3

We had a strange issue Monday morning with our CI pipeline jobs that are triggered from Bitbucket webhooks.

Before the TLSv1 and TLSv1.1 deprecation on December 1, I suspect we only had webhooks coming from these IP addresses: bitbucket IP sources before December 1

All our pipelines were functioning fine and our Kibana logs show few errors.

On Monday morning when people started making PRs (which triggered builds, checks and tests), people were complaining that their pipeline jobs weren't triggering. I switched on the setting to record the webhook requests and found a number of 403s returned from an upstream server: 403 errors.

Anyway, it turns out I had to add a bunch of IP addresses to our whitelist rules for our CI. This resolved the 403s for us.

I was hoping to share this experience and see if anyone else had this issue with the TLS deprecation occurring on the weekend.

ted-k42

1 Answer

5

We are experiencing the same problem. After some research, we found a note on their blog: https://bitbucket.org/blog/update-to-outgoing-webhook-ip-addresses

EDIT: I wrote a simple Python script which syncs an AWS EC2 Security Group with the Atlassian IP ranges list: https://github.com/agrzegorczyk-leonsoftware/atlassian-sg-updater
It's not well tested, but maybe it will be useful for someone.

  • We stumbled across that article as well. It may have been that on November 30th they did the complete switchover to allow webhooks from their external IP addresses. We hadn't had a problem with it until our first Monday back after December. – ted-k42 Dec 03 '18 at 22:24
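
The allowlist gap described in this thread can be checked offline before touching any firewall or security group rule. The following is an added example, not code from the posts above or from the linked repository: it compares a current allowlist with a published range list and sorts the 403 source addresses from the recorded webhook requests into "inside a published range but not allowlisted" and "not published at all". All addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real Atlassian addresses).
CURRENT_ALLOWLIST = ["192.0.2.0/26", "198.51.100.0/24"]
PUBLISHED_RANGES = ["192.0.2.0/24", "198.51.100.0/24",
                    "203.0.113.0/25", "2001:db8:10::/48"]
# Constructed webhook request log entries: (source IP, HTTP status).
WEBHOOK_LOG = [("192.0.2.10", 200), ("192.0.2.200", 403), ("203.0.113.7", 403),
               ("203.0.113.200", 403), ("2001:db8:10::5", 403)]

def missing_ranges(allowlist, published):
    """Return the CIDRs inside the published ranges that the allowlist lacks."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    gaps = []
    for cidr in published:
        pending = [ipaddress.ip_network(cidr)]
        for rule in allowed:
            remaining = []
            for net in pending:
                if net.version != rule.version or not net.overlaps(rule):
                    remaining.append(net)      # rule does not touch this block
                elif net.subnet_of(rule):
                    continue                   # block is fully allowlisted
                else:                          # rule covers only part of the block
                    remaining.extend(net.address_exclude(rule))
            pending = remaining
        gaps.extend(pending)
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        out += ipaddress.collapse_addresses(g for g in gaps if g.version == version)
    return [str(n) for n in out]

def classify_403s(log, allowlist, published):
    """Split rejected source IPs into allowlist gaps and unpublished senders."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    known = [ipaddress.ip_network(c) for c in published]
    result = {"allowlist_gap": [], "not_published": []}
    for src, status in log:
        ip = ipaddress.ip_address(src)
        if status != 403 or any(ip in n for n in allowed):
            continue  # accepted, or rejected for a reason other than the allowlist
        key = "allowlist_gap" if any(ip in n for n in known) else "not_published"
        result[key].append(src)
    return result

if __name__ == "__main__":
    print(missing_ranges(CURRENT_ALLOWLIST, PUBLISHED_RANGES))
    print(classify_403s(WEBHOOK_LOG, CURRENT_ALLOWLIST, PUBLISHED_RANGES))
```

Only the `allowlist_gap` addresses justify widening the rules; entries under `not_published` are rejected senders that the published list does not explain and should stay blocked.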