Bug 1712240 - [OSO][STG]Unable to oauth authenticate with github/keycloak to openshift jenkins instance
Summary: [OSO][STG]Unable to oauth authenticate with github/keycloak to openshift jenk...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.1.z
Assignee: Gabe Montero
QA Contact: XiuJuan Wang
URL:
Whiteboard: 4.1.4
: 1721760 (view as bug list)
Depends On: 1709575
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-05-21 06:42 UTC by XiuJuan Wang
Modified: 2020-02-20 08:12 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The changes to OpenShift OAuth support in 4.x can now allow for differing certificate configuration between the Jenkins service account cert and the cert used by the router for the OAuth server, and the openshift jenkins login plugin needed to be updated to account for that. Consequence: You could not log into the Jenkins console in such scenarios Fix: The openshift jenkins login plugin was updated to attempt TLS connections with the default certs available to the JVM in addition to the certs mounted into the its pod. Result: You can log into the jenkins console in such scenarios.
Clone Of: 1709575
Environment:
Last Closed: 2019-07-04 09:01:22 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1635 0 None None None 2019-07-04 09:01:33 UTC

Comment 1 Gabe Montero 2019-05-21 14:09:52 UTC
waiting for 4.1 branch to open up

Comment 2 Gabe Montero 2019-05-21 14:23:12 UTC
PR https://github.com/openshift/jenkins/pull/856 is up for 4.1 ... will merge when release opens up post GA

Comment 4 Gabe Montero 2019-05-22 13:58:34 UTC
@XiuJuan

Yeah this problem does not arise with an "out of the box" configuration using the 4.x installer against AWS.

Some additional configuration around the certs used by the jenkins SA (more or less an api server cert in practice)
and the cert used for the router that handles the openshift oauth server is needed to render the jenkins SA cert
incompatible with the openshift oauth server router cert.

You'll need to talk to Justin Pierce and/or Mo Khan for the specific step (both are on on CC: in this bug)
if you want to go down that path.  Raise a needinfo against one of them as needed.

Comment 5 Wolfgang Kulhanek 2019-06-07 17:07:28 UTC
It would be great to have this in the next patch release. Default for the Jenkins templates is to enable OAUTH. And this breaks OAUTH. At least on our cluster with Let's Encrypt Certs.

Comment 6 Adam Kaplan 2019-06-13 14:53:31 UTC
Putting this under consideration for 4.1.3, since this issue impacts starter clusters.

Comment 7 Mo 2019-06-19 03:08:19 UTC
*** Bug 1721760 has been marked as a duplicate of this bug. ***

Comment 8 Gabe Montero 2019-06-19 17:47:42 UTC
PR https://github.com/openshift/jenkins/pull/856 has merged and Opened https://jira.coreos.com/browse/ART-681 to get jenkins plugin rpm updated ... combination of 4 recent plugin updates for 4.1

Comment 11 XiuJuan Wang 2019-06-20 05:45:02 UTC
The default installed openshift-login is still 1.0.16, wait for new nightly build comes out.
Checked the lastest nightly build 4.1.0-0.nightly-2019-06-20-015058

Comment 14 XiuJuan Wang 2019-06-26 03:19:27 UTC
Can't reproduce this bug with the signed certificate configured cluster.
openshift-login: 1.0.19

Test with jenkins quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8043331ad4bfe03e84bf0c691267fbf0331ed9eb807f2dfdbbb683a373c75114

Comment 16 errata-xmlrpc 2019-07-04 09:01:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1635


Note You need to log in before you can comment on or make changes to this bug.