Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1369746

Summary: Fail to delete resource using `openShiftDeleteResourceByJsonYaml` pipeline dsl step
Product: OpenShift Container Platform Reporter: shiyang.wang <shiywang>
Component: ImageStreamsAssignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: Wang Haoran <haowang>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.0CC: aos-bugs, bparees, jokerman, mmccomas, sdodson, tdawson, wewang
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The OpenShift Pipeline Plugin for Jenkins did not properly handle permission issues when attempting to access the Route for Jenkins. Consequence: Any of the steps or post-build actions in Jenkins jobs could fail unnecessarily with a Java stack trace citing an inability to access routes. Fix: Add correct error handling when attempting to list routes. Result: Jenkins jobs not longer fail unnecessarily if the token used by the OpenShift Pipeline Plugin for Jenkins to access the OpenShift API Master did not have permission to list routes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-27 09:10:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description shiyang.wang 2016-08-24 09:55:31 UTC 
Description of problem:

jenkins pipeline DSL  using  `openShiftDeleteResourceByJsonYaml` build failed, also did not delete pod


Version-Release number of selected component (if applicable):

OCP/image
M/M
version:
brew-pulp.../openshift3/jenkins-1-rhel7@sha256:d087cb40014e3bb9b8d3efc43092c608e0c4e04b9d4e249c18d3bb8a2d00e417"

How reproducible:


Steps to Reproduce:
1.$oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/jenkins-ephemeral-template.json

2. $oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json

3.
$Open the Jenkins  in browser,
$Go to jenkins job page click "new item" -->write item name: openshifttest-->select "Pipeline"-->save
$Select pipelinejob "openshifttest" to Configure 
$Config "openShiftDeleteResourceByKey"  follow 
node{
    stage 'build'
    openshiftCreateResource(  apiURL:  'https://openshift.default.svc.cluster.local', authToken: '', jsonyaml:  ''' <file content>  ''', namespace: 'test', verbose: 'false' )
}

4. click  "build"

Actual results:
Started by user Jenkins Admin
[Pipeline] node
Running on master in /var/lib/jenkins/jobs/openshifttest/workspace
[Pipeline] {
[Pipeline] stage (build)
Entering stage build
Proceeding
[Pipeline] openshiftDeleteResourceByJsonYaml
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.openshift.restclient.authorization.ResourceForbiddenException: User "system:serviceaccount:shiywang:jenkins" cannot list routes in project "test"
        at com.openshift.internal.restclient.DefaultClient.createOpenShiftException(DefaultClient.java:483)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:158)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:139)
        at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.constructBuildUrl(IOpenShiftPlugin.java:205)
        at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.doItCore(IOpenShiftPlugin.java:235)
        at com.openshift.jenkins.plugins.pipeline.dsl.OpenShiftDeleterJsonYamlExecution.run(OpenShiftDeleterJsonYamlExecution.java:42)
        at com.openshift.jenkins.plugins.pipeline.dsl.OpenShiftDeleterJsonYamlExecution.run(OpenShiftDeleterJsonYamlExecution.java:18)
        at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:49)
        at hudson.security.ACL.impersonate(ACL.java:213)
        at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:47)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.openshift.internal.restclient.http.HttpClientException: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:shiywang:jenkins\" cannot list routes in project \"test\"",
  "reason": "Forbidden",
  "details": {
    "kind": "routes"
  },
  "code": 403
}
 
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.createException(UrlConnectionHttpClient.java:278)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:211)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:187)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.get(UrlConnectionHttpClient.java:149)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:153)
        ... 13 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://openshift.default.svc.cluster.local/oapi/v1/namespaces/test/routes
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:207)
        ... 16 more
Finished: FAILURE


Expected results:
jenkins job build success, delete pod successfully

Additional info:
Comment 1 Gabe Montero 2016-08-24 16:37:18 UTC 
OK, this particular stack trace was fixed with https://github.com/openshift/jenkins-plugin/commit/90fb270e7a14d9e27f47bc46888383f924779db0#diff-8bc5575e72911f22d92892b6b3e4c3ca

That is a post v1.021 fix.  So as Ben noted in IRC, we'll need to craft a new version of the plugin, followed by a new RPM for rhel, followed by a new jenkins rhel image on brew-pulp.

I'll hold off on that process until I have triaged the other recently opened bugzillas.
Comment 2 Gabe Montero 2016-08-24 16:53:40 UTC 
*** Bug 1369702 has been marked as a duplicate of this bug. ***
Comment 3 Gabe Montero 2016-08-25 23:42:04 UTC 
brew pulp latest has v1.0.22 of the plugin

QE can attempt to verify
Comment 4 wewang 2016-08-26 05:36:02 UTC 
verified in openshift3/jenkins-1-rhel7 023723e2e0ff and 
deleted resource using `openShiftDeleteResourceByJsonYaml` pipeline successfully
Comment 6 errata-xmlrpc 2016-09-27 09:10:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1937