docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve webhook management docs for DTR (#8794) 

* Improve webhook management docs

UI and API updates

Final updates

Fix link to event types

Standardize word usage

Remove old page

Add clarification of webhook scope

* Incorporate feedback
This commit is contained in:
Maria Bermudez 2019-05-24 16:44:23 -07:00 committed by GitHub
parent f6889dc48d
commit a8c690c647
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 413 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
_data/toc.yaml
View File

@ -2299,8 +2299,14 @@ manuals:
path: /ee/dtr/user/audit-repository-events/
- title: Auto-delete repository events
path: /ee/dtr/admin/configure/auto-delete-repo-events/
- path: /ee/dtr/user/create-and-manage-webhooks/
title: Create and manage webhooks
- sectiontitle: Manage webhooks
section:
- title: Create and manage webhooks
path: /ee/dtr/admin/manage-webhooks/
- title: Use the web interface
path: /ee/dtr/admin/manage-webhooks/use-the-web-ui
- title: Use the API
path: /ee/dtr/admin/manage-webhooks/use-the-api
- title: Manage access tokens
path: /ee/dtr/user/access-tokens/
- title: Tag pruning

4
ee/dtr/admin/configure/auto-delete-repo-events.md
View File

@ -10,9 +10,9 @@ Docker Trusted Registry has a global setting for repository event auto-deletion.
## Steps
1. In your browser, navigate to `https://<dtr-url>` and log in with your UCP credentials.
1. In your browser, navigate to `https://<dtr-url>` and log in with your admin credentials.
2. Select **System** on the left navigation pane which will display the **Settings** page by default.
2. Select **System** from the left navigation pane which displays the **Settings** page by default.
3. Scroll down to **Repository Events** and turn on ***Auto-Deletion***.

36
ee/dtr/admin/manage-webhooks/index.md Normal file
View File

@ -0,0 +1,36 @@
---
title: Manage webhooks
description: Learn how to create, configure, and test webhooks in Docker Trusted Registry.
keywords: registry, webhooks
redirect_from:
- /datacenter/dtr/2.5/guides/user/create-and-manage-webhooks/
- /ee/dtr/user/create-and-manage-webhooks/
---
You can configure DTR to automatically post event notifications to a webhook URL of your choosing. This lets you build complex CI and CD pipelines with your Docker images. The following is a complete list of event types you can trigger webhook notifications for via the [web interface](use-the-web-ui) or the [API](use-the-API).
## Webhook types
| Event Type | Scope | Access Level | Availability |
| --------------------------------------- | ----------------------- | ---------------- | ------------ |
| Tag pushed to repository (`TAG_PUSH`) | Individual repositories | Repository admin | Web UI & API |
| Tag pulled from repository (`TAG_PULL`) | Individual repositories | Repository admin | Web UI & API |
| Tag deleted from repository (`TAG_DELETE`) | Individual repositories | Repository admin | Web UI & API |
| Manifest pushed to repository (`MANIFEST_PUSH`) | Individual repositories | Repository admin | Web UI & API |
| Manifest pulled from repository (`MANIFEST_PULL`) | Individual repositories | Repository admin | Web UI & API |
| Manifest deleted from repository (`MANIFEST_DELETE`) | Individual repositories | Repository admin | Web UI & API |
| Security scan completed (`SCAN_COMPLETED`) | Individual repositories | Repository admin | Web UI & API |
| Security scan failed (`SCAN_FAILED`) | Individual repositories | Repository admin | Web UI & API |
| Image promoted from repository (`PROMOTION`) | Individual repositories | Repository admin | Web UI & API |
| Image mirrored from repository (`PUSH_MIRRORING`) | Individual repositories | Repository admin | Web UI & API |
| Image mirrored from remote repository (`POLL_MIRRORING`) | Individual repositories | Repository admin | Web UI & API |
| Repository created, updated, or deleted (`REPO_CREATED`, `REPO_UPDATED`, and `REPO_DELETED`) | Namespaces / Organizations | Namespace / Org owners | API Only |
| Security scanner update completed (`SCANNER_UPDATE_COMPLETED`) | Global | DTR admin | API only |
You must have admin privileges to a repository or namespace in order to
subscribe to its webhook events. For example, a user must be an admin of repository "foo/bar" to subscribe to its tag push events. A DTR admin can subscribe to any event.
## Where to go next
- [Manage webhooks via the web interface](use-the-web-ui)
- [Manage webhooks via the the API](use-the-api)

