Bug 1826174
| Summary: | Jenkins oAuth template fails when the ingress custom certificate is signed by an intermediate CA | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | jawed <jkhelil> |
| Component: | Jenkins | Assignee: | Akram Ben Aissi <abenaiss> |
| Status: | CLOSED ERRATA | QA Contact: | Jitendar Singh <jitsingh> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.4 | CC: | abenaiss, aos-bugs, jitsingh, mmariyan, pamoedom, pbhattac, vbobade |
| Target Milestone: | --- | ||
| Target Release: | 4.4.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1804345 | Environment: | |
| Last Closed: | 2020-06-23 00:57:24 UTC | Type: | --- |
| Bug Depends On: | 1804345 | ||
| Bug Blocks: | 1824987, 1826172 | ||
Comment 4
Jitendar Singh
2020-06-18 05:45:24 UTC
==============================================================================================================================
All details about the creation of the full certificate chain:
0) Pre-steps to hold the entire custom CA structure:
~~~
[RootCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/root-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/root-ca
$ chmod 700 private
$ touch root-ca.index
$ echo 00 > root-ca.crlnum
$ openssl rand -hex 16 > root-ca.serial
[IntermediateCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/intermed-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/intermed-ca
$ chmod 700 private
$ touch intermed-ca.index
$ echo 00 > intermed-ca.crlnum
$ openssl rand -hex 16 > intermed-ca.serial
~~~
1) Create RootCA config file as follows:
~~~
$ cd example.net.ca/root-ca
$ cat root-ca.cnf
#
# OpenSSL configuration for the Root Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
[ ca ]
default_ca = root_ca
#
# Root Certification Authority
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
private_key = $dir/private/root-ca.key.pem
default_days = 1826 # Five years
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 180
default_md = sha256
preserve = no
email_in_dn = no
policy = policy
unique_subject = no
#
# Distinguished Name Policy for CAs
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
#
# Root CA Request Options
[ req ]
default_bits = 4096
default_keyfile = private/root-ca.key.pem
encrypt_key = yes
default_md = sha256
string_mask = utf8only
utf8 = yes
prompt = no
req_extensions = root-ca_req_ext
distinguished_name = distinguished_name
subjectAltName = @subject_alt_name
#
# Root CA Request Extensions
[ root-ca_req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName = example.net
commonName = example.net Root Certification Authority
#
# Root CA Certificate Extensions
[ root-ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, @name_constraints
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist
#
# Intermediate CA Certificate Extensions
[ intermed-ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI = http://ca.example.net/
email = certmaster
#
# Name Constraints
[ name_constraints ]
permitted;DNS.1 = example.net
permitted;email.1 = example.net
#
# Certificate download addresses for the root CA
[ auth_info_access ]
caIssuers;URI = http://ca.example.net/certs/example.net_Root_Certification_Authority.cert.pem
#
# CRL Download address for the root CA
[ crl_dist ]
fullname = URI:http://ca.example.net/crl/example.net_Root_Certification_Authority.crl
# EOF
~~~
2) Make sure the config is active:
~~~
$ export OPENSSL_CONF=./root-ca.cnf
~~~
3) Generate CSR & Key:
~~~
$ openssl req -new -out root-ca.req.pem
$ chmod 400 private/root-ca.key.pem
~~~
4) Self-sign the Root certificate:
~~~
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -selfsign -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +10years+1day`
~~~
5) (Optional) Verify the cert:
~~~
$ openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem
~~~
6) Create IntermediateCA config file as follows:
~~~
$ cd example.net.ca/intermed-ca
$ cat intermed-ca.cnf
#
# OpenSSL configuration for the Intermediate Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd
oid_section = new_oids
#
# XMPP address Support
[ new_oids ]
xmppAddr = 1.3.6.1.5.5.7.8.5
dnsSRV = 1.3.6.1.5.5.7.8.7
#
# Default Certification Authority
[ ca ]
default_ca = intermed_ca
#
# Intermediate Certification Authority
[ intermed_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/intermed-ca.serial
database = $dir/intermed-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/intermed-ca.cert.pem
private_key = $dir/private/intermed-ca.key.pem
default_days = 730 # Two years
crl = $dir/crl/intermed-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/intermed-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
preserve = no
email_in_dn = no
policy = policy
unique_subject = no
