Integration between OpenShift and Quay (#3)

* Integration between OpenShift and Quay

* Updated based on ClusterRoles for OCP 4

Author: sabre1041

.gitignore

@@ -0,0 +1 @@
+node_modules/

README.md

@@ -9,3 +9,4 @@ This repository provides small software solutions for providing linkage and inte
 - [ansible-tower-bridges/github-webhook](ansible-tower-bridges/github-webhook) provides a bridge interfa
 ce between GitHub webhooks and Ansible Tower API job launch requests.
 - [argo-cd-bridges/gitlab](argo-cd-bridges/gitlab) provides a bridge interface between GitLab and Application resources in an Argo CD instance
+- [quay/imagestream-sync](quay/imagestream-sync) synchronizes ImageStreams referencing images from Quay using Quay notification based webhooks

quay/imagestream-sync/README.md

@@ -0,0 +1,91 @@
+# quay/imagestream-sync
+
+This implementation is used to synchronize images that are stored in [Quay](https://coreos.com/quay-enterprise/) and are referenced as ImageStreams within the OpenShift Container Platform from [Quay notifications](https://docs.quay.io/guides/notifications.html).
+
+
+## Requirements
+
+Although this can be run as a regular/standalone `node.js` app, it is recommended that this gets deployed on an OpenShift Container Platform for ease of maintenance. A minimum of NodeJS version 8 is required.
+
+## Configuration Options
+
+The following configuration items tune and control the behavior of the application.
+
+| Variable | Description | Defaults |
+|:---------|:------------|:---------|
+| HTTP_PORT | The http port for the application to listen on | 8080 |
+| HTTPS_PORT | The httpd (SSL) port for the application listen on (choose this or HTTP_PORT above) | 8443 |
+| HTTPS_SSL_CERTIFICATE | When HTTPS_PORT above is used, specify the certificate here | |
+| HTTPS_SSL_KEY | When the HTTPS_PORT above is used, specify the certificate key here | |
+| TOKEN_FILE | Location of a file containing the contents of an OAuth token to authenticate to the OpenShift API | `/var/run/secrets/kubernetes.io/serviceaccount/token` |
+| CA_FILE | Location of the certificate to communicate securely with the OpenShift API | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` |
+| AUTH_TOKEN | Value of the token used to communicate with the OpenShift API | |
+| MASTER_URL | Address of the OpenShift Master  | `https://kubernetes.default.svc:443` |
+| TLS_INSECURE | Allow insecure communication to the OpenShift API  | `false` |
+| NAMESPACE | Single namespace to allow image synchronization (defaults to entire cluster)  | |
+
+## Running in OpenShift
+
+### Prerequisites
+
+This application makes queries to the OpenShift API. The service account associated with the application must have sufficient rights to query for ImageStreams either at a cluster scope or namespace scope.
+
+The following command can be added to grant access to a service account at a cluster level using the included `registry-editor` ClusterRole.
+
+```
+$ oc adm policy add-cluster-role-to-user registry-editor -z <service-account>
+```
+
+To limit to a single namespace, the following command can be used:
+
+```
+$ oc project <namespace>
+$ oc policy add-role-to-user registry-editor -z <service-account>
+```
+
+### Application Deployment
+
+The `oc new-app` command in combination with `oc expose` command can be used to deploy the application:
+
+```
+$ oc new-app --name=quay-imagestream-sync openshift/nodejs:8~https://github.com/redhat-cop/tool-integrations.git --context-dir=quay/imagestream-sync
+$ oc expose service quay-imagestream-sync
+```
+
+Then add the environment variables below, and add a github webhook (with the `route` url) to test it out.
+
+## Quay Configuration
+
+The final step is to configure Quay to send webhook notifications to the application deployed in OpenShift. 
+
+First, obtain the url of the application previously deployed.
+
+```
+$ oc get routes quay-imagestream-sync --template='{{ .spec.host }}'
+```
+
+Login to quay and locate the repository associated with the image that has been previously configured in OpenShift. 
+
+Click on **Settings** and then **Create Notification**
+
+Under _When this event occurs_ dropdown, select **Push to Repository**.
+
+Under _Then issue a Notification_ dropdown, select **Webhook POST**
+
+Enter the URL of the webhook based on the result from the route found previously (such as `http://quay-imagestream-sync.myproject.apps.ocp.example.com`)
+
+Optionally, provide a _Notification title_ to easily identify the webhook.
+
+Select **Create Notification**
+
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+Red Hat Community of Practice

quay/imagestream-sync/index.js

@@ -0,0 +1,64 @@
+
+const http = require('http');
+const https = require('https');
+const fs = require('fs');
+var express = require('express');
+var cors = require('cors');
+var app = express();
+var bodyParser = require('body-parser');
+var sync = require('./lib/sync');
+
+const httpPort = process.env.HTTP_PORT || 8080;
+const httpsPort = process.env.HTTPS_PORT || 8443;
+const httpsSSLKey = process.env.HTTPS_SSL_KEY || '';
+const httpsSSLCert = process.env.HTTPS_SSL_CERTIFICATE || '';
+
+
+app.use(cors());
+app.use(bodyParser.urlencoded({ extended: true }));
+app.use(bodyParser.json());
+
+app.post('/', function (req, res) {
+
+	if("docker_url" in req.body && "updated_tags" in req.body) {
+
+		if(req.body.updated_tags instanceof Array) {
+
+			sync.syncImageStreams(req.body, function(err, response){
+
+				if(err) {
+					res.status(500).send(err);
+				}
+				else {
+					res.status(200).send(response);
+				}
+		
+			});
+		}
+		else {
+			console.info("Request does not contain a list of updated tags");
+			res.status(204).send();
+		}
+	}
+	else {
+		res.status(400).send();
+	}
+
+});
+
+if (httpsSSLCert.trim() && httpsSSLKey.trim()) { // Secure
+	const options = {
+		  key: fs.readFileSync(httpsSSLKey),
+		  cert: fs.readFileSync(httpsSSLCert)
+	};
+
+	https.createServer(options, app).listen(httpsPort, function () {
+		console.log('Listening on https://localhost:' + httpsPort);
+	});
+}
+else { 	// non-Secure
+	http.createServer(app).listen(httpPort, function() {
+		console.log('Listening on UNSECURE http://localhost:' + httpPort);
+	});
+}
+