Description of problem:
The Jenkins Kubernetes client uses deprecated endpoints to check if a cluster is an OpenShift cluster. Some are removed in 4.2.
It also inspects the apiserver via root discovery, which is not exposed by default in more recent versions of k8s.
Version-Release number of selected component (if applicable): current
Additional info: https://github.com/fabric8io/kubernetes-client/issues/1587
This is a blocker for 4.2
As part of the skills transfer Vibhav and I talked about this one a little, working out a possible change, though that needs to be vetted by the fabric client maintainers.
I echoed the 4.2 blockage aspect in the associated github issue, along with the possible approach, in https://github.com/fabric8io/kubernetes-client/issues/1587#issuecomment-511877022
We are now waiting on an update of the kubernetes-client/kubernetes-model project, which requires updating the Kubernetes-schema.json file to match the OpenShift API for the APIGroupList field.
For additional information, see the issue comments on: https://github.com/fabric8io/kubernetes-client/issues/1587
Logical guess, Akram, but RELEASE_PENDING is reserved for the ART/OSBS/Brew processes.
Don't use it when you are cutting new versions of the plugins.
Move bugs to POST from ASSIGNED once you have merged PRs, and then, as you are going through the "jenkins release" mechanics, when the ART Jira card is processed for the plugin RPM update, and you have that dist git link, then move this to ON_QA.
There is an intermediate step when we are dealing with changes in releases that have gone out.
Next time one of those comes up we'll step through it.
This link https://mojo.redhat.com/docs/DOC-1093603 describes the process and was probably buried in the swath of new developer onboarding doc we forwarded to you.
Friendly reminder @Akram/@Vibhav - next step is the cherry pick https://github.com/openshift/jenkins-sync-plugin/commit/edb569c174679271f92c5f3cf622e992f3a7c1d6 into https://github.com/jenkinsci/openshift-sync-plugin and then cut a new release of the plugin
then update openshift/jenkins and OSBS with the new version
The PR fixing this is: https://github.com/openshift/jenkins/pull/901
ART team has been asked to release a new version in this JIRA:
@XiuJuan - reminder on the jenkins snowflake here ... we still need https://jira.coreos.com/browse/ART-834 after the openshift/jenkins PR merge before a nightly/OCP build will have this update
@Gabe Thanks, will wait for new build bump out.
Hi @XiuJuan , the new build seems to have bumped out.
You are good to go.
Yep, and for reference, the dist git commit we got was http://pkgs.devel.redhat.com/cgit/rpms/jenkins-2-plugins/commit/?h=rhaos-4.2-rhel-7&id=1f9c028acc4402c20b7f6c76bfd956425cebecba
QE have checked jenkins images in 4.2.0-0.nightly-2019-08-06-062019 payload.
openshift-sync-plugin has updated to 1.0.40 with kubernetes-client 4.3.1.
Did regression with pipeline builds, no issue found.
Gabe, are these tests enough? I have no idea where to check the api endpoint, could you help with some clues?
On a running OpenShift 4.2 cluster, you can check that you don't have access to /oapis as an unauthenticated user.
With this done and the plugin working, it means that we indeed use the /apis endpoint. This endpoint must be returning some "APIGroup" elements which contain openshift.io in the list also.
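The check described in the comment above, deciding from an /apis response whether the cluster exposes openshift.io API groups, as an added example that is not code from this bug report, the sync plugin or the fabric8 client. The sample responses are constructed, and matching only on a dot boundary is an assumption about how strict the check should be.

```python
import json

# Constructed, trimmed sample of an /apis discovery response (APIGroupList).
SAMPLE_OPENSHIFT = json.dumps({
    "kind": "APIGroupList",
    "apiVersion": "v1",
    "groups": [
        {"name": "apps", "versions": [{"groupVersion": "apps/v1", "version": "v1"}]},
        {"name": "route.openshift.io",
         "versions": [{"groupVersion": "route.openshift.io/v1", "version": "v1"}]},
        {"name": "build.openshift.io",
         "versions": [{"groupVersion": "build.openshift.io/v1", "version": "v1"}]},
    ],
})

# Constructed look-alike names that a plain substring test would wrongly accept.
SAMPLE_LOOKALIKE = json.dumps({
    "kind": "APIGroupList",
    "groups": [{"name": "notopenshift.io"}, {"name": "openshift.io.example.test"}],
})

OPENSHIFT_SUFFIX = "openshift.io"


def openshift_groups(api_group_list_json):
    """Return the API group names under openshift.io found in an /apis response."""
    try:
        doc = json.loads(api_group_list_json)
    except (TypeError, ValueError):
        return []  # not JSON at all: treat as "no evidence of OpenShift"
    if not isinstance(doc, dict) or doc.get("kind") != "APIGroupList":
        return []  # e.g. a Status object returned for a denied request
    found = []
    for group in doc.get("groups") or []:
        name = group.get("name") if isinstance(group, dict) else None
        if not isinstance(name, str):
            continue
        name = name.lower()
        # Accept the domain itself or a subdomain, on a dot boundary only.
        if name == OPENSHIFT_SUFFIX or name.endswith("." + OPENSHIFT_SUFFIX):
            found.append(name)
    return found


def is_openshift(api_group_list_json):
    """Classify a cluster from the /apis document alone."""
    return bool(openshift_groups(api_group_list_json))
```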
Hey @Akram and @XiuJuan
A couple of points
- it was the access to "/" that the fabric client / sync plugin were modified to avoid ...
- the change was made in openshift proper to prevent unauthenticated. See https://github.com/openshift/origin/pull/23049.
- There is no way for you to "configure the system" to prevent unauthorized access to "/" before this PR merges (and hence confirm the sync plugin is not trying to do it)
- the e2e's in that PR will ultimately verify
So what you did in #comment 15 is sufficient to mark this verified.
Thanks @Gabe and @Akram,
Mark this issue as verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.