Add code for webhook dispatcher

A dispatcher is a new component to manage incoming webhooks from Github.
It accept new requests and manage a queue based on cluster capacity.

A capacity is defined as a number of running pipelines in certain
namespace. This simple metrics will provide a buffer mechanism for time
periods when we receive a bunk releases of operators. The mechanism
keeps pending requests in the database queue and only trigger related
pipeline in case of free capacity.

The solution is made of:
- Rest API
- Postgres database
- Dispatcher
- Capacity manager

JIRA: ISV-6108

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

docker-compose.yml

@@ -0,0 +1,22 @@
+---
+services:
+  db:
+    image: registry.redhat.io/rhel10/postgresql-16@sha256:8515941a42d6bc5d59b753839174b3c0e839315d686ca2fdd6fa65e1cccf3390
+    container_name: webhook-dispatcher-db
+    restart: unless-stopped
+    environment:
+      POSTGRESQL_USER: user
+      POSTGRESQL_PASSWORD: password
+      POSTGRESQL_DATABASE: webhook_dispatcher
+    ports:
+      - "5432:5432"
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  pgdata:

docs/webhook-dispatecher.md

@@ -0,0 +1,173 @@
+# Webhook Dispatcher
+
+The Webhook Dispatcher is a microservice that receives GitHub webhooks and processes them for operator pipelines.
+It validates webhooks, stores events in a database, and triggers Tekton pipelines for operator pipelines with
+a capacity management system.
+
+## Overview
+
+The Webhook Dispatcher serves as the entry point for GitHub events in the operator pipelines.
+When developers submit operators via pull requests, the dispatcher:
+
+1. **Receives and validates** GitHub webhooks with signature verification
+2. **Stores webhook events** in a PostgreSQL database
+3. **Manages pipeline capacity** to prevent resource exhaustion
+4. **Triggers Tekton pipelines** for operator validation
+
+## Architecture
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│   GitHub        │    │   Webhook        │    │   PostgreSQL    │
+│   Webhooks      │───▶│   Dispatcher     │───▶│   Database      │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                │
+                                ▼
+                       ┌──────────────────┐
+                       │   Tekton         │
+                       │   Pipelines      │
+                       └──────────────────┘
+```
+
+## Features
+
+- **Secure webhook processing** with HMAC-SHA256 signature verification
+- **Multi-repository support** with configurable processing rules
+- **Pipeline capacity management** to prevent resource overload
+- **Background event processing** for improved performance
+- **Health monitoring** and status tracking
+
+
+## Installation
+
+### Prerequisites
+- Python 3.11+
+- PostgreSQL 12+
+- Kubernetes/OpenShift cluster access
+
+### Setup
+
+1. Install dependencies:
+```bash
+pdm install --no-dev
+```
+
+2. Create database:
+```bash
+docker compose up -d
+```
+
+3. Set environment variables:
+```bash
+export DATABASE_URL="postgresql://webhook_user:secure_password@localhost:5432/webhook_dispatcher"
+export GITHUB_WEBHOOK_SECRET="your_github_webhook_secret"
+```
+
+## Configuration
+
+Create a `dispatcher_config.yaml` file:
+
+```yaml
+---
+dispatcher:
+  items:
+    - name: "Community Operators"
+      events:
+        - opened
+        - synchronize
+        - ready_for_review
+      full_repository_name: "redhat-openshift-ecosystem/community-operators"
+      capacity:
+        type: ocp_tekton
+        pipeline_name: "operator-hosted-pipeline"
+        max_capacity: 5
+        namespace: "operator-pipeline-prod"
+      # Tekton pipeline listener URL
+      callback_url: "https://tekton-dashboard.example.com/api/v1/trigger"
+
+security:
+  github_webhook_secret: "${GITHUB_WEBHOOK_SECRET}"
+  verify_signatures: true
+  allowed_github_events:
+    - pull_request
+```
+
+### Configuration Parameters
+
+- **name**: Configuration identifier
+- **events**: GitHub PR events to process
+- **full_repository_name**: Repository in `owner/repo` format
+- **capacity**: Pipeline capacity settings
+- **callback_url**: Tekton pipeline trigger URL
+- **github_webhook_secret**: Webhook signature verification secret
+
+## Usage
+
+### Running the Service
+
+Production mode:
+```bash
+export CONFIG_FILE="/path/to/dispatcher_config.yaml"
+python -m operatorcert.webhook_dispatcher.main
+```
+
+### GitHub Webhook Setup
+
+1. Go to repository **Settings** → **Webhooks**
+2. Add webhook with:
+   - **URL**: `https://your-domain.com/api/v1/webhooks/github-pipeline`
+   - **Content type**: `application/json`
+   - **Secret**: Your webhook secret
+   - **Events**: Pull requests
+
+## API Endpoints
+
+- `POST /api/v1/webhooks/github-pipeline` - Receive GitHub webhooks
+- `GET /api/v1/status/ping` - Health check
+- `GET /api/v1/status/db` - Database health
+- `GET /api/v1/events/status` - Event status with pagination
+
+## Security
+
+- **HMAC-SHA256 signature verification** for all webhook requests
+- **GitHub User-Agent validation** to prevent spoofing
+- **Event type filtering** based on configuration
+- **TLS encryption** required for production deployments
+
+## Monitoring
+
+### Health Checks
+```bash
+curl http://localhost:5000/api/v1/status/ping
+curl http://localhost:5000/api/v1/status/db
+```
+
+### Event Status
+```bash
+curl "http://localhost:5000/api/v1/events/status?page_size=20"
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**Signature verification failures**:
+- Verify `GITHUB_WEBHOOK_SECRET` matches GitHub configuration
+- Ensure webhook uses `application/json` content type
+
+**Database connection errors**:
+- Check `DATABASE_URL` format
+- Verify PostgreSQL is running and accessible
+
+**Event processing delays**:
+- Check dispatcher thread logs
+- Monitor pipeline capacity usage
+- Review database performance
+
+### Debug Mode
+```bash
+export LOG_LEVEL=DEBUG
+python -m operatorcert.webhook_dispatcher.main --verbose
+```
+
+For support, refer to the [operator-pipelines repository](https://github.com/redhat-openshift-ecosystem/operator-pipelines).

