Enhancement: Add API key support to Spinnaker webhook endpoints #3777

Closed
tillig opened this issue Dec 20, 2018 · 46 comments

Comments

@tillig

tillig commented Dec 20, 2018

When hosting Spinnaker in a cloud environment it's easy enough to add authentication to the UI and API... but the webhook endpoint https://spinnaker-api/webhooks/webhook/sourcename is anonymously accessible.

It'd be nice if, like with Slack webhooks, you could set it so calls to the webhook endpoint would require some sort of API key, perhaps in the query string. This would help reduce risk that malicious users could flood pipelines with repeated fake webhook payloads.

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented Feb 3, 2019

@spinnakerbot remove-label stale

@spinnakerbot spinnakerbot removed the stale label Feb 3, 2019
@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented Mar 20, 2019

@spinnakerbot remove-label stale

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented May 4, 2019

@spinnakerbot remove-label stale

@spinnakerbot spinnakerbot removed the stale label May 4, 2019
@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented Jun 18, 2019

@spinnakerbot remove-label stale

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented Aug 3, 2019

@spinnakerbot remove-label stale

@spinnakerbot spinnakerbot removed the stale label Aug 3, 2019
@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@tillig
Author

tillig commented Sep 17, 2019

@spinnakerbot remove-label stale

@error418

Are webhook Payload Constraints not the feature you are looking for?

When provided, only a webhook with a payload containing at least the specified key/value pairs will be allowed to trigger this pipeline. For example, if you wanted to lock down the systems/users that can trigger this pipeline via this webhook, you could require the key "secret" and value "something-secret" as a constraint.

The constraint values may be supplied as regex.

@tillig
Author

tillig commented Sep 23, 2019

Sort of, and I've kind of faked it this way on a small scale. But the problem with doing it this way is it's set on a per-pipeline level rather than a webhook level.

Let's say your webhook alerts Spinnaker of a new container image. The container registry - a single source - raises the event with Spinnaker. Maybe you have 10 pipelines and the pipeline constraints filter which pipeline kicks off.

If the API key is part of the payload constraints then:

  • Every pipeline that uses the webhook has to know about the key - key management becomes a problem.
  • Anyone with read access to the pipeline can see the key - secrecy is a problem.

The idea here is that the API key would be set at the webhook level and hidden along with other passwords. Pipelines could stay focused on the things that matter to the pipeline and service connections with the related security could be managed separately.
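An added example (not Spinnaker's or Gate's code) contrasting the two gates discussed above: the per-pipeline payload constraints error418 quotes, where the secret is a literal that every pipeline definition must carry, and the webhook-level key tillig asks for, checked once at the endpoint against a value stored with the webhook configuration. The header name X-Webhook-Key, the constant-time comparison and full-value regex matching are assumptions of this example, not documented Spinnaker behaviour.

```python
import hmac
import re
from typing import Dict, Optional, Tuple

def payload_matches_constraints(payload: Dict[str, str], constraints: Dict[str, str]) -> bool:
    """Per-pipeline gate: every constrained key must be present and its value must
    match the configured regex. Matching the whole value is an assumption here;
    extra payload keys are ignored, as in the docs quoted above."""
    for key, pattern in constraints.items():
        value = payload.get(key)
        if not isinstance(value, str) or re.fullmatch(pattern, value) is None:
            return False
    return True

def webhook_key_accepted(presented: Optional[str], expected: str) -> bool:
    """Webhook-level gate: constant-time comparison, so the response time of a
    rejected request does not reveal how much of the key was correct."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

def accept_request(request: dict, constraints: Dict[str, str], expected_key: str) -> Tuple[bool, str]:
    """Apply the webhook gate first, then the pipeline gate, and report which one
    rejected. expected_key comes from the webhook's own configuration (a secret
    store or environment variable), never from a pipeline definition."""
    if not webhook_key_accepted(request["headers"].get("X-Webhook-Key"), expected_key):
        return False, "rejected at webhook: bad or missing key"
    if not payload_matches_constraints(request["body"], constraints):
        return False, "rejected at pipeline: payload constraints not met"
    return True, "accepted"

# Constructed request as the endpoint would see it: the key travels in the
# assumed X-Webhook-Key header, the registry event in the body.
SAMPLE_REQUEST = {
    "headers": {"X-Webhook-Key": "constructed-key-123"},
    "body": {"repository": "registry.example.com/team/app", "tag": "1.2.3"},
}
# The "faked" approach: the secret is a literal inside every pipeline that uses
# the webhook, so anyone who can read the pipeline can read the secret.
CONSTRAINTS_WITH_SECRET = {"repository": r"registry\.example\.com/team/.*", "secret": "something-secret"}
# Once the key moves to the webhook, the pipeline only filters which events it wants.
CONSTRAINTS_WITHOUT_SECRET = {"repository": r"registry\.example\.com/team/.*"}
```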

@mrusinak

mrusinak commented Sep 24, 2019

It would also be nice from a display perspective.

Manual triggers of pipelines show the user who started them, but from a webhook it just shows a big old "[anonymous] (unknown user)". Would be really nice to see it come from a service user we set up.

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@spinnakerbot

This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@iiro

iiro commented Nov 2, 2020

@spinnakerbot remove-label to-be-closed

@spinnakerbot

This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@tillig
Author

tillig commented Dec 17, 2020

@spinnakerbot remove-label to-be-closed

@tillig
Author

tillig commented Dec 17, 2020

@spinnakerbot remove-label stale

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@snalvi

snalvi commented Jan 31, 2021

@spinnakerbot remove-label stale

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@iniinikoski

@spinnakerbot remove-label stale

@karlskewes
Contributor

Saw this get merged, which would enable use of x509 or basic auth authentication of the webhook endpoint.
Thanks to @mochacat
spinnaker/gate#1451

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@spinnakerbot

This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@spinnakerbot

This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@spinnakerbot

This issue is tagged as 'to-be-closed' and hasn't been updated in 45 days, so we are closing it. You can always reopen this issue if needed.
