argoproj-labs
diff --git a/‎cmd/main.go
Lines changed: 3 additions & 0 deletions b/‎cmd/main.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎cmd/run.go
Lines changed: 74 additions & 0 deletions b/‎cmd/run.go
Lines changed: 74 additions & 0 deletions
diff --git a/‎cmd/webhook.go
Lines changed: 147 additions & 0 deletions b/‎cmd/webhook.go
Lines changed: 147 additions & 0 deletions
diff --git a/‎pkg/argocd/updater_config.go
Lines changed: 35 additions & 0 deletions b/‎pkg/argocd/updater_config.go
Lines changed: 35 additions & 0 deletions
@@ -51,6 +51,8 @@ type ImageUpdaterConfig struct {
 	GitCommitSignOff       bool
 	DisableKubeEvents      bool
 	GitCreds               git.CredsStore
+	WebhookPort            int
+	EnableWebhook          bool
 }
 
 // newRootCommand implements the root command of argocd-image-updater
@@ -63,6 +65,7 @@ func newRootCommand() error {
 	rootCmd.AddCommand(newVersionCommand())
 	rootCmd.AddCommand(newTestCommand())
 	rootCmd.AddCommand(newTemplateCommand())
+	rootCmd.AddCommand(NewWebhookCommand())
 	err := rootCmd.Execute()
 	return err
 }
 
@@ -15,6 +15,7 @@ import (
 	"github.com/argoproj-labs/argocd-image-updater/pkg/health"
 	"github.com/argoproj-labs/argocd-image-updater/pkg/metrics"
 	"github.com/argoproj-labs/argocd-image-updater/pkg/version"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/webhook"
 	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/env"
 	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
 	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/registry"
@@ -144,6 +145,7 @@ func newRunCommand() *cobra.Command {
 			// Health server will start in a go routine and run asynchronously
 			var hsErrCh chan error
 			var msErrCh chan error
+			var whErrCh chan error
 			if cfg.HealthPort > 0 {
 				log.Infof("Starting health probe server TCP port=%d", cfg.HealthPort)
 				hsErrCh = health.StartHealthServer(cfg.HealthPort)
@@ -179,6 +181,61 @@ func newRunCommand() *cobra.Command {
 
 			cfg.GitCreds = cs
 
+			// Start the webhook server if enabled
+			var webhookServer *webhook.WebhookServer
+			if cfg.EnableWebhook && cfg.WebhookPort > 0 {
+				// Initialize the ArgoCD client for webhook server
+				var argoClient argocd.ArgoCD
+				switch cfg.ApplicationsAPIKind {
+				case applicationsAPIKindK8S:
+					argoClient, err = argocd.NewK8SClient(cfg.KubeClient, &argocd.K8SClientOptions{AppNamespace: cfg.AppNamespace})
+				case applicationsAPIKindArgoCD:
+					argoClient, err = argocd.NewAPIClient(&cfg.ClientOpts)
+				}
+				if err != nil {
+					log.Fatalf("Could not create ArgoCD client for webhook server: %v", err)
+				}
+
+				// Create webhook handler
+				handler := webhook.NewWebhookHandler()
+
+				// Register supported webhook handlers with default empty secrets
+				// In production, these would be configured via flags or environment variables
+				dockerHandler := webhook.NewDockerHubWebhook("")
+				handler.RegisterHandler(dockerHandler)
+
+				ghcrHandler := webhook.NewGHCRWebhook("")
+				handler.RegisterHandler(ghcrHandler)
+
+				harborHandler := webhook.NewHarborWebhook("")
+				handler.RegisterHandler(harborHandler)
+
+				log.Infof("Starting webhook server on port %d", cfg.WebhookPort)
+				webhookServer = webhook.NewWebhookServer(cfg.WebhookPort, handler, cfg.KubeClient, argoClient)
+
+				// Set updater config
+				updaterConfig := &argocd.UpdaterConfig{
+					DryRun:                 cfg.DryRun,
+					GitCommitUser:          cfg.GitCommitUser,
+					GitCommitEmail:         cfg.GitCommitMail,
+					GitCommitMessage:       cfg.GitCommitMessage.Tree.Root.String(),
+					GitCommitSigningKey:    cfg.GitCommitSigningKey,
+					GitCommitSigningMethod: cfg.GitCommitSigningMethod,
+					GitCommitSignOff:       cfg.GitCommitSignOff,
+				}
+				webhookServer.UpdaterConfig = updaterConfig
+
+				whErrCh = make(chan error, 1)
+				go func() {
+					if err := webhookServer.Start(); err != nil {
+						log.Errorf("Webhook server error: %v", err)
+						whErrCh <- err
+					}
+				}()
+
+				log.Infof("Webhook server started and listening on port %d", cfg.WebhookPort)
+			}
+
 			// This is our main loop. We leave it only when our health probe server
 			// returns an error.
 			for {
@@ -189,13 +246,28 @@ func newRunCommand() *cobra.Command {
 					} else {
 						log.Infof("Health probe server exited gracefully")
 					}
+					// Clean shutdown of webhook server if running
+					if webhookServer != nil {
+						if err := webhookServer.Stop(); err != nil {
+							log.Errorf("Error stopping webhook server: %v", err)
+						}
+					}
 					return nil
 				case err := <-msErrCh:
 					if err != nil {
 						log.Errorf("Metrics server exited with error: %v", err)
 					} else {
 						log.Infof("Metrics server exited gracefully")
 					}
+					// Clean shutdown of webhook server if running
+					if webhookServer != nil {
+						if err := webhookServer.Stop(); err != nil {
+							log.Errorf("Error stopping webhook server: %v", err)
+						}
+					}
+					return nil
+				case err := <-whErrCh:
+					log.Errorf("Webhook server exited with error: %v", err)
 					return nil
 				default:
 					if lastRun.IsZero() || time.Since(lastRun) > cfg.CheckInterval {
@@ -251,6 +323,8 @@ func newRunCommand() *cobra.Command {
 	runCmd.Flags().BoolVar(&cfg.GitCommitSignOff, "git-commit-sign-off", env.GetBoolVal("GIT_COMMIT_SIGN_OFF", false), "Whether to sign-off git commits")
 	runCmd.Flags().StringVar(&commitMessagePath, "git-commit-message-path", defaultCommitTemplatePath, "Path to a template to use for Git commit messages")
 	runCmd.Flags().BoolVar(&cfg.DisableKubeEvents, "disable-kube-events", env.GetBoolVal("IMAGE_UPDATER_KUBE_EVENTS", false), "Disable kubernetes events")
+	runCmd.Flags().IntVar(&cfg.WebhookPort, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8082, 0, 65535), "Port to start the webhook server on, 0 to disable")
+	runCmd.Flags().BoolVar(&cfg.EnableWebhook, "enable-webhook", env.GetBoolVal("ENABLE_WEBHOOK", false), "Enable webhook server for receiving registry events")
 
