Hi XiuJuan Wang, we are looking at this.
To make Jenkins work with a proxy, it is required to pass the correct proxy variables to the JVM using system properties (-D modifiers). They can be passed using JAVA_TOOL_OPTIONS or JAVA_GC_OPTIONS. The required options are:
```
-Dhttps.proxyHost=<your_proxy_host>
-Dhttps.proxyUser=your-proxy-user
-Dhttps.proxyPassword=your-proxy-password
-Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1"
```
Starting from Java 8, Basic authentication with a proxy is disabled by default, so it is also required to add:
```
-Djdk.http.auth.tunneling.disabledSchemes=
-Djdk.http.auth.proxying.disabledSchemes=
```
However, a bug has been found with the OpenJDK version that we are using that requires defining a defaultAuthenticator that passes authentication parameters to the proxy. This fix provides the required authenticator.
The fix is done in the PR: https://github.com/openshift/jenkins-openshift-login-plugin/pull/84
As per OpenJDK team discussion: Default Authenticator implementations that require user/login must fail. So, in our case, defining a custom Authenticator is required. There is no bug per se in OpenJDK for this scenario.
https://docs.oracle.com/javase/8/docs/api/java/net/Authenticator.html
Note: "All methods that request authentication have a default implementation that fails." However, the Authenticator for plain HTTP proxied connections supports Basic authentication out of the box.
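A sketch of the kind of custom Authenticator the comments above describe, added here as an illustration and not the code from the linked PR. The class name `ProxyAuthenticator` and the sample host, port and credentials in `main` are constructed; the property names are the ones listed in this report.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

// Added illustration; not the code from the openshift-login plugin PR.
public final class ProxyAuthenticator extends Authenticator {

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Answer proxy challenges only, so the proxy credentials are never
        // offered to an origin server that replies 401.
        if (getRequestorType() != RequestorType.PROXY) {
            return null;
        }
        String protocol = getRequestingProtocol();
        String prefix = (protocol == null ? "http" : protocol.toLowerCase());
        String host = System.getProperty(prefix + ".proxyHost");
        String port = System.getProperty(prefix + ".proxyPort");
        String user = System.getProperty(prefix + ".proxyUser");
        String pass = System.getProperty(prefix + ".proxyPassword");
        if (host == null || user == null || pass == null) {
            return null; // nothing configured for this protocol
        }
        // Release credentials only to the proxy named in the JVM options.
        if (!host.equalsIgnoreCase(getRequestingHost())) {
            return null;
        }
        if (port != null && !port.equals(String.valueOf(getRequestingPort()))) {
            return null;
        }
        return new PasswordAuthentication(user, pass.toCharArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values standing in for the -D options.
        System.setProperty("https.proxyHost", "proxy.example.test");
        System.setProperty("https.proxyPort", "3128");
        System.setProperty("https.proxyUser", "sample-user");
        System.setProperty("https.proxyPassword", "sample-password");
        Authenticator.setDefault(new ProxyAuthenticator());

        // Simulate the two kinds of challenge without any network traffic.
        PasswordAuthentication proxy = Authenticator.requestPasswordAuthentication(
                "proxy.example.test", null, 3128, "https", "", "basic", null, RequestorType.PROXY);
        PasswordAuthentication server = Authenticator.requestPasswordAuthentication(
                "proxy.example.test", null, 3128, "https", "", "basic", null, RequestorType.SERVER);
        System.out.println("proxy challenge answered as: " + proxy.getUserName());
        System.out.println("server challenge answered: " + (server != null));
    }
}
```

The requestor-type, host and port checks matter because the default Authenticator is JVM-wide: without them, any server that issues an authentication challenge would be handed the proxy password.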
The jenkins image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9fc7d32efd031c585e5921755e76c369752006fa1e1ed54e15d605f9ec27c16a from 4.2.0-0.nightly-2019-09-21-183303 has included openshift-login:1.0.20. With JENKINS_JAVA_OVERRIDES set, the jenkins webconsole can be accessed now.
```
sh-4.2$ env | grep proxy
JENKINS_JAVA_OVERRIDES=-Dhttp.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttp.proxyPort=3128 -Dhttp.proxyUser=proxy-user1 -Dhttp.proxyPassword=******** -Dhttps.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttps.proxyPort=3128 -Dhttps.proxyUser=proxy-user1 -Dhttps.proxyPassword=******** -Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1" -Djdk.http.auth.tunneling.disabledSchemes="" -Djdk.http.auth.proxying.disabledSchemes=""
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922