Bug 1752831 - [Disconnect]Can't access jenkins console in disconnected env behind http proxy in aws platform
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Akram Ben Aissi
QA Contact: XiuJuan Wang
Reported: 2019-09-17 10:35 UTC by XiuJuan Wang
Modified: 2019-10-16 06:41 UTC

Last Closed: 2019-10-16 06:41:14 UTC
Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift jenkins-openshift-login-plugin pull 84 | 0 | None | closed | Bug 1752831: Handle HTTP proxy for HTTPS connections | 2020-06-09 12:05:25 UTC |
| Red Hat Product Errata | RHBA-2019:2922 | 0 | None | None | None | 2019-10-16 06:41:29 UTC |

Comment 1 Akram Ben Aissi 2019-09-18 03:32:38 UTC
Hi XiuJuan Wang,
we are looking at this.

Comment 2 Akram Ben Aissi 2019-09-19 10:10:18 UTC
To make Jenkins work with a proxy, the correct proxy variables must be passed to the JVM using system properties (-D modifiers).
They can be passed using the JAVA_TOOL_OPTIONS or the JAVA_GC_OPTIONS.
The required options are:
```
-Dhttps.proxyHost=<your_proxy_host>
-Dhttps.proxyUser=your-proxy-user
-Dhttps.proxyPassword=your-proxy-password
-Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1"
```

Starting from Java 8, the Basic authentication with a proxy is by default disabled, so it is also required to add:
```
-Djdk.http.auth.tunneling.disabledSchemes=
-Djdk.http.auth.proxying.disabledSchemes= 
```

However, a bug has been found with the OpenJDK version that we are using that requires defining a defaultAuthenticator that passes authentication parameters to the proxy.
This fix provides the required authenticator.

Comment 3 Akram Ben Aissi 2019-09-19 10:11:30 UTC
The fix is done in the PR: https://github.com/openshift/jenkins-openshift-login-plugin/pull/84

Comment 5 Akram Ben Aissi 2019-09-19 14:42:03 UTC
As per OpenJDK team discussion:
Default Authenticator implementations that require user/login must fail. So, in our case, defining a custom Authenticator is required. There is no bug per se in OpenJDK for this scenario.
https://docs.oracle.com/javase/8/docs/api/java/net/Authenticator.html

Note: "All methods that request authentication have a default implementation that fails."

However, the Authenticator for plain HTTP proxied connections supports Basic authentication out of the box.
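
Comment 5 above says a custom Authenticator is required for proxied HTTPS connections. The following sketch of such an authenticator is an added example, not part of the original thread and not the code from PR 84. The class name, the constructed sample values, and the policy of answering only proxy challenges that come from the configured host and port are assumptions.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

// Added example; class name and matching policy are assumptions, not the plugin's code.
public final class ScopedProxyAuthenticator extends Authenticator {

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Answer proxy (407) challenges only. A 401 from an origin server
        // must never be handed the proxy credentials.
        if (getRequestorType() != RequestorType.PROXY) {
            return null;
        }
        for (String scheme : new String[] {"https", "http"}) {
            String host = System.getProperty(scheme + ".proxyHost");
            String user = System.getProperty(scheme + ".proxyUser");
            String pass = System.getProperty(scheme + ".proxyPassword");
            int defaultPort = scheme.equals("https") ? 443 : 80;
            int port = Integer.getInteger(scheme + ".proxyPort", defaultPort);
            // Release credentials only to the configured proxy endpoint.
            if (host != null && user != null && pass != null
                    && host.equalsIgnoreCase(getRequestingHost())
                    && port == getRequestingPort()) {
                return new PasswordAuthentication(user, pass.toCharArray());
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, mirroring the property names in the thread.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");
        System.setProperty("https.proxyUser", "proxy-user1");
        System.setProperty("https.proxyPassword", "constructed-secret");
        Authenticator.setDefault(new ScopedProxyAuthenticator());

        // Same host and port, once as a proxy challenge and once as an origin challenge.
        PasswordAuthentication proxy = Authenticator.requestPasswordAuthentication(
                "proxy.example.internal", null, 3128, "http", "realm", "basic",
                null, RequestorType.PROXY);
        PasswordAuthentication origin = Authenticator.requestPasswordAuthentication(
                "proxy.example.internal", null, 3128, "https", "realm", "basic",
                null, RequestorType.SERVER);
        System.out.println("proxy challenge answered:  " + (proxy != null));
        System.out.println("origin challenge answered: " + (origin != null));
    }
}
```

With Basic re-enabled through the two `disabledSchemes` properties, the credentials are sent base64-encoded to the proxy, so the host and port check is what keeps them from being offered to any other endpoint.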

Comment 10 XiuJuan Wang 2019-09-22 02:11:26 UTC
jenkins image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9fc7d32efd031c585e5921755e76c369752006fa1e1ed54e15d605f9ec27c16a from 4.2.0-0.nightly-2019-09-21-183303 has included openshift-login:1.0.20
With JENKINS_JAVA_OVERRIDES set, the Jenkins web console can be accessed now.

```
sh-4.2$ env | grep proxy 
JENKINS_JAVA_OVERRIDES=-Dhttp.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttp.proxyPort=3128 -Dhttp.proxyUser=proxy-user1 -Dhttp.proxyPassword=******** -Dhttps.proxyHost=ec2-18-216-140-36.us-east-2.compute.amazonaws.com -Dhttps.proxyPort=3128 -Dhttps.proxyUser=proxy-user1 -Dhttps.proxyPassword=******** -Dhttp.nonProxyHosts="*.svc|*.svc.cluster.*|*.svc.cluster.local|172.30.*|kubernetes.default|172.30.0.1" -Djdk.http.auth.tunneling.disabledSchemes="" -Djdk.http.auth.proxying.disabledSchemes=""
```

Comment 11 errata-xmlrpc 2019-10-16 06:41:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