#
# Distinguished Name Policy
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
#
# Distinguished Name Policy for Personal Certificates
[ user_policy ]
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
#xmppAddr = optional # Added to SubjAltName by req
#
# Intermediate CA request options
[ req ]
default_bits = 3072
default_keyfile = private/intermed-ca.key.pem
encrypt_key = yes
default_md = sha256
string_mask = utf8only
utf8 = yes
prompt = no
req_extensions = req_ext
distinguished_name = distinguished_name
subjectAltName = @subject_alt_name
#
# Intermediate CA Request Extensions
[ req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName = example.net
commonName = example.net Intermediate Certification Authority
#
# Server Certificate Extensions
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist
#
# Client Certificate Extensions
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist
#
# User Certificate Extensions
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI = http://ca.example.net/
email = certmaster
#
# Certificate download addresses for the intermediate CA
[ auth_info_access ]
caIssuers;URI = http://ca.example.net/certs/example.net_Intermediate_Certification_Authority.cert.pem
#
# CRL Download address for the intermediate CA
[ crl_dist ]
fullname = URI:http://ca.example.net/crl/example.net_Intermediate_Certification_Authority.crl
# EOF
~~~
7) Switch to the proper config:
~~~
$ export OPENSSL_CONF=./intermed-ca.cnf
~~~
8) Generate CSR & Key:
~~~
$ openssl req -new -out intermed-ca.req.pem
$ chmod 400 private/intermed-ca.key.pem
~~~
9) Sign the IntermediateCA with the RootCA:
~~~
$ cp intermed-ca.req.pem /path/to/safe/storage/customCA/example.net.ca/root-ca/certreqs/
$ cd /path/to/safe/storage/customCA/example.net.ca/root-ca/
$ export OPENSSL_CONF=./root-ca.cnf
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -in certreqs/intermed-ca.req.pem -out certs/intermed-ca.cert.pem -extensions intermed-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +5years+1day`
$ cp certs/intermed-ca.cert.pem /path/to/safe/storage/customCA/example.net.ca/intermed-ca/
~~~
10) (Optional) Verify the cert:
~~~
$ openssl x509 -in certs/intermed-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem certs/intermed-ca.cert.pem
~~~
11) Create the custom Ingress wildcard certificate for our cluster:
~~~
$ cd /path/to/safe/storage/customCA/example.net.ca/intermed-ca
$ export OPENSSL_CONF=./intermed-ca.cnf
$ INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
$ openssl genrsa -out example.key 2048
$ openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Raleigh/O=OCP4/OU=IT/CN=*.$INGRESS_DOMAIN"
$ mv example.csr ./certreqs/
~~~
12) Sign the Server Cert with the IntermediateCA:
~~~
$ openssl rand -hex 16 > intermed-ca.serial
$ openssl ca -in ./certreqs/example.csr -out ./certs/example.pem -extensions server_ext
~~~
==================================================================================================================================
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc new-project jitsingh
Now using project "jitsingh" on server "https://api.wxj181-5422.qe.devcluster.openshift.com:6443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app django-psql-example
to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:
kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc create -f jenkins-ephemeral.json
template.template.openshift.io/jenkins-ephemeral created
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get is
No resources found.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods
No resources found.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc new-build https://github.com/jitendar-singh/jenkins.git --context-dir=2/
--> Found container image 8b61dd8 (11 hours old) from quay.io for "quay.io/openshift/origin-cli"
OpenShift Client
----------------
OpenShift is a platform for developing, building, and deploying containerized applications.
Tags: openshift, cli
* An image stream tag will be created as "origin-cli:latest" that will track the source image
* A Docker build using source code from https://github.com/jitendar-singh/jenkins.git will be created
* The resulting image will be pushed to image stream tag "jenkins:latest"
* Every time "origin-cli:latest" changes a new build will be triggered
--> Creating resources with label build=jenkins ...
imagestream.image.openshift.io "origin-cli" created
imagestream.image.openshift.io "jenkins" created
buildconfig.build.openshift.io "jenkins" created
--> Success
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins:latest
--> Deploying template "jitsingh/jenkins-ephemeral" to project jitsingh
Jenkins (Ephemeral)
---------
Jenkins service, without persistent storage.
WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.
A Jenkins service has been created in your project. Log into Jenkins with your OpenShift account. The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.
* With parameters:
* Jenkins Service Name=jenkins
* Jenkins JNLP Service Name=jenkins-jnlp
* Enable OAuth in Jenkins=true
* Memory Limit=1Gi
* Jenkins ImageStream Namespace=jitsingh
* Disable memory intensive administrative monitors=false
* Jenkins ImageStreamTag=jenkins:latest
* Allows use of Jenkins Update Center repository with invalid SSL certificate=false
--> Creating resources ...
route.route.openshift.io "jenkins" created
configmap "jenkins-trusted-ca-bundle" created
deploymentconfig.apps.openshift.io "jenkins" created
serviceaccount "jenkins" created
rolebinding.authorization.openshift.io "jenkins_edit" created
service "jenkins-jnlp" created
service "jenkins" created
--> Success
Access your application via route 'jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com'
Run 'oc status' to view your app.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods
NAME READY STATUS RESTARTS AGE
jenkins-1-build 1/1 Running 0 26s
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc describe pods/jenkins-1-build
Name: jenkins-1-build
Namespace: jitsingh
Priority: 0
PriorityClassName: <none>
Node: ip-10-0-50-255.us-east-2.compute.internal/10.0.50.255
Start Time: Thu, 18 Jun 2020 12:43:10 +0530
Labels: openshift.io/build.name=jenkins-1
Annotations: k8s.v1.cni.cncf.io/networks-status:
[{
"name": "openshift-sdn",
"interface": "eth0",
"ips": [
"10.129.2.28"
],
"dns": {},
"default-route": [
"10.129.2.1"
]
}]
openshift.io/build.name: jenkins-1
openshift.io/scc: privileged
Status: Running
IP: 10.129.2.28
Controlled By: Build/jenkins-1
Init Containers:
git-clone:
Container ID: cri-o://338ccd641b2c44747409b718d99b6d12c6035bd7d23a2585380ff9144bbffa57
Image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Image ID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Port: <none>
Host Port: <none>
Command:
openshift-git-clone
Args:
--loglevel=0
State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 18 Jun 2020 12:43:12 +0530
Finished: Thu, 18 Jun 2020 12:43:16 +0530
Ready: True
Restart Count: 0
Environment:
BUILD: {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
LANG: en_US.utf8
SOURCE_REPOSITORY: https://github.com/jitendar-singh/jenkins.git
SOURCE_URI: https://github.com/jitendar-singh/jenkins.git
SOURCE_CONTEXT_DIR: 2
BUILD_REGISTRIES_CONF_PATH: /var/run/configs/openshift.io/build-system/registries.conf
BUILD_REGISTRIES_DIR_PATH: /var/run/configs/openshift.io/build-system/registries.d
BUILD_SIGNATURE_POLICY_PATH: /var/run/configs/openshift.io/build-system/policy.json
BUILD_STORAGE_CONF_PATH: /var/run/configs/openshift.io/build-system/storage.conf
BUILD_BLOBCACHE_DIR: /var/cache/blobs
HTTP_PROXY:
HTTPS_PROXY:
NO_PROXY:
Mounts:
/etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
/tmp/build from buildworkdir (rw)
/var/cache/blobs from build-blob-cache (rw)
/var/run/configs/openshift.io/build-system from build-system-configs (ro)
/var/run/configs/openshift.io/certs from build-ca-bundles (rw)
/var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
manage-dockerfile:
Container ID: cri-o://62019732ce24ec2cd0f592ffe2b36c8e551aeab8e188b96dadf7ea504033a026
Image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Image ID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Port: <none>
Host Port: <none>
Command:
openshift-manage-dockerfile
Args:
--loglevel=0
State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 18 Jun 2020 12:43:17 +0530
Finished: Thu, 18 Jun 2020 12:43:17 +0530
Ready: True
Restart Count: 0
Environment:
BUILD: {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
LANG: en_US.utf8
SOURCE_REPOSITORY: https://github.com/jitendar-singh/jenkins.git
SOURCE_URI: https://github.com/jitendar-singh/jenkins.git
SOURCE_CONTEXT_DIR: 2
BUILD_REGISTRIES_CONF_PATH: /var/run/configs/openshift.io/build-system/registries.conf