 	return runCmd
 }
 
@@ -0,0 +1,147 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/kube"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/webhook"
+	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
+
+	"github.com/spf13/cobra"
+)
+
+// WebhookOptions holds the options for the webhook server
+type WebhookOptions struct {
+	Port                int
+	DockerSecret        string
+	GHCRSecret          string
+	UpdateOnEvent       bool
+	ApplicationsAPIKind string
+	AppNamespace        string
+	ServerAddr          string
+	Insecure            bool
+	Plaintext           bool
+	GRPCWeb             bool
+	AuthToken           string
+}
+
+var webhookOpts WebhookOptions
+
+// NewWebhookCommand creates a new webhook command
+func NewWebhookCommand() *cobra.Command {
+	var webhookCmd = &cobra.Command{
+		Use:   "webhook",
+		Short: "Start webhook server to receive registry events",
+		Long: `
+The webhook command starts a server that listens for webhook events from
+container registries. When an event is received, it can trigger an image
+update check for the affected images.
+
+Supported registries:
+- Docker Hub
+- GitHub Container Registry (GHCR)
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runWebhook()
+		},
+	}
+
+	webhookCmd.Flags().IntVar(&webhookOpts.Port, "port", 8080, "Port to listen on for webhook events")
+	webhookCmd.Flags().StringVar(&webhookOpts.DockerSecret, "docker-secret", "", "Secret for validating Docker Hub webhooks")
+	webhookCmd.Flags().StringVar(&webhookOpts.GHCRSecret, "ghcr-secret", "", "Secret for validating GitHub Container Registry webhooks")
+	webhookCmd.Flags().BoolVar(&webhookOpts.UpdateOnEvent, "update-on-event", true, "Whether to trigger image update checks when webhook events are received")
+	webhookCmd.Flags().StringVar(&webhookOpts.ApplicationsAPIKind, "applications-api", applicationsAPIKindK8S, "API kind that is used to manage Argo CD applications ('kubernetes' or 'argocd')")
+	webhookCmd.Flags().StringVar(&webhookOpts.AppNamespace, "application-namespace", "", "namespace where Argo Image Updater will manage applications")
+	webhookCmd.Flags().StringVar(&webhookOpts.ServerAddr, "argocd-server-addr", "", "address of ArgoCD API server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.Insecure, "argocd-insecure", false, "(INSECURE) ignore invalid TLS certs for ArgoCD server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.Plaintext, "argocd-plaintext", false, "(INSECURE) connect without TLS to ArgoCD server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.GRPCWeb, "argocd-grpc-web", false, "use grpc-web for connection to ArgoCD")
+	webhookCmd.Flags().StringVar(&webhookOpts.AuthToken, "argocd-auth-token", "", "use token for authenticating to ArgoCD")
+
+	return webhookCmd
+}
+
+// runWebhook starts the webhook server
+func runWebhook() {
+	log.Infof("Starting webhook server on port %d", webhookOpts.Port)
+
+	// Initialize the ArgoCD client
+	var argoClient argocd.ArgoCD
+	var err error
+
+	// Create Kubernetes client
+	var kubeClient *kube.ImageUpdaterKubernetesClient
+	kubeClient, err = getKubeConfig(context.TODO(), "", "")
+	if err != nil {
+		log.Fatalf("Could not create Kubernetes client: %v", err)
