Bug 1312278 - Jenkins template has hardcoded SSL certificate and password
Summary: Jenkins template has hardcoded SSL certificate and password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Jim Minter
QA Contact: Wang Haoran
URL: https://access.redhat.com/documentati...
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-26 10:19 UTC by Evgheni Dereveanchin
Modified: 2019-11-14 07:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously various OpenShift sample templates included an expired, self-signed X.509 certificate and key for www.example.com. These unnecessary certificates and keys have been removed from the templates.
Clone Of:
Environment:
Last Closed: 2017-01-18 12:39:19 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0066 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.4 RPM Release Advisory 2017-01-18 17:23:26 UTC

Description Evgheni Dereveanchin 2016-02-26 10:19:43 UTC
Description of problem:
Jenkins templates shipped with the installer have hardcoded certificates and a password. This is insecure; this kind of data should be generated when an app is created from a template.

Version-Release number of selected component (if applicable):
openshift-ansible-roles-3.0.35-1.git.0.6a386dd.el7aos.noarch

How reproducible:
Always

Steps to Reproduce:
1. check template files
/usr/share/ansible/openshift-ansible/roles/openshift_examples/files/examples/v1.1/quickstart-templates/jenkins-ephemeral-template.json
/usr/share/ansible/openshift-ansible/roles/openshift_examples/files/examples/v1.1/quickstart-templates/jenkins-persistent-template.json
2. import them into OpenShift during installation and deploy an app

Actual results:
jenkins deployed with hardcoded certificate and password equal to "password"

Expected results:
certificates are generated (or the default router cert is used) as well as the admin password

Additional info:

Comment 1 Ben Parees 2016-02-26 18:29:16 UTC
There is no good way to generate a cert from within a template today.  This is the best we can do to make it usable out of the box.  Users concerned about security should of course substitute their own certificate.

The password is settable via a parameter on the template, so again this can be set by users who care.

Comment 2 Evgheni Dereveanchin 2016-02-29 07:39:56 UTC
Why would you need to include a broken SSL certificate prone to MITM attacks for the route if the Router already has one (which may actually be a normal signed certificate)?

Comment 3 Ben Parees 2016-02-29 14:02:13 UTC
It's entirely possible that cert is no longer needed to ensure good jenkins behavior.  Michal, can you see if we can remove the cert from the jenkins template route definition?

Comment 4 Michal Fojtik 2016-07-18 08:12:29 UTC
Sorry for the delay, I'm going to check this out today.

Comment 5 Jim Minter 2016-09-22 11:43:20 UTC
Taking a look.  I can see the hard-coded cert & key, but AFAICS there is no hardcoded password now.

Comment 6 Ben Parees 2016-09-22 11:55:07 UTC
That's true, the jenkins admin password is now randomly generated.

Comment 7 Jim Minter 2016-09-22 14:09:11 UTC
https://github.com/openshift/origin/pull/11053

Comment 8 openshift-github-bot 2016-09-27 18:35:48 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/4232ddf19329b042d25ebbe1520b31b47bc89fef
Fix bug 1312278 Jenkins template has hardcoded SSL certificate.

Remove expired www.example.com certificate and key from route objects in templates across examples/ and test/ excluding test/old-start-configs.

In some cases this may alter the precise 'insecure certificate' error that users would see by default when accessing these apps.  Previously they'd have got an expired www.example.com cert; now they'll get the default router cert, which currently by default is self-signed and not wildcarded.
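The commit above removes the literal certificate and key from Route objects so the router's own certificate is served instead. As an added example (not code from this bug or from the origin repository), the small linter below checks a parsed OpenShift template for the two problems this bug raised, a Route carrying hardcoded TLS material and a secret-looking parameter with a static default instead of a `generate: expression`, and produces a copy with the Route TLS material stripped. The template embedded in it is constructed for illustration; the field names follow the OpenShift template and Route schemas.

```python
"""Lint an OpenShift template for hardcoded TLS material and static secret defaults."""
import copy
import json

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN")
# Edge/re-encrypt certificate material that a template should not carry inline.
ROUTE_TLS_FIELDS = ("certificate", "key", "caCertificate")

# Constructed sample template (placeholder PEM text, not a real certificate or key).
SAMPLE_TEMPLATE = json.loads("""
{
  "kind": "Template", "apiVersion": "v1",
  "metadata": {"name": "jenkins-ephemeral-sample"},
  "objects": [
    {"kind": "Route", "apiVersion": "v1", "metadata": {"name": "jenkins"},
     "spec": {"to": {"kind": "Service", "name": "jenkins"},
              "tls": {"termination": "edge",
                      "certificate": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----",
                      "key": "-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----"}}}
  ],
  "parameters": [
    {"name": "JENKINS_SERVICE_NAME", "value": "jenkins"},
    {"name": "JENKINS_PASSWORD", "value": "password"},
    {"name": "GENERATED_PASSWORD", "generate": "expression", "from": "[a-zA-Z0-9]{16}"}
  ]
}
""")


def find_hardcoded(template):
    """Return (path, reason) findings for a parsed template dict."""
    findings = []
    for i, obj in enumerate(template.get("objects", [])):
        if obj.get("kind") != "Route":
            continue
        tls = obj.get("spec", {}).get("tls") or {}
        for field in ROUTE_TLS_FIELDS:
            if field in tls:
                findings.append((f"objects[{i}].spec.tls.{field}", "hardcoded TLS material in Route"))
    for p in template.get("parameters", []):
        name = p.get("name", "")
        # A secret-looking parameter is fine if generated; a literal default is not.
        if any(h in name.upper() for h in SECRET_HINTS) and "generate" not in p and p.get("value"):
            findings.append((f"parameters[{name}]", "static default for secret-looking parameter"))
    return findings


def strip_route_tls(template):
    """Return a copy with inline cert material removed so the router's default cert is used."""
    fixed = copy.deepcopy(template)
    for obj in fixed.get("objects", []):
        tls = obj.get("spec", {}).get("tls") if obj.get("kind") == "Route" else None
        if tls:
            for field in ROUTE_TLS_FIELDS:
                tls.pop(field, None)  # termination mode is kept
    return fixed
```

Running `find_hardcoded(SAMPLE_TEMPLATE)` reports the Route certificate, the Route key and the static `JENKINS_PASSWORD` default; after `strip_route_tls` only the parameter finding remains.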

Comment 9 Troy Dawson 2016-10-18 16:06:19 UTC
This has been merged into ose and is in OSE v3.4.0.12 or newer.

Comment 11 Dongbo Yan 2016-10-19 07:08:41 UTC
Verified
openshift v3.4.0.12
kubernetes v1.4.0+776c994
etcd 3.1.0-alpha.1

1. Create jenkins server using jenkins template
$ oc new-app jenkins-ephemeral
$ oc new-app jenkins-persistent
2. Access jenkins webconsole via route url

Actual results: jenkins server is ready, could access jenkins webconsole via route url

Comment 13 errata-xmlrpc 2017-01-18 12:39:19 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066