Bug 1752831
| Summary: | [Disconnect]Can't access jenkins console in disconnected env behind http proxy in aws platform | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | XiuJuan Wang <xiuwang> |
| Component: | Jenkins | Assignee: | Akram Ben Aissi <abenaiss> |
| Status: | CLOSED ERRATA | QA Contact: | XiuJuan Wang <xiuwang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.2.0 | CC: | vbobade, wewang, wzheng |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-16 06:41:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 1
Akram Ben Aissi
2019-09-18 03:32:38 UTC
To make Jenkins work with a proxy, pass the correct proxy variables to the JVM using system properties (-D modifiers). They can be passed using the JAVA_TOOL_OPTIONS or the JAVA_GC_OPTIONS. The required options are:

```
-Dhttps.proxyHost=<your_proxy_host>
-Dhttps.proxyUser=your-proxy-user
-Dhttps.proxyPassword=your-proxy-password
-Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1"
```

Starting from Java 8, the Basic authentication with a proxy is by default disabled, so it is also required to add:

```
-Djdk.http.auth.tunneling.disabledSchemes=
-Djdk.http.auth.proxying.disabledSchemes=
```

However, a bug has been found with the OpenJDK version that we are using that requires defining a defaultAuthenticator that passes authentication parameters to the proxy. This fix provides the required authenticator.

The fix is done in the PR:
https://github.com/openshift/jenkins-openshift-login-plugin/pull/84

As per OpenJDK team discussion: Default Authenticator implementations that require user/login must fail. So, in our case, defining a custom Authenticator is required. There is no bug per se in OpenJDK for this scenario.

https://docs.oracle.com/javase/8/docs/api/java/net/Authenticator.html

Note: "All methods that request authentication have a default implementation that fails."

However, the Authenticator for plain HTTP proxied connections supports Basic authentication out of the box.

jenkins image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9fc7d32efd031c585e5921755e76c369752006fa1e1ed54e15d605f9ec27c16a from 4.2.0-0.nightly-2019-09-21-183303 has included openshift-login:1.0.20. And set JENKINS_JAVA_OVERRIDES, could access jenkins webconsole now.

```
sh-4.2$ env | grep proxy
JENKINS_JAVA_OVERRIDES=-Dhttp.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttp.proxyPort=3128 -Dhttp.proxyUser=proxy-user1 -Dhttp.proxyPassword=******** -Dhttps.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttps.proxyPort=3128 -Dhttps.proxyUser=proxy-user1 -Dhttps.proxyPassword=******** -Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1" -Djdk.http.auth.tunneling.disabledSchemes="" -Djdk.http.auth.proxying.disabledSchemes=""
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
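A custom default Authenticator of the kind Comment 1 describes, as an added example; it is not the code from the linked pull request. The class name and the sample host, user and password are constructed, and the sketch assumes the proxy settings arrive through the `http.proxy*` / `https.proxy*` system properties used in this report.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

// Added example; ProxyAuthenticator is a hypothetical name, not the plugin's class.
public final class ProxyAuthenticator extends Authenticator {
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Answer proxy challenges only; never hand proxy credentials to an origin server.
        if (getRequestorType() != RequestorType.PROXY) {
            return null;
        }
        // The scheme of the proxied request selects the http.* or https.* properties.
        String proto = getRequestingProtocol();
        String scheme = (proto == null) ? "http" : proto.toLowerCase();
        String host = System.getProperty(scheme + ".proxyHost");
        String port = System.getProperty(scheme + ".proxyPort");
        String user = System.getProperty(scheme + ".proxyUser");
        String pass = System.getProperty(scheme + ".proxyPassword");
        if (host == null || user == null || pass == null) {
            return null;
        }
        // Only the configured proxy endpoint gets credentials.
        if (!host.equalsIgnoreCase(getRequestingHost())) {
            return null;
        }
        if (port != null && !port.equals(String.valueOf(getRequestingPort()))) {
            return null;
        }
        return new PasswordAuthentication(user, pass.toCharArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, set here in place of the -D flags.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");
        System.setProperty("https.proxyUser", "proxy-user1");
        System.setProperty("https.proxyPassword", "placeholder-secret");
        Authenticator.setDefault(new ProxyAuthenticator());
        URL url = new URL("https://updates.example.org/");
        // Simulate the two kinds of challenge the JDK can raise for this request.
        PasswordAuthentication proxy = Authenticator.requestPasswordAuthentication(
                "proxy.example.internal", null, 3128, "https", "proxy", "basic", url, RequestorType.PROXY);
        PasswordAuthentication origin = Authenticator.requestPasswordAuthentication(
                "updates.example.org", null, 443, "https", "realm", "basic", url, RequestorType.SERVER);
        System.out.println("proxy challenge answered:  " + (proxy != null));
        System.out.println("origin challenge answered: " + (origin != null));
    }
}
```

Because `JENKINS_JAVA_OVERRIDES` is an environment variable, the proxy password it carries is readable by anything that can run `env` in the container, as the terminal output above shows.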