fluxcd / notification-controller

The GitOps Toolkit event forwarder and notification dispatcher

Home Page:https://fluxcd.io

Don't require a secret for the generic webhook receiver

timofurrer opened this issue

At the moment a secret with at least a token field has to be referenced in the generic webhook receiver, which is kinda strange given that it doesn't do anything with that secret.

Is there any plan to change that or a particular reason it has to stay that way?

commented

Hi, in Receivers, the secret reference is used to get a random token which is used to create a unique digest for the receiver webhook endpoint path. It is also described in the docs https://fluxcd.io/flux/components/notification/receiver/#secret-reference , second paragraph.
You can also see in the implementation what values are used to construct a unique webhook path:

func (in *Receiver) GetWebhookPath(token string) string {
	digest := sha256.Sum256([]byte(token + in.GetName() + in.GetNamespace()))
	return fmt.Sprintf("%s%x", ReceiverWebhookPath, digest)
}

At the top of the same docs page, there's an example showing how to generate this token:

TOKEN=$(head -c 12 /dev/urandom | shasum | cut -d ' ' -f1)

kubectl -n flux-system create secret generic receiver-token \
  --from-literal=token=$TOKEN

It's just a random value to make sure no two Receivers have the same webhook path.
Hence the secret reference is a required field in Receiver.

Hope that answers your question.

Ah, I see, thanks!
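
The path derivation discussed in this thread, as an added Go example that is not part of the thread or the project's code: it generates a token the way the docs' shell one-liner does, derives the path with the same digest as `GetWebhookPath`, and resolves an incoming path back to a receiver. The `receiver` type, `newToken`, `resolve` and the `/hook/` prefix are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

const receiverWebhookPath = "/hook/" // assumed prefix; its value is not shown in the thread

// receiver is a hypothetical stand-in holding only the fields the digest uses.
type receiver struct{ Name, Namespace, Token string }

// webhookPath mirrors GetWebhookPath above: prefix + hex(sha256(token+name+namespace)).
func webhookPath(r receiver) string {
	digest := sha256.Sum256([]byte(r.Token + r.Name + r.Namespace))
	return fmt.Sprintf("%s%x", receiverWebhookPath, digest)
}

// newToken follows the docs' shell one-liner: SHA-1 hex of 12 random bytes.
func newToken() (string, error) {
	buf := make([]byte, 12)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha1.Sum(buf)), nil
}

// resolve returns the receiver whose derived path equals the request path, if any.
func resolve(path string, receivers []receiver) (receiver, bool) {
	for _, r := range receivers {
		if webhookPath(r) == path {
			return r, true
		}
	}
	return receiver{}, false
}

func main() {
	tok, err := newToken()
	if err != nil {
		panic(err)
	}
	// Constructed sample: two Receivers that share one token value.
	rs := []receiver{{"app-a", "flux-system", tok}, {"app-b", "flux-system", tok}}
	fmt.Println(webhookPath(rs[0]), webhookPath(rs[1]))
	_, ok := resolve(receiverWebhookPath+"0000", rs)
	fmt.Println("unknown path matched:", ok)
}
```

Because the name and namespace are part of the digest input, two Receivers that reference the same token still get distinct paths, and a path that was not derived from a known token resolves to nothing.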