feat: Add custom header options for webhook notification (#2044)

* feat: Add custom header options for webhook notification

* feat: Add `webhookBroadcastCustomHeaders` helm deploy values

* chore: Add `operator.webhookBroadcastCustomHeaders` option to helm README.md

* chore: mage generated helm README.md

Author: bunseokbot

deploy/helm/README.md

@@ -83,6 +83,7 @@ Keeps security report resources updated
 | operator.valuesFromSecret | string | `""` | valuesFromSecret name of a Secret to apply OPERATOR_* environment variables. Will override Helm AND ConfigMap values. |
 | operator.vulnerabilityScannerEnabled | bool | `true` | the flag to enable vulnerability scanner |
 | operator.vulnerabilityScannerScanOnlyCurrentRevisions | bool | `true` | vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment. |
+| operator.webhookBroadcastCustomHeaders | string | `""` | webhookBroadcastCustomHeaders the flag to set webhook endpoint sent with custom defined headers if webhookBroadcastURL is enabled |
 | operator.webhookBroadcastTimeout | string | `"30s"` | webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled |
 | operator.webhookBroadcastURL | string | `""` | webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled |
 | operator.webhookSendDeletedReports | bool | `false` | webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled |

deploy/helm/templates/configmaps/trivy-operator-config.yaml

@@ -37,6 +37,7 @@ data:
   OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: {{ .Values.operator.metricsClusterComplianceInfo | quote }}
   OPERATOR_WEBHOOK_BROADCAST_URL: {{ .Values.operator.webhookBroadcastURL | quote }}
   OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: {{ .Values.operator.webhookBroadcastTimeout | quote }}
+  OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: {{ .Values.operator.webhookBroadcastCustomHeaders | quote }}
   OPERATOR_SEND_DELETED_REPORTS: {{ .Values.operator.webhookSendDeletedReports | quote }}
   OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: {{ .Values.operator.privateRegistryScanSecretsNames | toJson | quote }}
   OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: {{ .Values.operator.accessGlobalSecretsAndServiceAccount | quote }}

deploy/helm/values.yaml

@@ -157,6 +157,9 @@ operator:
   # -- webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
   webhookBroadcastTimeout: 30s
 
+  # -- webhookBroadcastCustomHeaders the flag to set webhook endpoint sent with custom defined headers if webhookBroadcastURL is enabled
+  webhookBroadcastCustomHeaders: ""
+
   # -- webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled
   webhookSendDeletedReports: false
 

deploy/static/trivy-operator.yaml

@@ -3003,6 +3003,7 @@ data:
   OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false"
   OPERATOR_WEBHOOK_BROADCAST_URL: ""
   OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s"
+  OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: ""
   OPERATOR_SEND_DELETED_REPORTS: "false"
   OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}"
   OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true"

docs/getting-started/installation/configuration.md

@@ -11,6 +11,7 @@ You can enable the Webhook integration as follows:
 1. Required: Set `OPERATOR_WEBHOOK_BROADCAST_URL` to the webhook endpoint you'd like to send the reports to.
 2. Optional: Set `OPERATOR_WEBHOOK_BROADCAST_TIMEOUT` to a time limit that suites your use case. Default is `30s`.
 3. Optional: Set `OPERATOR_SEND_DELETED_REPORTS` to `true` to send webhook notifications when reports are deleted. Default is `false`.
+4. Optional: Set `OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS` to comma seperated `key:value` to send webhook notifications with custom headers. Default is ``
 
 The Webhook integration support the following reports types:
 

docs/tutorials/integrations/webhook.md

@@ -3,6 +3,7 @@ package etc
 import (
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -51,6 +52,7 @@ type Config struct {
 	ExposedSecretScannerEnabled                  bool           `env:"OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED" envDefault:"true"`
 	WebhookBroadcastURL                          string         `env:"OPERATOR_WEBHOOK_BROADCAST_URL"`
 	WebhookBroadcastTimeout                      *time.Duration `env:"OPERATOR_WEBHOOK_BROADCAST_TIMEOUT" envDefault:"30s"`
+	WebhookBroadcastCustomHeaders                string         `env:"OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS"`
 	WebhookSendDeletedReports                    bool           `env:"OPERATOR_SEND_DELETED_REPORTS" envDefault:"false"`
 	TargetWorkloads                              string         `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job"`
 	AccessGlobalSecretsAndServiceAccount         bool           `env:"OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS" envDefault:"true"`
@@ -103,6 +105,23 @@ func (c Config) GetPrivateRegistryScanSecretsNames() (map[string]string, error)
 	return secretsInfoMap, nil
 }
 
+func (c Config) GetWebhookBroadcastCustomHeaders() http.Header {
+	customHeaders := c.WebhookBroadcastCustomHeaders
+	headers := http.Header{}
+
+	if customHeaders != "" {
+		for _, header := range strings.Split(customHeaders, ",") {
+			s := strings.SplitN(header, ":", 2)
+			if len(s) != 2 {
+				continue
+			}
+			headers.Set(s[0], s[1])
+		}
+	}
+
+	return headers
+}
+
 func (c Config) GetTargetWorkloads() []string {
 	workloads := c.TargetWorkloads
 	if workloads != "" {

pkg/operator/etc/config.go

@@ -1,6 +1,7 @@
 package etc_test
 
 import (
+	"net/http"
 	"testing"
 
