Monday 24 February 2020

Apache: How to conditionally inject Authorization header

In one of the cases I was helping with, I ran into a requirement to have a webhook sent from Jira to Jenkins to trigger a build based on a certain condition.
You can trigger a webhook from Jira based on a Jira search query or on a certain action, e.g. upon creation of an issue in a project.

The problem is that Jira doesn't support using userinfo fields in the URL, which is actually deprecated and should not be used as per the RFC https://tools.ietf.org/html/rfc3986, and thus Jira has no way to send authentication information out of the box to Jenkins to trigger a build.

To solve this, I proposed to run Jenkins behind an Apache reverse proxy and use a virtual host definition similar to the below:

<VirtualHost *:80>
     ServerName feanor
     DocumentRoot /var/www/html/

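     # SetEnvIf takes a regular expression: anchor it and escape the dots so
     # that only 10.0.0.12 matches (not 10.0.0.120 or 110.0.0.12).
     SetEnvIf Remote_Addr "^10\.0\.0\.12$" buildtriggerjira
     # Requires mod_headers; the header is set only when the variable exists.
     RequestHeader set Authorization "Basic c2hlcmlmOnNoZXJpZg==" env=buildtriggerjira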

     ProxyPreserveHost on
     ProxyVia on
     ProxyPass "/jenkins" "http://feanor:8080/jenkins"
     ProxyPassReverse "/jenkins" "http://feanor:8080/jenkins"
</VirtualHost>

The above configuration will inject an Authorization header in the incoming request on condition that the remote address is the IP address of the Jira server.
This works by setting an Apache environment variable in the SetEnvIf directive when its condition matches, and then setting the Authorization header only if that variable is set.

More checks can be made to harden the condition by checking more request fields, like the User-Agent string or other headers set by the Jira HTTP client sending the webhook request.
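
One way to apply the extra checks described above, as an added example rather than configuration from the original post: each further SetEnvIf clears the flag again when its check fails, so the header is injected only when all of them pass. The User-Agent prefix and the job name `myjob` are assumptions; replace them with the values seen in your own access log and Jenkins instance.

```apache
<VirtualHost *:80>
     ServerName feanor
     DocumentRoot /var/www/html/

     # 1. Source address of the Jira server. The pattern is a regular
     #    expression, so it is anchored and the dots are escaped.
     SetEnvIf Remote_Addr "^10\.0\.0\.12$" buildtriggerjira

     # 2. Further checks. "!name" removes the variable, and the negative
     #    lookahead matches whenever the expected value is NOT present,
     #    so any failed check withdraws the flag set in step 1.
     #    A missing header is compared as an empty string and fails too.

     #    ASSUMPTION: User-Agent prefix of the Jira webhook client.
     #    This header is client-controlled; it narrows the condition but
     #    the address match remains the actual access control.
     SetEnvIf User-Agent "^(?!Atlassian HttpClient)" !buildtriggerjira

     #    Only the build trigger URL of one job (hypothetical job "myjob"),
     #    not every Jenkins URL reachable from the Jira host.
     SetEnvIf Request_URI "^(?!/jenkins/job/myjob/build)" !buildtriggerjira

     #    Only POST requests.
     SetEnvIf Request_Method "^(?!POST$)" !buildtriggerjira

     # 3. Inject the credential only if the flag survived every check.
     RequestHeader set Authorization "Basic c2hlcmlmOnNoZXJpZg==" env=buildtriggerjira

     ProxyPreserveHost on
     ProxyVia on
     ProxyPass "/jenkins" "http://feanor:8080/jenkins"
     ProxyPassReverse "/jenkins" "http://feanor:8080/jenkins"
</VirtualHost>
```

If Apache itself sits behind a load balancer, Remote_Addr is the balancer's address, so the first check has to be made where the Jira address is still visible.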