BUILD_REGISTRIES_DIR_PATH: /var/run/configs/openshift.io/build-system/registries.d
BUILD_SIGNATURE_POLICY_PATH: /var/run/configs/openshift.io/build-system/policy.json
BUILD_STORAGE_CONF_PATH: /var/run/configs/openshift.io/build-system/storage.conf
BUILD_BLOBCACHE_DIR: /var/cache/blobs
HTTP_PROXY:
HTTPS_PROXY:
NO_PROXY:
Mounts:
/etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
/tmp/build from buildworkdir (rw)
/var/cache/blobs from build-blob-cache (rw)
/var/run/configs/openshift.io/build-system from build-system-configs (ro)
/var/run/configs/openshift.io/certs from build-ca-bundles (rw)
/var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
Containers:
docker-build:
Container ID: cri-o://fe503fddaa194dd4c6b829dce61c03869543359d780f4daa5d23b0011d0aaac1
Image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Image ID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
Port: <none>
Host Port: <none>
Command:
openshift-docker-build
Args:
--loglevel=0
State: Running
Started: Thu, 18 Jun 2020 12:43:18 +0530
Ready: True
Restart Count: 0
Environment:
BUILD: {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
LANG: en_US.utf8
SOURCE_REPOSITORY: https://github.com/jitendar-singh/jenkins.git
SOURCE_URI: https://github.com/jitendar-singh/jenkins.git
SOURCE_CONTEXT_DIR: 2
PUSH_DOCKERCFG_PATH: /var/run/secrets/openshift.io/push
PULL_DOCKERCFG_PATH: /var/run/secrets/openshift.io/pull
BUILD_REGISTRIES_CONF_PATH: /var/run/configs/openshift.io/build-system/registries.conf
BUILD_REGISTRIES_DIR_PATH: /var/run/configs/openshift.io/build-system/registries.d
BUILD_SIGNATURE_POLICY_PATH: /var/run/configs/openshift.io/build-system/policy.json
BUILD_STORAGE_CONF_PATH: /var/run/configs/openshift.io/build-system/storage.conf
BUILD_STORAGE_DRIVER: overlay
BUILD_ISOLATION: chroot
BUILD_BLOBCACHE_DIR: /var/cache/blobs
HTTP_PROXY:
HTTPS_PROXY:
NO_PROXY:
Mounts:
/etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
/tmp/build from buildworkdir (rw)
/var/cache/blobs from build-blob-cache (rw)
/var/lib/containers/cache from buildcachedir (rw)
/var/lib/containers/storage from container-storage-root (rw)
/var/run/configs/openshift.io/build-system from build-system-configs (ro)
/var/run/configs/openshift.io/certs from build-ca-bundles (rw)
/var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
/var/run/secrets/openshift.io/pull from builder-dockercfg-mdg5d-pull (ro)
/var/run/secrets/openshift.io/push from builder-dockercfg-mdg5d-push (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
buildcachedir:
Type: HostPath (bare host directory volume)
Path: /var/lib/containers/cache
HostPathType:
buildworkdir:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
builder-dockercfg-mdg5d-push:
Type: Secret (a volume populated by a Secret)
SecretName: builder-dockercfg-mdg5d
Optional: false
builder-dockercfg-mdg5d-pull:
Type: Secret (a volume populated by a Secret)
SecretName: builder-dockercfg-mdg5d
Optional: false
build-system-configs:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: jenkins-1-sys-config
Optional: false
build-ca-bundles:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: jenkins-1-ca
Optional: false
build-proxy-ca-bundles:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: jenkins-1-global-ca
Optional: false
container-storage-root:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
build-blob-cache:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
builder-token-zq27b:
Type: Secret (a volume populated by a Secret)
SecretName: builder-token-zq27b
Optional: false
QoS Class: BestEffort
Node-Selectors: kubernetes.io/os=linux
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 52s default-scheduler Successfully assigned jitsingh/jenkins-1-build to ip-10-0-50-255.us-east-2.compute.internal
Normal Pulled 50s kubelet, ip-10-0-50-255.us-east-2.compute.internal Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
Normal Created 50s kubelet, ip-10-0-50-255.us-east-2.compute.internal Created container git-clone
