Bug 1312278 - Jenkins template has hardcoded SSL certificate and password
Jenkins template has hardcoded SSL certificate and password
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image (Show other bugs)
Unspecified Unspecified
medium Severity low
: ---
: ---
Assigned To: Jim Minter
Wang Haoran
Depends On:
  Show dependency treegraph
Reported: 2016-02-26 05:19 EST by Evgheni Dereveanchin
Modified: 2017-03-08 13 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously various OpenShift sample templates included an expired, self-signed X.509 certificate and key for www.example.com. These unnecessary certificates and keys have been removed from the templates.
Story Points: ---
Clone Of:
Last Closed: 2017-01-18 07:39:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Evgheni Dereveanchin 2016-02-26 05:19:43 EST
Description of problem:
Jenkins templates shipped with the installer have hardcoded certificates and password. This is insecure, this kind of data should be generated when an app is created from template.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. check template files
2. import them into OpenShift during installation and deploy an app

Actual results:
jenkins deployed with hardcoded certificate and password equal to "password"

Expected results:
certificates are generated (or the default router cert is used) as well as the admin password

Additional info:
Comment 1 Ben Parees 2016-02-26 13:29:16 EST
There is no good way to generate a cert from within a template today.  This is the best we can do to make it usable out of the box.  Users concerned about security should of course substitute their own certificate.

The password is settable via a parameter on the template, so again this can be set by users who care.
Comment 2 Evgheni Dereveanchin 2016-02-29 02:39:56 EST
Why would you need to include a broken SSL certificate prone to MITM attachs for the route if the Router already has one (which may actually be a normal signed certificate)?
Comment 3 Ben Parees 2016-02-29 09:02:13 EST
It's entirely possible that cert is no longer needed to ensure good jenkins behavior.  Michal, can you see if we can remove the cert from the jenkins template route definition?
Comment 4 Michal Fojtik 2016-07-18 04:12:29 EDT
Sorry for the delay, I'm going to check this out today.
Comment 5 Jim Minter 2016-09-22 07:43:20 EDT
Taking a look.  I can see the hard coded cert & key, but AFAICS there is no hardcoded password now.
Comment 6 Ben Parees 2016-09-22 07:55:07 EDT
that's true, the jenkins admin password is now randomly generated.
Comment 7 Jim Minter 2016-09-22 10:09:11 EDT
Comment 8 openshift-github-bot 2016-09-27 14:35:48 EDT
Commit pushed to master at https://github.com/openshift/origin

Fix bug 1312278 Jenkins template has hardcoded SSL certificate.

Remove expired www.example.com certificate and key from route objects in templates across examples/ and test/ excluding test/old-start-configs.

In some cases this may alter the precise 'insecure certificate' error that users would see by default when accessing these apps.  Previously they'd have got an expired www.example.com cert; now they'll get the default router cert, which currently by default is self-signed and not wildcarded.
Comment 9 Troy Dawson 2016-10-18 12:06:19 EDT
This has been merged into ose and is in OSE v3.4.0.12 or newer.
Comment 11 Dongbo Yan 2016-10-19 03:08:41 EDT
openshift v3.4.0.12
kubernetes v1.4.0+776c994
etcd 3.1.0-alpha.1

1.Create jenkins server using jenkins template
$ oc new-app jenkins-ephemeral
$ oc new-app jenkins-persistent
2.Access jenkins webconsole via route url

Actual results: jenkins server is ready, could access jenkins webconsole via route url
Comment 13 errata-xmlrpc 2017-01-18 07:39:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.