Bug 1826174 - Jenkins oAuth template fails when the ingress custom certificate is signed by an intermediate CA [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.4.z
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On: 1804345
Blocks: 1824987 1826172
Reported: 2020-04-21 07:36 UTC by jawed
Modified: 2020-06-23 00:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1804345
Environment:
Last Closed: 2020-06-23 00:57:24 UTC
Target Upstream Version:
pamoedom: needinfo? (abenaiss)


Links
System | ID | Priority | Status | Summary | Last Updated
Github | openshift jenkins pull 1050 | None | closed | [release-4.4] Bug 1826174: handle ingress certificate signed by custom ca | 2020-07-28 07:51:25 UTC
Red Hat Product Errata | RHBA-2020:2580 | None | None | None | 2020-06-23 00:57:42 UTC

Internal Links: 1858214

Comment 4 Jitendar Singh 2020-06-18 05:45:24 UTC
[jsingh@localhost templates]$ oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      28s
jenkins-1-global-ca         1      28s
jenkins-1-sys-config        0      28s
jenkins-trusted-ca-bundle   1      9s

--------------------------------------------

pipeline build working - verified

--------------------------------------------

VERIFIED

Comment 5 Jitendar Singh 2020-06-18 07:38:07 UTC
==============================================================================================================================
All details about the creation of the full certificate chain:
0) Pre-steps to hold the entire custom CA structure:
~~~
[RootCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/root-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/root-ca
$ chmod 700 private
$ touch root-ca.index
$ echo 00 > root-ca.crlnum
$ openssl rand -hex 16 > root-ca.serial
[IntermediateCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/intermed-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/intermed-ca
$ chmod 700 private
$ touch intermed-ca.index
$ echo 00 > intermed-ca.crlnum
$ openssl rand -hex 16 > intermed-ca.serial
~~~
1) Create RootCA config file as follows:
~~~
$ cd example.net.ca/root-ca
$ cat root-ca.cnf 
#
# OpenSSL configuration for the Root Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
[ ca ]
default_ca              = root_ca
#
# Root Certification Authority
[ root_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/root-ca.serial
database                = $dir/root-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/root-ca.cert.pem
private_key             = $dir/private/root-ca.key.pem
default_days            = 1826 # Five years
crl                     = $dir/root-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/root-ca.crlnum
name_opt                = multiline, align
cert_opt                = no_pubkey
copy_extensions         = copy
crl_extensions          = crl_ext
default_crl_days        = 180
default_md              = sha256
preserve                = no
email_in_dn             = no
policy                  = policy
unique_subject          = no
#
# Distinguished Name Policy for CAs
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
#
# Root CA Request Options
[ req ]
default_bits            = 4096
default_keyfile         = private/root-ca.key.pem
encrypt_key             = yes
default_md              = sha256
string_mask             = utf8only
utf8                    = yes
prompt                  = no
req_extensions          = root-ca_req_ext
distinguished_name      = distinguished_name
subjectAltName          = @subject_alt_name
#
# Root CA Request Extensions
[ root-ca_req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Root Certification Authority
#
# Root CA Certificate Extensions
[ root-ca_ext ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
nameConstraints         = critical, @name_constraints
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# Intermediate CA Certificate Extensions
[ intermed-ca_ext ]
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster@example.net
#
# Name Constraints
[ name_constraints ]
permitted;DNS.1         = example.net
permitted;email.1       = example.net
#
# Certificate download addresses for the root CA
[ auth_info_access ]
caIssuers;URI           = http://ca.example.net/certs/example.net_Root_Certification_Authority.cert.pem
#
# CRL Download address for the root CA
[ crl_dist ]
fullname                = URI:http://ca.example.net/crl/example.net_Root_Certification_Authority.crl
# EOF
~~~
2) Make sure the config is active:
~~~
$ export OPENSSL_CONF=./root-ca.cnf
~~~
3) Generate CSR & Key:
~~~
$ openssl req -new -out root-ca.req.pem
$ chmod 400 private/root-ca.key.pem
~~~
4) Self-sign the Root certificate:
