Add code for webhook dispatcher

A dispatcher is a new component to manage incoming webhooks from Github.
It accept new requests and manage a queue based on cluster capacity.

A capacity is defined as a number of running pipelines in certain
namespace. This simple metrics will provide a buffer mechanism for time
periods when we receive a bunk releases of operators. The mechanism
keeps pending requests in the database queue and only trigger related
pipeline in case of free capacity.

The solution is made of:
- Rest API
- Postgres database
- Dispatcher
- Capacity manager

JIRA: ISV-6108

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

docker-compose.yml

@@ -0,0 +1,22 @@
+---
+services:
+  db:
+    image: registry.redhat.io/rhel10/postgresql-16@sha256:8515941a42d6bc5d59b753839174b3c0e839315d686ca2fdd6fa65e1cccf3390
+    container_name: webhook-dispatcher-db
+    restart: unless-stopped
+    environment:
+      POSTGRESQL_USER: user
+      POSTGRESQL_PASSWORD: password
+      POSTGRESQL_DATABASE: webhook_dispatcher
+    ports:
+      - "5432:5432"
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  pgdata:

docs/webhook-dispatecher.md

@@ -0,0 +1,173 @@
+# Webhook Dispatcher
+
+The Webhook Dispatcher is a microservice that receives GitHub webhooks and processes them for operator pipelines.
+It validates webhooks, stores events in a database, and triggers Tekton pipelines for operator pipelines with
+a capacity management system.
+
+## Overview
+
+The Webhook Dispatcher serves as the entry point for GitHub events in the operator pipelines.
+When developers submit operators via pull requests, the dispatcher:
+
+1. **Receives and validates** GitHub webhooks with signature verification
+2. **Stores webhook events** in a PostgreSQL database
+3. **Manages pipeline capacity** to prevent resource exhaustion
+4. **Triggers Tekton pipelines** for operator validation
+
+## Architecture
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│   GitHub        │    │   Webhook        │    │   PostgreSQL    │
+│   Webhooks      │───▶│   Dispatcher     │───▶│   Database      │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                │
+                                ▼
+                       ┌──────────────────┐
+                       │   Tekton         │
+                       │   Pipelines      │
+                       └──────────────────┘
+```
+
+## Features
+
+- **Secure webhook processing** with HMAC-SHA256 signature verification
+- **Multi-repository support** with configurable processing rules
+- **Pipeline capacity management** to prevent resource overload
+- **Background event processing** for improved performance
+- **Health monitoring** and status tracking
+
+
+## Installation
+
+### Prerequisites
+- Python 3.11+
+- PostgreSQL 12+
+- Kubernetes/OpenShift cluster access
+
+### Setup
+
+1. Install dependencies:
+```bash
+pdm install --no-dev
+```
+
+2. Create database:
+```bash
+docker compose up -d
+```
+
+3. Set environment variables:
+```bash
