Bug 1729522 - Jenkins k8s client uses deprecated route paths
Summary: Jenkins k8s client uses deprecated route paths
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Vibhav Bobade
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks: 1711533
Reported: 2019-07-12 13:30 UTC by Adam Kaplan
Modified: 2019-10-16 06:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:29:43 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift jenkins pull 901 | 0 | None | None | None | 2019-08-02 14:11:42 UTC
Red Hat Product Errata | RHBA-2019:2922 | 0 | None | None | None | 2019-10-16 06:29:58 UTC

Description Adam Kaplan 2019-07-12 13:30:54 UTC
Description of problem:

The Jenkins Kubernetes client uses deprecated endpoints to check if a cluster is an OpenShift cluster. Some are removed in 4.2.

It also inspects the apiserver via root discovery, which is not exposed by default in more recent versions of k8s.


Version-Release number of selected component (if applicable): current


Additional info: https://github.com/fabric8io/kubernetes-client/issues/1587

Comment 1 Adam Kaplan 2019-07-12 13:31:47 UTC
This is a blocker for 4.2

Comment 2 Gabe Montero 2019-07-16 15:56:18 UTC
As part of the skills transfer Vibhav and I talked about this one a little, working out a possible change, though that needs to be vetted by the fabric client maintainers.

I echoed the 4.2 blockage aspect in the associated github issue, along with the possible approach, in https://github.com/fabric8io/kubernetes-client/issues/1587#issuecomment-511877022

Comment 3 Akram Ben Aissi 2019-07-18 09:37:38 UTC
We are now waiting on an update of the kubernetes-client/kubernetes-model project, which requires updating the Kubernetes-schema.json file to match the OpenShift API for the APIGroupList field.

For additional information, see the issue comments on: https://github.com/fabric8io/kubernetes-client/issues/1587

Comment 4 Gabe Montero 2019-07-22 12:30:03 UTC
Logical guess Akram but RELEASE_PENDING is reserved for the ART/OSBS/Brew processes.

Don't use it when you are cutting new versions of the plugins.

Move bugs to POST from ASSIGNED once you have merged PRs, and then, as you are going through the "jenkins release" mechanics,
when the ART Jira card is processed for the plugin RPM update, and you have that dist git
link, then move this to ON_QA.

There is an intermediate step when we are dealing with changes in releases that have gone out.

Next time one of those comes up we'll step through it.

Comment 5 Gabe Montero 2019-07-22 12:31:59 UTC
This link https://mojo.redhat.com/docs/DOC-1093603 describes the process and was probably buried in the swath of new developer onboarding doc we forwarded to you.

Comment 7 Gabe Montero 2019-07-30 15:33:10 UTC
Friendly reminder @Akram/@Vibhav - next step is the cherry pick https://github.com/openshift/jenkins-sync-plugin/commit/edb569c174679271f92c5f3cf622e992f3a7c1d6 into https://github.com/jenkinsci/openshift-sync-plugin and then cut a new release of the plugin

then update openshift/jenkins and OSBS with the new version

Comment 8 Akram Ben Aissi 2019-08-02 14:04:43 UTC
The PR fixing this is: https://github.com/openshift/jenkins/pull/901

Comment 9 Akram Ben Aissi 2019-08-02 17:06:42 UTC
ART team has been asked to release a new version in this JIRA:
https://jira.coreos.com/browse/ART-834

Comment 11 Gabe Montero 2019-08-02 18:36:17 UTC
@XiuJuan - reminder on the jenkins snowflake here ... we still need https://jira.coreos.com/browse/ART-834 after the openshift/jenkins PR merge before a nightly/OCP build will have this update

Comment 12 XiuJuan Wang 2019-08-05 05:34:08 UTC
@Gabe Thanks, will wait for new build bump out.

Comment 13 Akram Ben Aissi 2019-08-05 16:56:16 UTC
Hi @XiuJuan, the new build seems to have bumped out.
You are good to go.

Comment 14 Gabe Montero 2019-08-05 18:12:51 UTC
Yep, and for reference, the dist git commit we got was http://pkgs.devel.redhat.com/cgit/rpms/jenkins-2-plugins/commit/?h=rhaos-4.2-rhel-7&id=1f9c028acc4402c20b7f6c76bfd956425cebecba

Comment 15 XiuJuan Wang 2019-08-06 08:41:23 UTC
QE have checked jenkins images in 4.2.0-0.nightly-2019-08-06-062019 payload.
openshift-sync-plugin has updated to 1.0.40 with kubernetes-client 4.3.1.
Did regression with pipeline builds, no issue found.

Gabe, if these tests are enough, I have no idea where to check the api endpoint, could you help with some clues?
Thanks

Comment 16 Akram Ben Aissi 2019-08-06 10:16:54 UTC
Hi XiuJuan

On a running OpenShift 4.2 cluster, you can check that you don't have access to /oapis as an unauthenticated user.
This done, and the plugin working, means that we indeed use the /apis endpoint. This endpoint must be returning some "APIGroup" elements which contain openshift.io in the list also.
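
The /apis check described in comment 16, as an added example that is not part of the original comment and not the fabric8 client's or the sync plugin's own code: it classifies a GET /apis response body by looking for API groups under openshift.io. The sample bodies are constructed, and the function names and the suffix-match rule are assumptions made for illustration.

```python
import json

OPENSHIFT_SUFFIX = ".openshift.io"  # assumed match rule: DNS suffix of the group name


def _group(name, version="v1"):
    """Build one APIGroup entry in the shape /apis returns (constructed data)."""
    gv = {"groupVersion": f"{name}/{version}", "version": version}
    return {"name": name, "versions": [gv], "preferredVersion": gv}


# Constructed sample bodies, not captured from a real cluster.
SAMPLE_OPENSHIFT = json.dumps({"kind": "APIGroupList", "apiVersion": "v1", "groups": [
    _group("apps"), _group("route.openshift.io"), _group("build.openshift.io"),
]})
SAMPLE_VANILLA = json.dumps({"kind": "APIGroupList", "apiVersion": "v1", "groups": [
    _group("apps"), _group("batch"), _group("openshift.io.example.com"),
]})
SAMPLE_FORBIDDEN = json.dumps({"kind": "Status", "apiVersion": "v1", "status": "Failure",
                               "reason": "Forbidden", "code": 403})


def openshift_groups(apis_body):
    """Return the sorted OpenShift API group names found in a GET /apis body."""
    doc = json.loads(apis_body)
    if doc.get("kind") != "APIGroupList":
        # A Status object here means the request was rejected; reporting that as
        # "not OpenShift" would hide an auth problem, so fail loudly instead.
        raise ValueError(f"expected APIGroupList, got {doc.get('kind')!r} "
                         f"(code={doc.get('code')})")
    names = (g.get("name", "") for g in doc.get("groups") or [])
    # Match on the suffix, not a substring, so lookalike group names are ignored.
    return sorted(n for n in names if n.endswith(OPENSHIFT_SUFFIX))


def is_openshift(apis_body):
    """True when at least one *.openshift.io API group is advertised."""
    return bool(openshift_groups(apis_body))


if __name__ == "__main__":
    for label, body in [("openshift", SAMPLE_OPENSHIFT), ("vanilla", SAMPLE_VANILLA)]:
        print(label, is_openshift(body), openshift_groups(body))
    try:
        is_openshift(SAMPLE_FORBIDDEN)
    except ValueError as exc:
        print("rejected:", exc)
```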

Comment 17 Gabe Montero 2019-08-06 13:09:30 UTC
Hey @Akram and @XiuJuan

A couple of points
- it was the access to "/" that the fabric client / sync plugin were modified to avoid ...
- the change was made in openshift proper to prevent unauthenticated.  See https://github.com/openshift/origin/pull/23049.  
- There is no way for you to "configure the system" to prevent unauthorized access to "/" before this PR merges (and hence confirm the sync plugin is not trying to do it)
- the e2e's in that PR will ultimately verify

So what you did in comment #15 is sufficient to mark this verified.

Comment 18 XiuJuan Wang 2019-08-07 02:29:41 UTC
Thanks @Gabe and @Akram,

Mark this issue as verified.

Comment 19 errata-xmlrpc 2019-10-16 06:29:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

