Re: OpenShift Jenkins - Anonymous Web-hooks

2019-02-08 Thread Marc Boorshtein 
I did something similar with a reverse proxy. The proxy embeds the token in
the request to openshift.

On Fri, Feb 8, 2019, 9:30 AM Gabe Montero  You need to provide a bearer token with sufficient permissions to all the
> OpenShift project(s) involved.
>
> A quick example on how to get such a token is at
> https://github.com/openshift/jenkins-openshift-login-plugin#non-browser-access
> Apply what is done for the example curl invocation to the webhook
> config/invocation.
>
> And remember if your flow is spanning multiple projects, you'll need an SA
> with sufficient roles/permissions to each of those projects.
>
> On Fri, Feb 8, 2019 at 1:24 AM Samuel Martín Moro 
> wrote:
>
>> Hi,
>>
>> Using the generic webhook trigger plugin myself, while still relying on
>> OpenShift authentication logging into Jenkins, I don't remember having
>> anything like this.
>> Although I can't explain why your plugin would refuse this, unless maybe
>> something's wrong in Jenkins permissions matrix?
>>
>> As far as I've seen, generic triggers from a BuildConfig wouldn't allow
>> for multi-branch jobs - or if they do, I'm still looking for a way to
>> retrieve the triggering branch as a variable somewhere (note: that ruddra
>> sample shows the buildconfig has a "ref: master", which would suggest it is
>> not multi-branch capable).
>> So far, Jenkins plugins was my next best solution, although not ideal.
>>
>>
>> Anyway, you might be able to create a role - or clusterrole - and
>> corresponding binding, with something like this (not tested)
>>
>> - apiVersion: rbac.authorization.k8s.io/v1
>>   kind: ClusterRole
>>   metadata:
>> name: bitbucket-jenkins-hook
>>   rules:
>>   - nonResourceURLs: [ "/bitbucket-scmsource-hook/*" ]
>> verbs: [ "get", "post" ]
>>
>> - apiVersion: rbac.authorization.k8s.io/v1
>>   kind: ClusterRoleBinding
>>   metadata:
>> name: bitbucket-jenkins-hook
>>   roleRef:
>> apiGroup: rbac.authorization.k8s.io
>> kind: ClusterRole
>> name: bitbucket-jenkins-hook
>>   subjects:
>>   - apiGroup: rbac.authorization.k8s.io
>> kind: Group
>> name: system:unauthenticated
>>   - apiGroup: rbac.authorization.k8s.io
>> kind: Group
>> name: system:authenticated
>>
>> (see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
>>
>>
>>
>> On Fri, Feb 8, 2019 at 7:14 AM Graham Dumpleton 
>> wrote:
>>
>>> I believe you should be using the web book URL from the pipeline build
>>> config.
>>>
>>> You can get them from the web console page for the pipeline.
>>>
>>> See:
>>>
>>> *
>>> https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
>>>
>>> Graham
>>>
>>> On 8 Feb 2019, at 5:03 pm, Sean Dawson 
>>> wrote:
>>>
>>> Hi,
>>>
>>> I have Jenkins running in an OpenShift cluster and I have a multi
>>> branch job set up, with the source git repository residing in
>>> Bitbucket server.
>>>
>>> I wan't to set up a web hook from Bitbucket Server to Jenkins to
>>> trigger builds as soon as there are changes to the repo. In a vanilla
>>> Jenkins installation you are able to simply post the updates to
>>> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
>>> article:
>>>
>>>
>>> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
>>>
>>> However, our Jenkins instance is the OpenShift version and uses
>>> OpenShift to authenticate. When I try to post to this URL I get the
>>> following error:
>>>
>>>{
>>>"kind": "Status",
>>>"apiVersion": "v1",
>>>"metadata": {
>>>
>>>},
>>>"status": "Failure",
>>>"message": "forbidden: User \"system:anonymous\" cannot post path
>>> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>>>"reason": "Forbidden",
>>>"details": {
>>>
>>>},
>>>"code": 403
>>>}
>>>
>>> Does anyone know of a way to allow the "system:anonymous" user to post
>>> to that path?
>>>
>>> Thanks
>>>
>>> Sean
>>>
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>>
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>
>>
>> --
>> Samuel Martín Moro
>> {EPITECH.} 2011
>>
>> "Nobody wants to say how this works.
>>  Maybe nobody knows ..."
>>   Xorg.conf(5)
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com

Re: OpenShift Jenkins - Anonymous Web-hooks

2019-02-08 Thread Gabe Montero 
You need to provide a bearer token with sufficient permissions to all the
OpenShift project(s) involved.

A quick example on how to get such a token is at
https://github.com/openshift/jenkins-openshift-login-plugin#non-browser-access
Apply what is done for the example curl invocation to the webhook
config/invocation.

And remember if your flow is spanning multiple projects, you'll need an SA
with sufficient roles/permissions to each of those projects.

