Git Webhook Configuration

Overview

Argo CD polls Git repositories every three minutes to detect changes to the manifests. To eliminate this delay from polling, the API server can be configured to receive webhook events. Argo CD supports Git webhook notifications from GitHub, GitLab, Bitbucket, Bitbucket Server, Azure DevOps and Gogs. The following explains how to configure a Git webhook for GitHub, but the same process should be applicable to other providers.

Note

The webhook handler does not differentiate between branch events and tag events where the branch and tag names are the same. A hook event for a push to branch x will trigger a refresh for an app pointing at the same repo with targetRevision: refs/tags/x.

1. Create The WebHook In The Git Provider

In your Git provider, navigate to the settings page where webhooks can be configured. The payload URL configured in the Git provider should use the /api/webhook endpoint of your Argo CD instance (e.g. https://argocd.example.com/api/webhook). If you wish to use a shared secret, input an arbitrary value in the secret. This value will be used when configuring the webhook in the next step.

To prevent DDoS attacks with unauthenticated webhook events (the /api/webhook endpoint currently lacks rate limiting protection), it is recommended to limit the payload size. You can achieve this by configuring the argocd-cm ConfigMap with the webhook.maxPayloadSizeMB attribute. The default value is 1GB.

Github

Add Webhook

Note

When creating the webhook in GitHub, the “Content type” needs to be set to “application/json”. The default value “application/x-www-form-urlencoded” is not supported by the library used to handle the hooks

Azure DevOps

Add Webhook

Azure DevOps optionally supports securing the webhook using basic authentication. To use it, specify the username and password in the webhook configuration and configure the same username/password in argocd-secret Kubernetes secret in webhook.azuredevops.username and webhook.azuredevops.password keys.

2. Configure Argo CD With The WebHook Secret (Optional)

Configuring a webhook shared secret is optional, since Argo CD will still refresh applications related to the Git repository, even with unauthenticated webhook events. This is safe to do since the contents of webhook payloads are considered untrusted, and will only result in a refresh of the application (a process which already occurs at three-minute intervals). If Argo CD is publicly accessible, then configuring a webhook secret is recommended to prevent a DDoS attack.

In the argocd-secret kubernetes secret, configure one of the following keys with the Git provider’s webhook secret configured in step 1.

ProviderK8s Secret Key
GitHubwebhook.github.secret
GitLabwebhook.gitlab.secret
BitBucketwebhook.bitbucket.uuid
BitBucketServerwebhook.bitbucketserver.secret
Gogswebhook.gogs.secret
Azure DevOpswebhook.azuredevops.username
webhook.azuredevops.password

Edit the Argo CD kubernetes secret:

  1. kubectl edit secret argocd-secret -n argocd

TIP: for ease of entering secrets, kubernetes supports inputting secrets in the stringData field, which saves you the trouble of base64 encoding the values and copying it to the data field. Simply copy the shared webhook secret created in step 1, to the corresponding GitHub/GitLab/BitBucket key under the stringData field:

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4. name: argocd-secret
  5. namespace: argocd
  6. type: Opaque
  7. data:
  8. ...
  9. stringData:
  10. # github webhook secret
  11. webhook.github.secret: shhhh! it's a GitHub secret
  12. # gitlab webhook secret
  13. webhook.gitlab.secret: shhhh! it's a GitLab secret
  14. # bitbucket webhook secret
  15. webhook.bitbucket.uuid: your-bitbucket-uuid
  16. # bitbucket server webhook secret
  17. webhook.bitbucketserver.secret: shhhh! it's a Bitbucket server secret
  18. # gogs server webhook secret
  19. webhook.gogs.secret: shhhh! it's a gogs server secret
  20. # azuredevops username and password
  21. webhook.azuredevops.username: admin
  22. webhook.azuredevops.password: secret-password

After saving, the changes should take effect automatically.