[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenShift Jenkins - Anonymous Web-hooks



Seems like a reverse proxy is the way to go. I think I'll add one as a
sidecar to the Jenkins pod.

Thanks everyone for your quick responses!

Sean


On Sat, 9 Feb 2019 at 03:59, Marc Boorshtein <mboorshtein gmail com> wrote:
>
> I did something similar with a reverse proxy. The proxy embeds the token in the request to openshift.
>
> On Fri, Feb 8, 2019, 9:30 AM Gabe Montero <gmontero redhat com wrote:
>>
>> You need to provide a bearer token with sufficient permissions to all the OpenShift project(s) involved.
>>
>> A quick example on how to get such a token is at https://github.com/openshift/jenkins-openshift-login-plugin#non-browser-access
>> Apply what is done for the example curl invocation to the webhook config/invocation.
>>
>> And remember if your flow is spanning multiple projects, you'll need an SA with sufficient roles/permissions to each of those projects.
>>
>> On Fri, Feb 8, 2019 at 1:24 AM Samuel Martín Moro <faust64 gmail com> wrote:
>>>
>>> Hi,
>>>
>>> Using the generic webhook trigger plugin myself, while still relying on OpenShift authentication logging into Jenkins, I don't remember having anything like this.
>>> Although I can't explain why your plugin would refuse this, unless maybe something's wrong in Jenkins permissions matrix?
>>>
>>> As far as I've seen, generic triggers from a BuildConfig wouldn't allow for multi-branch jobs - or if they do, I'm still looking for a way to retrieve the triggering branch as a variable somewhere (note: that ruddra sample shows the buildconfig has a "ref: master", which would suggest it is not multi-branch capable).
>>> So far, Jenkins plugins was my next best solution, although not ideal.
>>>
>>>
>>> Anyway, you might be able to create a role - or clusterrole - and corresponding binding, with something like this (not tested)
>>>
>>> - apiVersion: rbac.authorization.k8s.io/v1
>>>   kind: ClusterRole
>>>   metadata:
>>>     name: bitbucket-jenkins-hook
>>>   rules:
>>>   - nonResourceURLs: [ "/bitbucket-scmsource-hook/*" ]
>>>     verbs: [ "get", "post" ]
>>>
>>> - apiVersion: rbac.authorization.k8s.io/v1
>>>   kind: ClusterRoleBinding
>>>   metadata:
>>>     name: bitbucket-jenkins-hook
>>>   roleRef:
>>>     apiGroup: rbac.authorization.k8s.io
>>>     kind: ClusterRole
>>>     name: bitbucket-jenkins-hook
>>>   subjects:
>>>   - apiGroup: rbac.authorization.k8s.io
>>>     kind: Group
>>>     name: system:unauthenticated
>>>   - apiGroup: rbac.authorization.k8s.io
>>>     kind: Group
>>>     name: system:authenticated
>>>
>>> (see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
>>>
>>>
>>>
>>> On Fri, Feb 8, 2019 at 7:14 AM Graham Dumpleton <gdumplet redhat com> wrote:
>>>>
>>>> I believe you should be using the web book URL from the pipeline build config.
>>>>
>>>> You can get them from the web console page for the pipeline.
>>>>
>>>> See:
>>>>
>>>> * https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
>>>>
>>>> Graham
>>>>
>>>> On 8 Feb 2019, at 5:03 pm, Sean Dawson <spdawson agiledigital com au> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have Jenkins running in an OpenShift cluster and I have a multi
>>>> branch job set up, with the source git repository residing in
>>>> Bitbucket server.
>>>>
>>>> I wan't to set up a web hook from Bitbucket Server to Jenkins to
>>>> trigger builds as soon as there are changes to the repo. In a vanilla
>>>> Jenkins installation you are able to simply post the updates to
>>>> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
>>>> article:
>>>>
>>>> https://support.cloudbees.com/hc/en-us/articles/115000053051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
>>>>
>>>> However, our Jenkins instance is the OpenShift version and uses
>>>> OpenShift to authenticate. When I try to post to this URL I get the
>>>> following error:
>>>>
>>>>    {
>>>>    "kind": "Status",
>>>>    "apiVersion": "v1",
>>>>    "metadata": {
>>>>
>>>>    },
>>>>    "status": "Failure",
>>>>    "message": "forbidden: User \"system:anonymous\" cannot post path
>>>> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>>>>    "reason": "Forbidden",
>>>>    "details": {
>>>>
>>>>    },
>>>>    "code": 403
>>>>    }
>>>>
>>>> Does anyone know of a way to allow the "system:anonymous" user to post
>>>> to that path?
>>>>
>>>> Thanks
>>>>
>>>> Sean
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> users lists openshift redhat com
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> users lists openshift redhat com
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>>
>>>
>>> --
>>> Samuel Martín Moro
>>> {EPITECH.} 2011
>>>
>>> "Nobody wants to say how this works.
>>>  Maybe nobody knows ..."
>>>                       Xorg.conf(5)
>>> _______________________________________________
>>> users mailing list
>>> users lists openshift redhat com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>> _______________________________________________
>> users mailing list
>> users lists openshift redhat com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]