+	}
+
+	// Set up based on application API kind
+	if webhookOpts.ApplicationsAPIKind == applicationsAPIKindK8S {
+		argoClient, err = argocd.NewK8SClient(kubeClient, &argocd.K8SClientOptions{AppNamespace: webhookOpts.AppNamespace})
+	} else {
+		// Use defaults if not specified
+		serverAddr := webhookOpts.ServerAddr
+		if serverAddr == "" {
+			serverAddr = defaultArgoCDServerAddr
+		}
+
+		// Check for auth token from environment if not provided
+		authToken := webhookOpts.AuthToken
+		if authToken == "" {
+			if token := os.Getenv("ARGOCD_TOKEN"); token != "" {
+				authToken = token
+			}
+		}
+
+		clientOpts := argocd.ClientOptions{
+			ServerAddr: serverAddr,
+			Insecure:   webhookOpts.Insecure,
+			Plaintext:  webhookOpts.Plaintext,
+			GRPCWeb:    webhookOpts.GRPCWeb,
+			AuthToken:  authToken,
+		}
+		argoClient, err = argocd.NewAPIClient(&clientOpts)
+	}
+
+	if err != nil {
+		log.Fatalf("Could not create ArgoCD client: %v", err)
+	}
+
+	// Create webhook handler
+	handler := webhook.NewWebhookHandler()
+
+	// Register supported webhook handlers
+	dockerHandler := webhook.NewDockerHubWebhook(webhookOpts.DockerSecret)
+	handler.RegisterHandler(dockerHandler)
+
+	ghcrHandler := webhook.NewGHCRWebhook(webhookOpts.GHCRSecret)
+	handler.RegisterHandler(ghcrHandler)
+
+	// Create webhook server
+	server := webhook.NewWebhookServer(webhookOpts.Port, handler, kubeClient, argoClient)
+
+	// Set up graceful shutdown
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
+
+	// Start the server in a separate goroutine
+	go func() {
+		if err := server.Start(); err != nil {
+			log.Fatalf("Failed to start webhook server: %v", err)
+		}
+	}()
+
+	// Wait for interrupt signal
+	<-stop
+
+	// Gracefully shut down the server
+	log.Infof("Shutting down webhook server")
+	if err := server.Stop(); err != nil {
+		log.Errorf("Error stopping webhook server: %v", err)
+	}
+}
@@ -0,0 +1,35 @@
+package argocd
+
+// UpdaterConfig holds configuration for image updating
+type UpdaterConfig struct {
+	// DryRun if true, do not modify anything
+	DryRun bool
+	// MaxConcurrency is the maximum number of concurrent update operations
+	MaxConcurrency int
+	// GitCommitUser is the user name to use for Git commits
+	GitCommitUser string
+	// GitCommitEmail is the email to use for Git commits
+	GitCommitEmail string
+	// GitCommitMessage is the template for Git commit messages
+	GitCommitMessage string
+	// GitCommitSigningKey is the key to use for signing Git commits
+	GitCommitSigningKey string
+	// GitCommitSigningMethod is the method to use for signing Git commits
+	GitCommitSigningMethod string
+	// GitCommitSignOff if true, add sign-off line to Git commits
+	GitCommitSignOff bool
+}
+
+// NewUpdaterConfig creates a new UpdaterConfig with default values
+func NewUpdaterConfig() *UpdaterConfig {
+	return &UpdaterConfig{
+		DryRun:                 false,
+		MaxConcurrency:         10,
+		GitCommitUser:          "argocd-image-updater",
+		GitCommitEmail:         "noreply@argoproj.io",
+		GitCommitMessage:       "Update image version",
+		GitCommitSigningKey:    "",
+		GitCommitSigningMethod: "openpgp",
+		GitCommitSignOff:       false,
+	}
+}