Bug 1826174 - Jenkins oAuth template fails when the ingress custom certificate is signed by an intermediate CA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.4.z
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On: 1804345
Blocks: 1824987 1826172
Reported: 2020-04-21 07:36 UTC by jawed
Modified: 2023-09-14 05:55 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1804345
Environment:
Last Closed: 2020-06-23 00:57:24 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift jenkins pull 1050 | 0 | None | closed | [release-4.4] Bug 1826174: handle ingress certificate signed by custom ca | 2021-01-26 16:07:11 UTC
Red Hat Product Errata | RHBA-2020:2580 | 0 | None | None | None | 2020-06-23 00:57:42 UTC

Internal Links: 1858214

Comment 4 Jitendar Singh 2020-06-18 05:45:24 UTC
[jsingh@localhost templates]$ oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      28s
jenkins-1-global-ca         1      28s
jenkins-1-sys-config        0      28s
jenkins-trusted-ca-bundle   1      9s

--------------------------------------------

pipeline build working - verified

--------------------------------------------

VERIFIED

Comment 5 Jitendar Singh 2020-06-18 07:38:07 UTC
==============================================================================================================================
All details about the creation of the full certificate chain:
0) Pre-steps to hold the entire custom CA structure:
~~~
[RootCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/root-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/root-ca
$ chmod 700 private
$ touch root-ca.index
$ echo 00 > root-ca.crlnum
$ openssl rand -hex 16 > root-ca.serial
[IntermediateCA]
$ cd /path/to/safe/storage/customCA
$ mkdir -p example.net.ca/intermed-ca/{certreqs,certs,crl,newcerts,private}
$ cd example.net.ca/intermed-ca
$ chmod 700 private
$ touch intermed-ca.index
$ echo 00 > intermed-ca.crlnum
$ openssl rand -hex 16 > intermed-ca.serial
~~~
1) Create RootCA config file as follows:
~~~
$ cd example.net.ca/root-ca
$ cat root-ca.cnf 
#
# OpenSSL configuration for the Root Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
[ ca ]
default_ca              = root_ca
#
# Root Certification Authority
[ root_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/root-ca.serial
database                = $dir/root-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/root-ca.cert.pem
private_key             = $dir/private/root-ca.key.pem
default_days            = 1826 # Five years
crl                     = $dir/root-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/root-ca.crlnum
name_opt                = multiline, align
cert_opt                = no_pubkey
copy_extensions         = copy
crl_extensions          = crl_ext
default_crl_days        = 180
default_md              = sha256
preserve                = no
email_in_dn             = no
policy                  = policy
unique_subject          = no
#
# Distinguished Name Policy for CAs
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
#
# Root CA Request Options
[ req ]
default_bits            = 4096
default_keyfile         = private/root-ca.key.pem
encrypt_key             = yes
default_md              = sha256
string_mask             = utf8only
utf8                    = yes
prompt                  = no
req_extensions          = root-ca_req_ext
distinguished_name      = distinguished_name
subjectAltName          = @subject_alt_name
#
# Root CA Request Extensions
[ root-ca_req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Root Certification Authority
#
# Root CA Certificate Extensions
[ root-ca_ext ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
nameConstraints         = critical, @name_constraints
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# Intermediate CA Certificate Extensions
[ intermed-ca_ext ]
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster
#
# Name Constraints
[ name_constraints ]
permitted;DNS.1         = example.net
permitted;email.1       = example.net
#
# Certificate download addresses for the root CA
[ auth_info_access ]
caIssuers;URI           = http://ca.example.net/certs/example.net_Root_Certification_Authority.cert.pem
#
# CRL Download address for the root CA
[ crl_dist ]
fullname                = URI:http://ca.example.net/crl/example.net_Root_Certification_Authority.crl
# EOF
~~~
2) Make sure the config is active:
~~~
$ export OPENSSL_CONF=./root-ca.cnf
~~~
3) Generate CSR & Key:
~~~
$ openssl req -new -out root-ca.req.pem
$ chmod 400 private/root-ca.key.pem
~~~
4) Self-sign the Root certificate:
~~~
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -selfsign -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +10years+1day`
