Bug 2003204 - Jenkins all new container images (openshift4/ose-jenkins) not supporting '-e JENKINS_PASSWORD=password' ENV which was working for old container images
Summary: Jenkins all new container images (openshift4/ose-jenkins) not supporting '-e ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.8
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: 4.10.0
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-09-10 15:17 UTC by Mayur Deore
Modified: 2023-09-15 01:14 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:09:11 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Error on console (32.98 KB, image/png)
2021-09-10 15:17 UTC, Mayur Deore
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github openshift jenkins pull 1345 0 None Merged Bug 2003204: Fix jbcrypt_path lookup and add openshift enable oauth env support 2022-01-10 06:04:45 UTC
Github openshift jenkins pull 1352 0 None Merged Bug 2003204: Fix the admin startup on ephemeral volume initial password case 2022-01-10 06:04:48 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:09:58 UTC

Description Mayur Deore 2021-09-10 15:17:15 UTC
Created attachment 1822163 [details]
Error on console

Description of problem:
In the following command, ENV Variable is getting passed to the container but on the console, it was showing an invalid username and password for 'user: admin', 'password: password'.
~~~
$ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202108202025.p0.git.57c7cb1.assembly.stream
OR
$ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.8.0-202108312109.p0.git.8f554e2.assembly.stream
OR
$ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202108112026.p0.git.57c7cb1
~~~
~~~
[quicklab@upi-0 ~]$ oc rsh pod/ose-jenkins-9dc76b9f6-88xxh
sh-4.4$ env | grep JENKINS_PASSWORD
JENKINS_PASSWORD=password
~~~
This same method was working fine for old images in which it was accepting 'username: admin' and 'password: password'. One example is listed below.
~~~
$ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202104151601.p0
~~~  

Version-Release number of selected component (if applicable):
- v4.6.0-202108202025.p0.git.57c7cb1.assembly.stream (latest, Published 2 days ago)
- v4.8.0-202108312109.p0.git.8f554e2.assembly.stream
- v4.6.0-202108112026.p0.git.57c7cb1

How reproducible:
 We can run this image using `oc new-app` command and exposing the service URL then try to log in on console using `username:admin`, `password:password`

Steps to Reproduce:
1. $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.8.0-202108312109.p0.git.8f554e2.assembly.stream
2. $ oc expose service/ose-jenkins
3. $ oc get route
5. Open that URL in the browser, and Try login with 'username: admin' and 'password: password'

Actual results:
We will get 'Invalid username or password' on the console with 'username: admin' and 'password: password'

Expected results:
We should get a dashboard of jenkins.

Additional info:
- ENV Variable 'JENKINS_PASSWORD' is used to set password for Jenkins 'admin' user. 
- Facing the same issue with other passwords also like 'admin123#'.

Comment 2 Akram Ben Aissi 2021-09-23 11:24:08 UTC
Hi Mayur,

4 months ago, we upgrade the Jenkins image to an earlier version of Jenkins that deprecated the use of acegi and thus changed the password obfuscation algorithm.
I can that what you are seeing is probably a side effect of it.
https://github.com/openshift/jenkins/commit/2fed2dd020564bcbadbd74687214daa9b923f18e

Can you try bcrypting the admin password before passing it as an environment variable?

Comment 3 Mayur Deore 2021-09-23 21:09:17 UTC
Hi Akram,

Thanks for the update.

If possible can you please share the steps that I can use and share with Cu too if get accepted for bcrypting? 

Also, Is there any way to fix this? 

Because README.md is still showing that we can use 'JENKINS_PASSWORD' ENV to set passwords for 'admin' for the default admin password. 
https://github.com/openshift/jenkins#environment-variables

Comment 8 Akram Ben Aissi 2021-11-15 15:19:40 UTC
@jkaur and Mayur ; I have reproduced the issue last week and started to work on it https://github.com/openshift/jenkins/pull/1334/files

Right now, it seems that the default password is not saved when setting the JENKINS_PASSWORD env var, the bcyrpt comparison was failing.
A first issue was related to unfound jar during first startup compared to subsequent startups.
We are still investigating it and will update the bz.

Comment 9 Mayur Deore 2021-11-16 15:29:58 UTC
Hello Akram, Corey,

Thank you for your update. Please do keep the work progress updated on BZ for reference.
I will share the current updates with the customer. 

Thanks,
Mayur

Comment 10 Akram Ben Aissi 2021-11-18 13:57:12 UTC
Hi Mayur,


I have been actively working on this issue for the last 2 days. The good news is that we have a proper fix for it now. The PR is just pending approval.
After doing more tests, I have also seen that the support of the OPENSHIFT_ENABLE_OAUTH variable was certainly broken, but the environment so I also fixed it in another PR. I may merge the 2 PRs together.

I will be working in having an automated e2e test for it between today and tomorrow as this is a pre-requisite for the PR merge, and I will do the requirements for the release.


https://github.com/openshift/jenkins/pull/1334
https://github.com/openshift/jenkins/pull/1345

Akram

Comment 11 Mayur Deore 2021-11-19 17:30:43 UTC
Hi Akram,

I am glad that we get the fix for this.

Thank you so much for actively working on this. I really appreciate the time and effort you put into this. 

Thanks,
Mayur

Comment 17 Jitendar Singh 2022-01-10 06:17:05 UTC
VERIFIED
able to login to jenkins console
=============
 jitsingh@fedora  ~  oc new-project jenkins-test
Now using project "jenkins-test" on server "https://api.app-svc-4.10-011001.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

 jitsingh@fedora  ~  oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins@sha256:5326101b01e013f94b2f5cd9aa88cd949f8114329eebcc150aaf40f3d535b1a6
Flag --docker-image has been deprecated, Deprecated flag use --image
--> Found container image 64f6876 (3 weeks old) from registry.redhat.io for "registry.redhat.io/openshift4/ose-jenkins@sha256:5326101b01e013f94b2f5cd9aa88cd949f8114329eebcc150aaf40f3d535b1a6"

    Jenkins 2 
    --------- 
    Jenkins is a continuous integration server

    Tags: jenkins, jenkins2, ci

    * An image stream tag will be created as "ose-jenkins:latest" that will track this image

--> Creating resources ...
    imagestream.image.openshift.io "ose-jenkins" created
    deployment.apps "ose-jenkins" created
    service "ose-jenkins" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose service/ose-jenkins' 
    Run 'oc status' to view your app.
 jitsingh@fedora  ~  oc expose service/ose-jenkins
route.route.openshift.io/ose-jenkins exposed
 jitsingh@fedora  ~  oc get routes
NAME          HOST/PORT                                                                    PATH   SERVICES      PORT       TERMINATION   WILDCARD
ose-jenkins   ose-jenkins-jenkins-test.apps.app-svc-4.10-011001.devcluster.openshift.com          ose-jenkins   8080-tcp                 None
 jitsingh@fedora  ~  oc get pods -w
NAME                           READY   STATUS    RESTARTS   AGE
ose-jenkins-59cd8f67fc-8hnhz   1/1     Running   0          38s
^C%                                                                                                                                                                                            ✘ jitsingh@fedora  ~  oc rsh ose-jenkins-59cd8f67fc-8hnhz
sh-4.4$ env | grep JENKINS_PASSWORD
JENKINS_PASSWORD=password
sh-4.4$ exit
exit
============================================

Comment 20 errata-xmlrpc 2022-03-10 16:09:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 21 Red Hat Bugzilla 2023-09-15 01:14:57 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days


Note You need to log in before you can comment on or make changes to this bug.