Merge pull request #393 from MateSaary/deprecate-x-secret-token

openshift-merge-bot[bot] · web-flow · commit 75caf483fbe5 · 2025-04-03T10:08:57.000Z
OSD-27752: Deprecate x-secret-token
diff --git a/README.md b/README.md
@@ -168,7 +168,6 @@ Grafana dashboard configmaps are stored in the [Dashboards](./dashboards/) direc
 * `CAD_PD_USERNAME`: refers to the username of CAD on PagerDuty
 * `CAD_SILENT_POLICY`: refers to the silent policy CAD should use if the incident shall be silent
 * `PD_SIGNATURE`: refers to the PagerDuty webhook signature (HMAC+SHA256)
-* `X_SECRET_TOKEN`: refers to our custom Secret Token for authenticating against our pipeline
 * `CAD_PROMETHEUS_PUSHGATEWAY`: refers to the URL cad will push metrics to
 * `BACKPLANE_URL`: refers to the backplane url to use
 * `BACKPLANE_INITIAL_ARN`: refers to the initial ARN used for the isolated backplane jumprole flow
diff --git a/deploy/README.md b/deploy/README.md
@@ -27,7 +27,7 @@ See [../pkg/pagerduty/](../pkg/pagerduty/) for more details.
 ##### OCM
 [task-cad-checks-secrets-ocm-client.yaml](./task-cad-checks-secrets-ocm-client.yaml) This will hold the ocm creds.
 
-CAD_OCM_CLIENT_* env vars are in internal kv store. 
+CAD_OCM_CLIENT_* env vars are in internal kv store.
 
 See [../pkg/ocm/](../pkg/ocm/) for more details.
 
@@ -49,11 +49,11 @@ Install CAD by running the following commands:
     ```
 
 2. Configure secrets
-   
+
     See section at the bottom of `Tasks Secrets` to configure.
 
 3. Deploy container image
-   
+
     The repo builds the binary to a container using [../Dockerfile](a container file). build it using:
 
     ```console
@@ -92,7 +92,7 @@ Install CAD by running the following commands:
 Pipeline runs can be started via the following post command:
 
 ```console
-oc exec -it deploy/el-cad-event-listener -- curl -X POST -H 'X-Secret-Token: samplesecret' --connect-timeout 1 -v --data '{"event": {"data": {"id":"12312"}}}' http://el-cad-event-listener.configuration-anomaly-detection.svc.cluster.local:8080
+oc exec -it deploy/el-cad-event-listener -- curl -X POST -H 'X-PagerDuty-Signature: v1=samplesecret' --connect-timeout 1 -v --data '{"event": {"data": {"id":"12312"}}}' http://el-cad-event-listener.configuration-anomaly-detection.svc.cluster.local:8080
 ```
 
 For more details, see the [Tekton Documentation](https://github.com/tektoncd/triggers/tree/main/examples#invoking-the-triggers-locally).
@@ -110,7 +110,7 @@ The `tkn` tool is pulled from https://github.com/tektoncd/cli.
 The result of the last runs can be seen with:
 
 ```console
-tkn pipelinerun list -n configuration-anomaly-detection 
+tkn pipelinerun list -n configuration-anomaly-detection
 ```
 
 See the [Tekton documentation](https://docs.openshift.com/container-platform/4.4/cli_reference/tkn_cli/op-tkn-reference.html) for further commands.
diff --git a/deploy/pipeline-trigger.yaml b/deploy/pipeline-trigger.yaml
@@ -49,11 +49,6 @@ metadata:
   name: cad-pipe-listener
 spec:
   interceptors:
-    - ref:
-        name: "cel"
-      params:
-      - name: "filter"
-        value: "header.canonical('X-Secret-Token').compareSecret('X_SECRET_TOKEN', 'cad-pd-token')"
     # Enable after interceptor deployment is tested
     - ref:
         name: "cad-interceptor"
@@ -97,4 +92,4 @@ spec:
                   valueFrom:
                     secretKeyRef:
                       key: tls.key
-                      name: cad-event-listener-tls-secret
+                      name: cad-event-listener-tls-secret
diff --git a/deploy/task-cad-checks-secrets-pd.yaml b/deploy/task-cad-checks-secrets-pd.yaml
@@ -10,5 +10,4 @@ stringData:
   CAD_PD_TOKEN: CHANGEME # refers to the generated private access token for token-based authentication
   CAD_PD_USERNAME: CHANGEME # refers to the username in case username/pw credentials should be used
   CAD_SILENT_POLICY: CHANGEME # refers to the silent policy CAD should use if the incident shall be silent
-  X_SECRET_TOKEN: CHANGEME # refers to the PagerDuty webhook signature (HMAC+SHA256)
-  PD_SIGNATURE: CHANGEME # refers to our custom Secret Token for authenticating against our pipeline
+  PD_SIGNATURE: CHANGEME # refers to the PagerDuty webhook signature (HMAC+SHA256)
diff --git a/openshift/template.yaml b/openshift/template.yaml
@@ -154,12 +154,6 @@ objects:
     bindings:
     - ref: cad-check-trigger
     interceptors:
-    - params:
-      - name: filter
-        value: header.canonical('X-Secret-Token').compareSecret('X_SECRET_TOKEN',
-          'cad-pd-token')
-      ref:
-        name: cel
     - ref:
         kind: NamespacedInterceptor
         name: cad-interceptor
@@ -286,7 +280,6 @@ objects:
     CAD_PD_USERNAME: CHANGEME
     CAD_SILENT_POLICY: CHANGEME
     PD_SIGNATURE: CHANGEME
-    X_SECRET_TOKEN: CHANGEME
   type: Opaque
 - apiVersion: tekton.dev/v1beta1
   kind: Task
