docs(ex04): add optional git webhook trigger flow

docs/04-tekton-pipeline.md

@@ -362,6 +362,194 @@ De naam van een PipelineRun moet uniek zijn:
 
 ---
 
+## Bonus: triggeren via Git webhook (optioneel)
+
+Wil je dat Tekton automatisch runt bij een `git push`?
+Dan gebruik je **Tekton Triggers** met een webhook endpoint.
+
+Als je **GitHub** gebruikt, kun je onderstaande manifests direct volgen.
+Gebruik je GitLab/Gitea/Bitbucket, dan blijft het patroon hetzelfde maar de interceptor/payload-mapping kan verschillen.
+
+### 1. Triggers resources toevoegen
+
+**`manifests/ci/triggers/kustomization.yaml`**
+
+```yaml
+resources:
+  - https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
+  - https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
+  - triggerbinding.yaml
+  - triggertemplate.yaml
+  - eventlistener.yaml
+  - ingress.yaml
+```
+
+**`manifests/ci/triggers/triggerbinding.yaml`**
+
+```yaml
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+  name: github-push-binding
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: repo-url
+      value: $(body.repository.clone_url)
+```
+
+**`manifests/ci/triggers/triggertemplate.yaml`**
+
+```yaml
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: github-push-template
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: repo-url
+      default: https://github.com/JOUW_USERNAME/JOUW_REPO.git
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1
+      kind: PipelineRun
+      metadata:
+        generateName: webhook-bump-
+        namespace: tekton-pipelines
+      spec:
+        pipelineRef:
+          name: gitops-image-bump
+        taskRunTemplate:
+          serviceAccountName: pipeline-runner
+        params:
+          - name: repo-url
+            value: $(tt.params.repo-url)
+          - name: new-tag
+            value: "6.7.0"
+          - name: git-user-name
+            value: "Workshop Pipeline"
+          - name: git-user-email
+            value: "pipeline@workshop.local"
+        workspaces:
+          - name: source
+            volumeClaimTemplate:
+              spec:
+                accessModes: [ReadWriteOnce]
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: git-credentials
+            secret:
+              secretName: git-credentials
+```
+
+**`manifests/ci/triggers/eventlistener.yaml`**
+
+```yaml
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: github-push-listener
+  namespace: tekton-pipelines
+spec:
+  serviceAccountName: pipeline-runner
+  triggers:
+    - name: on-push
+      interceptors:
+        - ref:
+            name: github
+          params:
+            - name: secretRef
+              value:
+                secretName: github-webhook-secret
+                secretKey: secretToken
+            - name: eventTypes
+              value:
+                - push
+      bindings:
+        - ref: github-push-binding
+      template:
+        ref: github-push-template
+```
+
+**`manifests/ci/triggers/ingress.yaml`**
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tekton-triggers
+  namespace: tekton-pipelines
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: tekton-webhook.192.168.56.200.nip.io
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: el-github-push-listener
+                port:
+                  number: 8080
+```
+
+**`apps/ci/tekton-triggers.yaml`**
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-triggers
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "8"
+spec:
+  project: workshop
+  source:
+    repoURL: JOUW_FORK_URL
+    targetRevision: HEAD
+    path: manifests/ci/triggers
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tekton-pipelines
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+```
+
+> **HOST**
+> ```bash
+> git add apps/ci/tekton-triggers.yaml manifests/ci/triggers/
+> git commit -m "feat: voeg Tekton Triggers webhook flow toe"
+> git push
+> ```
+
+### 2. Webhook secret zetten
+
+> **VM**
+> ```bash
+> kubectl -n tekton-pipelines create secret generic github-webhook-secret \
+>   --from-literal=secretToken='kies-een-sterke-random-string' \
+>   --dry-run=client -o yaml | kubectl apply -f -
+> ```
+
+### 3. GitHub webhook registreren
+
+- In GitHub: **Settings → Webhooks → Add webhook**
+- Payload URL: `http://tekton-webhook.192.168.56.200.nip.io`
+- Content type: `application/json`
+- Secret: dezelfde waarde als `secretToken`
+- Event: **Just the push event**
+
+Daarna maakt elke push een nieuwe `PipelineRun` aan.
+
+---
+
 ## Probleemoplossing
 
 | Symptoom                                | Oplossing                                                                                              |
@@ -372,6 +560,7 @@ De naam van een PipelineRun moet uniek zijn:
 | ArgoCD synchroniseert niet              | Klik **Refresh** in de UI                                                                              |
 | `root` blijft OutOfSync op app `tekton` | Verwijder de lege `kustomize: {}` uit `apps/ci/tekton.yaml` (Argo normaliseert deze weg in live state) |
 | Tekton Dashboard toont standaard Nginx/404 | Controleer `apps/ci/tekton-dashboard.yaml` en `manifests/ci/dashboard/ingress.yaml` host/service/poort |
+| Webhook maakt geen PipelineRun aan      | Check `kubectl get eventlistener -n tekton-pipelines` en controleer GitHub webhook URL/secret/eventtype |
 
 ---