github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/applicationset/Generators-Pull-Request.md (about) 1 # Pull Request Generator 2 3 The Pull Request generator uses the API of an SCMaaS provider (GitHub, Gitea, or Bitbucket Server) to automatically discover open pull requests within a repository. This fits well with the style of building a test environment when you create a pull request. 4 5 ```yaml 6 apiVersion: argoproj.io/v1alpha1 7 kind: ApplicationSet 8 metadata: 9 name: myapps 10 spec: 11 goTemplate: true 12 goTemplateOptions: ["missingkey=error"] 13 generators: 14 - pullRequest: 15 # When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. 16 requeueAfterSeconds: 1800 17 # See below for provider specific options. 18 github: 19 # ... 20 ``` 21 22 !!! note 23 Know the security implications of PR generators in ApplicationSets. 24 [Only admins may create ApplicationSets](./Security.md#only-admins-may-createupdatedelete-applicationsets) to avoid 25 leaking Secrets, and [only admins may create PRs](./Security.md#templated-project-field) if the `project` field of 26 an ApplicationSet with a PR generator is templated, to avoid granting management of out-of-bounds resources. 27 28 ## GitHub 29 30 Specify the repository from which to fetch the GitHub Pull requests. 31 32 ```yaml 33 apiVersion: argoproj.io/v1alpha1 34 kind: ApplicationSet 35 metadata: 36 name: myapps 37 spec: 38 goTemplate: true 39 goTemplateOptions: ["missingkey=error"] 40 generators: 41 - pullRequest: 42 github: 43 # The GitHub organization or user. 44 owner: myorg 45 # The Github repository 46 repo: myrepository 47 # For GitHub Enterprise (optional) 48 api: https://git.example.com/ 49 # Reference to a Secret containing an access token. (optional) 50 tokenRef: 51 secretName: github-token 52 key: token 53 # (optional) use a GitHub App to access the API instead of a PAT. 54 appSecretName: github-app-repo-creds 55 # Labels is used to filter the PRs that you want to target. (optional) 56 labels: 57 - preview 58 requeueAfterSeconds: 1800 59 template: 60 # ... 61 ``` 62 63 * `owner`: Required name of the GitHub organization or user. 64 * `repo`: Required name of the GitHub repository. 65 * `api`: If using GitHub Enterprise, the URL to access it. (Optional) 66 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional) 67 * `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional) 68 * `appSecretName`: A `Secret` name containing a GitHub App secret in [repo-creds format][repo-creds]. 69 70 [repo-creds]: ../declarative-setup.md#repository-credentials 71 72 ## GitLab 73 74 Specify the project from which to fetch the GitLab merge requests. 75 76 ```yaml 77 apiVersion: argoproj.io/v1alpha1 78 kind: ApplicationSet 79 metadata: 80 name: myapps 81 spec: 82 goTemplate: true 83 goTemplateOptions: ["missingkey=error"] 84 generators: 85 - pullRequest: 86 gitlab: 87 # The GitLab project ID. 88 project: "12341234" 89 # For self-hosted GitLab (optional) 90 api: https://git.example.com/ 91 # Reference to a Secret containing an access token. (optional) 92 tokenRef: 93 secretName: gitlab-token 94 key: token 95 # Labels is used to filter the MRs that you want to target. (optional) 96 labels: 97 - preview 98 # MR state is used to filter MRs only with a certain state. (optional) 99 pullRequestState: opened 100 # If true, skips validating the SCM provider's TLS certificate - useful for self-signed certificates. 101 insecure: false 102 # Reference to a ConfigMap containing trusted CA certs - useful for self-signed certificates. (optional) 103 caRef: 104 configMapName: argocd-tls-certs-cm 105 key: gitlab-ca 106 requeueAfterSeconds: 1800 107 template: 108 # ... 109 ``` 110 111 * `project`: Required project ID of the GitLab project. 112 * `api`: If using self-hosted GitLab, the URL to access it. (Optional) 113 * `tokenRef`: A `Secret` name and key containing the GitLab access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional) 114 * `labels`: Labels is used to filter the MRs that you want to target. (Optional) 115 * `pullRequestState`: PullRequestState is an additional MRs filter to get only those with a certain state. By default all states. Default: "" (all states). Valid values: `""`, `opened`, `closed`, `merged` or `locked`. (Optional) 116 * `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates. 117 * `caRef`: Optional `ConfigMap` name and key containing the GitLab certificates to trust - useful for self-signed TLS certificates. Possibly reference the ArgoCD CM holding the trusted certs. 