Skip to main content

Generic WebHook

License Apache-2.0GitHub release (latest SemVer)OWASP Lab ProjectArtifact HUBGitHub Repo starsMastodon Follower

What is "Generic WebHook" Hook about?

Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace which is capable of sending scan results containing findings to a given webhook url.

Deployment

The generic-webhook chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook

Requirements

Kubernetes: >=v1.11.0-0

Additional Chart Configurations

The webhook URL is set as follows:

helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook \
--set="webhookUrl=http://http-webhook/hello-world"

Two authentication methods exist for the Generic WebHook Hook. You can either use Basic authentication or API authentication. The authentication method is set by creating the corresponding secret as follows:

Basic authentication:
kubectl create secret generic generic-webhook-credentials \
--from-literal=username='admin' \
--from-literal=password='ThisIsAPassword'
API authentication:
kubectl create secret generic generic-webhook-credentials \
--from-literal=headerName='X-Example-Header' \
--from-literal=headerValue='ThisIsAnAPIkeyValue'

Only one authentication method can be used at a time.

The keys for your secret mapping can also be renamed if necessary, for example headerName and headerValue can be renamed to name and value respectively.

This is usually done to reuse existing secrets.

helm upgrade --install generic-webhook oci://ghcr.io/securecodebox/helm/generic-webhook \
--set="hook.authentication.apikey.headerNameKey=name" \
--set="hook.authentication.apikey.headerValueKey=value"

Values

KeyTypeDefaultDescription
hook.affinityobject{}Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
hook.authenticationobject{"apikey":{"headerNameKey":"headerName","headerValueKey":"headerValue","userSecret":"generic-webhook-credentials"},"basic":{"passwordKey":"password","userSecret":"generic-webhook-credentials","usernameKey":"username"}}Optional basic authentication credentials or apikey
hook.authentication.apikey.headerNameKeystring"headerName"Name of the header name key in the userSecret secret. Use this if you already have a secret with different key / value pairs
hook.authentication.apikey.headerValueKeystring"headerValue"Name of the header value key in the userSecret secret. Use this if you already have a secret with different key / value pairs
hook.authentication.apikey.userSecretstring"generic-webhook-credentials"Link a pre-existing generic secret with headerNameKey and headerValueKey key / value pairs
hook.authentication.basic.passwordKeystring"password"Name of the password key in the userSecret secret. Use this if you already have a secret with different key / value pairs
hook.authentication.basic.userSecretstring"generic-webhook-credentials"Link a pre-existing generic secret with usernameKey and passwordKey key / value pairs
hook.authentication.basic.usernameKeystring"username"Name of the username key in the userSecret secret. Use this if you already have a secret with different key / value pairs
hook.envlist[]Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
hook.extraVolumeMountslist[]Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
hook.extraVolumeslist[]Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
hook.image.repositorystring"docker.io/securecodebox/hook-generic-webhook"Hook image repository
hook.image.tagstringdefaults to the charts versionThe image Tag defaults to the charts version if not defined.
hook.labelsobject{}Add Kubernetes Labels to the hook definition
hook.priorityint0Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
hook.resourcesobject{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
hook.tolerationslist[]Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
hook.ttlSecondsAfterFinishedstringnilSeconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
imagePullSecretslist[]Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
webhookUrlstring"http://example.com"The URL of your WebHook endpoint

License

License

Code of secureCodeBox is licensed under the Apache License 2.0.