feat(webhook): add env variables for rate limit flags and update manifests to include them

cjcocokrisp · cjcocokrisp · commit 5046ebe1b595 · 2025-08-07T12:02:49.000-04:00
Signed-off-by: Christopher Coco &lt;chriscoco1205@gmail.com&gt;
diff --git a/cmd/run.go b/cmd/run.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
 	"os"
 	"strings"
 	"sync"
@@ -345,10 +346,10 @@ func newRunCommand() *cobra.Command {
 	runCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks")
 	runCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks")
 	runCmd.Flags().StringVar(&webhookCfg.HarborSecret, "harbor-webhook-secret", env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), "Secret for validating Harbor webhooks")
-	runCmd.Flags().BoolVar(&webhookCfg.RateLimitEnabled, "enable-webhook-ratelimit", false, "Enable rate limiting for the webhook endpoint")
-	runCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-num-allowed", 100, "The number of allowed requests in a window for webhook rate limiting")
-	runCmd.Flags().DurationVar(&webhookCfg.RateLimitWindow, "webhook-ratelimit-window", 2*time.Minute, "The duration for the window for the webhook rate limiting")
-	runCmd.Flags().DurationVar(&webhookCfg.RateLimitCleanUpInterval, "webhook-ratelimit-cleanup-interval", 1*time.Hour, "How often the rate limiter cleans up stale clients")
+	runCmd.Flags().BoolVar(&webhookCfg.RateLimitEnabled, "enable-webhook-ratelimit", env.GetBoolVal("ENABLE_WEBHOOK_RATELIMIT", false), "Enable rate limiting for the webhook endpoint")
+	runCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-num-allowed", env.ParseNumFromEnv("WEBHOOK_RATELIMIT_NUM_ALLOWED_REQUESTS", 100, 0, math.MaxInt), "The number of allowed requests in a window for webhook rate limiting")
+	runCmd.Flags().DurationVar(&webhookCfg.RateLimitWindow, "webhook-ratelimit-window", env.GetDurationVal("WEBHOOK_RATELIMIT_WINDOW", 2*time.Minute), "The duration for the window for the webhook rate limiting")
+	runCmd.Flags().DurationVar(&webhookCfg.RateLimitCleanUpInterval, "webhook-ratelimit-cleanup-interval", env.GetDurationVal("WEBHOOK_RATELIMIT_CLEANUP_INTERVAL", 1*time.Hour), "How often the rate limiter cleans up stale clients")
 
 	return runCmd
 }
diff --git a/cmd/webhook.go b/cmd/webhook.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
 	"os"
 	"os/signal"
 	"strconv"
@@ -195,10 +196,10 @@ Supported registries:
 	webhookCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.HarborSecret, "harbor-webhook-secret", env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), "Secret for validating Harbor webhooks")
-	webhookCmd.Flags().BoolVar(&webhookCfg.RateLimitEnabled, "enable-webhook-ratelimit", false, "Enable rate limiting for the webhook endpoint")
-	webhookCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-num-allowed", 100, "The number of allowed requests in a window for webhook rate limiting")
-	webhookCmd.Flags().DurationVar(&webhookCfg.RateLimitWindow, "webhook-ratelimit-window", 2*time.Minute, "The duration for the window for the webhook rate limiting")
-	webhookCmd.Flags().DurationVar(&webhookCfg.RateLimitCleanUpInterval, "webhook-ratelimit-cleanup-interval", 1*time.Hour, "How often the rate limiter cleans up stale clients")
+	webhookCmd.Flags().BoolVar(&webhookCfg.RateLimitEnabled, "enable-webhook-ratelimit", env.GetBoolVal("ENABLE_WEBHOOK_RATELIMIT", false), "Enable rate limiting for the webhook endpoint")
+	webhookCmd.Flags().IntVar(&webhookCfg.RateLimitNumAllowedRequests, "webhook-ratelimit-num-allowed", env.ParseNumFromEnv("WEBHOOK_RATELIMIT_NUM_ALLOWED_REQUESTS", 100, 0, math.MaxInt), "The number of allowed requests in a window for webhook rate limiting")
+	webhookCmd.Flags().DurationVar(&webhookCfg.RateLimitWindow, "webhook-ratelimit-window", env.GetDurationVal("WEBHOOK_RATELIMIT_WINDOW", 2*time.Minute), "The duration for the window for the webhook rate limiting")
+	webhookCmd.Flags().DurationVar(&webhookCfg.RateLimitCleanUpInterval, "webhook-ratelimit-cleanup-interval", env.GetDurationVal("WEBHOOK_RATELIMIT_CLEANUP_INTERVAL", 1*time.Hour), "How often the rate limiter cleans up stale clients")
 
 	return webhookCmd
 }
diff --git a/manifests/base/deployment/argocd-image-updater-deployment.yaml b/manifests/base/deployment/argocd-image-updater-deployment.yaml
@@ -149,7 +149,28 @@ spec:
                 name: argocd-image-updater-secret
                 key: webhook.harbor-secret
                 optional: true
-        livenessProbe:
+        - name: ENABLE_WEBHOOK_RATELIMIT
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.enable-rate-limit
+                optional: true
+        - name: WEBHOOK_RATELIMIT_NUM_ALLOWED_REQUESTS
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.ratelimit-num-allowed-requests
+          livenessProbe:
+        - name: WEBHOOK_RATELIMIT_WINDOW
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.ratelimit-window
+        - name: WEBHOOK_RATELIMIT_CLEANUP_INTERVAL
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.ratelimit-cleanup-interval
           httpGet:
             path: /healthz
             port: 8080
diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -257,14 +257,35 @@ spec:
               key: webhook.harbor-secret
               name: argocd-image-updater-secret
               optional: true
-        image: quay.io/argoprojlabs/argocd-image-updater:latest
-        imagePullPolicy: Always
-        livenessProbe:
-          httpGet:
+        - name: ENABLE_WEBHOOK_RATELIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.enable-rate-limit
+              name: argocd-image-updater-config
+              optional: true
+        - livenessProbe: null
+          name: WEBHOOK_RATELIMIT_NUM_ALLOWED_REQUESTS
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.ratelimit-num-allowed-requests
+              name: argocd-image-updater-config
+        - name: WEBHOOK_RATELIMIT_WINDOW
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.ratelimit-window
+              name: argocd-image-updater-config
+        - httpGet:
             path: /healthz
             port: 8080
           initialDelaySeconds: 3
+          name: WEBHOOK_RATELIMIT_CLEANUP_INTERVAL
           periodSeconds: 30
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.ratelimit-cleanup-interval
+              name: argocd-image-updater-config
+        image: quay.io/argoprojlabs/argocd-image-updater:latest
+        imagePullPolicy: Always
         name: argocd-image-updater
         ports:
         - containerPort: 8080
