feat(webhook): add webhook support for harbor (#27810)

[adityaraj178]

Closes: #27810

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

✅ Preview Environment deployed on Bunnyshell

Component	Endpoints
argocd	https://argocd-pcg2vl.bunnyenv.com/
argocd-ttyd	https://argocd-web-cli-pcg2vl.bunnyenv.com/

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔴 /bns:stop to stop the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.26%. Comparing base (662302f) to head (f8e77d1).
⚠️ Report is 17 commits behind head on master.

Files with missing lines	Patch %	Lines
util/webhook/harbor.go	89.47%	2 Missing and 2 partials ⚠️
util/settings/settings.go	33.33%	2 Missing ⚠️
util/webhook/registry.go	66.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #27884      +/-   ##
==========================================
+ Coverage   64.06%   64.26%   +0.20%     
==========================================
  Files         422      423       +1     
  Lines       57822    57895      +73     
==========================================
+ Hits        37043    37206     +163     
+ Misses      17296    17180     -116     
- Partials     3483     3509      +26     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nitishfy]

Suggested change

	return r.Header.Get("Authorization") == p.secret
	return subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(p.secret)) == 1

[nitishfy]

This is cruicial information. This means if anyone captures the header value once can forget events indefinitely which further means it's weaker than GHCR's HMAC signing. Can you provide recommended methods here for users to prevent this such as rotating the secret periodically, terminate TLS etc.?

[nitishfy]

these changes doesn't look specific to harbor. I want to see this in a separate PR for a good discussion there.

[adityaraj178]

Hii @nitishfy
Without this fix, Harbor webhook support is broken. In Harbor users actually configure [repoURL = registry/project]+ [chart = chartname] in practice

[nitishfy]

Rather than stripping all this by ourselves, can't we use the net/url package here for parsing?

[adityaraj178]

net/url approach requires a hasScheme helper which will be prepending a dummy scheme because Harbor's resource_url often omits the scheme (e.g. "hub.harbor.com/test-webhook/debian:latest"). The result will be more code and less readable than now i guess.
Happy to change it if you still prefer net/url.

[nitishfy]

Left some comments, PTAL.

Also, please share a recording of this feature in the PR description itself.