Bug 1712240
| Summary: | [OSO][STG]Unable to oauth authenticate with github/keycloak to openshift jenkins instance | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | XiuJuan Wang <xiuwang> |
| Component: | ImageStreams | Assignee: | Gabe Montero <gmontero> |
| Status: | CLOSED ERRATA | QA Contact: | XiuJuan Wang <xiuwang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.1.0 | CC: | adam.kaplan, aos-bugs, bparees, gmontero, jokerman, jupierce, misalunk, mkhan, mmccomas, pweil, scuppett, sponnaga, wewang, wkulhane, wzheng |
| Target Milestone: | --- | Keywords: | OnlineStarter |
| Target Release: | 4.1.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | 4.1.4 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: The changes to OpenShift OAuth support in 4.x can now allow for differing certificate configuration between the Jenkins service account cert and the cert used by the router for the OAuth server, and the openshift jenkins login plugin needed to be updated to account for that.
Consequence: You could not log into the Jenkins console in such scenarios
Fix: The openshift jenkins login plugin was updated to attempt TLS connections with the default certs available to the JVM in addition to the certs mounted into the its pod.
Result: You can log into the jenkins console in such scenarios.
|
Story Points: | --- |
| Clone Of: | 1709575 | Environment: | |
| Last Closed: | 2019-07-04 09:01:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1709575 | ||
| Bug Blocks: | |||
|
Comment 1
Gabe Montero
2019-05-21 14:09:52 UTC
PR https://github.com/openshift/jenkins/pull/856 is up for 4.1 ... will merge when release opens up post GA @XiuJuan Yeah this problem does not arise with an "out of the box" configuration using the 4.x installer against AWS. Some additional configuration around the certs used by the jenkins SA (more or less an api server cert in practice) and the cert used for the router that handles the openshift oauth server is needed to render the jenkins SA cert incompatible with the openshift oauth server router cert. You'll need to talk to Justin Pierce and/or Mo Khan for the specific step (both are on on CC: in this bug) if you want to go down that path. Raise a needinfo against one of them as needed. It would be great to have this in the next patch release. Default for the Jenkins templates is to enable OAUTH. And this breaks OAUTH. At least on our cluster with Let's Encrypt Certs. Putting this under consideration for 4.1.3, since this issue impacts starter clusters. *** Bug 1721760 has been marked as a duplicate of this bug. *** PR https://github.com/openshift/jenkins/pull/856 has merged and Opened https://jira.coreos.com/browse/ART-681 to get jenkins plugin rpm updated ... combination of 4 recent plugin updates for 4.1 osbs brew distgit http://pkgs.devel.redhat.com/cgit/rpms/jenkins-2-plugins/commit/?h=rhaos-4.1-rhel-7&id=495d2aabfadfe7c6ecdd16dd151ed741b76052d1 The default installed openshift-login is still 1.0.16, wait for new nightly build comes out. Checked the lastest nightly build 4.1.0-0.nightly-2019-06-20-015058 Can't reproduce this bug with the signed certificate configured cluster. openshift-login: 1.0.19 Test with jenkins quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8043331ad4bfe03e84bf0c691267fbf0331ed9eb807f2dfdbbb683a373c75114 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1635 |