~~~
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -selfsign -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +10years+1day`
~~~
5) (Optional) Verify the cert:
~~~
$ openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem
~~~
6) Create IntermediateCA config file as follows:
~~~
$ cd example.net.ca/intermed-ca
$ cat intermed-ca.cnf 
#
# OpenSSL configuration for the Intermediate Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd
oid_section             = new_oids
#
# XMPP address Support
[ new_oids ]
xmppAddr          = 1.3.6.1.5.5.7.8.5
dnsSRV            = 1.3.6.1.5.5.7.8.7
#
# Default Certification Authority
[ ca ]
default_ca              = intermed_ca
#
# Intermediate Certification Authority
[ intermed_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/intermed-ca.serial
database                = $dir/intermed-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/intermed-ca.cert.pem
private_key             = $dir/private/intermed-ca.key.pem
default_days            = 730 # Two years
crl                     = $dir/crl/intermed-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/intermed-ca.crlnum
name_opt                = multiline, align
cert_opt                = no_pubkey
copy_extensions         = copy
crl_extensions          = crl_ext
default_crl_days        = 30
default_md              = sha256
preserve                = no
email_in_dn             = no
policy                  = policy
unique_subject          = no
#
# Distinguished Name Policy
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
#
# Distinguished Name Policy for Personal Certificates
[ user_policy ]
countryName             = supplied
stateOrProvinceName     = optional
localityName            = supplied
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied
#xmppAddr               = optional # Added to SubjAltName by req
#
# Intermediate CA request options
[ req ]
default_bits            = 3072
default_keyfile         = private/intermed-ca.key.pem
encrypt_key             = yes
default_md              = sha256
string_mask             = utf8only
utf8                    = yes
prompt                  = no
req_extensions          = req_ext
distinguished_name      = distinguished_name
subjectAltName          = @subject_alt_name
#
# Intermediate CA Request Extensions
[ req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Intermediate Certification Authority
#
# Server Certificate Extensions
[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# Client Certificate Extensions
[ client_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# User Certificate Extensions
[ user_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth, emailProtection
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster@example.net
#
# Certificate download addresses for the intermediate CA
[ auth_info_access ]
caIssuers;URI           = http://ca.example.net/certs/example.net_Intermediate_Certification_Authority.cert.pem
#
# CRL Download address for the intermediate CA
[ crl_dist ]
fullname                = URI:http://ca.example.net/crl/example.net_Intermediate_Certification_Authority.crl
# EOF
~~~
7) Switch to the proper config:
~~~
$ export OPENSSL_CONF=./intermed-ca.cnf
~~~
8) Generate CSR & Key:
~~~
$ openssl req -new -out intermed-ca.req.pem
$ chmod 400 private/intermed-ca.key.pem
~~~
9) Sign the IntermediateCA with the RootCA:
~~~
$ cp intermed-ca.req.pem /path/to/safe/storage/customCA/example.net.ca/root-ca/certreqs/
$ cd /path/to/safe/storage/customCA/example.net.ca/root-ca/
$ export OPENSSL_CONF=./root-ca.cnf
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -in certreqs/intermed-ca.req.pem -out certs/intermed-ca.cert.pem -extensions intermed-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +5years+1day`
$ cp certs/intermed-ca.cert.pem /path/to/safe/storage/customCA/example.net.ca/intermed-ca/
~~~
10) (Optional) Verify the cert:
~~~
$ openssl x509 -in certs/intermed-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem certs/intermed-ca.cert.pem
~~~
11) Create the custom Ingress wildcard certificate for our cluster:
~~~
$ cd /path/to/safe/storage/customCA/example.net.ca/intermed-ca
$ export OPENSSL_CONF=./intermed-ca.cnf
$ INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
$ openssl genrsa -out example.key 2048
$ openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Raleigh/O=OCP4/OU=IT/CN=*.$INGRESS_DOMAIN"
$ mv example.csr ./certreqs/
~~~
12) Sign the Server Cert with the IntermediateCA:
~~~
$ openssl rand -hex 16 > intermed-ca.serial
$ openssl ca -in ./certreqs/example.csr -out ./certs/example.pem -extensions server_ext
~~~

