New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement: Add API key support to Spinnaker webhook endpoints #3777
Comments
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
Are webhook
|
Sort of, and I've kind of faked it this way on a small scale. But the problem with doing it this way is it's set on a per-pipeline level rather than a webhook level. Let's say your webhook alerts Spinnaker of a new container image. The container registry - a single source - raises the event with Spinnaker. Maybe you have 10 pipelines and the pipeline constraints filter which pipeline kicks off. If the API key is part of the payload constraints then:
The idea here is that the API key would be set at the webhook level and hidden along with other passwords. Pipelines could stay focused on the things that matter to the pipeline and service connections with the related security could be managed separately. |
It would also be nice from a display perspective. Manual triggers of pipelines show the user who started them, but from a webhook it just shows a big old "[anonymous] (unknown user)". Would be really nice to see it come from a service-user we setup. |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:
|
@spinnakerbot remove-label to-be-closed |
This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:
|
@spinnakerbot remove-label to-be-closed |
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
@spinnakerbot remove-label stale |
Saw this get merged which would enable use of x509 or basic auth authentication of webhook endpoint. |
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
|
This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:
|
This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:
|
This issue is tagged as 'to-be-closed' and hasn't been updated in 45 days, so we are closing it. You can always reopen this issue if needed. |
When hosting Spinnaker in a cloud environment it's easy enough to add authentication to the UI and API... but the webhook endpoint
https://spinnaker-api/webhooks/webhook/sourcename
is anonymously accessible.It'd be nice if, like with Slack webhooks, you could set it so calls to the webhook endpoint would require some sort of API key, perhaps in the query string. This would help reduce risk that malicious users could flood pipelines with repeated fake webhook payloads.
The text was updated successfully, but these errors were encountered: