Closed
6 changes: 3 additions & 3 deletions 2/Dockerfile.localdev
@@ -1,4 +1,4 @@
FROM quay.io/openshift/origin-cli
FROM quay.io/openshift/origin-cli:4.2

# Jenkins image for OpenShift
#
Expand All @@ -18,7 +18,7 @@ ENV JENKINS_VERSION=2 \
HOME=/var/lib/jenkins \
JENKINS_HOME=/var/lib/jenkins \
JENKINS_UC=https://updates.jenkins.io \
OPENSHIFT_JENKINS_IMAGE_VERSION=4.0 \
OPENSHIFT_JENKINS_IMAGE_VERSION=4.2 \
LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
INSTALL_JENKINS_VIA_RPMS=false
Expand All @@ -27,7 +27,7 @@ LABEL k8s.io.description="Jenkins is a continuous integration server" \
k8s.io.display-name="Jenkins 2" \
openshift.io.expose-services="8080:http" \
openshift.io.tags="jenkins,jenkins2,ci" \
io.jenkins.version="2.204.1" \
io.jenkins.version="2.222.1" \
io.openshift.s2i.scripts-url=image:///usr/libexec/s2i

# 8080 for main web interface, 50000 for slave agents
8 changes: 4 additions & 4 deletions 2/Dockerfile.rhel7
Expand Up @@ -16,7 +16,7 @@ ENV JENKINS_VERSION=2 \
HOME=/var/lib/jenkins \
JENKINS_HOME=/var/lib/jenkins \
JENKINS_UC=https://updates.jenkins.io \
OPENSHIFT_JENKINS_IMAGE_VERSION=4.0 \
OPENSHIFT_JENKINS_IMAGE_VERSION=4.2 \
LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
INSTALL_JENKINS_VIA_RPMS=false
Expand All @@ -29,13 +29,13 @@ LABEL io.k8s.description="Jenkins is a continuous integration server" \
io.k8s.display-name="Jenkins 2" \
io.openshift.tags="jenkins,jenkins2,ci" \
io.openshift.expose-services="8080:http" \
io.jenkins.version="2.204.1" \
io.jenkins.version="2.222.1" \
io.openshift.s2i.scripts-url=image:///usr/libexec/s2i

# Labels consumed by Red Hat build service
LABEL com.redhat.component="openshift-jenkins-2-container" \
name="openshift4/ose-jenkins" \
version="4.3" \
version="4.2" \
architecture="x86_64"

# 8080 for main web interface, 50000 for slave agents
Expand All @@ -46,7 +46,7 @@ EXPOSE 8080 50000
# /usr/lib64/jenkins will subsequently get redirected to /usr/lib/jenkins; it is confirmed that the 3.7 jenkins RHEL images
# do *NOT* have a /usr/lib64/jenkins path
RUN ln -s /usr/lib/jenkins /usr/lib64/jenkins && \
INSTALL_PKGS="dejavu-sans-fonts wget rsync gettext git tar zip unzip openssl bzip2 dumb-init java-1.8.0-openjdk java-1.8.0-openjdk-devel" && \
INSTALL_PKGS="dejavu-sans-fonts wget rsync gettext git tar zip unzip openssl bzip2 dumb-init java-11-openjdk java-11-openjdk-devel " && \
yum install -y $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum clean all && \
4 changes: 2 additions & 2 deletions 2/contrib/jenkins/install-jenkins-core-plugins.sh
Expand Up @@ -11,8 +11,8 @@ if [[ "${INSTALL_JENKINS_VIA_RPMS}" == "false" ]]; then
if [ "$#" == "1" ]; then
YUM_FLAGS="$1"
fi
yum -y $YUM_FLAGS --setopt=tsflags=nodocs install jenkins-2.204.1-1.1
rpm -V jenkins-2.204.1-1.1
yum -y $YUM_FLAGS --setopt=tsflags=nodocs install jenkins-2.222.1
rpm -V jenkins-2.222.1
yum clean all
/usr/local/bin/install-plugins.sh $PLUGIN_LIST
else
40 changes: 20 additions & 20 deletions 2/contrib/openshift/base-plugins.txt
@@ -1,18 +1,21 @@

# OpenShift Plugins
openshift-login:1.0.23
openshift-client:1.0.32
openshift-sync:1.0.44
openshift-sync:1.0.45


# kubernetes plugin - https://wiki.jenkins-ci.org/display/JENKINS/Kubernetes+Plugin
# 1.7.1 fixed https://jenkins.io/security/advisory/2018-06-04/#SECURITY-883
# 1.12.0 fixed https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1016
# 1.12.8 fixed the https://issues.jenkins-ci.org/browse/JENKINS-53260 we introduced
# 1.18.2 upgrade to support OpenJdk11
kubernetes:1.18.2
credentials:2.2.0
docker-commons:1.14
pipeline-model-definition:1.3.7
# 1.25.2 enhance http proxy handleing
kubernetes:1.25.2
credentials:2.3.5
docker-commons:1.16
pipeline-model-definition:1.6.0
pipeline-model-api:1.6.0

# we leverage this plugin in the openshift-client DSL groovy shim
lockable-resources:2.5
Expand Down Expand Up @@ -46,42 +49,42 @@ lockable-resources:2.5
# processed sec adv https://jenkins.io/security/advisory/2019-07-31/
# processed sec adv https://jenkins.io/security/advisory/2019-08-28/
# processed sec adv https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590
#

config-file-provider:3.5
htmlpublisher:1.21
job-dsl:1.72
mailer:1.21
mailer:1.30
parameterized-trigger:2.35.2
pipeline-build-step:2.7
pipeline-input-step:2.8
script-security:1.66
pipeline-build-step:2.12
pipeline-input-step:2.11
script-security:1.71
google-oauth-plugin:1.0.0

ant:1.10
pam-auth:1.6
git-client:3.0.0
git-client:3.2.1

credentials-binding:1.19
junit:1.26.1
workflow-support:2.18
git:3.9.3
git:4.2.2
mercurial:2.3
subversion:2.10.3
subversion:2.13.1
github:1.29.2
github-branch-source:2.3.6
workflow-cps:2.73
workflow-cps:2.80
workflow-cps-global-lib:2.15
token-macro:2.8
token-macro:2.12
workflow-remote-loader:1.5

# Legacy stuff
mapdb-api:1.0.9.0

matrix-project:1.14
ssh-credentials:1.17.2
ssh-credentials:1.18.1

# Pipeline Utility Steps Plugin - https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Utility+Steps+Plugin
pipeline-utility-steps:2.1.0
pipeline-utility-steps:2.5.0

# some plugins helpful for global shared libs were broken out of workflow aggregator
pipeline-github-lib:1.0
Expand All @@ -93,9 +96,6 @@ matrix-auth:2.2
# with k8s plugin
blueocean:1.10.2

# Pipeline plugin - https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Plugin
# 2.5 now includes pipeline-model-definition (declaritive pipeline)
# 2.4 brought in pipeline-milestone-step
workflow-aggregator:2.6

# Monitoring plugins
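--- a/2/contrib/openshift/configuration/logging.properties
+++ b/2/contrib/openshift/configuration/logging.properties
@@ -0,0 +1,5 @@
+# Jenkins logging configuration for OpenShift
+
+.level=INFO
+handlers=java.util.logging.ConsoleHandler
+java.util.logging.SimpleFormatter.format=%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS %4$-7s %2$s %5$s%6$s%n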
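Review bot: The `java.util.logging.SimpleFormatter.format` line has no comment saying what its positional arguments are, which makes the log layout hard to change safely. A line such as `# %1$ = timestamp, %4$ = level, %2$ = source, %5$ = message, %6$ = stack trace if any` above it would cover that. A second comment should note that `2/contrib/s2i/run` passes `-Djava.util.logging.config.file=$JENKINS_HOME/logging.properties`, because how this file gets from `contrib/openshift/configuration` into `$JENKINS_HOME` is not visible in this change.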
21 changes: 19 additions & 2 deletions 2/contrib/s2i/run
Expand Up @@ -192,6 +192,14 @@ if [[ -z "${JAVA_TOOL_OPTIONS}" ]]; then
export JAVA_TOOL_OPTIONS
fi

# update system java keystore with custom ca bundle from jenkins-trust-ca-bundle configmap
# ca bundle is injected by network operator via the configmap jenkins-trusted-ca-bundle
# see certificate-injection-using-operators_configuring-a-custom-pki in the documentation
system_ca_bundle_crt="/etc/pki/ca-trust/source/anchors/ca-bundle.crt"
if [ -f "${system_ca_bundle_crt}" ]; then
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth ${JENKINS_HOME}/ca-anchors-keystore
fi

# assume k8s/docker memory limit was set if memory.limit_in_bytes < 1TiB
if [[ "${CONTAINER_MEMORY_IN_BYTES}" -lt $((2**40)) ]]; then
# set this JVM's -Xmx and -Xms if not set already (not propagated to any
Expand All @@ -201,7 +209,7 @@ if [[ "${CONTAINER_MEMORY_IN_BYTES}" -lt $((2**40)) ]]; then
# uncapped; -Xms unspecified (JVM default is 1/64 of -Xmx).

if [[ -z "$CONTAINER_HEAP_PERCENT" ]]; then
CONTAINER_HEAP_PERCENT=0.50
CONTAINER_HEAP_PERCENT=0.50
fi

CONTAINER_HEAP_MAX=$(echo "${CONTAINER_MEMORY_IN_MB} ${CONTAINER_HEAP_PERCENT}" | awk '{ printf "%d", $1 * $2 }')
Expand Down Expand Up @@ -462,9 +470,17 @@ fi
if [[ -z "${JENKINS_JAVA_OPTIONS}" ]]; then
# a discover was made upstream that if the monitor plugin is installed, it creates httpsession's via its filter, which impact the login plugin bearer token support,
# so the displayed-counters setting turns that off
JENKINS_JAVA_OPTIONS="$JAVA_GC_OPTS $JAVA_INITIAL_HEAP_PARAM $JAVA_MAX_HEAP_PARAM $JAVA_CORE_LIMIT $JAVA_DIAGNOSTICS -Dfile.encoding=UTF8 -Djavamelody.displayed-counters=log,error $JENKINS_ACCESSLOG $FATAL_ERROR_OPTION"
JENKINS_JAVA_OPTIONS="$JAVA_GC_OPTS $JAVA_INITIAL_HEAP_PARAM $JAVA_MAX_HEAP_PARAM $JAVA_CORE_LIMIT $JAVA_DIAGNOSTICS "
JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Dfile.encoding=UTF8 -Djavamelody.displayed-counters=log,error $JENKINS_ACCESSLOG $FATAL_ERROR_OPTION"
JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Djava.util.logging.config.file=$JENKINS_HOME/logging.properties"
# Add default truststore if custom ca is loaded under ${JENKINS_HOME}/ca-anchors-keystore
if [ -f "${JENKINS_HOME}/ca-anchors-keystore" ]; then
JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Djavax.net.ssl.trustStore=${JENKINS_HOME}/ca-anchors-keystore"
fi
fi

JAVA_HTTP_PROXY_OPTIONS="-Djdk.http.auth.tunneling.disabledSchemes= -Djdk.http.auth.proxying.disabledSchemes="

# Deal with embedded escaped spaces in JENKINS_JAVA_OVERRIDES.
# JENKINS_JAVA_OVERRIDES='-Dfoo -Dbar' => append -Dfoo -Dbar to java invocation
# JENKINS_JAVA_OVERRIDES='-Dfoo\ bar' => append '-Dfoo bar' to java invocation
Expand All @@ -475,6 +491,7 @@ if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
set -x
exec java $JENKINS_JAVA_OPTIONS -Duser.home=${HOME} \
-Djavamelody.application-name=${JENKINS_SERVICE_NAME} \
-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true \
"${JENKINS_JAVA_OVERRIDES_ARRAY[@]}" \
-jar /usr/lib/jenkins/jenkins.war $JENKINS_OPTS "$@"
fi
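Review bot: The added `-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true` on the `exec java` line turns CSRF crumb checking off by default for every Jenkins started from this image, and nothing in the hunk says why. If it is only a compatibility measure for the 2.222.1 upgrade, it would be safer to drop the line and let deployments that need it pass the property through `JENKINS_JAVA_OVERRIDES`, which this script already appends to the invocation. At minimum, a comment should state the reason and the condition for removing it. Separately, in the CA-bundle hunk the `p11-kit extract` call passes `${JENKINS_HOME}/ca-anchors-keystore` unquoted and does not check its exit status, and the comment names the configmap two ways (`jenkins-trust-ca-bundle` and `jenkins-trusted-ca-bundle`). The enclosing `if` blocks start and end outside the visible hunks.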
21 changes: 21 additions & 0 deletions openshift/templates/jenkins-ephemeral-monitored.json
Expand Up @@ -41,6 +41,16 @@
}
}
},
{
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"labels": {
"config.openshift.io/inject-trusted-cabundle": "true"
}
}
},
{
"kind": "DeploymentConfig",
"apiVersion": "v1",
Expand Down Expand Up @@ -151,6 +161,10 @@
{
"name": "${JENKINS_SERVICE_NAME}-data",
"mountPath": "/var/lib/jenkins"
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"mountPath": "/etc/pki/ca-trust/source/anchors"
}
],
"terminationMessagePath": "/dev/termination-log",
Expand All @@ -168,6 +182,13 @@
"emptyDir": {
"medium": ""
}
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"configMap": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"optional": true
}
}
],
"restartPolicy": "Always",
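Review bot: The new volumeMount puts the ConfigMap volume over the whole `/etc/pki/ca-trust/source/anchors` directory, so any anchors the image itself ships there are hidden once the pod starts. Because the volume is `"optional": true`, the directory is simply empty when the ConfigMap is absent. If the image is expected to carry its own anchors in that path, the bundle should be mounted elsewhere and the path read by `2/contrib/s2i/run` adjusted to match. Adding `"readOnly": true` to the mount would also make it explicit that the container never writes trust anchors. The same three hunks are repeated in jenkins-ephemeral.json, jenkins-persistent-monitored.json and jenkins-persistent.json, so the point applies there as well.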
21 changes: 21 additions & 0 deletions openshift/templates/jenkins-ephemeral.json
Expand Up @@ -41,6 +41,16 @@
}
}
},
{
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"labels": {
"config.openshift.io/inject-trusted-cabundle": "true"
}
}
},
{
"kind": "DeploymentConfig",
"apiVersion": "v1",
Expand Down Expand Up @@ -151,6 +161,10 @@
{
"name": "${JENKINS_SERVICE_NAME}-data",
"mountPath": "/var/lib/jenkins"
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"mountPath": "/etc/pki/ca-trust/source/anchors"
}
],
"terminationMessagePath": "/dev/termination-log",
Expand All @@ -168,6 +182,13 @@
"emptyDir": {
"medium": ""
}
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"configMap": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"optional": true
}
}
],
"restartPolicy": "Always",
21 changes: 21 additions & 0 deletions openshift/templates/jenkins-persistent-monitored.json
Expand Up @@ -58,6 +58,16 @@
}
}
},
{
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"labels": {
"config.openshift.io/inject-trusted-cabundle": "true"
}
}
},
{
"kind": "DeploymentConfig",
"apiVersion": "v1",
Expand Down Expand Up @@ -172,6 +182,10 @@
{
"name": "${JENKINS_SERVICE_NAME}-data",
"mountPath": "/var/lib/jenkins"
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"mountPath": "/etc/pki/ca-trust/source/anchors"
}
],
"terminationMessagePath": "/dev/termination-log",
Expand All @@ -189,6 +203,13 @@
"persistentVolumeClaim": {
"claimName": "${JENKINS_SERVICE_NAME}"
}
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"configMap": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"optional": true
}
}
],
"restartPolicy": "Always",
21 changes: 21 additions & 0 deletions openshift/templates/jenkins-persistent.json
Expand Up @@ -41,6 +41,16 @@
}
}
},
{
"kind": "ConfigMap",
"apiVersion": "v1",
"metadata": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"labels": {
"config.openshift.io/inject-trusted-cabundle": "true"
}
}
},
{
"kind": "PersistentVolumeClaim",
"apiVersion": "v1",
Expand Down Expand Up @@ -172,6 +182,10 @@
{
"name": "${JENKINS_SERVICE_NAME}-data",
"mountPath": "/var/lib/jenkins"
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"mountPath": "/etc/pki/ca-trust/source/anchors"
}
],
"terminationMessagePath": "/dev/termination-log",
Expand All @@ -189,6 +203,13 @@
"persistentVolumeClaim": {
"claimName": "${JENKINS_SERVICE_NAME}"
}
},
{
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"configMap": {
"name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
"optional": true
}
}
],
"restartPolicy": "Always",