311
ee/dtr/admin/manage-webhooks/use-the-api.md Normal file
View File

@ -0,0 +1,311 @@
---
title: Manage webhooks via the API
description: Learn how to create, configure, and test webhooks for DTR using the API.
keywords: dtr, webhooks, api, registry
---
## Prerequisite
See [Event types for webhooks](/ee/dtr/admin/manage-webhooks/index.md/#event-types-for-webhooks) for a complete list of event types you can trigger notifications for via the API.
## API Base URL
Your DTR hostname serves as the base URL for your API requests.
## Swagger API explorer
From the DTR web interface, click **API** on the bottom left navigation pane to explore the API resources and endpoints. Click **Execute** to send your API request.
## API requests via curl
You can use [curl](https://curl.haxx.se/docs/manpage.html) to send HTTP or HTTPS API requests. Note that you will have to specify `skipTLSVerification: true` on your request in order to test the webhook endpoint over HTTP.
### Example curl request
```bash
curl -u test-user:$TOKEN -X POST "https://dtr-example.com/api/v0/webhooks" -H "accept: application/json" -H "content-type: application/json" -d "{ \"endpoint\": \"https://webhook.site/441b1584-949d-4608-a7f3-f240bdd31019\", \"key\": \"maria-testorg/lab-words\", \"skipTLSVerification\": true, \"type\": \"TAG_PULL\"}"
```
### Example JSON response
```json
{
"id": "b7bf702c31601efb4796da59900ddc1b7c72eb8ca80fdfb1b9fecdbad5418155",
"type": "TAG_PULL",
"key": "maria-testorg/lab-words",
"endpoint": "https://webhook.site/441b1584-949d-4608-a7f3-f240bdd31019",
"authorID": "194efd8e-9ee6-4d43-a34b-eefd9ce39087",
"createdAt": "2019-05-22T01:55:20.471286995Z",
"lastSuccessfulAt": "0001-01-01T00:00:00Z",
"inactive": false,
"tlsCert": "",
"skipTLSVerification": true
}
```
## Subscribe to events
To subscribe to events, send a `POST` request to
`/api/v0/webhooks` with the following JSON payload:
### Example usage
```
{
"type": "TAG_PUSH",
"key": "foo/bar",
"endpoint": "https://example.com"
}
```
The keys in the payload are:
- `type`: The event type to subcribe to.
- `key`: The namespace/organization or repo to subscribe to. For example, "foo/bar" to subscribe to
pushes to the "bar" repository within the namespace/organization "foo".
- `endpoint`: The URL to send the JSON payload to.
Normal users **must** supply a "key" to scope a particular webhook event to
a repository or a namespace/organization. DTR admins can choose to omit this,
meaning a POST event notification of your specified type will be sent for all DTR repositories and namespaces.
### Receive a payload
Whenever your specified event type occurs, DTR will send a POST request to the given
endpoint with a JSON-encoded payload. The payload will always have the
following wrapper:
```
{
"type": "...",
"createdAt": "2012-04-23T18:25:43.511Z",
"contents": {...}
}
```
- `type` refers to the event type received at the specified subscription endpoint.
- `contents` refers to the payload of the event itself. Each event is different, therefore the
structure of the JSON object in `contents` will change depending on the event
type. See [Content structure](#content-structure) for more details.
### Test payload subscriptions
Before subscribing to an event, you can view and test your endpoints using
fake data. To send a test payload, send `POST` request to
`/api/v0/webhooks/test` with the following payload:
```
{
"type": "...",
"endpoint": "https://www.example.com/"
}
```
Change `type` to the event type that you want to receive. DTR will then send
an example payload to your specified endpoint. The example
payload sent is always the same.
## Content structure
Comments after (`//`) are for informational purposes only, and the example payloads have been clipped for brevity.
### Repository event content structure
**Tag push**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"tag": "", // (string) the name of the tag just pushed
"digest": "", // (string) sha256 digest of the manifest the tag points to (eg. "sha256:0afb...")
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar:tag)
"os": "", // (string) the OS for the tag's manifest