~~~
5) (Optional) Verify the cert:
~~~
$ openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem
~~~
6) Create IntermediateCA config file as follows:
~~~
$ cd example.net.ca/intermed-ca
$ cat intermed-ca.cnf 
#
# OpenSSL configuration for the Intermediate Certification Authority.
#
#
# This definition doesn't work if HOME isn't defined.
CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd
oid_section             = new_oids
#
# XMPP address Support
[ new_oids ]
xmppAddr          = 1.3.6.1.5.5.7.8.5
dnsSRV            = 1.3.6.1.5.5.7.8.7
#
# Default Certification Authority
[ ca ]
default_ca              = intermed_ca
#
# Intermediate Certification Authority
[ intermed_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/intermed-ca.serial
database                = $dir/intermed-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/intermed-ca.cert.pem
private_key             = $dir/private/intermed-ca.key.pem
default_days            = 730 # Two years
crl                     = $dir/crl/intermed-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/intermed-ca.crlnum
name_opt                = multiline, align
cert_opt                = no_pubkey
copy_extensions         = copy
crl_extensions          = crl_ext
default_crl_days        = 30
default_md              = sha256
preserve                = no
email_in_dn             = no
policy                  = policy
unique_subject          = no
#
# Distinguished Name Policy
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
#
# Distinguished Name Policy for Personal Certificates
[ user_policy ]
countryName             = supplied
stateOrProvinceName     = optional
localityName            = supplied
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied
#xmppAddr               = optional # Added to SubjAltName by req
#
# Intermediate CA request options
[ req ]
default_bits            = 3072
default_keyfile         = private/intermed-ca.key.pem
encrypt_key             = yes
default_md              = sha256
string_mask             = utf8only
utf8                    = yes
prompt                  = no
req_extensions          = req_ext
distinguished_name      = distinguished_name
subjectAltName          = subject_alt_name
#
# Intermediate CA Request Extensions
[ req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Intermediate Certification Authority
#
# Server Certificate Extensions
[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# Client Certificate Extensions
[ client_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# User Certificate Extensions
[ user_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth, emailProtection
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster
#
# Certificate download addresses for the intermediate CA
[ auth_info_access ]
caIssuers;URI           = http://ca.example.net/certs/example.net_Intermediate_Certification_Authority.cert.pem
#
# CRL Download address for the intermediate CA
[ crl_dist ]
fullname                = URI:http://ca.example.net/crl/example.net_Intermediate_Certification_Authority.crl
# EOF
~~~
7) Switch to the proper config:
~~~
$ export OPENSSL_CONF=./intermed-ca.cnf
~~~
8) Generate CSR & Key:
~~~
$ openssl req -new -out intermed-ca.req.pem
$ chmod 400 private/intermed-ca.key.pem
~~~
9) Sign the IntermediateCA with the RootCA:
~~~
$ cp intermed-ca.req.pem /path/to/safe/storage/customCA/example.net.ca/root-ca/certreqs/
$ cd /path/to/safe/storage/customCA/example.net.ca/root-ca/
$ export OPENSSL_CONF=./root-ca.cnf
$ openssl rand -hex 16 > root-ca.serial
$ openssl ca -in certreqs/intermed-ca.req.pem -out certs/intermed-ca.cert.pem -extensions intermed-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +5years+1day`
$ cp certs/intermed-ca.cert.pem /path/to/safe/storage/customCA/example.net.ca/intermed-ca/
~~~
10) (Optional) Verify the cert:
~~~
$ openssl x509 -in certs/intermed-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
$ openssl verify -verbose -CAfile root-ca.cert.pem certs/intermed-ca.cert.pem
~~~
11) Create the custom Ingress wildcard certificate for our cluster:
~~~
$ cd /path/to/safe/storage/customCA/example.net.ca/intermed-ca
$ export OPENSSL_CONF=./intermed-ca.cnf
$ INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
$ openssl genrsa -out example.key 2048
$ openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Raleigh/O=OCP4/OU=IT/CN=*.$INGRESS_DOMAIN"
$ mv example.csr ./certreqs/
~~~
12) Sign the Server Cert with the IntermediateCA:
~~~
$ openssl rand -hex 16 > intermed-ca.serial
$ openssl ca -in ./certreqs/example.csr -out ./certs/example.pem -extensions server_ext
~~~