On Fri, Feb 8, 2019 at 1:24 AM Samuel Martín Moro  wrote:

> Hi,
>
> Using the generic webhook trigger plugin myself, while still relying on
> OpenShift authentication logging into Jenkins, I don't remember having
> anything like this.
> Although I can't explain why your plugin would refuse this, unless maybe
> something's wrong in Jenkins permissions matrix?
>
> As far as I've seen, generic triggers from a BuildConfig wouldn't allow
> for multi-branch jobs - or if they do, I'm still looking for a way to
> retrieve the triggering branch as a variable somewhere (note: that ruddra
> sample shows the buildconfig has a "ref: master", which would suggest it is
> not multi-branch capable).
> So far, Jenkins plugins was my next best solution, although not ideal.
>
>
> Anyway, you might be able to create a role - or clusterrole - and
> corresponding binding, with something like this (not tested)
>
> - apiVersion: rbac.authorization.k8s.io/v1
>   kind: ClusterRole
>   metadata:
> name: bitbucket-jenkins-hook
>   rules:
>   - nonResourceURLs: [ "/bitbucket-scmsource-hook/*" ]
> verbs: [ "get", "post" ]
>
> - apiVersion: rbac.authorization.k8s.io/v1
>   kind: ClusterRoleBinding
>   metadata:
> name: bitbucket-jenkins-hook
>   roleRef:
> apiGroup: rbac.authorization.k8s.io
> kind: ClusterRole
> name: bitbucket-jenkins-hook
>   subjects:
>   - apiGroup: rbac.authorization.k8s.io
> kind: Group
> name: system:unauthenticated
>   - apiGroup: rbac.authorization.k8s.io
> kind: Group
> name: system:authenticated
>
> (see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
>
>
>
> On Fri, Feb 8, 2019 at 7:14 AM Graham Dumpleton 
> wrote:
>
>> I believe you should be using the web book URL from the pipeline build
>> config.
>>
>> You can get them from the web console page for the pipeline.
>>
>> See:
>>
>> *
>> https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
>>
>> Graham
>>
>> On 8 Feb 2019, at 5:03 pm, Sean Dawson 
>> wrote:
>>
>> Hi,
>>
>> I have Jenkins running in an OpenShift cluster and I have a multi
>> branch job set up, with the source git repository residing in
>> Bitbucket server.
>>
>> I wan't to set up a web hook from Bitbucket Server to Jenkins to
>> trigger builds as soon as there are changes to the repo. In a vanilla
>> Jenkins installation you are able to simply post the updates to
>> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
>> article:
>>
>>
>> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
>>
>> However, our Jenkins instance is the OpenShift version and uses
>> OpenShift to authenticate. When I try to post to this URL I get the
>> following error:
>>
>>{
>>"kind": "Status",
>>"apiVersion": "v1",
>>"metadata": {
>>
>>},
>>"status": "Failure",
>>"message": "forbidden: User \"system:anonymous\" cannot post path
>> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>>"reason": "Forbidden",
>>"details": {
>>
>>},
>>"code": 403
>>}
>>
>> Does anyone know of a way to allow the "system:anonymous" user to post
>> to that path?
>>
>> Thanks
>>
>> Sean
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
> --
> Samuel Martín Moro
> {EPITECH.} 2011
>
> "Nobody wants to say how this works.
>  Maybe nobody knows ..."
>   Xorg.conf(5)
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: OpenShift Jenkins - Anonymous Web-hooks

2019-02-07 Thread Samuel Martín Moro 
Hi,

Using the generic webhook trigger plugin myself, while still relying on
OpenShift authentication logging into Jenkins, I don't remember having
anything like this.
Although I can't explain why your plugin would refuse this, unless maybe
something's wrong in Jenkins permissions matrix?

As far as I've seen, generic triggers from a BuildConfig wouldn't allow for
multi-branch jobs - or if they do, I'm still looking for a way to retrieve
the triggering branch as a variable somewhere (note: that ruddra sample
shows the buildconfig has a "ref: master", which would suggest it is not
multi-branch capable).
So far, Jenkins plugins was my next best solution, although not ideal.


Anyway, you might be able to create a role - or clusterrole - and
corresponding binding, with something like this (not tested)

- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
name: bitbucket-jenkins-hook
  rules:
  - nonResourceURLs: [ "/bitbucket-scmsource-hook/*" ]
verbs: [ "get", "post" ]

- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
name: bitbucket-jenkins-hook
  roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: bitbucket-jenkins-hook
  subjects:
  - apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
  - apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated

(see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/)



On Fri, Feb 8, 2019 at 7:14 AM Graham Dumpleton  wrote:

