Securing your webhooks


To secure your Source Control Management (SCM) provider integration and allow CloudBees Previews to verify the authenticity of the webhook data, you should configure a webhook secret. This procedure is optional, but recommended.

You configure a webhook secret in two places: your SCM and CloudBees Previews.

First, you need a random string with high entropy, which serves as a secret. You can create such a string, for example, using:

Creating a random string for use as a webhook secret
$ openssl rand -base64 20
mJHHic0/MLn4TOCop28aBFfAvps=

You must add this secret to the webhook configuration in your SCM. For GitHub, the GitHub documentation page "Securing your webhooks" describes how to configure the secret.

You also must configure the secret in CloudBees Previews. You can create a new Kubernetes Secret containing the webhook secret, similar to creating the API token secret:

Creating Kubernetes Secret for webhook secret
kubectl create secret generic acme-webhook-secret --from-literal=secret='<generated-random-string-secret>'

You then add a reference to this secret to the GitRepository CR for the repository:

GitRepository CR with a webhook secret.
kubectl apply -f - <<EOF
apiVersion: environment.cloudbees.com/v1alpha1
kind: GitRepository
metadata:
  name: acme-web
spec:
  url: https://github.com/acme/acme-web.git
  apiTokenSecretRef:
    name: acme-github-token
  webhookSecretRef:
    name: acme-webhook-secret                # (1)
EOF

(1) Reference to a Secret name containing the webhook secret. This value is optional.
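
What the shared secret enables on the receiving side, as an added example (not CloudBees Previews' own code): GitHub signs the raw body of each delivery with HMAC-SHA256 keyed by the secret and sends the result in the `X-Hub-Signature-256` header, and the receiver recomputes and compares it. The function names, secret and payload below are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Hub-Signature-256"  # set by GitHub when a secret is configured
PREFIX = "sha256="


def sign(secret: str, body: bytes) -> str:
    """Return the header value a sender computes over the raw request body."""
    # The secret string is used as-is as the HMAC key (it is not base64-decoded).
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return PREFIX + digest


def verify(secret: str, body: bytes, headers: dict) -> bool:
    """Accept a delivery only if its signature matches the shared secret."""
    # HTTP header names are case-insensitive, so match without regard to case.
    received = next((value for name, value in headers.items()
                     if name.lower() == SIGNATURE_HEADER.lower()), None)
    if not received or not received.startswith(PREFIX):
        return False  # unsigned or unknown scheme: reject, never fall back
    expected = sign(secret, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


if __name__ == "__main__":
    secret = "constructed-example-secret"      # constructed, not a real secret
    body = b'{"action":"opened","number":1}'   # constructed sample payload
    headers = {SIGNATURE_HEADER: sign(secret, body)}
    print("genuine delivery:", verify(secret, body, headers))
    print("tampered body:   ", verify(secret, body + b" ", headers))
    print("no signature:    ", verify(secret, body, {}))
```

The signature covers the exact bytes received, so verification must run on the raw request body before any JSON parsing or re-serialization.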