Generic WebHook
What is "Generic WebHook" Hook about?
Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace which is capable of sending scan results containing findings to a given webhook URL.
Deployment
The generic-webhook chart can be deployed via helm:
```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook
```
Requirements
Kubernetes: >=v1.11.0-0
Additional Chart Configurations
The webhook URL is set as follows:
```bash
helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook \
  --set="webhookUrl=http://http-webhook/hello-world"
```
Two authentication methods exist for the Generic WebHook Hook. You can either use Basic authentication or API authentication. The authentication method is set by creating the corresponding secret as follows:
Basic authentication:
```bash
kubectl create secret generic generic-webhook-credentials \
  --from-literal=username='admin' \
  --from-literal=password='ThisIsAPassword'
```
API authentication:
```bash
kubectl create secret generic generic-webhook-credentials \
  --from-literal=headerName='X-Example-Header' \
  --from-literal=headerValue='ThisIsAnAPIkeyValue'
```
Only one authentication method can be used at a time.
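The receiving endpoint has to verify whichever credential the hook was configured with. The following is an added example, not part of the secureCodeBox project: a hypothetical receiver-side check for both methods, using the sample values from the secrets above. The function names and the `method` setting are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample values mirroring the secrets created above; a real
# receiver loads these from its own secret store, not from source code.
BASIC_USER, BASIC_PASSWORD = "admin", "ThisIsAPassword"
API_HEADER, API_VALUE = "X-Example-Header", "ThisIsAnAPIkeyValue"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic(headers: dict) -> bool:
    """Validate an 'Authorization: Basic <base64(user:password)>' header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        return False  # malformed base64 or non-UTF-8 bytes: reject, never raise
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons before combining to avoid short-circuit timing.
    user_ok = _equal(user, BASIC_USER)
    password_ok = _equal(password, BASIC_PASSWORD)
    return user_ok and password_ok


def check_api_key(headers: dict) -> bool:
    """Validate the custom header configured via headerName / headerValue."""
    return _equal(headers.get(API_HEADER.lower(), ""), API_VALUE)


def authorize(raw_headers: dict, method: str) -> bool:
    """Accept a request only if it satisfies the one configured method."""
    # HTTP header names are case-insensitive: normalise before lookup.
    headers = {k.lower(): v for k, v in raw_headers.items()}
    if method == "basic":
        return check_basic(headers)
    if method == "apikey":
        return check_api_key(headers)
    return False  # unknown configuration fails closed
```

Both methods place the credential in a request header, and Basic authentication only base64-encodes it, so a `webhookUrl` that leaves the cluster should use `https://`.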
The keys for your secret mapping can also be renamed if necessary, for example `headerName` and `headerValue` can be renamed to `name` and `value` respectively. This is usually done to reuse existing secrets.
```bash
helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook \
  --set="hook.authentication.apikey.headerNameKey=name" \
  --set="hook.authentication.apikey.headerValueKey=value"
```
Values
Key | Type | Default | Description |
---|---|---|---|
hook.affinity | object | {} | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
hook.authentication | object | {"apikey":{"headerNameKey":"headerName","headerValueKey":"headerValue","userSecret":"generic-webhook-credentials"},"basic":{"passwordKey":"password","userSecret":"generic-webhook-credentials","usernameKey":"username"}} | Optional basic authentication credentials or apikey |
hook.authentication.apikey.headerNameKey | string | "headerName" | Name of the header name key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
hook.authentication.apikey.headerValueKey | string | "headerValue" | Name of the header value key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
hook.authentication.apikey.userSecret | string | "generic-webhook-credentials" | Link a pre-existing generic secret with headerNameKey and headerValueKey key / value pairs |
hook.authentication.basic.passwordKey | string | "password" | Name of the password key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
hook.authentication.basic.userSecret | string | "generic-webhook-credentials" | Link a pre-existing generic secret with usernameKey and passwordKey key / value pairs |
hook.authentication.basic.usernameKey | string | "username" | Name of the username key in the userSecret secret. Use this if you already have a secret with different key / value pairs |
hook.env | list | [] | Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
hook.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
hook.extraVolumes | list | [] | Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
hook.image.repository | string | "docker.io/securecodebox/hook-generic-webhook" | Hook image repository |
hook.image.tag | string | defaults to the chart's version | The image tag defaults to the chart's version if not defined. |
hook.labels | object | {} | Add Kubernetes Labels to the hook definition |
hook.priority | int | 0 | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
hook.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
hook.tolerations | list | [] | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
hook.ttlSecondsAfterFinished | string | nil | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
webhookUrl | string | "http://example.com" | The URL of your WebHook endpoint |
License
Code of secureCodeBox is licensed under the Apache License 2.0.