The idea is that we can set up salt-api to receive hook calls from GitHub, and configure it to run stat.sls
only if the HMAC signature on the request verifies successfully.
Unfortunately most documentation says to deactivate salt-api hook authentication (i.e. webhook_disable_auth: True),
which is not a good idea.
This Gist is about finding a way to declare which state to run based on the data GitHub sends with the push hook, but ONLY if the request is valid.
The skeleton defines the desired logic; see reactor_github_push.py below.
The problem is that I have next to no experience in Python and it goes beyond my skill set.
Help would be much appreciated.
curl -XPOST -ski https://128.52.178.67:8080/hook/github/push \
  -H "Content-Type: application/json" \
  -H "User-Agent: GitHub-Hookshot/renoirb" \
  -H "X-Github-Delivery: bf9d3700-ec39-11e4-87ec-abf8ab3d9134" \
  -H "X-Github-Event: push" \
  -H "X-Hub-Signature: sha1=756c2d03cdb736432072b61280194e51f11bd696" \
  --data @github_push_payload.json
Set up a reactor similar to:

# /etc/salt/master.d/reactor.conf
reactor:
  - 'salt/netapi/hook/github/push':
    - '/srv/salt/reactor/github/push.sls'

rest_cherrypy:
  port: 8080
  ssl_crt: /etc/pki/tls/certs/128.52.178.67.crt
  ssl_key: /etc/pki/tls/certs/128.52.178.67.key
  webhook_disable_auth: True
See also the thread in this Pull request
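The signature check the reactor needs, as an added example (not the gist's reactor_github_push.py). It assumes the salt-api webhook event exposes the raw request body as data['body'] and the headers as data['headers'], that the shared secret is held in SECRET, and that the reactor output uses the local.state.sls mapping form; the push payload below is constructed.

```python
"""Verify GitHub's X-Hub-Signature before deciding which state to run."""
import hashlib
import hmac
import json

# Constructed value for this example; configure the same secret on the GitHub webhook.
SECRET = b"constructed-shared-secret"


def github_signature(secret, body):
    """Return the 'sha1=<hex>' value GitHub sends for body signed with secret."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def signature_is_valid(secret, body, header_value):
    """Recompute HMAC-SHA1 over the raw body and compare in constant time."""
    if not header_value or not header_value.startswith("sha1="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header_value)


def state_for_push(payload):
    """Map the push payload to a state name; only pushes to master deploy here."""
    if payload.get("ref") != "refs/heads/master":
        return None
    return "stat"


def reactor_run(data, secret=SECRET):
    """Reactor entry point: a reactor mapping for authentic requests, else {}.

    data is assumed to be the webhook event payload with 'body' and 'headers'.
    """
    body = data.get("body", "")
    if isinstance(body, str):
        body = body.encode("utf-8")
    headers = data.get("headers", {})
    # Reject before parsing: an unsigned or forged request never reaches json.loads.
    if not signature_is_valid(secret, body, headers.get("X-Hub-Signature")):
        return {}
    state = state_for_push(json.loads(body.decode("utf-8")))
    if state is None:
        return {}
    # Assumed reactor form: local.state.sls with target and state argument.
    return {"run_state": {"local.state.sls": [{"tgt": "*"}, {"arg": [state]}]}}
```

Any change to the body, including whitespace, invalidates the signature, so the check must run over the raw bytes rather than a re-serialised JSON document.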