Status

Table of Contents

Webhook Processing Architecture

This document illustrates how the Blueberry IDP processes webhooks from various sources including GitLab, GitHub, and custom integrations.

Webhook Processing Overview

graph TB subgraph "Webhook Sources" GITLAB[GitLab
CI/CD Webhooks] GITHUB[GitHub
Actions Webhooks] ARGOCD[ArgoCD
Sync Notifications] CUSTOM[Custom
Integrations] end subgraph "Ingress Layer" LB[Load Balancer
SSL Termination] INGRESS[Ingress Controller
Routing] RATE_LIMIT[Rate Limiting
& DDoS Protection] end subgraph "Webhook Endpoints" GITLAB_ENDPOINT[/api/webhooks/gitlab/pipeline] GITHUB_ENDPOINT[/api/webhooks/github] ARGOCD_ENDPOINT[/api/webhooks/argocd] GENERIC_ENDPOINT[/api/webhooks/generic] ENV_ENDPOINT[/api/webhooks/environment/event] end subgraph "Processing Pipeline" AUTH_VALIDATE[Authentication
& Validation] SIGNATURE_CHECK[Signature
Verification] PAYLOAD_PARSE[Payload
Parsing] EVENT_ROUTER[Event
Router] end subgraph "Event Handlers" ENV_HANDLER[Environment
Handler] NOTIFICATION_HANDLER[Notification
Handler] STATUS_HANDLER[Status Update
Handler] CUSTOM_HANDLER[Custom
Handler] end subgraph "Actions & Side Effects" CREATE_ENV[Create
Environment] UPDATE_STATUS[Update
Status] SEND_NOTIFICATION[Send
Notification] TRIGGER_CLEANUP[Trigger
Cleanup] LOG_EVENT[Log
Event] end %% Webhook flow GITLAB --> LB GITHUB --> LB ARGOCD --> LB CUSTOM --> LB LB --> INGRESS INGRESS --> RATE_LIMIT RATE_LIMIT --> GITLAB_ENDPOINT RATE_LIMIT --> GITHUB_ENDPOINT RATE_LIMIT --> ARGOCD_ENDPOINT RATE_LIMIT --> GENERIC_ENDPOINT RATE_LIMIT --> ENV_ENDPOINT %% Processing pipeline GITLAB_ENDPOINT --> AUTH_VALIDATE GITHUB_ENDPOINT --> AUTH_VALIDATE ARGOCD_ENDPOINT --> AUTH_VALIDATE GENERIC_ENDPOINT --> AUTH_VALIDATE ENV_ENDPOINT --> AUTH_VALIDATE AUTH_VALIDATE --> SIGNATURE_CHECK SIGNATURE_CHECK --> PAYLOAD_PARSE PAYLOAD_PARSE --> EVENT_ROUTER %% Event routing EVENT_ROUTER --> ENV_HANDLER EVENT_ROUTER --> NOTIFICATION_HANDLER EVENT_ROUTER --> STATUS_HANDLER EVENT_ROUTER --> CUSTOM_HANDLER %% Actions ENV_HANDLER --> CREATE_ENV ENV_HANDLER --> UPDATE_STATUS STATUS_HANDLER --> UPDATE_STATUS NOTIFICATION_HANDLER --> SEND_NOTIFICATION CUSTOM_HANDLER --> TRIGGER_CLEANUP %% All handlers log events ENV_HANDLER --> LOG_EVENT NOTIFICATION_HANDLER --> LOG_EVENT STATUS_HANDLER --> LOG_EVENT CUSTOM_HANDLER --> LOG_EVENT classDef source fill:#e3f2fd,stroke:#1976d2,stroke-width:2px classDef ingress fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef endpoint fill:#e8f5e9,stroke:#388e3c,stroke-width:2px classDef process fill:#fce4ec,stroke:#c2185b,stroke-width:2px classDef handler fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef action fill:#e0f2f1,stroke:#00695c,stroke-width:2px class GITLAB,GITHUB,ARGOCD,CUSTOM source class LB,INGRESS,RATE_LIMIT ingress class GITLAB_ENDPOINT,GITHUB_ENDPOINT,ARGOCD_ENDPOINT,GENERIC_ENDPOINT,ENV_ENDPOINT endpoint class AUTH_VALIDATE,SIGNATURE_CHECK,PAYLOAD_PARSE,EVENT_ROUTER process class ENV_HANDLER,NOTIFICATION_HANDLER,STATUS_HANDLER,CUSTOM_HANDLER handler class CREATE_ENV,UPDATE_STATUS,SEND_NOTIFICATION,TRIGGER_CLEANUP,LOG_EVENT action

