Alauda DevOps Pipelines Docs
  • English

    • Get the PAC Webhook URL

    The PAC controller receives webhook events from Git providers through the pipelines-as-code-controller Service. This page shows how to query the webhook URL after an administrator exposes that Service.

    Examples use the default PAC namespace tekton-pipelines. If your OpenShiftPipelinesAsCode CR uses a different targetNamespace, replace tekton-pipelines in the commands.

    The main sections below follow the same order as Configure Access: Gateway API, Ingress, and NodePort. Use the section that matches how PAC was exposed.

    TOC

    Using Gateway APIUsing IngressUsing NodePortVerificationNext steps

    Using Gateway API

    Use this section if PAC was exposed with Gateway API.

    Step 1: Check Gateway API resources. Confirm the Gateway is programmed and the route is accepted:

    kubectl get gateway pipelines-as-code -n tekton-pipelines
kubectl get httproute pipelines-as-code -n tekton-pipelines

    Expected result: the Gateway shows PROGRAMMED=True, and the HTTPRoute is accepted.

    Step 2: Get the external address. Print the generated Envoy Service and its external IP:

    kubectl get svc -A \
  -l gateway.envoyproxy.io/owning-gateway-name=pipelines-as-code,gateway.envoyproxy.io/owning-gateway-namespace=tekton-pipelines

EXTERNAL_IP=$(kubectl get svc -A \
  -l gateway.envoyproxy.io/owning-gateway-name=pipelines-as-code,gateway.envoyproxy.io/owning-gateway-namespace=tekton-pipelines \
  -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')

echo "${EXTERNAL_IP}"

    Expected result: EXTERNAL_IP is not empty.

    If EXTERNAL_IP is empty, configure the cluster LoadBalancer provider first. On ACP bare-metal clusters, use Alauda Container Platform Load Balancer for MetalLB. Reference: Configure MetalLB.

    Step 3: Verify and get the webhook URL. Make sure the Git provider can resolve and access the PAC domain. For example, resolve pac.example.com to the Service EXTERNAL_IP from the Git provider network.

    If DNS is not ready yet, or you only want to test the route from your current machine, use curl --resolve:

    curl -i --resolve "pac.example.com:80:${EXTERNAL_IP}" http://pac.example.com/

    After the domain is reachable from the Git provider network, print the URL:

    echo "WEBHOOK_URL=http://pac.example.com"

    Register this URL in the Git provider or enter it when tkn pac create repo prompts for a webhook URL.

    Do not register the raw IP unless the Gateway listener hostname and HTTPRoute hostnames were removed from the exposure manifest.

    If the Gateway was configured with envoyService.type: NodePort, print the IP-based webhook URL:

    NODEPORT=$(kubectl get svc -A \
  -l gateway.envoyproxy.io/owning-gateway-name=pipelines-as-code,gateway.envoyproxy.io/owning-gateway-namespace=tekton-pipelines \
  -o jsonpath='{.items[0].spec.ports[?(@.port==80)].nodePort}')

NODE_IP=$(kubectl get nodes \
  -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')

echo "WEBHOOK_URL=http://${NODE_IP}:${NODEPORT}"

    Using Ingress

    Use this section if PAC was exposed with an Ingress.

    Step 1: Check the Ingress address.

    kubectl get ingress pipelines-as-code -n tekton-pipelines

    Step 2: Get the webhook URL. If the Ingress has a host, print the URL:

    HOST=$(kubectl get ingress pipelines-as-code -n tekton-pipelines \
  -o jsonpath='{.spec.rules[0].host}')

echo "WEBHOOK_URL=http://${HOST}"

    Use https://${HOST} instead if the Ingress has TLS configured:

    echo "WEBHOOK_URL=https://${HOST}"

    If the Ingress is hostless, use the address shown by kubectl get ingress and register the reachable IP URL.

    Using NodePort

    Use this section if PAC was exposed with a dedicated NodePort Service. Print the URL from a reachable node IP and the generated NodePort:

    NODEPORT=$(kubectl get svc pipelines-as-code-controller-nodeport -n tekton-pipelines \
  -o jsonpath='{.spec.ports[?(@.name=="http-listener")].nodePort}')

NODE_IP=$(kubectl get nodes \
  -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')

echo "WEBHOOK_URL=http://${NODE_IP}:${NODEPORT}"

    Verification

    The webhook URL must be reachable from your Git provider. For a public Git provider, the URL must be publicly reachable. For a self-hosted Git provider, network reachability from the provider host to the cluster is enough.

    Run a quick check from a host that can reach the PAC endpoint:

    WEBHOOK_URL="http://pac.example.com"
curl -i "${WEBHOOK_URL}"

    In current PAC versions, GET / returns 200 OK with a small JSON status body. A connection refused or timeout indicates a network issue.

    Next steps