operator-pipeline-images/config/dispatcher_config.yaml

@@ -0,0 +1,24 @@
+---
+dispatcher:
+  items:
+    - name: Red Hat community operators preprod
+      events:
+        - labeled
+        - opened
+        - reopened
+        - synchronize
+        - ready_for_review
+        - closed
+      full_repository_name: "redhat-openshift-ecosystem/community-operators-preprod"
+      capacity:
+        type: ocp_tekton
+        pipeline_name: "operator-hosted-pipeline"
+        max_capacity: 2
+        namespace: "operator-pipeline-stage"
+      callback_url: "https://example.com/foo" # Placeholder URL
+
+security:
+  # github_webhook_secret: "" # This can be also set by `GITHUB_WEBHOOK_SECRET`
+  verify_signatures: true
+  allowed_github_events:
+    - pull_request

operator-pipeline-images/operatorcert/static_tests/community/__init__.py

@@ -1,8 +1,8 @@
 """
-    Community operators static test suite
+Community operators static test suite
 
-    A test suite is a python package with two modules called "operator"
-    and "bundle" each containing a collection of check functions for the
-    respective type of resources.
+A test suite is a python package with two modules called "operator"
+and "bundle" each containing a collection of check functions for the
+respective type of resources.
 
 """

operator-pipeline-images/operatorcert/static_tests/community/bundle.py

@@ -1,9 +1,9 @@
 """
-    Bundle checks for the community operator static test suite
+Bundle checks for the community operator static test suite
 
-    A bundle check is a function with a name starting with "check_"
-    and taking a Bundle argument and yielding OperatorCheck objects
-    (either Fail or Warn) to describe the issues found in the given Bundle.
+A bundle check is a function with a name starting with "check_"
+and taking a Bundle argument and yielding OperatorCheck objects
+(either Fail or Warn) to describe the issues found in the given Bundle.
 """
 
 import json

operator-pipeline-images/operatorcert/static_tests/community/validations.py

@@ -1,5 +1,5 @@
 """
-    Utility functions to support the check_required_fields bundle check
+Utility functions to support the check_required_fields bundle check
 """
 
 import binascii

operator-pipeline-images/operatorcert/static_tests/helpers.py

@@ -1,4 +1,4 @@
-""" Static tests helper utilities. """
+"""Static tests helper utilities."""
 
 import logging
 from functools import wraps