118 119 As a preferable alternative to setting `insecure` to true, you can configure self-signed TLS certificates for Gitlab by [mounting self-signed certificate to the applicationset controller](./Generators-SCM-Provider.md#self-signed-tls-certificates). 120 121 ## Gitea 122 123 Specify the repository from which to fetch the Gitea Pull requests. 124 125 ```yaml 126 apiVersion: argoproj.io/v1alpha1 127 kind: ApplicationSet 128 metadata: 129 name: myapps 130 spec: 131 goTemplate: true 132 goTemplateOptions: ["missingkey=error"] 133 generators: 134 - pullRequest: 135 gitea: 136 # The Gitea organization or user. 137 owner: myorg 138 # The Gitea repository 139 repo: myrepository 140 # The Gitea url to use 141 api: https://gitea.mydomain.com/ 142 # Reference to a Secret containing an access token. (optional) 143 tokenRef: 144 secretName: gitea-token 145 key: token 146 # many gitea deployments use TLS, but many are self-hosted and self-signed certificates 147 insecure: true 148 requeueAfterSeconds: 1800 149 template: 150 # ... 151 ``` 152 153 * `owner`: Required name of the Gitea organization or user. 154 * `repo`: Required name of the Gitea repository. 155 * `api`: The url of the Gitea instance. 156 * `tokenRef`: A `Secret` name and key containing the Gitea access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional) 157 * `insecure`: `Allow for self-signed certificates, primarily for testing.` 158 159 ## Bitbucket Server 160 161 Fetch pull requests from a repo hosted on a Bitbucket Server (not the same as Bitbucket Cloud). 162 163 ```yaml 164 apiVersion: argoproj.io/v1alpha1 165 kind: ApplicationSet 166 metadata: 167 name: myapps 168 spec: 169 goTemplate: true 170 goTemplateOptions: ["missingkey=error"] 171 generators: 172 - pullRequest: 173 bitbucketServer: 174 project: myproject 175 repo: myrepository 176 # URL of the Bitbucket Server. Required. 177 api: https://mycompany.bitbucket.org 178 # Credentials for Basic authentication (App Password). Either basicAuth or bearerToken 179 # authentication is required to access private repositories 180 basicAuth: 181 # The username to authenticate with 182 username: myuser 183 # Reference to a Secret containing the password or personal access token. 184 passwordRef: 185 secretName: mypassword 186 key: password 187 # Credentials for Bearer Token (App Token) authentication. Either basicAuth or bearerToken 188 # authentication is required to access private repositories 189 bearerToken: 190 # Reference to a Secret containing the bearer token. 191 tokenRef: 192 secretName: repotoken 193 key: token 194 # If true, skips validating the SCM provider's TLS certificate - useful for self-signed certificates. 195 insecure: true 196 # Reference to a ConfigMap containing trusted CA certs - useful for self-signed certificates. (optional) 197 caRef: 198 configMapName: argocd-tls-certs-cm 199 key: bitbucket-ca 200 # Labels are not supported by Bitbucket Server, so filtering by label is not possible. 201 # Filter PRs using the source branch name. (optional) 202 filters: 203 - branchMatch: ".*-argocd" 204 template: 205 # ... 206 ``` 207 208 * `project`: Required name of the Bitbucket project 209 * `repo`: Required name of the Bitbucket repository. 210 * `api`: Required URL to access the Bitbucket REST API. For the example above, an API request would be made to `https://mycompany.bitbucket.org/rest/api/1.0/projects/myproject/repos/myrepository/pull-requests` 211 * `branchMatch`: Optional regexp filter which should match the source branch name. This is an alternative to labels which are not supported by Bitbucket server. 212 213 If you want to access a private repository, you must also provide the credentials for Basic auth (this is the only auth supported currently): 214 * `username`: The username to authenticate with. It only needs read access to the relevant repo. 215 * `passwordRef`: A `Secret` name and key containing the password or personal access token to use for requests. 216 217 In case of Bitbucket App Token, go with `bearerToken` section. 