Description of problem:
In my employee.openshift.com project, I have a BuildConfig with defined GitHub and Generic webhooks. Neither seems to trigger a rebuild of the image:

$ oc describe bc freeipa-org-planet
Name:           freeipa-org-planet
Namespace:      freeipa
Created:        2 months ago
Labels:         app=freeipa-org-planet
                template=freeipa-org-planet
Description:    Defines how to build the application
Annotations:    template.alpha.openshift.io/wait-for-ready=true
Latest Version: 7

Strategy:       Source
URL:            https://github.com/freeipa/freeipa-planet.git
From Image:     ImageStreamTag openshift/php:7.0
Output to:      ImageStreamTag freeipa-org-planet:latest

Build Run Policy:       Serial
Triggered by:           Config, ImageChange
Webhook GitHub:
        URL:    https://api.rh-us-east-1.openshift.com:443/apis/build.openshift.io/v1/namespaces/freeipa/buildconfigs/freeipa-org-planet/webhooks/<secret>/github
Webhook Generic:
        URL:            https://api.rh-us-east-1.openshift.com:443/apis/build.openshift.io/v1/namespaces/freeipa/buildconfigs/freeipa-org-planet/webhooks/<secret>/generic
        AllowEnv:       false
Builds History Limit:
        Successful:     5
        Failed:         5

$ curl -X post -k https://api.rh-us-east-1.openshift.com:443/apis/build.openshift.io/v1/namespaces/freeipa/buildconfigs/freeipa-org-planet/webhooks/<secret>/generic
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "buildconfigs.build.openshift.io \"freeipa-org-planet\" is forbidden: User \"system:anonymous\" cannot buildconfigs.build.openshift.io/webhooks in the namespace \"freeipa\": no RBAC policy matched",
  "reason": "Forbidden",
  "details": {
    "name": "freeipa-org-planet",
    "group": "build.openshift.io",
    "kind": "buildconfigs"
  },
  "code": 403

Version-Release number of selected component (if applicable):
OpenShift Master: v3.11.43
Kubernetes Master: v1.11.0+d4cacc0
OpenShift Web Console: v3.11.43

How reproducible:
Always

Steps to Reproduce:
1. oc set triggers bc freeipa-org-planet --remove-all
2. oc set triggers bc/freeipa-org-planet --from-github
3. oc set triggers bc/freeipa-org-planet --from-webhook
4. oc describe bc freeipa-org-planet
5. Trigger generic or github webhook with the right secret

Actual results:
Generic webhook - I get error above
GitHub webhook - I get success reported from GitHub, but no rebuild is done

Expected results:
Webhooks trigger rebuild

Additional info:

This bug is obviously extremely old, but still appears first for "openshift webhooks not working" searches.

As of right now, it seems most likely you are getting this error if you send an unauthenticated webhook request. Full details are in https://access.redhat.com/solutions/7105930 but the short version is

> From OCP version 4.16 onward, all webhooks for BuildConfigs must either have an OpenShift authentication token in their HTTP headers, OR an administrator must grant the system:webhook role to the system:unauthenticated group in the namespace where the BuildConfig resides.

> For more details regarding the same, kindly refer to OCPBUGS-33041 as well as OCP 4.16 official documentation.

Somewhat confusingly, you seem to get a 200 response on the gitlab/github webhook endpoints, but if you add a generic webhook endpoint you will likely see the 403 error. I've filed https://issues.redhat.com/browse/OCPBUGS-60867 about that.

So if you are reading this post this comment, you likely need to tell your administrator this.

I close this out.
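
The second option in the quoted text (granting system:webhook to system:unauthenticated in one namespace) corresponds to a namespaced RoleBinding like the one below. This is an added example, not part of the original report or comment; the binding name is an arbitrary choice, and the namespace freeipa is taken from the BuildConfig in this report as a sample.

```yaml
# Added example: namespaced RoleBinding that lets unauthenticated callers
# reach BuildConfig webhook endpoints in a single namespace only.
# Because it is a RoleBinding (not a ClusterRoleBinding), BuildConfigs in
# other namespaces still reject anonymous webhook requests with 403.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webhook-access-unauthenticated   # assumed name, any valid name works
  namespace: freeipa                     # namespace where the BuildConfig lives
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "system:webhook"                 # role named in the quoted solution text
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "system:unauthenticated"       # covers requests made as system:anonymous
```

With this binding in place the secret embedded in the webhook URL is the only thing protecting the trigger, so it should be handled as a credential and rotated if it leaks. Where the sender can set HTTP headers, the first option from the quoted text (an OpenShift authentication token in the request headers) avoids opening the namespace to anonymous callers.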