==================================================================================================================================

jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-project jitsingh
Now using project "jitsingh" on server "https://api.wxj181-5422.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc create -f jenkins-ephemeral.json
template.template.openshift.io/jenkins-ephemeral created
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get is
No resources found.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods
No resources found.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-build https://github.com/jitendar-singh/jenkins.git --context-dir=2/
--> Found container image 8b61dd8 (11 hours old) from quay.io for "quay.io/openshift/origin-cli"

    OpenShift Client 
    ---------------- 
    OpenShift is a platform for developing, building, and deploying containerized applications.

    Tags: openshift, cli

    * An image stream tag will be created as "origin-cli:latest" that will track the source image
    * A Docker build using source code from https://github.com/jitendar-singh/jenkins.git will be created
      * The resulting image will be pushed to image stream tag "jenkins:latest"
      * Every time "origin-cli:latest" changes a new build will be triggered

--> Creating resources with label build=jenkins ...
    imagestream.image.openshift.io "origin-cli" created
    imagestream.image.openshift.io "jenkins" created
    buildconfig.build.openshift.io "jenkins" created
--> Success
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins:latest
--> Deploying template "jitsingh/jenkins-ephemeral" to project jitsingh

     Jenkins (Ephemeral)
     ---------
     Jenkins service, without persistent storage.
     
     WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.

     A Jenkins service has been created in your project.  Log into Jenkins with your OpenShift account.  The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.

     * With parameters:
        * Jenkins Service Name=jenkins
        * Jenkins JNLP Service Name=jenkins-jnlp
        * Enable OAuth in Jenkins=true
        * Memory Limit=1Gi
        * Jenkins ImageStream Namespace=jitsingh
        * Disable memory intensive administrative monitors=false
        * Jenkins ImageStreamTag=jenkins:latest
        * Allows use of Jenkins Update Center repository with invalid SSL certificate=false