 	"github.com/aquasecurity/trivy-operator/pkg/operator/etc"
@@ -104,6 +105,35 @@ func TestOperator_ResolveInstallMode(t *testing.T) {
 	}
 }
 
+func TestOperator_GetWebhookBroadcastCustomHeaders(t *testing.T) {
+	testCases := []struct {
+		name                                  string
+		operator                              etc.Config
+		expectedWebhookBroadcastCustomHeaders http.Header
+	}{
+		{
+			name: "Should return single custom header",
+			operator: etc.Config{
+				WebhookBroadcastCustomHeaders: "x-api-key:trivy",
+			},
+			expectedWebhookBroadcastCustomHeaders: http.Header{"X-Api-Key": {"trivy"}},
+		},
+		{
+			name: "Should return multiple custom headers",
+			operator: etc.Config{
+				WebhookBroadcastCustomHeaders: "x-api-key:trivy,X-Api-User:trivy-operator,X-API-TOKEN:trivy-token",
+			},
+			expectedWebhookBroadcastCustomHeaders: http.Header{"X-Api-Key": {"trivy"}, "X-Api-User": {"trivy-operator"}, "X-Api-Token": {"trivy-token"}},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.expectedWebhookBroadcastCustomHeaders, tc.operator.GetWebhookBroadcastCustomHeaders())
+		})
+	}
+}
+
 func TestOperator_GetTargetWorkloads(t *testing.T) {
 	testCases := []struct {
 		name                    string

pkg/operator/etc/config_test.go

@@ -91,24 +91,35 @@ func (r *WebhookReconciler) reconcileReport(reportType client.Object) reconcile.
 			return ctrl.Result{}, nil
 		}
 
+		webhookBroadcastCustomHeaders := r.Config.GetWebhookBroadcastCustomHeaders()
+
 		if r.WebhookSendDeletedReports {
 			msg := WebhookMsg{OperatorObject: reportType, Verb: verb}
 
-			return ctrl.Result{}, sendReport(msg, r.WebhookBroadcastURL, *r.WebhookBroadcastTimeout)
+			return ctrl.Result{}, sendReport(msg, r.WebhookBroadcastURL, *r.WebhookBroadcastTimeout, webhookBroadcastCustomHeaders)
 		}
-		return ctrl.Result{}, sendReport(reportType, r.WebhookBroadcastURL, *r.WebhookBroadcastTimeout)
+		return ctrl.Result{}, sendReport(reportType, r.WebhookBroadcastURL, *r.WebhookBroadcastTimeout, webhookBroadcastCustomHeaders)
 	}
 }
 
-func sendReport[T any](reports T, endpoint string, timeout time.Duration) error {
+func sendReport[T any](reports T, endpoint string, timeout time.Duration, headerValues http.Header) error {
 	b, err := json.Marshal(reports)
 	if err != nil {
 		return fmt.Errorf("failed to marshal reports: %w", err)
 	}
 	hc := http.Client{
 		Timeout: timeout,
 	}
-	_, err = hc.Post(endpoint, "application/json", bytes.NewBuffer(b))
+
+	req, err := http.NewRequest("POST", endpoint, bytes.NewBuffer(b))
+	if err != nil {
+		return fmt.Errorf("failed to make a new request: %w", err)
+	}
+
+	headerValues.Set("Content-Type", "application/json")
+	req.Header = headerValues
+
+	_, err = hc.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to send reports to endpoint: %w", err)
 	}

pkg/webhook/webhookreporter.go

@@ -20,6 +20,7 @@ func Test_sendReports(t *testing.T) {
 		inputReport   any
 		timeout       time.Duration
 		expectedError string
+		headerValues  http.Header
 	}{
 		{
 			name: "happy path, vuln report data",
@@ -38,7 +39,8 @@ func Test_sendReports(t *testing.T) {
 					},
 				},
 			},
-			timeout: time.Hour,
+			timeout:      time.Hour,
+			headerValues: http.Header{},
 		},
 		{
 			name: "happy path, secret report data",
@@ -55,7 +57,8 @@ func Test_sendReports(t *testing.T) {
 					},
 				},
 			},
-			timeout: time.Hour,
+			timeout:      time.Hour,
+			headerValues: http.Header{},
 		},
 		{
 			name: "sad path, timeout occurs",
@@ -64,12 +67,14 @@ func Test_sendReports(t *testing.T) {
 			},
 			timeout:       time.Nanosecond,
 			expectedError: "context deadline exceeded (Client.Timeout exceeded while awaiting headers)",
+			headerValues:  http.Header{},
 		},
 		{
 			name:          "sad path, bad report",
 			inputReport:   math.Inf(1),
 			timeout:       time.Hour,
 			expectedError: `failed to marshal reports`,
+			headerValues:  http.Header{},
 		},
 	}
 
@@ -80,7 +85,7 @@ func Test_sendReports(t *testing.T) {
 				assert.JSONEq(t, tc.want, string(b))
 			}))
 			defer ts.Close()
-			gotError := sendReport(tc.inputReport, ts.URL, tc.timeout)
+			gotError := sendReport(tc.inputReport, ts.URL, tc.timeout, tc.headerValues)
 			switch {
 			case tc.expectedError != "":
 				assert.ErrorContains(t, gotError, tc.expectedError, tc.name)