abd0422364ec94bb633a56707a38c330179f2bbccebd95f9aff4a36808",
               "resource_url":"10.9.33.98/library/[email protected]:f841a2abd0422364ec94bb633a56707a38c330179f2bbccebd95f9aff4a36808"
           }
       ],
       "repository":{
    
           "date_created":1656315229,
           "name":"java",
           "namespace":"library",
           "repo_full_name":"library/java",
           "repo_type":"private"
       }
   }
}

2. harbor How to use webhook

Official documents
Just like what I summarized above ,webhook endpoint according to harbor The transmitted information scans the image , Finally, perform relevant operations according to the scanning results .

3. How to open harbor webhook

harbor To configure , Choose from your project webhook, Just configure it directly , Pay attention here endpoint The address is one of our own httpserver.

Enable in global configuration webhook testing , In system settings in configuration management

4. Construct a webhook endpoint

there webhook endpoint It's actually a httpserver, Here we use gin Construct a httpserver, And will harbor Print out the information coming through , Just look here api that will do

func main() {
    
	r := gin.Default()
	r.POST("/push_image", func(c *gin.Context) {
    
		postData := &PushImage{
    }
		data, _ := ioutil.ReadAll(c.Request.Body)
		fmt.Println("string => ", string(data))

		if err := json.Unmarshal(data, &postData); err != nil {
    
			fmt.Println(err)
		}
		fmt.Printf("ctx.Request.body: %s", postData.EventData.Resources[0].Digest)
	})
	r.POST("/pullimage", func(c *gin.Context) {
    
		postData := &PullImage{
    }
		data, _ := ioutil.ReadAll(c.Request.Body)
		if err := json.Unmarshal(data, &postData); err != nil {
    
			fmt.Println(err)
		}
		fmt.Println("api TYPE => ", postData.Type)
		fmt.Println("iamge name => ", postData.EventData.Resources[0].ResourceURL)
	})
	r.POST("/api", func(c *gin.Context) {
    

		var body map[string]interface{
    }
		data, _ := ioutil.ReadAll(c.Request.Body)
		if err := json.Unmarshal(data, &body); err != nil {
    
			fmt.Println(err)
		}
		fmt.Println("body data => ", string(data))
		for k, v := range c.Request.Header {
    
			fmt.Println(k, v)
		}

	})
	r.Run() // listen and serve on 0.0.0.0:8080
}

Next launch server And from harbor in pull Mirror image , We can do it in server The terminal sees the following information
Of course , We can also send the requested json Turn into go Objects in the , Then get the information from the object

type PushImage struct {
    
	Type      string `json:"type"`
	OccurAt   int    `json:"occur_at"`
	Operator  string `json:"operator"`
	EventData struct {
    
		Resources []struct {
    
			Digest      string `json:"digest"`
			Tag         string `json:"tag"`
			ResourceURL string `json:"resource_url"`
		} `json:"resources"`
		Repository struct {
    
			DateCreated  int    `json:"date_created"`
			Name         string `json:"name"`
			Namespace    string `json:"namespace"`
			RepoFullName string `json:"repo_full_name"`
			RepoType     string `json:"repo_type"`
		} `json:"repository"`
	} `json:"event_data"`
}
type PullImage struct {
    
	Type      string `json:"type"`
	OccurAt   int    `json:"occur_at"`
	Operator  string `json:"operator"`
	EventData struct {
    
		Resources []struct {
    
			Digest      string `json:"digest"`
			Tag         string `json:"tag"`
			ResourceURL string `json:"resource_url"`
		} `json:"resources"`
		Repository struct {
    
			DateCreated  int    `json:"date_created"`
			Name         string `json:"name"`
			Namespace    string `json:"namespace"`
			RepoFullName string `json:"repo_full_name"`
			RepoType     string `json:"repo_type"`
		} `json:"repository"`
	} `json:"event_data"`
}

Insert picture description here

5. endpoint How to feed back the results to users

differ docker plugin, harbor webhook There is no correlation authorization library , It can eliminate the scanning results and directly return relevant results （ allow / prohibit ）, It looks like this

func defaultAuthResponse() *authorization.Response {
    
	return &authorization.Response{
    
		Allow: true,
	}
}

therefore , If relevant blocking operation is required , We need to pass harbor Of api To carry out relevant operations , In fact, the above authorization Library is right docker api Encapsulation , I was still issue 了 harbor webhook The maintainer of
therefore , To sum up , First harbor Turn the operation request into json Send to webhook endpoint, then enpoint Conduct relevant inspections , Last ,enpoint You can call harbor api Carry out relevant operations , I haven't thought about the operation yet , So there are no examples , To be continued ...