BCD 3.3.0 Jenkins doesn't work with webhook?


Hi,

When a webhook from Bitbucket tries to execute a bcd-pipeline, the following error appears:

Jenkins server responds with an "Error 403 No valid crumb was included in the request".

The Jenkins documentation says that an API token is required, but the Bonitasoft documentation doesn't say anything about how to integrate it.

Can you explain, step by step, how to perform the CI? Can you point out the documentation where it is described?

I did some research and found this online, which seems to point to a bug:
https://github.com/cdancy/jenkins-rest/issues/67
https://github.com/jenkinsci/java-client-api/issues/429

I've also found this closed bug IT-3058. Could you please share the solution that was implemented to resolve this bug?

Thanks in advance,

2 answers

1
+1
-1

Hi Marielle,

Your question is in fact a set of configuration steps involving Bitbucket, Jenkins and in fact ... not BCD. Let's go through it step by step.

First, of course, your Bonita Studio is plugged into a Git (Bitbucket) repo.

Your Bitbucket account must have an "App Password" set for your Jenkins server. This password will be used instead of your main Bitbucket password.

Then, in your Jenkins server, in my case a 2.235.3, which is the latest LTS available today, just add the Bitbucket source plugin: https://plugins.jenkins.io/cloudbees-bitbucket-branch-source/

In your repository settings, add a webhook to "http://YOUR-SERVER:YOUR-IP/bitbucket-scmsource-hook/notify/". It must include repository push & Merge Request events.

The "Skip certificate verification" option depends on your HTTPS policy, if you use self-signed certificates.

NOTE about webhooks: if your Jenkins server is hosted on AWS, you must add the Bitbucket IPs to your security group so that Jenkins will receive webhook requests.

The current IPs today are 131.103.20.165/32 and 131.103.20.166/32.

In the global Jenkins admin section, add your credentials, and then configure a new job that will use this plugin and your credentials, and scan projects based on your needs.

This project will then be built, based on an existing Jenkinsfile located in your Git repo base directory.

1
0
-1

The "Error 403 No valid crumb was included in the request" error occurs when CSRF is enabled on the Jenkins instance. This security option is enabled by default with the standalone Jenkins example provided by BCD (https://documentation.bonitasoft.com/bcd/3.3/jenkins_example#toc4).

This option may be opted out by a Jenkins Administrator by going to: Manage Jenkins > Configure Global Security > CSRF Protection, and un-checking the "Prevent Cross Site Request Forgery exploits" checkbox. It is a better practice to keep this protection enabled though.

Meanwhile, you need to use a "username:apiToken" string in your webhook configuration in order to be granted remote access to the Jenkins target URL. The user's "apiToken" can be generated from the Jenkins interface in your personal configuration page. Click your user's name on the top right corner on every page, then click "Configure" to see your API token. (The URL $jenkinsRoot/me/configure is a good shortcut too.) You can also change your API token from here.

Jenkins user API token

Then in your Bitbucket webhook configuration, you should prepend the target Jenkins URL with "username:apiToken" as follows: "https://username:apiToken@jenkins.yourcompany.com/[...]". Webhook creation may differ from one SCM provider to another. But that's the idea. The Cloudbees/Jenkins documentation may contain detailed instructions to set up Bitbucket webhooks.

This link may be worth reading too regarding Jenkins CSRF: https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained

The BCD documentation may indeed contain some guidance to cover this use case.

HTH
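
An added example (not part of the original answers, and not BCD or Jenkins code): what the "username:apiToken@" URL prefix from the second answer becomes on the wire, an HTTP Basic Authorization header, plus a helper that masks the token before the URL reaches a log. The sample user name and token are constructed, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote
from urllib.request import Request

# Constructed sample: user "ci@yourcompany.com" (the "@" must be percent-encoded
# inside a URL) and a made-up token. The host is the answer's own placeholder.
SAMPLE = ("https://ci%40yourcompany.com:0123456789abcdef"
          "@jenkins.yourcompany.com/bitbucket-scmsource-hook/notify/")


def split_credentials(url):
    """Return (url_without_userinfo, username, api_token)."""
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        raise ValueError("URL carries no username:apiToken prefix")
    # Drop everything up to the last "@" so port and IPv6 brackets survive.
    hostport = parts.netloc.rpartition("@")[2]
    clean = urlunsplit(parts._replace(netloc=hostport))
    return clean, unquote(parts.username), unquote(parts.password)


def build_request(url, body=b""):
    """Build (without sending) the POST a client derives from such a URL."""
    clean, user, token = split_credentials(url)
    if urlsplit(clean).scheme != "https":
        # Basic auth is only base64: over plain HTTP the token is readable.
        raise ValueError("refusing to send an API token over plain HTTP")
    basic = base64.b64encode(f"{user}:{token}".encode()).decode()
    return Request(clean, data=body, method="POST",
                   headers={"Authorization": f"Basic {basic}"})


def redact(url):
    """Mask the token so the URL can be logged or pasted into a ticket."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:***@{hostport}"))


if __name__ == "__main__":
    req = build_request(SAMPLE)
    print(req.get_method(), req.full_url)
    print("log line:", redact(SAMPLE))
```

Because the token sits in the stored webhook URL, anyone who can read the webhook settings can act as that Jenkins user, so a dedicated low-privilege account is the safer owner for it.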