GitLab Webhook Processing

sequenceDiagram participant GitLab CI participant Load Balancer participant Webhook Endpoint participant Auth Validator participant Event Processor participant Environment Service participant Notification Service participant Firestore Note over GitLab CI,Firestore: GitLab Pipeline Webhook Flow GitLab CI->>Load Balancer: POST webhook payload Load Balancer->>Webhook Endpoint: Forward request Webhook Endpoint->>Auth Validator: Validate GitLab token Auth Validator->>Webhook Endpoint: Token valid Webhook Endpoint->>Event Processor: Parse pipeline event Event Processor->>Event Processor: Extract event details alt Pipeline Success Event Processor->>Environment Service: Create/update environment Environment Service->>Firestore: Store environment data Environment Service->>Event Processor: Environment created Event Processor->>Notification Service: Send success notification else Pipeline Failed Event Processor->>Environment Service: Mark environment as failed Environment Service->>Firestore: Update status Event Processor->>Notification Service: Send failure notification else Pipeline Running Event Processor->>Environment Service: Update status to building Environment Service->>Firestore: Update status end Event Processor->>Webhook Endpoint: Processing complete Webhook Endpoint->>Load Balancer: HTTP 200 OK Load Balancer->>GitLab CI: Response

GitHub Webhook Processing

sequenceDiagram participant GitHub participant Webhook Endpoint participant Signature Validator participant Event Processor participant Environment Service participant Notification Service Note over GitHub,Notification Service: GitHub Actions Webhook Flow GitHub->>Webhook Endpoint: POST with X-Hub-Signature-256 Webhook Endpoint->>Signature Validator: Verify HMAC signature alt Valid Signature Signature Validator->>Event Processor: Process GitHub event alt Pull Request Opened Event Processor->>Environment Service: Create PR environment Environment Service->>Event Processor: Environment queued else Pull Request Closed Event Processor->>Environment Service: Delete PR environment Environment Service->>Event Processor: Environment terminated else Workflow Complete Event Processor->>Environment Service: Update environment status Environment Service->>Event Processor: Status updated end Event Processor->>Notification Service: Send notification Event Processor->>Webhook Endpoint: Success else Invalid Signature Signature Validator->>Webhook Endpoint: Reject request end Webhook Endpoint->>GitHub: HTTP response

Webhook Event Types and Handlers

graph LR subgraph "GitLab Events" GL_PIPELINE[Pipeline
Status] GL_PUSH[Push
Events] GL_MR[Merge Request
Events] end subgraph "GitHub Events" GH_PR[Pull Request
Events] GH_PUSH[Push
Events] GH_WORKFLOW[Workflow
Events] end subgraph "ArgoCD Events" ARGO_SYNC[Application
Sync] ARGO_HEALTH[Health
Status] ARGO_DEPLOY[Deployment
Status] end subgraph "Custom Events" ENV_CREATE[Environment
Creation] ENV_DELETE[Environment
Deletion] NOTIFICATION[Custom
Notifications] end subgraph "Event Actions" CREATE[Create
Environment] UPDATE[Update
Status] DELETE[Delete
Environment] NOTIFY[Send
Notification] LOG[Audit
Log] end %% Event routing GL_PIPELINE --> CREATE GL_PIPELINE --> UPDATE GL_MR --> CREATE GL_MR --> DELETE GH_PR --> CREATE GH_PR --> DELETE GH_WORKFLOW --> UPDATE ARGO_SYNC --> UPDATE ARGO_HEALTH --> UPDATE ARGO_DEPLOY --> UPDATE ENV_CREATE --> CREATE ENV_DELETE --> DELETE NOTIFICATION --> NOTIFY %% All events generate logs CREATE --> LOG UPDATE --> LOG DELETE --> LOG NOTIFY --> LOG classDef gitlab fill:#e3f2fd,stroke:#1976d2,stroke-width:2px classDef github fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef argocd fill:#e8f5e9,stroke:#388e3c,stroke-width:2px classDef custom fill:#fce4ec,stroke:#c2185b,stroke-width:2px classDef action fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px class GL_PIPELINE,GL_PUSH,GL_MR gitlab class GH_PR,GH_PUSH,GH_WORKFLOW github class ARGO_SYNC,ARGO_HEALTH,ARGO_DEPLOY argocd class ENV_CREATE,ENV_DELETE,NOTIFICATION custom class CREATE,UPDATE,DELETE,NOTIFY,LOG action

Webhook Security and Validation

graph TB subgraph "Security Layers" DDOS[DDoS
Protection] RATE_LIMIT[Rate
Limiting] TOKEN_AUTH[Token
Authentication] SIGNATURE[Signature
Verification] end subgraph "Validation Steps" HEADER_CHECK[Header
Validation] PAYLOAD_SIZE[Payload Size
Limit] JSON_PARSE[JSON
Parsing] SCHEMA_VALIDATE[Schema
Validation] end subgraph "Error Handling" AUTH_ERROR[401
Unauthorized] RATE_ERROR[429
Rate Limited] PARSE_ERROR[400
Bad Request] SERVER_ERROR[500
Server Error] end %% Security flow DDOS --> RATE_LIMIT RATE_LIMIT --> TOKEN_AUTH TOKEN_AUTH --> SIGNATURE %% Validation flow SIGNATURE --> HEADER_CHECK HEADER_CHECK --> PAYLOAD_SIZE PAYLOAD_SIZE --> JSON_PARSE JSON_PARSE --> SCHEMA_VALIDATE %% Error routing TOKEN_AUTH -.->|"Invalid"| AUTH_ERROR RATE_LIMIT -.->|"Exceeded"| RATE_ERROR JSON_PARSE -.->|"Invalid"| PARSE_ERROR SCHEMA_VALIDATE -.->|"Failure"| SERVER_ERROR classDef security fill:#e3f2fd,stroke:#1976d2,stroke-width:2px classDef validation fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef error fill:#ffebee,stroke:#d32f2f,stroke-width:2px class DDOS,RATE_LIMIT,TOKEN_AUTH,SIGNATURE security class HEADER_CHECK,PAYLOAD_SIZE,JSON_PARSE,SCHEMA_VALIDATE validation class AUTH_ERROR,RATE_ERROR,PARSE_ERROR,SERVER_ERROR error

