Bug 1693533
| Summary: | Jenkins Install plugin script missing curl -k (--insecure) flag for downloading plugins | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ravi Trivedi <travi> |
| Component: | RFE | Assignee: | Adam Kaplan <adam.kaplan> |
| Status: | CLOSED DEFERRED | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.11.0 | CC: | adam.kaplan, aos-bugs, gmontero, jokerman, mmccomas, pweil, vbobade, wzheng |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-05-29 17:53:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Moving to RFE for ability to pass arbitrary flags to the curl command. Adding -k to curl should not be supported out of the box as the flag allows SSL to be used even for connections considered insecure. The best way to avoid using this flag is to use valid, trusted certificates. |
Description of problem: In Jenkins, script at /usr/local/bin/install_plugins.sh is used to install plugins. In this script it uses curl to download plugins. We have plugins at internal repository, which we are trying to install. Since it is missing -k flag, it can't download plugins. Where are you experiencing the behavior? What environment? We should use environment variable CURL_OPTIONS, which can be overwritten as per customers need. Version-Release number of selected component (if applicable): registry.redhat.io/openshift3/jenkins-2-rhel7 How reproducible: Always Steps to Reproduce: 1. Instantiate registry.redhat.io/openshift3/jenkins-2-rhel7 and install plugins from private repo with insecure url (curl -k) Actual results: Not supported for now. Expected results: To be able to pass additional flags to curl command as required Additional info: So when I referred the upstream content from Openshift repository I came across [1] where there are no such options set. Example, ~~~ curl --connect-timeout "${CURL_CONNECTION_TIMEOUT:-20}" --retry "${CURL_RETRY:-5}" --retry-delay "${CURL_RETRY_DELAY:-0}" --retry-max-time "${CURL_RETRY_MAX_TIME:-60}" -s -f -L "$url" -o "$jpi" ~~~ However, I came across a similar content from Jenkins upstream repository [2], I see such an option available which would elaborate the requirement/concern. Example, ~~~ retry_command curl ${CURL_OPTIONS:--sSfL} --connect-timeout "${CURL_CONNECTION_TIMEOUT:-20}" --retry "${CURL_RETRY:-3}" --retry-delay "${CURL_RETRY_DELAY:-0}" --retry-max-time "${CURL_RETRY_MAX_TIME:-60}" "$url" -o "$jpi" ~~~ [1] - https://github.com/openshift/jenkins/blob/master/2/contrib/jenkins/install-plugins.sh#L229 [2] - https://github.com/jenkinsci/docker/blob/master/install-plugins.sh#L93 NOTE: Since the requirement is to install plugin from "insecure" URL, I understand that it wouldn't be advisable and supported as best practice but the provision to have additional flag to override curl options (CURL_OPTIONS) can help customization.