Chapter 7. Creating a secret for a webhook

Procedure

1. Create a Base64-encoded secret string.

   For example:

   echo -n "qwerty" | base64

   The preceding command encodes a plain-text string, qwerty, and displays the encoded string.

   For example:

   cXdlcnR5

2. Create a secret.yaml file that defines an object of kind Secret.

   For example:

   kind: Secret
   apiVersion: v1
   metadata:
     name: jws-secret
   data:
     WebHookSecretKey: cXdlcnR5

   In the preceding example, jws-secret is the name of the secret and cXdlcnR5 is the encoded secret string.

3. To create the secret, enter the following command:

   oc create -f secret.yaml

   The preceding command displays a message to confirm that the secret is created.

   For example:

   secret/jws-secret created

   Based on the preceding example, you can set the webhookSecrets:generic parameter to jws-secret.

Verification

1. Get the URL for the webhook:

   oc describe BuildConfig | grep webhooks

   The preceding command generates the webhook URL in the following format:

   https://<host>:<port>/apis/build.openshift.io/v1/namespaces/<namespace>/buildconfigs/<name>/webhooks/<secret>/generic

2. To send a request to the webhook, enter the following curl command:

   curl -k -X POST https://<host>:<port>/apis/build.openshift.io/v1/namespaces/<namespace>/buildconfigs/<name>/webhooks/<secret>/generic

   In the preceding command, replace <host>, <port>, <namespace>, and <name> in the URL string with values that are appropriate for your environment. Replace <secret> with the plain-text secret string (for example, qwerty).

   The preceding command generates the following type of webhook response in JSON format and the build is triggered:

   {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"test-2","namespace":"jfc","selfLink":"/apis/build.openshift.io/v1/namespaces/jfc/buildconfigs/test-2/instantiate","uid":"a72dd529-edc6-4e1c-898e-7c0dbbea176e","resourceVersion":"846159","creationTimestamp":"2020-10-30T12:29:30Z","labels":{"application":"test","buildconfig":"test","openshift.io/build-config.name":"test","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"test","openshift.io/build.number":"2"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"test","uid":"1f78fa3f-2f3b-421b-9f49-192184cc2280","controller":true}],"managedFields":[{"manager":"openshift-apiserver","operation":"Update","apiVersion":"build.openshift.io/v1","time":"2020-10-30T12:29:30Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:openshift.io/build-config.name":{},"f:openshift.io/build.number":{}},"f:labels":{".":{},"f:application":{},"f:buildconfig":{},"f:openshift.io/build-config.name":{},"f:openshift.io/build.start-policy":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"1f78fa3f-2f3b-421b-9f49-192184cc2280\"}":{".":{},"f:apiVersion":{},"f:controller":{},"f:kind":{},"f:name":{},"f:uid":{}}}},"f:spec":{"f:output":{"f:to":{".":{},"f:kind":{},"f:name":{}}},"f:serviceAccount":{},"f:source":{"f:contextDir":{},"f:git":{".":{},"f:ref":{},"f:uri":{}},"f:type":{}},"f:strategy":{"f:sourceStrategy":{".":{},"f:env":{},"f:forcePull":{},"f:from":{".":{},"f:kind":{},"f:name":{}},"f:pullSecret":{".":{},"f:name":{}}},"f:type":{}},"f:triggeredBy":{}},"f:status":{"f:conditions":{".":{},"k:{\"type\":\"New\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:status":{},"f:type":{}}},"f:config":{".":{},"f:kind":{},"f:name":{},"f:namespace":{}},"f:phase":{}}}}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jfclere/demo-webapp.git","ref":"master"},"contextDir":"/"},"strategy":{"type":"Source","sourceStrategy":{"from":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jfc/jboss-webserver54-tomcat9-openshift@sha256:75dcdf81011e113b8c8d0a40af32dc705851243baa13b68352706154174319e7"},"pullSecret":{"name":"builder-dockercfg-rvbh8"},"env":[{"name":"MAVEN_MIRROR_URL"},{"name":"ARTIFACT_DIR"}],"forcePull":true}},"output":{"to":{"kind":"ImageStreamTag","name":"test:latest"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Generic WebHook","genericWebHook":{"secret":"\u003csecret\u003e"}}]},"status":{"phase":"New","config":{"kind":"BuildConfig","namespace":"jfc","name":"test"},"output":{},"conditions":[{"type":"New","status":"True","lastUpdateTime":"2020-10-30T12:29:30Z","lastTransitionTime":"2020-10-30T12:29:30Z"}]}}
   {
     "kind": "Status",
     "apiVersion": "v1",
     "metadata": {},
     "status": "Success",
     "message": "invalid Content-Type on payload, ignoring payload and continuing with build",
     "code": 200
   }

   Note

   If a User "system:anonymous" cannot create resource error results, you can resolve this error either by adding unauthenticated users to the system:webhook role binding or by creating a token and running the curl command.

   For example, to create a token and run the curl command:

   TOKEN=`oc create token builder`
   
   curl -H "Authorization: Bearer $TOKEN" -k -X POST https://<host>:<port>/apis/build.openshift.io/v1/namespaces/<namespace>/buildconfigs/<name>/webhooks/<secret>/generic

3. If you want to use the webhook in GitHub:

   1. In your GitHub project, select Settings > Webhooks > Add webhook.
   2. In the Payload URL field, add the URL.
   3. Set the content type to application/json.
   4. Disable SSL verification, if necessary.
   5. Click Add webhook.

   For more information, see https://docs.openshift.com/container-platform/4.6/builds/triggering-builds-build-hooks.html.