==================================================================================================================================

jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-project jitsingh
Now using project "jitsingh" on server "https://api.wxj181-5422.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc create -f jenkins-ephemeral.json
template.template.openshift.io/jenkins-ephemeral created
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get is
No resources found.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods
No resources found.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-build https://github.com/jitendar-singh/jenkins.git --context-dir=2/
--> Found container image 8b61dd8 (11 hours old) from quay.io for "quay.io/openshift/origin-cli"

    OpenShift Client 
    ---------------- 
    OpenShift is a platform for developing, building, and deploying containerized applications.

    Tags: openshift, cli

    * An image stream tag will be created as "origin-cli:latest" that will track the source image
    * A Docker build using source code from https://github.com/jitendar-singh/jenkins.git will be created
      * The resulting image will be pushed to image stream tag "jenkins:latest"
      * Every time "origin-cli:latest" changes a new build will be triggered

--> Creating resources with label build=jenkins ...
    imagestream.image.openshift.io "origin-cli" created
    imagestream.image.openshift.io "jenkins" created
    buildconfig.build.openshift.io "jenkins" created
--> Success
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins:latest
--> Deploying template "jitsingh/jenkins-ephemeral" to project jitsingh

     Jenkins (Ephemeral)
     ---------
     Jenkins service, without persistent storage.
     
     WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.

     A Jenkins service has been created in your project.  Log into Jenkins with your OpenShift account.  The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.

     * With parameters:
        * Jenkins Service Name=jenkins
        * Jenkins JNLP Service Name=jenkins-jnlp
        * Enable OAuth in Jenkins=true
        * Memory Limit=1Gi
        * Jenkins ImageStream Namespace=jitsingh
        * Disable memory intensive administrative monitors=false
        * Jenkins ImageStreamTag=jenkins:latest
        * Allows use of Jenkins Update Center repository with invalid SSL certificate=false

