Bug 1312278
| Summary: | Jenkins template has hardcoded SSL certificate and password | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Evgheni Dereveanchin <ederevea> |
| Component: | ImageStreams | Assignee: | Jim Minter <jminter> |
| Status: | CLOSED ERRATA | QA Contact: | Wang Haoran <haowang> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.1.0 | CC: | aos-bugs, bparees, dyan, jokerman, mmccomas, tdawson |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://access.redhat.com/documentation/en/openshift-enterprise/3.1/using-images/chapter-5-other-images#creating-a-jenkins-service-from-a-template | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Previously various OpenShift sample templates included an expired, self-signed X.509 certificate and key for www.example.com. These unnecessary certificates and keys have been removed from the templates.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-01-18 12:39:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Evgheni Dereveanchin
2016-02-26 10:19:43 UTC
There is no good way to generate a cert from within a template today. This is the best we can do to make it usable out of the box. Users concerned about security should of course substitute their own certificate. The password is settable via a parameter on the template, so again this can be set by users who care. Why would you need to include a broken SSL certificate prone to MITM attachs for the route if the Router already has one (which may actually be a normal signed certificate)? It's entirely possible that cert is no longer needed to ensure good jenkins behavior. Michal, can you see if we can remove the cert from the jenkins template route definition? Sorry for the delay, I'm going to check this out today. Taking a look. I can see the hard coded cert & key, but AFAICS there is no hardcoded password now. that's true, the jenkins admin password is now randomly generated. Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/4232ddf19329b042d25ebbe1520b31b47bc89fef Fix bug 1312278 Jenkins template has hardcoded SSL certificate. Remove expired www.example.com certificate and key from route objects in templates across examples/ and test/ excluding test/old-start-configs. In some cases this may alter the precise 'insecure certificate' error that users would see by default when accessing these apps. Previously they'd have got an expired www.example.com cert; now they'll get the default router cert, which currently by default is self-signed and not wildcarded. This has been merged into ose and is in OSE v3.4.0.12 or newer. Verified openshift v3.4.0.12 kubernetes v1.4.0+776c994 etcd 3.1.0-alpha.1 1.Create jenkins server using jenkins template $ oc new-app jenkins-ephemeral $ oc new-app jenkins-persistent 2.Access jenkins webconsole via route url Actual results: jenkins server is ready, could access jenkins webconsole via route url Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066 |