To secure your Source Control Management (SCM) provider integration and allow CloudBees Previews to verify the authenticity of the webhook data, you should configure a webhook secret. This procedure is optional, but recommended.
You configure a webhook secret in two places: your SCM and CloudBees Previews.
First, you need a random string with high entropy, which serves as a secret. You can create such a string, for example, using:
$ openssl rand -base64 20 mJHHic0/MLn4TOCop28aBFfAvps=
You must add this secret to the webhook configuration in your SCM. GitHub’s Securing your webhooks describes how you configure the secret for GitHub.
You also must configure the secret in CloudBees Previews. You can create a new Kubernetes Secret containing the webhook secret, similar to creating the API token secret:
kubectl create secret generic acme-webhook-secret --from-literal=secret='<generated-random-string-secret>'
You then add a reference to this secret to the GitRepository CR for the repository:
kubectl apply -f - <<EOF apiVersion: environment.cloudbees.com/v1alpha1 kind: GitRepository metadata: name: acme-web spec: url: https://github.com/acme/acme-web.git apiTokenSecretRef: name: acme-github-token webhookSecretRef: name: acme-webhook-secret (1) EOF
1 | Reference to a Secret name containing the webhook secret. This value is optional. |