--> Creating resources ...
    route.route.openshift.io "jenkins" created
    configmap "jenkins-trusted-ca-bundle" created
    deploymentconfig.apps.openshift.io "jenkins" created
    serviceaccount "jenkins" created
    rolebinding.authorization.openshift.io "jenkins_edit" created
    service "jenkins-jnlp" created
    service "jenkins" created
--> Success
    Access your application via route 'jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods 
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          26s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc describe pods/jenkins-1-build
Name:               jenkins-1-build
Namespace:          jitsingh
Priority:           0
PriorityClassName:  <none>
Node:               ip-10-0-50-255.us-east-2.compute.internal/10.0.50.255
Start Time:         Thu, 18 Jun 2020 12:43:10 +0530
Labels:             openshift.io/build.name=jenkins-1
Annotations:        k8s.v1.cni.cncf.io/networks-status:
                      [{
                          "name": "openshift-sdn",
                          "interface": "eth0",
                          "ips": [
                              "10.129.2.28"
                          ],
                          "dns": {},
                          "default-route": [
                              "10.129.2.1"
                          ]
                      }]
                    openshift.io/build.name: jenkins-1
                    openshift.io/scc: privileged
Status:             Running
IP:                 10.129.2.28
Controlled By:      Build/jenkins-1
Init Containers:
  git-clone:
    Container ID:  cri-o://338ccd641b2c44747409b718d99b6d12c6035bd7d23a2585380ff9144bbffa57
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-git-clone
    Args:
      --loglevel=0
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 18 Jun 2020 12:43:12 +0530
      Finished:     Thu, 18 Jun 2020 12:43:16 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
  manage-dockerfile:
    Container ID:  cri-o://62019732ce24ec2cd0f592ffe2b36c8e551aeab8e188b96dadf7ea504033a026
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-manage-dockerfile
    Args:
      --loglevel=0
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 18 Jun 2020 12:43:17 +0530
      Finished:     Thu, 18 Jun 2020 12:43:17 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
Containers:
  docker-build:
    Container ID:  cri-o://fe503fddaa194dd4c6b829dce61c03869543359d780f4daa5d23b0011d0aaac1
    Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d
    Port:          <none>
    Host Port:     <none>
    Command:
      openshift-docker-build
    Args:
      --loglevel=0
    State:          Running
      Started:      Thu, 18 Jun 2020 12:43:18 +0530
    Ready:          True
    Restart Count:  0
    Environment:
      BUILD:                        {"kind":"Build","apiVersion":"build.openshift.io/v1","metadata":{"name":"jenkins-1","namespace":"jitsingh","selfLink":"/apis/build.openshift.io/v1/namespaces/jitsingh/builds/jenkins-1","uid":"4d90cf73-139a-4a10-8f7d-9f56c0938d00","resourceVersion":"158107","creationTimestamp":"2020-06-18T07:13:10Z","labels":{"build":"jenkins","buildconfig":"jenkins","openshift.io/build-config.name":"jenkins","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"jenkins","openshift.io/build.number":"1"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"jenkins","uid":"ff03320f-161a-404f-93c7-9234c6db9fdd","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","git":{"uri":"https://github.com/jitendar-singh/jenkins.git"},"contextDir":"2"},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"quay.io/openshift/origin-cli@sha256:e4e40d4fd585029f7287f7bcdb45067c696d126869a3d817891049cd5039f04d"},"pullSecret":{"name":"builder-dockercfg-mdg5d"}}},"output":{"to":{"kind":"DockerImage","name":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest"},"pushSecret":{"name":"builder-dockercfg-mdg5d"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Build configuration change"}]},"status":{"phase":"New","outputDockerImageReference":"image-registry.openshift-image-registry.svc:5000/jitsingh/jenkins:latest","config":{"kind":"BuildConfig","namespace":"jitsingh","name":"jenkins"},"output":{}}}
                                    
      LANG:                         en_US.utf8
      SOURCE_REPOSITORY:            https://github.com/jitendar-singh/jenkins.git
      SOURCE_URI:                   https://github.com/jitendar-singh/jenkins.git
      SOURCE_CONTEXT_DIR:           2
      PUSH_DOCKERCFG_PATH:          /var/run/secrets/openshift.io/push
      PULL_DOCKERCFG_PATH:          /var/run/secrets/openshift.io/pull
      BUILD_REGISTRIES_CONF_PATH:   /var/run/configs/openshift.io/build-system/registries.conf
      BUILD_REGISTRIES_DIR_PATH:    /var/run/configs/openshift.io/build-system/registries.d
      BUILD_SIGNATURE_POLICY_PATH:  /var/run/configs/openshift.io/build-system/policy.json
      BUILD_STORAGE_CONF_PATH:      /var/run/configs/openshift.io/build-system/storage.conf
      BUILD_STORAGE_DRIVER:         overlay
      BUILD_ISOLATION:              chroot
      BUILD_BLOBCACHE_DIR:          /var/cache/blobs
      HTTP_PROXY:                   
      HTTPS_PROXY:                  
      NO_PROXY:                     
    Mounts:
      /etc/pki/ca-trust/extracted/pem from build-proxy-ca-bundles (rw)
      /tmp/build from buildworkdir (rw)
      /var/cache/blobs from build-blob-cache (rw)
      /var/lib/containers/cache from buildcachedir (rw)
      /var/lib/containers/storage from container-storage-root (rw)
      /var/run/configs/openshift.io/build-system from build-system-configs (ro)
      /var/run/configs/openshift.io/certs from build-ca-bundles (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from builder-token-zq27b (ro)
      /var/run/secrets/openshift.io/pull from builder-dockercfg-mdg5d-pull (ro)
      /var/run/secrets/openshift.io/push from builder-dockercfg-mdg5d-push (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  buildcachedir:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/containers/cache
    HostPathType:  
  buildworkdir:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  builder-dockercfg-mdg5d-push:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-dockercfg-mdg5d
    Optional:    false
  builder-dockercfg-mdg5d-pull:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-dockercfg-mdg5d
    Optional:    false
  build-system-configs:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-sys-config
    Optional:  false
  build-ca-bundles:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-ca
    Optional:  false
  build-proxy-ca-bundles:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-1-global-ca
    Optional:  false
  container-storage-root:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  build-blob-cache:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  builder-token-zq27b:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  builder-token-zq27b
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                                                Message
  ----    ------     ----  ----                                                -------
  Normal  Scheduled  52s   default-scheduler                                   Successfully assigned jitsingh/jenkins-1-build to ip-10-0-50-255.us-east-2.compute.internal
  Normal  Pulled     50s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    50s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container git-clone
  Normal  Started    49s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container git-clone
  Normal  Pulled     46s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container manage-dockerfile
  Normal  Started    45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container manage-dockerfile
  Normal  Pulled     45s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0c9afa4b0e8ed0a929d78f54e116aadebd6d7ceaf85dc551ddbbc48f85020b2d" already present on machine
  Normal  Created    44s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Created container docker-build
  Normal  Started    44s   kubelet, ip-10-0-50-255.us-east-2.compute.internal  Started container docker-build
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443

svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
  dc/jenkins deploys istag/jenkins:latest <-
    bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest 
      build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh>)
    deployment #1 waiting on image or update

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          79s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc status
In project jitsingh on server https://api.wxj181-5422.qe.devcluster.openshift.com:6443

svc/jenkins-jnlp - 172.30.217.21:50000
https://jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com (redirects) (svc/jenkins)
  dc/jenkins deploys istag/jenkins:latest <-
    bc/jenkins docker builds https://github.com/jitendar-singh/jenkins.git on istag/origin-cli:latest 
      build #1 running for about a minute - 51b5550: Fix the local build (Jitendar Singh <jsingh>)
    deployment #1 waiting on image or update

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      94s
jenkins-1-global-ca         1      94s
jenkins-1-sys-config        0      94s
jenkins-trusted-ca-bundle   1      76s
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME              READY   STATUS    RESTARTS   AGE
jenkins-1-build   1/1     Running   0          102s
jenkins-1-build   0/1     Completed   0          8m36s
jenkins-1-build   0/1     Completed   0          8m36s
jenkins-1-deploy   0/1     Pending     0          0s
jenkins-1-deploy   0/1     Pending     0          0s
jenkins-1-deploy   0/1     ContainerCreating   0          0s
jenkins-1-deploy   0/1     ContainerCreating   0          2s
jenkins-1-deploy   1/1     Running             0          3s
jenkins-1-build    0/1     Completed           0          8m41s
jenkins-1-sk7nc    0/1     Pending             0          0s
jenkins-1-sk7nc    0/1     Pending             0          0s
jenkins-1-sk7nc    0/1     ContainerCreating   0          0s
jenkins-1-sk7nc    0/1     ContainerCreating   0          2s
jenkins-1-sk7nc    0/1     ContainerCreating   0          6s
jenkins-1-sk7nc    0/1     Running             0          41s
jenkins-1-sk7nc    1/1     Running             0          2m19s
jenkins-1-deploy   0/1     Completed           0          2m24s
jenkins-1-deploy   0/1     Completed           0          2m24s
^C
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get routes
NAME      HOST/PORT                                                       PATH   SERVICES   PORT    TERMINATION     WILDCARD
jenkins   jenkins-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com          jenkins    <all>   edge/Redirect   None
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get ca
error: the server doesn't have a resource type "ca"
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                        DATA   AGE
jenkins-1-ca                1      11m
jenkins-1-global-ca         1      11m
jenkins-1-sys-config        0      11m
jenkins-trusted-ca-bundle   1      11m
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml                                       
--> Deploying template "jitsingh/maven-pipeline" for "https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml" to project jitsingh