Webhook Configuration Examples

GitLab Webhook Setup

# GitLab Project Webhook Configuration
webhook:
  url: "https://blueberry.florenciacomuzzi.com/api/webhooks/gitlab/pipeline"
  secret_token: "${GITLAB_WEBHOOK_TOKEN}"
  events:
    - pipeline_events
    - merge_request_events
    - push_events
  ssl_verification: true
  custom_headers:
    X-GitLab-Source: "blueberry-integration"

GitHub Webhook Setup

# GitHub Repository Webhook Configuration
webhook:
  url: "https://blueberry.florenciacomuzzi.com/api/webhooks/github"
  secret: "${GITHUB_WEBHOOK_SECRET}"
  content_type: "application/json"
  events:
    - pull_request
    - workflow_run
    - push
  active: true
  insecure_ssl: false

Custom Webhook Example

# Custom webhook call
curl -X POST "https://blueberry.florenciacomuzzi.com/api/webhooks/generic" \
  -H "Content-Type: application/json" \
  -H "X-Custom-Source: monitoring-system" \
  -d '{
    "event": "environment_health_check",
    "environment_id": "pr-123",
    "status": "healthy",
    "timestamp": "2024-01-01T10:00:00Z",
    "details": {
      "response_time": "120ms",
      "status_code": 200
    }
  }'

Webhook Processing Performance

Throughput Metrics

Webhook Type Rate Limit Processing Time Timeout
GitLab 500/min per project < 200ms 30s
GitHub 500/min per repo < 200ms 30s
ArgoCD 1000/min < 100ms 15s
Generic 100/min per source < 500ms 60s

Error Handling Strategy

graph TD WEBHOOK[Webhook Received] --> VALIDATE{Valid?} VALIDATE -->|No| ERROR_RESPONSE[Return Error
Response] VALIDATE -->|Yes| PROCESS[Process Event] PROCESS --> SUCCESS{Success?} SUCCESS -->|Yes| OK_RESPONSE[Return 200 OK] SUCCESS -->|No| RETRY{Retryable?} RETRY -->|Yes| QUEUE[Queue for
Retry] RETRY -->|No| ERROR_LOG[Log Error &
Return 500] QUEUE --> BACKOFF[Exponential
Backoff] BACKOFF --> PROCESS ERROR_RESPONSE --> LOG[Audit Log] ERROR_LOG --> LOG OK_RESPONSE --> LOG

Webhook Monitoring and Alerting

Key Metrics

  • Request Rate: Webhooks per minute by source
  • Success Rate: Percentage of successful webhook processing
  • Processing Latency: Time to process webhook events
  • Error Rate: Failed webhook processing by error type
  • Queue Depth: Number of webhooks awaiting processing

Alert Conditions

# Webhook monitoring alerts
alerts:
  - name: "High Webhook Error Rate"
    condition: "webhook_error_rate > 5%"
    duration: "5 minutes"
    severity: "warning"

  - name: "Webhook Processing Latency"
    condition: "webhook_processing_time_p95 > 1s"
    duration: "2 minutes"
    severity: "warning"

  - name: "Webhook Queue Backup"
    condition: "webhook_queue_depth > 100"
    duration: "1 minute"
    severity: "critical"

Webhook Debugging

Debug Endpoints

# Get webhook processing logs
curl -H "Authorization: Bearer ${TOKEN}" \
  "https://blueberry.florenciacomuzzi.com/api/webhooks/logs?source=gitlab&limit=50"

# Get webhook statistics
curl -H "Authorization: Bearer ${TOKEN}" \
  "https://blueberry.florenciacomuzzi.com/api/webhooks/stats"

# Test webhook processing
curl -X POST "https://blueberry.florenciacomuzzi.com/api/webhooks/test" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"source": "gitlab", "event": "pipeline", "test": true}'

Common Issues and Solutions

Issue Symptoms Solution
Authentication Failure 401 responses Check webhook tokens/secrets
Signature Mismatch 403 responses Verify signature calculation
Rate Limiting 429 responses Reduce webhook frequency
Payload Too Large 413 responses Check payload size limits
Processing Timeout 504 responses Optimize event handlers

Last Updated: January 2024

Document ID: architecture/diagrams/webhook-processing