+export DATABASE_URL="postgresql://webhook_user:secure_password@localhost:5432/webhook_dispatcher"
+export GITHUB_WEBHOOK_SECRET="your_github_webhook_secret"
+```
+
+## Configuration
+
+Create a `dispatcher_config.yaml` file:
+
+```yaml
+---
+dispatcher:
+  items:
+    - name: "Community Operators"
+      events:
+        - opened
+        - synchronize
+        - ready_for_review
+      full_repository_name: "redhat-openshift-ecosystem/community-operators"
+      capacity:
+        type: ocp_tekton
+        pipeline_name: "operator-hosted-pipeline"
+        max_capacity: 5
+        namespace: "operator-pipeline-prod"
+      # Tekton pipeline listener URL
+      callback_url: "https://tekton-dashboard.example.com/api/v1/trigger"
+
+security:
+  github_webhook_secret: "${GITHUB_WEBHOOK_SECRET}"
+  verify_signatures: true
+  allowed_github_events:
+    - pull_request
+```
+
+### Configuration Parameters
+
+- **name**: Configuration identifier
+- **events**: GitHub PR events to process
+- **full_repository_name**: Repository in `owner/repo` format
+- **capacity**: Pipeline capacity settings
+- **callback_url**: Tekton pipeline trigger URL
+- **github_webhook_secret**: Webhook signature verification secret
+
+## Usage
+
+### Running the Service
+
+Production mode:
+```bash
+export CONFIG_FILE="/path/to/dispatcher_config.yaml"
+python -m operatorcert.webhook_dispatcher.main
+```
+
+### GitHub Webhook Setup
+
+1. Go to repository **Settings** → **Webhooks**
+2. Add webhook with:
+   - **URL**: `https://your-domain.com/api/v1/webhooks/github-pipeline`
+   - **Content type**: `application/json`
+   - **Secret**: Your webhook secret
+   - **Events**: Pull requests
+
+## API Endpoints
+
+- `POST /api/v1/webhooks/github-pipeline` - Receive GitHub webhooks
+- `GET /api/v1/status/ping` - Health check
+- `GET /api/v1/status/db` - Database health
+- `GET /api/v1/events/status` - Event status with pagination
+
+## Security
+
+- **HMAC-SHA256 signature verification** for all webhook requests
+- **GitHub User-Agent validation** to prevent spoofing
+- **Event type filtering** based on configuration
+- **TLS encryption** required for production deployments
+
+## Monitoring
+
+### Health Checks
+```bash
+curl http://localhost:5000/api/v1/status/ping
+curl http://localhost:5000/api/v1/status/db
+```
+
+### Event Status
+```bash
+curl "http://localhost:5000/api/v1/events/status?page_size=20"
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**Signature verification failures**:
+- Verify `GITHUB_WEBHOOK_SECRET` matches GitHub configuration
+- Ensure webhook uses `application/json` content type
+
+**Database connection errors**:
+- Check `DATABASE_URL` format
+- Verify PostgreSQL is running and accessible
+
+**Event processing delays**:
+- Check dispatcher thread logs
+- Monitor pipeline capacity usage
+- Review database performance
+
+### Debug Mode
+```bash
+export LOG_LEVEL=DEBUG
+python -m operatorcert.webhook_dispatcher.main --verbose
+```
+
+For support, refer to the [operator-pipelines repository](https://github.com/redhat-openshift-ecosystem/operator-pipelines).