--> Creating resources ...
    route.route.openshift.io "jenkins" created
    configmap "jenkins-trusted-ca-bundle" created
    deploymentconfig.apps.openshift.io "jenkins" created
    serviceaccount "jenkins" created
    rolebinding.authorization.openshift.io "jenkins_edit" created
    service "jenkins-jnlp" created
    service "jenkins" created
--> Success
    Access your application via route 'jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods 
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          26s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc describe pods/jenkins-1-build
Name:               jenkins-1-build
Namespace:          jitsingh
Priority:           0
PriorityClassName:  <none>
Node:               ip-10-0-50-255.us-east-2.compute.internal/10.0.50.255
Start Time:         Thu, 18 Jun 2020 12:43:10 +0530
Labels:             openshift.io/build.name=jenkins-1
Annotations:        k8s.v1.cni.cncf.io/networks-status:
                      [{
                          "name": "openshift-sdn",
                          "interface": "eth0",
                          "ips": [
                              "10.129.2.28"
                          ],
                          "dns": {},
                          "default-route": [
                              "10.129.2.1"
                          ]
                      }]
                    openshift.io/build.name: jenkins-1
                    openshift.io/scc: privileged
Status:             Running
IP:                 10.129.2.28
Controlled By:      Build/jenkins-1
Init Containers:
  git-clone:
    Container ID:  cri-o://338ccd641b2c44747409b718d99b6d12c6035bd7d23a2585380ff9144bbffa57
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-git-clone
    Args:
      --loglevel=0
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 18 Jun 2020 12:43:12 +0530
      Finished:     Thu, 18 Jun 2020 12:43:16 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
  manage-dockerfile:
    Container ID:  cri-o://62019732ce24ec2cd0f592ffe2b36c8e551aeab8e188b96dadf7ea504033a026
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-manage-dockerfile
    Args:
      --loglevel=0
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 18 Jun 2020 12:43:17 +0530
      Finished:     Thu, 18 Jun 2020 12:43:17 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
Containers:
  docker-build:
    Container ID:  cri-o://fe503fddaa194dd4c6b829dce61c03869543359d780f4daa5d23b0011d0aaac1
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-docker-build
    Args:
      --loglevel=0
    State:          Running
      Started:      Thu, 18 Jun 2020 12:43:18 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      PUSH_DOCKERCFG_PATH:          /var/run/secrets/openshift.io/push
      PULL_DOCKERCFG_PATH:          /var/run/secrets/openshift.io/pull
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_STORAGE_DRIVER:         overlay
      BUILD_ISOLATION:              chroot
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/lib/containers/cache from buildcachedir (rw)
      /var/lib/containers/storage from container-storage-root (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
      /var/run/secrets/openshift.io/pull from builder-dockercfg-mdg5d-pull (ro)
      /var/run/secrets/openshift.io/push from builder-dockercfg-mdg5d-push (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  buildcachedir:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/containers/cache
    HostPathType:  
  buildworkdir:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  builder-dockercfg-mdg5d-push:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-dockercfg-mdg5d
    Optional:    false
  builder-dockercfg-mdg5d-pull:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-dockercfg-mdg5d
    Optional:    false
  build-system-configs:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-sys-config
    Optional:  false
  build-ca-bundles:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-ca
    Optional:  false
  build-proxy-ca-bundles:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-global-ca
    Optional:  false
  container-storage-root:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  build-blob-cache:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  builder-token-zq27b:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-token-zq27b
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                                                Message
  ----    ------     ----  ----                                                -------
  Normal  Scheduled  52s   default-scheduler                                   Successfully assigned jitsingh/jenkins-1-build to ip-10-0-50-255.us-east-2.compute.internal
  Normal  Pulled     50s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    50s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container git-clone
  Normal  Started    49s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container git-clone
  Normal  Pulled     46s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container manage-dockerfile
  Normal  Started    45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container manage-dockerfile
  Normal  Pulled     45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    44s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container docker-build
  Normal  Started    44s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container docker-build
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443

svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
  dc/jenkins deploys istag/jenkins:latest <-
    bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest 
      build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh@localhost.localdomain>)
    deployment #1 waiting on image or update

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          79s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443

svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
  dc/jenkins deploys istag/jenkins:latest <-
    bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest 
      build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh@localhost.localdomain>)
    deployment #1 waiting on image or update

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      94s
jenkins-1-global-ca         1      94s
jenkins-1-sys-config        0      94s
jenkins-trusted-ca-bundle   1      76s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          102s
jenkins-1-build   0/1     Completed   0          8m36s
jenkins-1-build   0/1     Completed   0          8m36s
jenkins-1-deploy   0/1     Pending     0          0s
jenkins-1-deploy   0/1     Pending     0          0s
jenkins-1-deploy   0/1     ContainerCreating   0          0s
jenkins-1-deploy   0/1     ContainerCreating   0          2s
jenkins-1-deploy   1/1     Running             0          3s
jenkins-1-build    0/1     Completed           0          8m41s
jenkins-1-sk7nc    0/1     Pending             0          0s
jenkins-1-sk7nc    0/1     Pending             0          0s
jenkins-1-sk7nc    0/1     ContainerCreating   0          0s
jenkins-1-sk7nc    0/1     ContainerCreating   0          2s
jenkins-1-sk7nc    0/1     ContainerCreating   0          6s
jenkins-1-sk7nc    0/1     Running             0          41s
jenkins-1-sk7nc    1/1     Running             0          2m19s
jenkins-1-deploy   0/1     Completed           0          2m24s
jenkins-1-deploy   0/1     Completed           0          2m24s
^C%
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get routes
NAME      HOST/PORT                                                       PATH   SERVICES   PORT    TERMINATION     WILDCARD
jenkins   jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com          jenkins    <all>   edge/Redirect   None
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get ca
error: the server doesn't have a resource type "ca"
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      11m
jenkins-1-global-ca         1      11m
jenkins-1-sys-config        0      11m
jenkins-trusted-ca-bundle   1      11m
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml                                       
--> Deploying template "jitsingh/maven-pipeline" for "https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml" to project jitsingh