> I believe you should be using the web book URL from the pipeline build
> config.
>
> You can get them from the web console page for the pipeline.
>
> See:
>
> *
> https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
>
> Graham
>
> On 8 Feb 2019, at 5:03 pm, Sean Dawson 
> wrote:
>
> Hi,
>
> I have Jenkins running in an OpenShift cluster and I have a multi
> branch job set up, with the source git repository residing in
> Bitbucket server.
>
> I wan't to set up a web hook from Bitbucket Server to Jenkins to
> trigger builds as soon as there are changes to the repo. In a vanilla
> Jenkins installation you are able to simply post the updates to
> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
> article:
>
>
> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
>
> However, our Jenkins instance is the OpenShift version and uses
> OpenShift to authenticate. When I try to post to this URL I get the
> following error:
>
>{
>"kind": "Status",
>"apiVersion": "v1",
>"metadata": {
>
>},
>"status": "Failure",
>"message": "forbidden: User \"system:anonymous\" cannot post path
> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>"reason": "Forbidden",
>"details": {
>
>},
>"code": 403
>}
>
> Does anyone know of a way to allow the "system:anonymous" user to post
> to that path?
>
> Thanks
>
> Sean
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>


-- 
Samuel Martín Moro
{EPITECH.} 2011

"Nobody wants to say how this works.
 Maybe nobody knows ..."
  Xorg.conf(5)
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: OpenShift Jenkins - Anonymous Web-hooks

2019-02-07 Thread Sean Dawson 
Hi Graham,

We don't use any OpenShift build configs so unfortunately that won't
work for us.

The builds are orchestrated completely by Jenkins so the webhook has
to be posted to Jenkins itself, not OpenShift.

Thanks,

Sean




On Fri, 8 Feb 2019 at 17:14, Graham Dumpleton  wrote:
>
> I believe you should be using the web book URL from the pipeline build config.
>
> You can get them from the web console page for the pipeline.
>
> See:
>
> * 
> https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
>
> Graham
>
> On 8 Feb 2019, at 5:03 pm, Sean Dawson  wrote:
>
> Hi,
>
> I have Jenkins running in an OpenShift cluster and I have a multi
> branch job set up, with the source git repository residing in
> Bitbucket server.
>
> I wan't to set up a web hook from Bitbucket Server to Jenkins to
> trigger builds as soon as there are changes to the repo. In a vanilla
> Jenkins installation you are able to simply post the updates to
> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
> article:
>
> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
>
> However, our Jenkins instance is the OpenShift version and uses
> OpenShift to authenticate. When I try to post to this URL I get the
> following error:
>
>{
>"kind": "Status",
>"apiVersion": "v1",
>"metadata": {
>
>},
>"status": "Failure",
>"message": "forbidden: User \"system:anonymous\" cannot post path
> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>"reason": "Forbidden",
>"details": {
>
>},
>"code": 403
>}
>
> Does anyone know of a way to allow the "system:anonymous" user to post
> to that path?
>
> Thanks
>
> Sean
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: OpenShift Jenkins - Anonymous Web-hooks

2019-02-07 Thread Graham Dumpleton 
I believe you should be using the web book URL from the pipeline build config.

You can get them from the web console page for the pipeline.

See:

* 
https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
 


Graham

> On 8 Feb 2019, at 5:03 pm, Sean Dawson  wrote:
> 
> Hi,
> 
> I have Jenkins running in an OpenShift cluster and I have a multi
> branch job set up, with the source git repository residing in
> Bitbucket server.
> 
> I wan't to set up a web hook from Bitbucket Server to Jenkins to
> trigger builds as soon as there are changes to the repo. In a vanilla
> Jenkins installation you are able to simply post the updates to
> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
> article:
> 
> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
> 
> However, our Jenkins instance is the OpenShift version and uses
> OpenShift to authenticate. When I try to post to this URL I get the
> following error:
> 
>{
>"kind": "Status",
>"apiVersion": "v1",
>"metadata": {
> 
>},
>"status": "Failure",
>"message": "forbidden: User \"system:anonymous\" cannot post path
> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>"reason": "Forbidden",
>"details": {
> 
>},
>"code": 403
>}
> 
> Does anyone know of a way to allow the "system:anonymous" user to post
> to that path?
> 
> Thanks
> 
> Sean
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

OpenShift Jenkins - Anonymous Web-hooks

2019-02-07 Thread Sean Dawson 
Hi,

I have Jenkins running in an OpenShift cluster and I have a multi
branch job set up, with the source git repository residing in
Bitbucket server.

I wan't to set up a web hook from Bitbucket Server to Jenkins to
trigger builds as soon as there are changes to the repo. In a vanilla
Jenkins installation you are able to simply post the updates to
"${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
article:

https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver

However, our Jenkins instance is the OpenShift version and uses
OpenShift to authenticate. When I try to post to this URL I get the
following error:

{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot post path
\"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
"reason": "Forbidden",
"details": {

},
"code": 403
}

Does anyone know of a way to allow the "system:anonymous" user to post
to that path?

Thanks

Sean

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users