Bug 1369746 - Fail to delete resource using `openShiftDeleteResourceByJsonYaml` pipeline dsl step
Summary: Fail to delete resource using `openShiftDeleteResourceByJsonYaml` pipeline d...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Gabe Montero
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-24 09:55 UTC by shiyang.wang
Modified: 2017-03-08 18:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The OpenShift Pipeline Plugin for Jenkins did not properly handle permission issues when attempting to access the Route for Jenkins. Consequence: Any of the steps or post-build actions in Jenkins jobs could fail unnecessarily with a Java stack trace citing an inability to access routes. Fix: Add correct error handling when attempting to list routes. Result: Jenkins jobs not longer fail unnecessarily if the token used by the OpenShift Pipeline Plugin for Jenkins to access the OpenShift API Master did not have permission to list routes.
Clone Of:
Environment:
Last Closed: 2016-09-27 09:10:53 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1937 0 normal SHIPPED_LIVE Red Hat OpenShift Enterprise Jenkins image bug fix and enhancement update 2016-09-27 13:05:12 UTC

Description shiyang.wang 2016-08-24 09:55:31 UTC 
Description of problem:

jenkins pipeline DSL  using  `openShiftDeleteResourceByJsonYaml` build failed, also did not delete pod


Version-Release number of selected component (if applicable):

OCP/image
M/M
version:
brew-pulp.../openshift3/jenkins-1-rhel7@sha256:d087cb40014e3bb9b8d3efc43092c608e0c4e04b9d4e249c18d3bb8a2d00e417"

How reproducible:


Steps to Reproduce:
1.$oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/jenkins-ephemeral-template.json

2. $oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json

3.
$Open the Jenkins  in browser,
$Go to jenkins job page click "new item" -->write item name: openshifttest-->select "Pipeline"-->save
$Select pipelinejob "openshifttest" to Configure 
$Config "openShiftDeleteResourceByKey"  follow 
node{
    stage 'build'
    openshiftCreateResource(  apiURL:  'https://openshift.default.svc.cluster.local', authToken: '', jsonyaml:  ''' <file content>  ''', namespace: 'test', verbose: 'false' )
}

4. click  "build"

Actual results:
Started by user Jenkins Admin
[Pipeline] node
Running on master in /var/lib/jenkins/jobs/openshifttest/workspace
[Pipeline] {
[Pipeline] stage (build)
Entering stage build
Proceeding
[Pipeline] openshiftDeleteResourceByJsonYaml
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.openshift.restclient.authorization.ResourceForbiddenException: User "system:serviceaccount:shiywang:jenkins" cannot list routes in project "test"
        at com.openshift.internal.restclient.DefaultClient.createOpenShiftException(DefaultClient.java:483)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:158)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:139)
        at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.constructBuildUrl(IOpenShiftPlugin.java:205)
        at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.doItCore(IOpenShiftPlugin.java:235)
        at com.openshift.jenkins.plugins.pipeline.dsl.OpenShiftDeleterJsonYamlExecution.run(OpenShiftDeleterJsonYamlExecution.java:42)
        at com.openshift.jenkins.plugins.pipeline.dsl.OpenShiftDeleterJsonYamlExecution.run(OpenShiftDeleterJsonYamlExecution.java:18)
        at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:49)
        at hudson.security.ACL.impersonate(ACL.java:213)
        at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:47)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.openshift.internal.restclient.http.HttpClientException: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:shiywang:jenkins\" cannot list routes in project \"test\"",
  "reason": "Forbidden",
  "details": {
    "kind": "routes"
  },
  "code": 403
}
 
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.createException(UrlConnectionHttpClient.java:278)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:211)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:187)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.get(UrlConnectionHttpClient.java:149)
        at com.openshift.internal.restclient.DefaultClient.list(DefaultClient.java:153)
        ... 13 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://openshift.default.svc.cluster.local/oapi/v1/namespaces/test/routes
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at com.openshift.internal.restclient.http.UrlConnectionHttpClient.request(UrlConnectionHttpClient.java:207)
        ... 16 more
Finished: FAILURE


Expected results:
jenkins job build success, delete pod successfully

Additional info:
Comment 1 Gabe Montero 2016-08-24 16:37:18 UTC 
OK, this particular stack trace was fixed with https://github.com/openshift/jenkins-plugin/commit/90fb270e7a14d9e27f47bc46888383f924779db0#diff-8bc5575e72911f22d92892b6b3e4c3ca

That is a post v1.021 fix.  So as Ben noted in IRC, we'll need to craft a new version of the plugin, followed by a new RPM for rhel, followed by a new jenkins rhel image on brew-pulp.

I'll hold off on that process until I have triaged the other recently opened bugzillas.
Comment 2 Gabe Montero 2016-08-24 16:53:40 UTC 
*** Bug 1369702 has been marked as a duplicate of this bug. ***
Comment 3 Gabe Montero 2016-08-25 23:42:04 UTC 
brew pulp latest has v1.0.22 of the plugin

QE can attempt to verify
Comment 4 wewang 2016-08-26 05:36:02 UTC 
verified in openshift3/jenkins-1-rhel7 023723e2e0ff and 
deleted resource using `openShiftDeleteResourceByJsonYaml` pipeline successfully
Comment 6 errata-xmlrpc 2016-09-27 09:10:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1937
Note You need to log in before you can comment on or make changes to this bug.