add ntfy provider

Signed-off-by: Bruno Paz <[email protected]>

api/v1beta3/provider_types.go

@@ -52,12 +52,13 @@ const (
 	PagerDutyProvider       string = "pagerduty"
 	DataDogProvider         string = "datadog"
 	NATSProvider            string = "nats"
+	NtfyProvider            string = "ntfy"
 )
 
 // ProviderSpec defines the desired state of the Provider.
 type ProviderSpec struct {
 	// Type specifies which Provider implementation to use.
-	// +kubebuilder:validation:Enum=slack;discord;msteams;rocket;generic;generic-hmac;github;gitlab;gitea;bitbucketserver;bitbucket;azuredevops;googlechat;googlepubsub;webex;sentry;azureeventhub;telegram;lark;matrix;opsgenie;alertmanager;grafana;githubdispatch;pagerduty;datadog;nats
+	// +kubebuilder:validation:Enum=slack;discord;msteams;rocket;generic;generic-hmac;github;gitlab;gitea;bitbucketserver;bitbucket;azuredevops;googlechat;googlepubsub;webex;sentry;azureeventhub;telegram;lark;matrix;opsgenie;alertmanager;grafana;githubdispatch;pagerduty;datadog;nats;ntfy
 	// +required
 	Type string `json:"type"`
 

docs/spec/v1beta3/providers.md

@@ -108,6 +108,7 @@ The supported alerting providers are:
 | [Telegram](#telegram)                                   | `telegram`       |
 | [WebEx](#webex)                                         | `webex`          |
 | [NATS](#nats)                                           | `nats`           |
+| [Ntfy](#ntfy)                                           | `ntfy`           |
 
 The supported providers for [Git commit status updates](#git-commit-status-updates) are:
 