operator-pipeline-images/config/dispatcher_config.yaml

@@ -0,0 +1,24 @@
+---
+dispatcher:
+  items:
+    - name: Red Hat community operators preprod
+      events:
+        - labeled
+        - opened
+        - reopened
+        - synchronize
+        - ready_for_review
+        - closed
+      full_repository_name: "redhat-openshift-ecosystem/community-operators-preprod"
+      capacity:
+        type: ocp_tekton
+        pipeline_name: "operator-hosted-pipeline"
+        max_capacity: 2
+        namespace: "operator-pipeline-stage"
+      callback_url: "https://example.com/foo" # Placeholder URL
+
+security:
+  # github_webhook_secret: "" # This can be also set by `GITHUB_WEBHOOK_SECRET`
+  verify_signatures: true
+  allowed_github_events:
+    - pull_request

operator-pipeline-images/operatorcert/webhook_dispatcher/__init__.py

@@ -0,0 +1,165 @@
+"""
+Webhook API for handling GitHub pipeline events.
+"""
+
+import logging
+import os
+from typing import Any
+
+import flask
+from flask import jsonify, request
+from operatorcert.webhook_dispatcher.config import load_config
+from operatorcert.webhook_dispatcher.database import get_database, get_db_session
+from operatorcert.webhook_dispatcher.models import (
+    WebhookEvent,
+    convert_to_webhook_event,
+)
+from operatorcert.webhook_dispatcher.security import validate_github_webhook
+
+_CONFIG = None
+
+LOGGER = logging.getLogger("operator-cert")
+app = flask.Flask(__name__)
+
+
+def get_config() -> Any:
+    """
+    Load and return the configuration.
+    If the configuration is already loaded, return the cached version.
+    """
+    # singleton pattern for configuration loading
+    global _CONFIG  # pylint: disable=global-statement
+    if _CONFIG is None:
+        _CONFIG = load_config(
+            os.getenv("WEBHOOK_DISPATCHER_CONFIG", "dispatcher_config.json")
+        )
+    return _CONFIG
+
+
+def event_to_dict(event: WebhookEvent) -> dict[str, Any]:
+    """
+    Convert a WebhookEvent object to a dictionary.
+    """
+    return {
+        "id": event.id,
+        "delivery_id": event.delivery_id,
+        "repository_full_name": event.repository_full_name,
+        "pull_request_number": event.pull_request_number,
+        "processed": event.processed,
+        "processing_error": event.processing_error,
+        "received_at": event.received_at.isoformat(),
+        "processed_at": event.processed_at.isoformat() if event.processed_at else None,
+        "status": event.status,
+    }
+
+
+@app.route("/api/v1/webhooks/github-pipeline", methods=["POST"])
+def github_pipeline_webhook() -> Any:
+    """
+    Receive GitHub webhook events for pipeline execution.
+
+    Returns:
+        Any: A JSON response indicating the status of the event processing.
+    """
+    payload = request.get_json()
+    config = get_config()
+    result = validate_github_webhook(request, config.security)
+    if isinstance(result, tuple):
+        LOGGER.debug("GitHub webhook validation failed: %s", result)
+        return jsonify(result[0]), result[1]
+    LOGGER.info("GitHub webhook validation result: %s", result)
+    webhook_event = convert_to_webhook_event(payload, request)
+    if webhook_event is None:
+        return jsonify({"status": "rejected", "message": "Unsupported event"}), 400
+
+    db_session = next(get_db_session())
+    db_session.add(webhook_event)
+    db_session.commit()
+
+    return (
+        jsonify(
+            {
+                "status": "ok",
+                "message": "Event received",
+                **event_to_dict(webhook_event),
+            }
+        ),
+        200,
+    )
+
+
+@app.route("/api/v1/events/status", methods=["GET"])
+def events_status() -> Any:
+    """
+    Get a summary of webhook events.
+
+    Returns:
+        Any: A JSON response containing the status of webhook events.
+    """
+    page = request.args.get("page", 1, type=int)
+    page_size = request.args.get("page_size", 10, type=int)
+    request_filter = request.args.get("filter", "")
+
+    db_filter = []
+
+    for item in request_filter.split(";"):
+        if "=" in item:
+            key, val = item.split("=")
+            db_filter.append(getattr(WebhookEvent, key) == val)
+
+    db_session = next(get_db_session())
+
+    events = (
+        db_session.query(WebhookEvent)
+        .filter(*db_filter)
+        .order_by(WebhookEvent.received_at.desc())
+        .offset((page - 1) * page_size)
+        .limit(page_size)
+        .all()
+    )
+    total_count = db_session.query(WebhookEvent).filter(*db_filter).count()
+
+    output = []
+    for event in events:
+        output.append(event_to_dict(event))
+
+    return (
+        jsonify(
+            {
+                "status": "ok",
+                "events": output,
+                "page": page,
+                "page_size": page_size,
+                "total_count": total_count,
+            }
+        ),
+        200,
+    )
+
+
+@app.route("/api/v1/status/ping", methods=["GET"])
+def get_ping() -> Any:
+    """
+    Health check endpoint to verify the API is running.
+
+    Returns:
+        Any: A JSON response indicating the API status.
+    """
+    return jsonify({"status": "pong"}), 200
+
+
+@app.route("/api/v1/status/db", methods=["GET"])
+def get_db_status() -> Any:
+    """
+    Health check endpoint to verify the database is running.
+
+    Returns:
+        Any: A JSON response indicating the API status.
+    """
+    db_manager = get_database()
+    if db_manager.health_check():
+        return jsonify({"status": "ok", "message": "Database is running"}), 200
+    return (
+        jsonify({"status": "error", "message": "Database health check failed"}),
+        500,
+    )