On Fri, Sep 12, 2014 at 11:34:44AM -0400, Mike Seda wrote:
> Hi All,
> I am a Systems Administrator who was recently asked to perform a
> Jenkins/GitHub integration.
> 
> The requirements are...
> 
> 1) When a GitHub pull request is made, start a Jenkins build.
> 2) Tell GitHub through the APIs that a Jenkins build is running.
> 3) When the Jenkins build finishes, inform GitHub that the Jenkins
> build succeeded/failed.
> 4) Update the GitHub pull request with a comment containing the URL
> of the webapp built for the branch after having deployed it.
> 
> I am being told by my internal Developers that Requirement # 1
> involves exposing my Jenkins server to the 1000+ GitHub IPs [as
> documented below]:
> https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist
> 
> The most secure of the two options [HTTPS with HTTP Basic Auth]
> presented at the above link has me confused though... Where do we
> configure the username and password for the HTTPS with HTTP Basic
> Auth in GitHub? I know how to configure it on my end, but how do I
> tell GitHub about it - so that the GitHub POST to my Jenkins server
> will actually succeed?

Put a reverse HTTP proxy in front of Jenkins that allows anyone
anonymous access to /github-webhook and nothing else.

Supposedly this is secure (the GitHub plugin doesn't trust the data
submitted but just extracts the repository name and polls it to see
whether there were any real changes).

Excerpt from my Apache config:

  <Location />
    AuthType Basic
    AuthName "jenkins.example.com"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
  </Location>
  <Location /github-webhook>
    # https://wiki.jenkins-ci.org/display/JENKINS/GitHub+Plugin#GitHubPlugin-SecurityImplications
    # says it's fine
    Allow from all
    Satisfy Any
  </Location>

> Also, is there any way to meet the above requirements without
> exposing my Jenkins server to GitHub?

You only need that one endpoint and only for your requirement (1).

> Please let me know how most folks meet the aforementioned
> requirements - as I am told that this is already a solved problem
> for many shops.
> 
> BTW, we are pretty certain that we will need the following plugin:
> https://wiki.jenkins-ci.org/display/JENKINS/Github+pull+request+builder+plugin
> 
> However, I am not quite sure how to leverage it at the moment.

(I haven't used it yet.)

Marius Gedminas
-- 
"When the grammar checker identifies an error,
it suggests a correction and can even makes
some changes for you."
                -- Microsoft Word for Windows 2.0 User's Guide.
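
An added example, not part of the original message or of the GitHub plugin: a Python check that a proxy configured as in the excerpt answers anonymous requests only on /github-webhook. The paths in `PROTECTED`, the `StandInProxy` class and the function names are constructed assumptions so the check runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request

WEBHOOK = "/github-webhook"  # the one anonymous path in the Apache excerpt
PROTECTED = ["/", "/manage", "/github-webhookx"]  # constructed sample paths
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies

class StandInProxy(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the proxy; any Authorization header passes here."""
    anonymous = (WEBHOOK,)
    def _handle(self):
        path = self.path.split("?", 1)[0]
        allowed = any(path == p or path.startswith(p + "/") for p in self.anonymous)
        self.send_response(200 if allowed or "Authorization" in self.headers else 401)
        self.end_headers()
    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass

def anonymous_status(base_url, path, method="GET"):
    """HTTP status the server returns when no credentials are sent."""
    data = b"" if method == "POST" else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, protected=PROTECTED):
    """Return findings; an empty list means only the webhook path is anonymous."""
    findings = []
    if anonymous_status(base_url, WEBHOOK, "POST") in (401, 403):
        findings.append(f"{WEBHOOK} demanded credentials for an anonymous POST")
    for path in protected:
        code = anonymous_status(base_url, path)
        if code != 401:
            findings.append(f"{path} answered {code} without credentials")
    return findings

def run_demo(handler=StandInProxy):
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()
```

Calling `audit()` with the base URL of a real proxy runs the same probes against it; `run_demo()` only exercises the stand-in.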