@@ -1018,6 +1019,47 @@ stringData:
   password: <NATS Password>
 ```
 
+##### Ntfy
+
+When `.spec.type` is set to `ntfy`, the controller will publish the payload of
+an [Event](events.md#event-structure) to an [Ntfy topic](https://ntfy.sh/) provided in the
+[Channel](#channel) field, using the server specified in the [Address](#address) field.
+
+This Provider type can optionally use the [Secret reference](#secret-reference) to authenticate to the Ntfy server using [Username/Password](https://docs.ntfy.sh/publish/?h=username#username-password).
+The credentials must be specified in [the `username`](#username-example) and `password` fields of the Secret.
+Alternatively, you can also an [Access Token](https://docs.ntfy.sh/publish/?h=username#access-tokens) In this case the `token` should be provided through a
+Secret reference.
+
+###### Ntfy with Username/Password Credentials Example
+
+To configure a Provider for Ntfy authenticating with Username/Password, create a Secret with the
+`username` and `password` fields set, and add a `ntfy` Provider with the associated
+[Secret reference](#secret-reference).
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: ntfy-provider
+  namespace: desired-namespace
+spec:
+  type: ntfy
+  address: <Ntfy Server URL>
+  channel: <Ntfy topic>
+  secretRef:
+    name: ntfy-provider-creds
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ntfy-provider-creds
+  namespace: desired-namespace
+stringData:
+  username: <Ntfy Username>
+  password: <Ntfy Password>
+```
+
 ### Address
 
 `.spec.address` is an optional field that specifies the endpoint where the events are posted.

internal/notifier/factory.go

@@ -119,6 +119,8 @@ func (f Factory) Notifier(provider string) (Interface, error) {
 		n, err = NewDataDog(f.URL, f.ProxyURL, f.CertPool, f.Token)
 	case apiv1.NATSProvider:
 		n, err = NewNATS(f.URL, f.Channel, f.Username, f.Password)
+	case apiv1.NtfyProvider:
+		n, err = NewNtfy(f.URL, f.Channel, f.Token, f.Username, f.Password)
 	default:
 		err = fmt.Errorf("provider %s not supported", provider)
 	}

internal/notifier/ntfy.go

@@ -0,0 +1,121 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package notifier
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/url"
+	"strings"
+
+	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
+	"github.com/hashicorp/go-retryablehttp"
+)
+
+const (
+	NtfyTagInfo  = "information_source"
+	NtfyTagError = "rotating_light"
+)
+
+type Ntfy struct {
+	ServerURL string
+	Topic     string
+	Token     string
+	Username  string
+	Password  string
+}
+
+type NtfyMessage struct {
+	Topic   string   `json:"topic"`
+	Message string   `json:"message"`
+	Title   string   `json:"title"`
+	Tags    []string `json:"tags,omitempty"`
+}
+
+func NewNtfy(serverURL string, topic string, token string, username string, password string) (*Ntfy, error) {
+	_, err := url.ParseRequestURI(serverURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid Ntfy server URL %s: '%w'", serverURL, err)
+	}
+
+	if topic == "" {
+		return nil, errors.New("ntfy topic cannot be empty")
+	}
+
+	return &Ntfy{
+		ServerURL: serverURL,
+		Topic:     topic,
+		Token:     token,
+		Username:  username,
+		Password:  password,
+	}, nil
+}
+
+func (n *Ntfy) Post(ctx context.Context, event eventv1.Event) error {
+
+	// Skip Git commit status update event.
+	if event.HasMetadata(eventv1.MetaCommitStatusKey, eventv1.MetaCommitStatusUpdateValue) {
+		return nil
+	}
+
+	tags := make([]string, 0)
+
+	switch event.Severity {
+	case eventv1.EventSeverityInfo:
+		tags = append(tags, NtfyTagInfo)
+	case eventv1.EventSeverityError:
+		tags = append(tags, NtfyTagError)
+	}
+
+	payload := NtfyMessage{
+		Topic:   n.Topic,
+		Title:   fmt.Sprintf("FluxCD: %s", event.ReportingController),
+		Message: n.buildMessageFromEvent(event),
+		Tags:    tags,
+	}
+
+	err := postMessage(ctx, n.ServerURL, "", nil, payload, func(req *retryablehttp.Request) {
+		n.addAuthorizationHeader(req)
+	})
+
+	return err
+}
+
+func (n *Ntfy) addAuthorizationHeader(req *retryablehttp.Request) {
+	if n.Username != "" && n.Password != "" {
+		req.Header.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(n.Username, n.Password)))
+	} else if n.Token != "" {
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", n.Token))
+	}
+}
+
+func (n *Ntfy) buildMessageFromEvent(event eventv1.Event) string {
+	var messageBuilder strings.Builder
+
+	messageBuilder.WriteString(fmt.Sprintf("%s\n\n", event.Message))
+	messageBuilder.WriteString(fmt.Sprintf("Object: %s/%s.%s\n", event.InvolvedObject.Namespace, event.InvolvedObject.Name, event.InvolvedObject.Kind))
+
+	if event.Metadata != nil {
+		messageBuilder.WriteString("\nMetadata:\n")
+		for key, val := range event.Metadata {
+			messageBuilder.WriteString(fmt.Sprintf("%s: %s\n", key, val))
+		}
+	}
+
+	return messageBuilder.String()
+}

internal/notifier/ntfy_test.go

@@ -0,0 +1,93 @@
+package notifier
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewNtfy(t *testing.T) {
+	t.Run("default values", func(t *testing.T) {
+		n, err := NewNtfy("https://ntfy.sh", "my-topic", "token", "user", "pass")
+		assert.NoError(t, err)
+		assert.Equal(t, "https://ntfy.sh", n.ServerURL)
+		assert.Equal(t, "my-topic", n.Topic)
+		assert.Equal(t, "token", n.Token)
+		assert.Equal(t, "user", n.Username)
+		assert.Equal(t, "pass", n.Password)
+	})
+
+	t.Run("invalid URL", func(t *testing.T) {
+		_, err := NewNtfy("not a url", "my-topic", "", "", "")
+		assert.Contains(t, err.Error(), "invalid Ntfy server URL")
+	})
+
+	t.Run("empty topic", func(t *testing.T) {
+		_, err := NewNtfy("https://ntfy.sh", "", "", "", "")
+		assert.Equal(t, err.Error(), "ntfy topic cannot be empty")
+	})
+}
+
+func TestNtfy_Post(t *testing.T) {
+
+	t.Run("success", func(t *testing.T) {
+		evt := testEvent()
+
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			b, err := io.ReadAll(r.Body)
+			require.NoError(t, err)
+
+			var payload NtfyMessage
+			err = json.Unmarshal(b, &payload)
+			require.NoError(t, err)
+
+			assert.Equal(t, "my-topic", payload.Topic)
+			assert.Equal(t, "FluxCD: source-controller", payload.Title)
+			assert.Equal(t, []string{NtfyTagInfo}, payload.Tags)
+			assert.Equal(t, "message\n\nObject: gitops-system/webapp.GitRepository\n\nMetadata:\ntest: metadata\n", payload.Message)
+		}))
+		defer ts.Close()
+
+		ntfy, err := NewNtfy(ts.URL, "my-topic", "", "", "")
+		require.NoError(t, err)
+
+		err = ntfy.Post(context.Background(), evt)
+		require.NoError(t, err)
+	})
+
+	t.Run("basic authorization", func(t *testing.T) {
+		evt := testEvent()
+
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, r.Header.Get("Authorization"), "Basic YmFzaWMtdXNlcjpiYXNpYy1wYXNzd29yZA==")
+		}))
+		defer ts.Close()
+
+		ntfy, err := NewNtfy(ts.URL, "my-topic", "", "basic-user", "basic-password")
+		require.NoError(t, err)
+
+		err = ntfy.Post(context.Background(), evt)
+		require.NoError(t, err)
+	})
+
+	t.Run("access token", func(t *testing.T) {
+		evt := testEvent()
+
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, r.Header.Get("Authorization"), "Bearer access-token")
+		}))
+		defer ts.Close()
+
+		ntfy, err := NewNtfy(ts.URL, "my-topic", "access-token", "", "")
+		require.NoError(t, err)
+
+		err = ntfy.Post(context.Background(), evt)
+		require.NoError(t, err)
+	})
+}