If you want to use a secure GitHub webhook as an event source, you will need to use the GitHub event source type. GitHub webhooks send a special authorization header, X-Hub-Signature/X-Hub-Signature-256, that includes a hashed value of the webhook secret. The "regular" webhook event source expects a standard Bearer token with an authorization header in the form of "Authorization: Bearer <webhook-secret>".
You can read more about GitHub webhook delivery headers here. You can then compare that to the Argo Events webhook event source authentication documentation here.
There are basically two options when creating the GitHub webhook event source.
- Provide GitHub API credentials in a Kubernetes secret so Argo Events can make the API call to GitHub to create the webhook on your behalf.
- Omit the GitHub API credentials in the EventSource spec and create the webhook yourself, either manually or through whichever means you normally create a webhook (Terraform, scripted API calls, etc.).
Here is an example for the second option:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
  name: github-events
  namespace: my-namespace
spec:
  service:
    ports:
      - name: http
        port: 12000
        targetPort: 12000
  github:
    default:
      # No GitHub API credentials in this spec: the webhook is created outside Argo Events.
      owner: my-github-org-or-username
      repository: my-github-repo-name
      webhook:
        url: https://my-argo-events-server-fqdn
        endpoint: /push
        port: "12000"
        method: POST
      events:
        - "*"
      # Kubernetes Secret that holds the GitHub webhook secret.
      webhookSecret:
        name: my-secret-name
        key: my-secret-key
      insecure: false
      active: true
      contentType: "json"
```
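To make the header difference described at the top concrete, here is an added example (not from the original page and not Argo Events code) that compares the two checks. GitHub sets X-Hub-Signature-256 to `sha256=` followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret; the secret, body and function names below are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for illustration, not taken from the page.
SECRET = b"example-webhook-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"name":"my-github-repo-name"}}'


def github_signature(secret: bytes, body: bytes, algo: str = "sha256") -> str:
    """Header value GitHub sends: X-Hub-Signature-256 (sha256) or X-Hub-Signature (sha1)."""
    return f"{algo}=" + hmac.new(secret, body, algo).hexdigest()


def verify_github(secret: bytes, body: bytes, headers: dict) -> bool:
    """Signature check: recompute the HMAC over the raw body, compare in constant time."""
    received = {k.lower(): v for k, v in headers.items()}.get("x-hub-signature-256", "")
    if not received:
        return False  # unsigned delivery is rejected
    return hmac.compare_digest(github_signature(secret, body).encode(), received.encode())


def verify_bearer(secret: bytes, headers: dict) -> bool:
    """Bearer check in the form the page gives for the regular webhook event source."""
    received = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    return hmac.compare_digest(b"Bearer " + secret, received.encode())


def demo() -> dict:
    # A GitHub delivery carries only the signature header, never the secret itself.
    delivery = {"X-Hub-Signature-256": github_signature(SECRET, BODY)}
    return {
        "github_check_on_github_delivery": verify_github(SECRET, BODY, delivery),
        "bearer_check_on_github_delivery": verify_bearer(SECRET, delivery),
        "github_check_on_tampered_body": verify_github(SECRET, BODY + b" ", delivery),
        "github_check_with_wrong_secret": verify_github(b"other", BODY, delivery),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The signature depends on the exact bytes of the body, so any check of this kind has to run on the raw payload before it is parsed or re-serialized.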