Generic WebHook
What is "Generic WebHook" Hook about?
Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace which is capable of sending scan results containing findings to a given webhook url.
Deployment
The generic-webhook chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install generic-webhook secureCodeBox/generic-webhook
Requirements
Kubernetes: >=v1.11.0-0
Additional Chart Configurations
The webhook URL is set as follows:
helm upgrade --install generic-webhook secureCodeBox/generic-webhook \
--set="webhookUrl=http://http-webhook/hello-world"
Two authentication methods exist for the Generic WebHook Hook. You can either use Basic authentication or API authentication. The authentication method is set by creating the corresponding secret as follows:
Basic authentication:
kubectl create secret generic generic-webhook-credentials \
--from-literal=username='admin' \
--from-literal=password='ThisIsAPassword'
API authentication:
kubectl create secret generic generic-webhook-credentials \
--from-literal=headerName='X-Example-Header' \
--from-literal=headerValue='ThisIsAnAPIkeyValue'
Only one authentication method can be used at a time.
The keys for your secret mapping can also be renamed if necessary, for example headerName and headerValue can be renamed to name and value respectively.
This is usually done to reuse existing secrets.
helm upgrade --install generic-webhook secureCodeBox/generic-webhook \
--set="hook.authentication.apikey.headerNameKey=name" \
--set="hook.authentication.apikey.headerValueKey=value"
Values
| Key | Type | Default | Description |
|---|---|---|---|
| hook.affinity | object | {} | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
| hook.authentication | object | {"apikey":{"headerNameKey":"headerName","headerValueKey":"headerValue","userSecret":"generic-webhook-credentials"},"basic":{"passwordKey":"password","userSecret":"generic-webhook-credentials","usernameKey":"username"}} | Optional basic authentication credentials or apikey |
| hook.authentication.apikey.headerNameKey | string | "headerName" | Name of the header name key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
| hook.authentication.apikey.headerValueKey | string | "headerValue" | Name of the header value key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
| hook.authentication.apikey.userSecret | string | "generic-webhook-credentials" | Link a pre-existing generic secret with headerNameKey and headerValueKey key / value pairs |
| hook.authentication.basic.passwordKey | string | "password" | Name of the password key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
| hook.authentication.basic.userSecret | string | "generic-webhook-credentials" | Link a pre-existing generic secret with usernameKey and passwordKey key / value pairs |
| hook.authentication.basic.usernameKey | string | "username" | Name of the username key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
| hook.image.repository | string | "docker.io/securecodebox/hook-generic-webhook" | Hook image repository |
| hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
| hook.labels | object | {} | Add Kubernetes Labels to the hook definition |
| hook.priority | int | 0 | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
| hook.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| hook.tolerations | list | [] | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| hook.ttlSecondsAfterFinished | string | nil | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| webhookUrl | string | "http://example.com" | The URL of your WebHook endpoint |
License
Code of secureCodeBox is licensed under the Apache License 2.0.