"architecture": "", // (string) the architecture for the tag's manifest
"author": "", // (string) the username of the person who pushed the tag
"pushedAt": "", // (string) JSON-encoded timestamp of when the push occurred
...
}
```
**Tag delete**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"tag": "", // (string) the name of the tag just deleted
"digest": "", // (string) sha256 digest of the manifest the tag points to (eg. "sha256:0afb...")
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar:tag)
"os": "", // (string) the OS for the tag's manifest
"architecture": "", // (string) the architecture for the tag's manifest
"author": "", // (string) the username of the person who deleted the tag
"deletedAt": "", // (string) JSON-encoded timestamp of when the delete occurred
...
}
```
**Manifest push**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"digest": "", // (string) sha256 digest of the manifest (eg. "sha256:0afb...")
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar@sha256:0afb...)
"os": "", // (string) the OS for the manifest
"architecture": "", // (string) the architecture for the manifest
"author": "", // (string) the username of the person who pushed the manifest
...
}
```
**Manifest delete**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"digest": "", // (string) sha256 digest of the manifest (eg. "sha256:0afb...")
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar@sha256:0afb...)
"os": "", // (string) the OS for the manifest
"architecture": "", // (string) the architecture for the manifest
"author": "", // (string) the username of the person who deleted the manifest
"deletedAt": "", // (string) JSON-encoded timestamp of when the delete occurred
...
}
```
**Security scan completed**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"tag": "", // (string) the name of the tag scanned
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar:tag)
"scanSummary": {
"namespace": "", // (string) repository's namespace/organization name
"repository": "", // (string) repository name
"tag": "", // (string) the name of the tag just pushed
"critical": 0, // (int) number of critical issues, where CVSS >= 7.0
"major": 0, // (int) number of major issues, where CVSS >= 4.0 && CVSS < 7
"minor": 0, // (int) number of minor issues, where CVSS > 0 && CVSS < 4.0
"last_scan_status": 0, // (int) enum; see scan status section
"check_completed_at": "", // (string) JSON-encoded timestamp of when the scan completed
...
}
}
```
**Security scan failed**
```
{
"namespace": "", // (string) namespace/organization for the repository
"repository": "", // (string) repository name
"tag": "", // (string) the name of the tag scanned
"imageName": "", // (string) the fully-qualified image name including DTR host used to pull the image (eg. 10.10.10.1/foo/bar@sha256:0afb...)
"error": "", // (string) the error that occurred while scanning
...
}
```
### Namespace-specific event structure
**Repository event (created/updated/deleted)**
```
{
"namespace": "", // (string) repository's namespace/organization name
"repository": "", // (string) repository name
"event": "", // (string) enum: "REPO_CREATED", "REPO_DELETED" or "REPO_UPDATED"
"author": "", // (string) the name of the user responsible for the event
"data": {} // (object) when updating or creating a repo this follows the same format as an API response from /api/v0/repositories/{namespace}/{repository}
}
```
### Global event structure
**Security scanner update complete**
```
{
"scanner_version": "",
"scanner_updated_at": "", // (string) JSON-encoded timestamp of when the scanner updated
"db_version": 0, // (int) newly updated database version
"db_updated_at": "", // (string) JSON-encoded timestamp of when the database updated
"success": <true|false> // (bool) whether the update was successful
"replicas": { // (object) a map keyed by replica ID containing update information for each replica
"replica_id": {
"db_updated_at": "", // (string) JSON-encoded time of when the replica updated
"version": "", // (string) version updated to
"replica_id": "" // (string) replica ID
},
...
}
}
```