218 * `tokenRef`: A `Secret` name and key containing the app token to use for requests. 219 220 In case self-signed BitBucket Server certificates, the following options can be usefully: 221 * `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates. 222 * `caRef`: Optional `ConfigMap` name and key containing the BitBucket server certificates to trust - useful for self-signed TLS certificates. Possibly reference the ArgoCD CM holding the trusted certs. 223 224 ## Bitbucket Cloud 225 226 Fetch pull requests from a repo hosted on a Bitbucket Cloud. 227 228 ```yaml 229 apiVersion: argoproj.io/v1alpha1 230 kind: ApplicationSet 231 metadata: 232 name: myapps 233 spec: 234 goTemplate: true 235 goTemplateOptions: ["missingkey=error"] 236 generators: 237 - pullRequest: 238 bitbucket: 239 # Workspace name where the repository is stored under. Required. 240 owner: myproject 241 # Repository slug. Required. 242 repo: myrepository 243 # URL of the Bitbucket Server. (optional) Will default to 'https://api.bitbucket.org/2.0'. 244 api: https://api.bitbucket.org/2.0 245 # Credentials for Basic authentication (App Password). Either basicAuth or bearerToken 246 # authentication is required to access private repositories 247 basicAuth: 248 # The username to authenticate with 249 username: myuser 250 # Reference to a Secret containing the password or personal access token. 251 passwordRef: 252 secretName: mypassword 253 key: password 254 # Credentials for Bearer Token (App Token) authentication. Either basicAuth or bearerToken 255 # authentication is required to access private repositories 256 bearerToken: 257 # Reference to a Secret containing the bearer token. 258 tokenRef: 259 secretName: repotoken 260 key: token 261 # Labels are not supported by Bitbucket Cloud, so filtering by label is not possible. 262 # Filter PRs using the source branch name. (optional) 263 filters: 264 - branchMatch: ".*-argocd" 265 266 # If you need to filter destination branch too, you can use this 267 - targetBranchMatch: "master" 268 269 # Also you can combine source and target branch filters like 270 # This case will match any pull-request where source branch ends with "-argocd" and destination branch is master 271 - branchMatch: ".*-argocd" 272 targetBranchMatch: "master" 273 template: 274 # ... 275 ``` 276 277 - `owner`: Required name of the Bitbucket workspace 278 - `repo`: Required name of the Bitbucket repository. 279 - `api`: Optional URL to access the Bitbucket REST API. For the example above, an API request would be made to `https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/pullrequests`. If not set, defaults to `https://api.bitbucket.org/2.0` 280 281 You can use branch `filters` like 282 - `branchMatch`: Optional regexp filter which should match the source branch name. 283 - `targetBranchMatch`: Optional regexp filter which should match destination branch name. 284 285 > Note: Labels are not supported by Bitbucket. 286 287 If you want to access a private repository, Argo CD will need credentials to access repository in Bitbucket Cloud. You can use Bitbucket App Password (generated per user, with access to whole workspace), or Bitbucket App Token (generated per repository, with access limited to repository scope only). If both App Password and App Token are defined, App Token will be used. 288 289 To use Bitbucket App Password, use `basicAuth` section. 290 - `username`: The username to authenticate with. It only needs read access to the relevant repo. 291 - `passwordRef`: A `Secret` name and key containing the password or personal access token to use for requests. 292 293 In case of Bitbucket App Token, go with `bearerToken` section. 294 - `tokenRef`: A `Secret` name and key containing the app token to use for requests. 295 296 ## Azure DevOps 297 298 Specify the organization, project and repository from which you want to fetch pull requests. 299 300 ```yaml 301 apiVersion: argoproj.io/v1alpha1 302 kind: ApplicationSet 303 metadata: 304 name: myapps 305 spec: 306 goTemplate: true 307 goTemplateOptions: ["missingkey=error"] 308 generators: 309 - pullRequest: 310 azuredevops: 311 # Azure DevOps org to scan. Required. 312 organization: myorg 313 # Azure DevOps project name to scan. Required. 