Normal Started 49s kubelet, ip-10-0-50-255.us-east-2.compute.internal Started container git-clone
Normal Pulled 46s kubelet, ip-10-0-50-255.us-east-2.compute.internal Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
Normal Created 45s kubelet, ip-10-0-50-255.us-east-2.compute.internal Created container manage-dockerfile
Normal Started 45s kubelet, ip-10-0-50-255.us-east-2.compute.internal Started container manage-dockerfile
Normal Pulled 45s kubelet, ip-10-0-50-255.us-east-2.compute.internal Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
Normal Created 44s kubelet, ip-10-0-50-255.us-east-2.compute.internal Created container docker-build
Normal Started 44s kubelet, ip-10-0-50-255.us-east-2.compute.internal Started container docker-build
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443
svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
dc/jenkins deploys istag/jenkins:latest <-
bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest
build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh>)
deployment #1 waiting on image or update
View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods
NAME READY STATUS RESTARTS AGE
jenkins-1-build 1/1 Running 0 79s
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443
svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
dc/jenkins deploys istag/jenkins:latest <-
bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest
build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh>)
deployment #1 waiting on image or update
View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get cm
NAME DATA AGE
jenkins-1-ca 1 94s
jenkins-1-global-ca 1 94s
jenkins-1-sys-config 0 94s
jenkins-trusted-ca-bundle 1 76s
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods -w
NAME READY STATUS RESTARTS AGE
jenkins-1-build 1/1 Running 0 102s
jenkins-1-build 0/1 Completed 0 8m36s
jenkins-1-build 0/1 Completed 0 8m36s
jenkins-1-deploy 0/1 Pending 0 0s
jenkins-1-deploy 0/1 Pending 0 0s
jenkins-1-deploy 0/1 ContainerCreating 0 0s
jenkins-1-deploy 0/1 ContainerCreating 0 2s
jenkins-1-deploy 1/1 Running 0 3s
jenkins-1-build 0/1 Completed 0 8m41s
jenkins-1-sk7nc 0/1 Pending 0 0s
jenkins-1-sk7nc 0/1 Pending 0 0s
jenkins-1-sk7nc 0/1 ContainerCreating 0 0s
jenkins-1-sk7nc 0/1 ContainerCreating 0 2s
jenkins-1-sk7nc 0/1 ContainerCreating 0 6s
jenkins-1-sk7nc 0/1 Running 0 41s
jenkins-1-sk7nc 1/1 Running 0 2m19s
jenkins-1-deploy 0/1 Completed 0 2m24s
jenkins-1-deploy 0/1 Completed 0 2m24s
^C% ✘ jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get routes
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
jenkins jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com jenkins <all> edge/Redirect None
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get ca
error: the server doesn't have a resource type "ca"
✘ jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get cm
NAME DATA AGE
jenkins-1-ca 1 11m
jenkins-1-global-ca 1 11m
jenkins-1-sys-config 0 11m
jenkins-trusted-ca-bundle 1 11m
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml
--> Deploying template "jitsingh/maven-pipeline" for "https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml" to project jitsingh
* With parameters:
* Application Name=openshift-jee-sample
* Source URL=https://github.com/openshift/openshift-jee-sample.git
* Source Ref=master
* GitHub Webhook Secret=KpxJ0R2R8WFn0uPeXowT6cwCOXM03dps3BG8aVg3 # generated
* Generic Webhook Secret=USnq1J6aaeQaMmePWCcmOKUy6nYnnogxbmOmIdq1 # generated
--> Creating resources ...
imagestream.image.openshift.io "openshift-jee-sample" created
imagestream.image.openshift.io "wildfly" created
buildconfig.build.openshift.io "openshift-jee-sample" created
buildconfig.build.openshift.io "openshift-jee-sample-docker" created
deploymentconfig.apps.openshift.io "openshift-jee-sample" created
service "openshift-jee-sample" created
route.route.openshift.io "openshift-jee-sample" created
--> Success
Use 'oc start-build openshift-jee-sample' to start a build.