### Security scan status codes
- 0: **Failed**. An error occurred checking an image's layer
- 1: **Unscanned**. The image has not yet been scanned
- 2: **Scanning**. Scanning in progress
- 3: **Pending**: The image will be scanned when a worker is available
- 4: **Scanned**: The image has been scanned but vulnerabilities have not yet been checked
- 5: **Checking**: The image is being checked for vulnerabilities
- 6: **Completed**: The image has been fully security scanned
## View and manage existing subscriptions
### View all subscriptions
To view existing subscriptions, send a `GET` request to `/api/v0/webhooks`. As
a normal user (i.e. not a DTR admin), this will show all of your
current subscriptions across every namespace/organization and repository. As a DTR
admin, this will show **every** webhook configured for your DTR.
The API response will be in the following format:
```
[
{
"id": "", // (string): UUID of the webhook subscription
"type": "", // (string): webhook event type
"key": "", // (string): the individual resource this subscription is scoped to
"endpoint": "", // (string): the endpoint to send POST event notifications to
"authorID": "", // (string): the user ID resposible for creating the subscription
"createdAt": "", // (string): JSON-encoded datetime when the subscription was created
},
...
]
```
For more information, [view the API documentation](/reference/dtr/{{site.dtr_version}}/api/).
### View subscriptions for a particular resource
You can also view subscriptions for a given resource that you are an
admin of. For example, if you have admin rights to the repository
"foo/bar", you can view all subscriptions (even other people's) from a
particular API endpoint. These endpoints are:
- `GET /api/v0/repositories/{namespace}/{repository}/webhooks`: View all
webhook subscriptions for a repository
- `GET /api/v0/repositories/{namespace}/webhooks`: View all webhook subscriptions for a
namespace/organization
### Delete a subscription
To delete a webhook subscription, send a `DELETE` request to
`/api/v0/webhooks/{id}`, replacing `{id}` with the webhook subscription ID
which you would like to delete.
Only a DTR admin or an admin for the resource with the event subscription can delete a subscription. As a normal user, you can only
delete subscriptions for repositories which you manage.
## Where to go next
- [Create promotion policies](promotion-policies/index.md)

54
ee/dtr/admin/manage-webhooks/use-the-web-ui.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Manage repository webhooks via the web interface
description: Learn how to create, configure, and test repository webhooks for DTR using the web interface.
keywords: dtr, webhooks, ui, web interface, registry
---
## Prerequisites
- You must have admin privileges to the repository in order to create a webhook.
- See [Event types](/ee/dtr/admin/manage-webhooks/index.md/#event-types-for-webhooks) for a complete list of event types you can trigger notifications for using the web interface.
## Create a webhook for your repository
1. In your browser, navigate to `https://<dtr-url>` and log in with your credentials.
2. Select **Repositories** from the left navigation pane, and then click on the name of the repository that you want to view. Note that you will have to click on the repository name following the `/` after the specific namespace for your repository.
3. Select the **Webhooks** tab, and click **New Webhook**.
![](/ee/dtr/images/manage-webhooks-1.png){: .with-border}
4. From the drop-down list, select the event that will trigger the webhook.
5. Set the URL which will receive the JSON payload. Click **Test** next to the **Webhook URL** field, so that you can validate that the integration is working. At your specified URL, you should receive a JSON payload for your chosen event type notification.
```json
{
"type": "TAG_PUSH",
"createdAt": "2019-05-15T19:39:40.607337713Z",
"contents": {
"namespace": "foo",
"repository": "bar",
"tag": "latest",
"digest": "sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
"imageName": "foo/bar:latest",
"os": "linux",
"architecture": "amd64",
"author": "",