314 project: myproject 315 # Azure DevOps repo name to scan. Required. 316 repo: myrepository 317 # The Azure DevOps API URL to talk to. If blank, use https://dev.azure.com/. 318 api: https://dev.azure.com/ 319 # Reference to a Secret containing an access token. (optional) 320 tokenRef: 321 secretName: azure-devops-token 322 key: token 323 # Labels is used to filter the PRs that you want to target. (optional) 324 labels: 325 - preview 326 requeueAfterSeconds: 1800 327 template: 328 # ... 329 ``` 330 331 * `organization`: Required name of the Azure DevOps organization. 332 * `project`: Required name of the Azure DevOps project. 333 * `repo`: Required name of the Azure DevOps repository. 334 * `api`: If using self-hosted Azure DevOps Repos, the URL to access it. (Optional) 335 * `tokenRef`: A `Secret` name and key containing the Azure DevOps access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional) 336 * `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional) 337 338 ## Filters 339 340 Filters allow selecting which pull requests to generate for. Each filter can declare one or more conditions, all of which must pass. If multiple filters are present, any can match for a repository to be included. If no filters are specified, all pull requests will be processed. 341 Currently, only a subset of filters is available when comparing with [SCM provider](Generators-SCM-Provider.md) filters. 342 343 ```yaml 344 apiVersion: argoproj.io/v1alpha1 345 kind: ApplicationSet 346 metadata: 347 name: myapps 348 spec: 349 goTemplate: true 350 goTemplateOptions: ["missingkey=error"] 351 generators: 352 - pullRequest: 353 # ... 354 # Include any pull request branch ending with "argocd" 355 # and pull request title starting with "feat:". (optional) 356 filters: 357 - branchMatch: ".*-argocd" 358 - titleMatch: "^feat:" 359 template: 360 # ... 361 ``` 362 363 * `branchMatch`: A regexp matched against source branch names. 364 * `targetBranchMatch`: A regexp matched against target branch names. 365 * `titleMatch`: A regexp matched against Pull Request title. 366 367 [GitHub](#github) and [GitLab](#gitlab) also support a `labels` filter. 368 369 ## Template 370 371 As with all generators, several keys are available for replacement in the generated application. 372 373 The following is a comprehensive Helm Application example; 374 375 ```yaml 376 apiVersion: argoproj.io/v1alpha1 377 kind: ApplicationSet 378 metadata: 379 name: myapps 380 spec: 381 goTemplate: true 382 goTemplateOptions: ["missingkey=error"] 383 generators: 384 - pullRequest: 385 # ... 386 template: 387 metadata: 388 name: 'myapp-{{.branch}}-{{.number}}' 389 spec: 390 source: 391 repoURL: 'https://github.com/myorg/myrepo.git' 392 targetRevision: '{{.head_sha}}' 393 path: kubernetes/ 394 helm: 395 parameters: 396 - name: "image.tag" 397 value: "pull-{{.author}}-{{.head_sha}}" 398 project: "my-project" 399 destination: 400 server: https://kubernetes.default.svc 401 namespace: default 402 ``` 403 404 And, here is a robust Kustomize example; 405 406 ```yaml 407 apiVersion: argoproj.io/v1alpha1 408 kind: ApplicationSet 409 metadata: 410 name: myapps 411 spec: 412 goTemplate: true 413 goTemplateOptions: ["missingkey=error"] 414 generators: 415 - pullRequest: 416 # ... 417 template: 418 metadata: 419 name: 'myapp-{{.branch}}-{{.number}}' 420 spec: 421 source: 422 repoURL: 'https://github.com/myorg/myrepo.git' 423 targetRevision: '{{.head_sha}}' 424 path: kubernetes/ 425 kustomize: 426 nameSuffix: '{{.branch}}' 427 commonLabels: 428 app.kubernetes.io/instance: '{{.branch}}-{{.number}}' 429 images: 430 - 'ghcr.io/myorg/myrepo:{{.author}}-{{.head_sha}}' 431 project: "my-project" 432 destination: 433 server: https://kubernetes.default.svc 434 namespace: default 435 ``` 436 437 * `number`: The ID number of the pull request. 438 * `title`: The title of the pull request. 439 * `branch`: The name of the branch of the pull request head. 440 * `branch_slug`: The branch name will be cleaned to be conform to the DNS label standard as defined in [RFC 1123](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names), and truncated to 50 characters to give room to append/suffix-ing it with 13 more characters. 441 * `target_branch`: The name of the target branch of the pull request. 