     * With parameters:
        * Application Name=openshift-jee-sample
        * Source URL=https://github.com/openshift/openshift-jee-sample.git
        * Source Ref=master
        * GitHub Webhook Secret=KpxJ0R2R8WFn0uPeXowT6cwCOXM03dps3BG8aVg3 # generated
        * Generic Webhook Secret=USnq1J6aaeQaMmePWCcmOKUy6nYnnogxbmOmIdq1 # generated

--> Creating resources ...
    imagestream.image.openshift.io "openshift-jee-sample" created
    imagestream.image.openshift.io "wildfly" created
    buildconfig.build.openshift.io "openshift-jee-sample" created
    buildconfig.build.openshift.io "openshift-jee-sample-docker" created
    deploymentconfig.apps.openshift.io "openshift-jee-sample" created
    service "openshift-jee-sample" created
    route.route.openshift.io "openshift-jee-sample" created
--> Success
    Use 'oc start-build openshift-jee-sample' to start a build.
    Use 'oc start-build openshift-jee-sample-docker' to start a build.
    Access your application via route 'openshift-jee-sample-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          13m
jenkins-1-deploy   0/1     Completed   0          5m9s
jenkins-1-sk7nc    1/1     Running     0          5m5s
^C%
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          14m
jenkins-1-deploy   0/1     Completed   0          5m38s
jenkins-1-sk7nc    1/1     Running     0          5m34s
maven-hvd6d        0/1     Pending     0          0s
maven-hvd6d        0/1     Pending     0          0s
maven-hvd6d        0/1     ContainerCreating   0          0s
maven-hvd6d        0/1     ContainerCreating   0          3s
maven-hvd6d        1/1     Running             0          3s
maven-hvd6d        1/1     Terminating         0          52s
maven-hvd6d        1/1     Terminating         0          52s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          0s
maven-hvd6d                           0/1     Terminating         0          53s
maven-hvd6d                           0/1     Terminating         0          54s
maven-hvd6d                           0/1     Terminating         0          55s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          2s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          3s
openshift-jee-sample-docker-1-build   0/1     Init:1/2            0          4s
openshift-jee-sample-docker-1-build   0/1     PodInitializing     0          5s
openshift-jee-sample-docker-1-build   1/1     Running             0          6s
openshift-jee-sample-docker-1-build   0/1     Completed           0          94s
openshift-jee-sample-docker-1-build   0/1     Completed           0          94s
openshift-jee-sample-docker-1-build   0/1     Completed           0          101s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          2s
openshift-jee-sample-1-jmxkw          0/1     Pending             0          0s
openshift-jee-sample-1-jmxkw          0/1     Pending             0          0s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          0s
openshift-jee-sample-1-deploy         1/1     Running             0          3s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          1s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          11s
openshift-jee-sample-1-jmxkw          0/1     Running             0          49s
openshift-jee-sample-1-jmxkw          1/1     Running             0          81s
openshift-jee-sample-1-deploy         0/1     Completed           0          85s
openshift-jee-sample-1-deploy         0/1     Completed           0          85s
openshift-jee-sample-1-deploy         0/1     Completed           0          90s
^C%                            
====================================================================================
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                                       DATA   AGE
jenkins-1-ca                               1      24m
jenkins-1-global-ca                        1      24m
jenkins-1-sys-config                       0      24m
jenkins-trusted-ca-bundle                  1      23m
openshift-jee-sample-docker-1-ca           1      8m53s
openshift-jee-sample-docker-1-global-ca    1      8m53s
openshift-jee-sample-docker-1-sys-config   0      8m53s
========================================================================

verified on 4.4.9

Comment 7 errata-xmlrpc 2020-06-23 00:57:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2580