"pushedAt": "2015-01-02T15:04:05Z"
},
"location": "/repositories/foo/bar/tags/latest"
}
```
6. Expand "Show advanced settings" to paste the TLS certificate associated with your webhook URL. For testing purposes, you can test over HTTP instead of HTTPS.
7. Click **Create** to save. Once saved, your webhook is active and starts sending POST notifications whenever your chosen event type is triggered.
![](/ee/dtr/images/manage-webhooks-2.png){: .with-border}
As a repository admin, you can add or delete a webhook at any point. Additionally, you can create, view, and delete webhooks for your organization or trusted registry [using the API](use-the-api).
## Where to go next
- [Manage webhooks via the API](use-the-api)

BIN
ee/dtr/images/manage-webhooks-1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 266 KiB

After

Width:  |  Height:  |  Size: 45 KiB

BIN
ee/dtr/images/manage-webhooks-2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 267 KiB

After

Width:  |  Height:  |  Size: 34 KiB

4
ee/dtr/user/audit-repository-events.md
View File

@ -13,9 +13,9 @@ In the following section, we will show you how to view and audit the list of eve
## View List of Events
As of DTR 2.3, admins were able to view a list of DTR events [using the API](/datacenter/dtr/2.3/reference/api/#!/events/GetEvents). DTR 2.6 enhances that feature by showing a permission-based events list for each repository page on the web interface. To view the list of events within a repository, do the following:
1. Navigate to `https://<dtr-url>` and log in with your UCP credentials.
1. Navigate to `https://<dtr-url>` and log in with your DTR credentials.
2. Select **Repositories** on the left navigation pane, and then click on the name of the repository that you want to view. Note that you will have to click on the repository name following the `/` after the specific namespace for your repository.
2. Select **Repositories** from the left navigation pane, and then click on the name of the repository that you want to view. Note that you will have to click on the repository name following the `/` after the specific namespace for your repository.
3. Select the **Activity** tab. You should see a paginated list of the latest events based on your repository permission level. By default, **Activity** shows the latest `10` events and excludes pull events, which are only visible to repository and DTR admins.
* If you're a repository or a DTR admin, uncheck "Exclude pull" to view pull events. This should give you a better understanding of who is consuming your images.

50
ee/dtr/user/create-and-manage-webhooks.md
View File

@ -1,50 +0,0 @@
---
title: Manage webhooks
description: Learn how to create, configure, and test webhooks in Docker Trusted Registry.
keywords: registry, webhooks
redirect_from:
- /datacenter/dtr/2.5/guides/user/create-and-manage-webhooks/
---
DTR has webhooks so that you can run custom logic when an event happens. This
lets you build complex CI and CD pipelines with your Docker images.
## Create a webhook
To create a webhook, navigate to the **repository details** page, choose
the **Webhooks** tab, and click **New Webhook**.
![](../images/manage-webhooks-1.png){: .with-border}
Select the event that will trigger the webhook, and set the URL to send
information about the event. Once everything is set up, click **Test** for
DTR to send a JSON payload to the URL you set up, so that you can validate
that the integration is working. You'll get an event that looks like this:
```json
{
"contents": {
"architecture": "amd64",
"author": "",
"digest": "sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
"imageName": "example.com/foo/bar:latest",
"namespace": "foo",
"os": "linux",
"pushedAt": "2015-01-02T15:04:05Z",
"repository": "bar",
"tag": "latest"
},
"createdAt": "2017-06-20T01:29:53.046620425Z",
"location": "/repositories/foo/bar/tags/latest",
"type": "TAG_PUSH"
}
```
Once you save, your webhook is active and starts sending notifications when
the event is triggered.
![](../images/manage-webhooks-2.png){: .with-border}
## Where to go next
* [Create promotion policies](promotion-policies/index.md)