442 * `target_branch_slug`: The target branch name will be cleaned to be conform to the DNS label standard as defined in [RFC 1123](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names), and truncated to 50 characters to give room to append/suffix-ing it with 13 more characters. 443 * `head_sha`: This is the SHA of the head of the pull request. 444 * `head_short_sha`: This is the short SHA of the head of the pull request (8 characters long or the length of the head SHA if it's shorter). 445 * `head_short_sha_7`: This is the short SHA of the head of the pull request (7 characters long or the length of the head SHA if it's shorter). 446 * `labels`: The array of pull request labels. (Supported only for Go Template ApplicationSet manifests.) 447 * `author`: The author/creator of the pull request. 448 449 ## Webhook Configuration 450 451 When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. To eliminate this delay from polling, the ApplicationSet webhook server can be configured to receive webhook events, which will trigger Application generation by the Pull Request generator. 452 453 The configuration is almost the same as the one described [in the Git generator](Generators-Git.md), but there is one difference: if you want to use the Pull Request Generator as well, additionally configure the following settings. 454 455 !!! note 456 The ApplicationSet controller webhook does not use the same webhook as the API server as defined [here](../webhook.md). ApplicationSet exposes a webhook server as a service of type ClusterIP. An ApplicationSet specific Ingress resource needs to be created to expose this service to the webhook source. 457 458 ### Github webhook configuration 459 460 In section 1, _"Create the webhook in the Git provider"_, add an event so that a webhook request will be sent when a pull request is created, closed, or label changed. 461 462 Add Webhook URL with uri `/api/webhook` and select content-type as json 463  464 465 Select `Let me select individual events` and enable the checkbox for `Pull requests`. 466 467  468 469 The Pull Request Generator will requeue when the next action occurs. 470 471 - `opened` 472 - `closed` 473 - `reopened` 474 - `labeled` 475 - `unlabeled` 476 - `synchronized` 477 478 For more information about each event, please refer to the [official documentation](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). 479 480 ### Gitlab webhook configuration 481 482 Enable checkbox for "Merge request events" in triggers list. 483 484  485 486 The Pull Request Generator will requeue when the next action occurs. 487 488 - `open` 489 - `close` 490 - `reopen` 491 - `update` 492 - `merge` 493 494 For more information about each event, please refer to the [official documentation](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#merge-request-events). 495 496 ## Lifecycle 497 498 An Application will be generated when a Pull Request is discovered when the configured criteria is met - i.e. for GitHub when a Pull Request matches the specified `labels` and/or `pullRequestState`. Application will be removed when a Pull Request no longer meets the specified criteria. 499 500 ## Pass additional key-value pairs via `values` field 501 502 You may pass additional, arbitrary string key-value pairs via the `values` field of any Pull Request generator. Values added via the `values` field are added as `values.(field)`. 503 504 ```yaml 505 apiVersion: argoproj.io/v1alpha1 506 kind: ApplicationSet 507 metadata: 508 name: myapps 509 spec: 510 goTemplate: true 511 goTemplateOptions: ["missingkey=error"] 512 generators: 513 - pullRequest: 514 # ... 515 values: 516 pr_branch: '{{ .branch }}' 517 template: 518 metadata: 519 name: '{{ .values.name }}' 520 spec: 521 source: 522 repoURL: '{{ .url }}' 523 targetRevision: '{{ .branch }}' 524 path: kubernetes/ 525 project: default 526 destination: 527 server: https://kubernetes.default.svc 528 namespace: default 529 ``` 530 531 !!! note 532 The `values.` prefix is always prepended to values provided via `generators.pullRequest.values` field. Ensure you include this prefix in the parameter name within the `template` when using it. 533 534 In `values` we can also interpolate all fields set by the Pull Request generator as mentioned above.