Use 'oc start-build openshift-jee-sample-docker' to start a build.
Access your application via route 'openshift-jee-sample-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com'
Run 'oc status' to view your app.
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods -w
NAME READY STATUS RESTARTS AGE
jenkins-1-build 0/1 Completed 0 13m
jenkins-1-deploy 0/1 Completed 0 5m9s
jenkins-1-sk7nc 1/1 Running 0 5m5s
^C% ✘ jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get pods -w
NAME READY STATUS RESTARTS AGE
jenkins-1-build 0/1 Completed 0 14m
jenkins-1-deploy 0/1 Completed 0 5m38s
jenkins-1-sk7nc 1/1 Running 0 5m34s
maven-hvd6d 0/1 Pending 0 0s
maven-hvd6d 0/1 Pending 0 0s
maven-hvd6d 0/1 ContainerCreating 0 0s
maven-hvd6d 0/1 ContainerCreating 0 3s
maven-hvd6d 1/1 Running 0 3s
maven-hvd6d 1/1 Terminating 0 52s
maven-hvd6d 1/1 Terminating 0 52s
openshift-jee-sample-docker-1-build 0/1 Pending 0 0s
openshift-jee-sample-docker-1-build 0/1 Pending 0 0s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 0s
maven-hvd6d 0/1 Terminating 0 53s
maven-hvd6d 0/1 Terminating 0 54s
maven-hvd6d 0/1 Terminating 0 55s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 2s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 3s
openshift-jee-sample-docker-1-build 0/1 Init:1/2 0 4s
openshift-jee-sample-docker-1-build 0/1 PodInitializing 0 5s
openshift-jee-sample-docker-1-build 1/1 Running 0 6s
openshift-jee-sample-docker-1-build 0/1 Completed 0 94s
openshift-jee-sample-docker-1-build 0/1 Completed 0 94s
openshift-jee-sample-docker-1-build 0/1 Completed 0 101s
openshift-jee-sample-1-deploy 0/1 Pending 0 0s
openshift-jee-sample-1-deploy 0/1 Pending 0 0s
openshift-jee-sample-1-deploy 0/1 ContainerCreating 0 0s
openshift-jee-sample-1-deploy 0/1 ContainerCreating 0 2s
openshift-jee-sample-1-jmxkw 0/1 Pending 0 0s
openshift-jee-sample-1-jmxkw 0/1 Pending 0 0s
openshift-jee-sample-1-jmxkw 0/1 ContainerCreating 0 0s
openshift-jee-sample-1-deploy 1/1 Running 0 3s
openshift-jee-sample-1-jmxkw 0/1 ContainerCreating 0 1s
openshift-jee-sample-1-jmxkw 0/1 ContainerCreating 0 11s
openshift-jee-sample-1-jmxkw 0/1 Running 0 49s
openshift-jee-sample-1-jmxkw 1/1 Running 0 81s
openshift-jee-sample-1-deploy 0/1 Completed 0 85s
openshift-jee-sample-1-deploy 0/1 Completed 0 85s
openshift-jee-sample-1-deploy 0/1 Completed 0 90s
^C%
====================================================================================
jsingh@localhost ~/go/src/github.com/redhat-developer/jenkins/openshift/templates ➦ 1c19ede oc get cm
NAME DATA AGE
jenkins-1-ca 1 24m
jenkins-1-global-ca 1 24m
jenkins-1-sys-config 0 24m
jenkins-trusted-ca-bundle 1 23m
openshift-jee-sample-docker-1-ca 1 8m53s
openshift-jee-sample-docker-1-global-ca 1 8m53s
openshift-jee-sample-docker-1-sys-config 0 8m53s
========================================================================
verified on 4.4.9
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:2580

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days