Shell webhooks on Kubernetes
Sometimes there is a need to run simple shell commands in the containers on Kubernetes or even setup mesh of services that will run shell commands triggered by webhooks (for example from monitoring frameworks like Solarwinds). For this purpose I am using shell2http, but I know also webhook can be used, both written in Go.
I am using Dockerfile below to build shell2http images for Kubernetes. This one will run ‘curl’ triggered by ‘/device_state’ webhook with basic authentication. Webhook is parametrized with names ‘files’ , ‘ip’ and ‘key’. This particular shell command will export Palo Alto Firewall (of given ip i.e. 10.34.1.21 and api key) device state to a file.
FROM msoap/shell2http
RUN apk add --update \
python3 \
curl
WORKDIR /app
COPY ["requirements.txt","/app/"]
RUN pip3 install --no-cache-dir -r requirements.txt
ENV PYTHONUNBUFFERED=0
CMD ["-basic-auth=user:pass","-form","/device_state", "curl -kv -o $v_file \"https://$v_ip/api/?type=export&category=device-state&key=$v_key\""]The webhook itself could look like this when image is running running on localhost:
curl -v -X GET 'http://localhost:8080/device_state?file=/pan/pan1new7.tgz&ip=10.34.1.21&key=XXX' -u user:passor in powershell (i.e. Solarwinds monitoring)
$Url = "http://localhost:8080/shields"
$user="user"
$pass="pass"$base64AuthInfo= [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$pass)))
$pass = ConvertTo-SecureString $pass -AsPlainText -Force
$cred = New-Object Management.Automation.PSCredential ($user, $pass)
$response = Invoke-RestMethod -Method Get -Uri $url -ContentType 'application/json' -cred $cred -Headers @{Authorization = "Basic $base64AuthInfo" } -AllowUnencryptedAuthentication
or with Jenkins HTTP Request plugin (host address 10.4.1.100 instead of localhost)

The yaml file to schedule pod with the image above on Kubernetes is mounting also Azure file share (in my case mounted as ‘/pan’). Ignore api_key below which can be optionally taken from Kubernetes secret instead of query parameters. But the other secret has to be created to keep Azure storage account name and key for the file share.

Optionally mounting ‘/scripts ‘from config map if I want webhook i.e. ‘/scripts’ to run ‘/scripts/script.sh’. There are options for https certificates, webhook by adnanh has support also for rules matching i.e. header.