     * With parameters:
        * Application Name=openshift-jee-sample
        * Source URL=https://github.com/openshift/openshift-jee-sample.git
        * Source Ref=master
        * GitHub Webhook Secret=KpxJ0R2R8WFn0uPeXowT6cwCOXM03dps3BG8aVg3 # generated
        * Generic Webhook Secret=USnq1J6aaeQaMmePWCcmOKUy6nYnnogxbmOmIdq1 # generated

--> Creating resources ...
    imagestream.image.openshift.io "openshift-jee-sample" created
    imagestream.image.openshift.io "wildfly" created
    buildconfig.build.openshift.io "openshift-jee-sample" created
    buildconfig.build.openshift.io "openshift-jee-sample-docker" created
    deploymentconfig.apps.openshift.io "openshift-jee-sample" created
    service "openshift-jee-sample" created
    route.route.openshift.io "openshift-jee-sample" created
--> Success
    Use 'oc start-build openshift-jee-sample' to start a build.
    Use 'oc start-build openshift-jee-sample-docker' to start a build.
    Access your application via route 'openshift-jee-sample-jitsingh.apps.wxj181-5422.qe.devcluster.openshift.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          13m
jenkins-1-deploy   0/1     Completed   0          5m9s
jenkins-1-sk7nc    1/1     Running     0          5m5s
^C
 ✘ jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get pods -w
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          14m
jenkins-1-deploy   0/1     Completed   0          5m38s
jenkins-1-sk7nc    1/1     Running     0          5m34s
maven-hvd6d        0/1     Pending     0          0s
maven-hvd6d        0/1     Pending     0          0s
maven-hvd6d        0/1     ContainerCreating   0          0s
maven-hvd6d        0/1     ContainerCreating   0          3s
maven-hvd6d        1/1     Running             0          3s
maven-hvd6d        1/1     Terminating         0          52s
maven-hvd6d        1/1     Terminating         0          52s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          0s
maven-hvd6d                           0/1     Terminating         0          53s
maven-hvd6d                           0/1     Terminating         0          54s
maven-hvd6d                           0/1     Terminating         0          55s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          2s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          3s
openshift-jee-sample-docker-1-build   0/1     Init:1/2            0          4s
openshift-jee-sample-docker-1-build   0/1     PodInitializing     0          5s
openshift-jee-sample-docker-1-build   1/1     Running             0          6s
openshift-jee-sample-docker-1-build   0/1     Completed           0          94s
openshift-jee-sample-docker-1-build   0/1     Completed           0          94s
openshift-jee-sample-docker-1-build   0/1     Completed           0          101s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          2s
openshift-jee-sample-1-jmxkw          0/1     Pending             0          0s
openshift-jee-sample-1-jmxkw          0/1     Pending             0          0s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          0s
openshift-jee-sample-1-deploy         1/1     Running             0          3s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          1s
openshift-jee-sample-1-jmxkw          0/1     ContainerCreating   0          11s
openshift-jee-sample-1-jmxkw          0/1     Running             0          49s
openshift-jee-sample-1-jmxkw          1/1     Running             0          81s
openshift-jee-sample-1-deploy         0/1     Completed           0          85s
openshift-jee-sample-1-deploy         0/1     Completed           0          85s
openshift-jee-sample-1-deploy         0/1     Completed           0          90s
^C
====================================================================================
 jsingh@localhost  ~/go/src/github.com/redhat-developer/jenkins/openshift/templates  ➦ 1c19ede  oc get cm
NAME                                       DATA   AGE
jenkins-1-ca                               1      24m
jenkins-1-global-ca                        1      24m
jenkins-1-sys-config                       0      24m
jenkins-trusted-ca-bundle                  1      23m
openshift-jee-sample-docker-1-ca           1      8m53s
openshift-jee-sample-docker-1-global-ca    1      8m53s
openshift-jee-sample-docker-1-sys-config   0      8m53s
========================================================================

verified on 4.4.9

Comment 7 errata-xmlrpc 2020-06-23 00:57:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2580

Comment 8 Red Hat Bugzilla 2023-09-14 05:55:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.

