Comments (14)
Setting the CA as part of the cluster configuration doesn't seem that unreasonable to me (presumably you have to do other cluster configuration anyway), though the ability to use the default CA baked into a slave image makes sense.
from jenkins-client-plugin.
Currently, yes, i need to create a cluster configuration, but if i could disable the plugin adding the certificate-authority onto the command line, i could just do the below, and it would work, because the cluster2 is already trusted by the jenkins slave:
stages {
stage ('Do something') {
steps {
script {
openshift.withCluster("https://cluster2.corp:8443") {
openshift.withProject("test") {
//do something within project
}
}
}
}
}
}
But because there is no cluster configuration, and the above is running in cluster1, the plugin try's to connect to cluster2 with cluster1s certificate-authority.
from jenkins-client-plugin.
@garethahealy - remind me, if the CA is already baked in, does Java store it in a well known location of the file system, or does some env var need to be set?
If so, then when a URL is the value passed into withCluster
, we could just determine if the CA is baked in. If so, avoid setting the oc
option.
I'm also wondering if defaulting to the pod cert when an arbitrary URL is passed in makes sense. It is sort of a last ditch effort / assumption that the mounted cert would work. Perhaps we should default to skip tls verify, and if a user wants full SSL, create an appropriate jenkins cluster config, etc.
@bparees @jim-minter @coreydaley any thoughts there?
from jenkins-client-plugin.
Perhaps we should default to skip tls verify
we should never do that :)
As to whether we should be defaulting to the mounted pod cert(as we currently do), or just hoping/assuming the system certs in the image will suffice, I can see arguments for both. Allowing the user to explicitly indicate they want to use the image's system certs (ie they do not want the plugin to add a --certificate-authority
flag to the oc command) seems reasonable to me, I think that's what's being asked for here.
from jenkins-client-plugin.
Yeah it is just what to do when they do NOT specify that they want to use the image's certs. As you said, and as to what lead to me originally bringing it up, there are arguments both ways.
from jenkins-client-plugin.
Yeah it is just what to do when they do NOT specify that they want to use the image's certs.
since we've already established that if they don't specify anything, they get the mounted pod certs, i don't think we can change that (it could break people in unexpected ways), so i think the only path forward is to allow users to explicitly request that we do not use the mounted pod certs (so that oc falls back to the system certs)
from jenkins-client-plugin.
btw i don't think java is involved, this is all about what ca certs the oc client binary is going to use (either the ones provided as an arg to oc by the plugin, or the system defaults)
from jenkins-client-plugin.
from jenkins-client-plugin.
As @bparees has said, the certs are added at OS level via update-ca-trust
from jenkins-client-plugin.
ok thanks - I believe I've connected the dots
so, how to expose this option to the user via the client plugin surgary dsl syntax (that has been giving me a fair amount of heartburn this week ;-) ) ?
Any opinions folks?
Both withCredentials (formerly doAs) and withCluster have credentialIds ... do we just add a ignoreMountedCerts
flag on those?
from jenkins-client-plugin.
Both withCredentials (formerly doAs) and withCluster have credentialIds ... do we just add a ignoreMountedCerts flag on those?
sounds right to me. I was thinking "useSystemCerts" but we don't have to debate the name extensively.
from jenkins-client-plugin.
Another Red Hatter here at a customer. This is also a problem for us and the use case we have is for an external Jenkins talking to an openshift cluster and the Jenkins host OS trust store (/etc/pki/ca-trust/source/anchors/
) needs to be used for tls purposes. The default (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
) makes no sense when jenkins is not running on openshift. A flag might not be needed if a reliable check can be done to see if jenkins is running on openshift or not, but we could work with a useSystemCerts
flag as well.
from jenkins-client-plugin.
For now opened https://trello.com/c/6AlVfZ2X/1511-2-allow-use-system-certs-ignore-mounted-certs-for-client-plugin-pipelineintegration
Before following the process and closing this out in favor of the card, I'll double check with @bparees - do we still want to consider this as an enhancement, or instead pivot and consider it a "shortcoming bordering on problem that needs to be fixed"
from jenkins-client-plugin.
it's an RFE. Especially since there appear to be valid workarounds (use a cluster configuration to set the cert to use)
from jenkins-client-plugin.
Related Issues (20)
- Question: What extra steps should i follow if my OCP4 cluster is using a proxy ? HOT 4
- exportable did not work on newer openshift clusters HOT 4
- Stream stdout to console for passthrough operations HOT 5
- Plugin incompatible with new-style clouds configuration. HOT 5
- Error after Warning HOT 7
- Can't get api token from com.openshift.jenkins.plugnis.OpenShiftTokenCredentials in pipeline HOT 5
- List of DSL methods required HOT 3
- Error to parse POM's HOT 4
- 'restart' subcommand is missing for rollout()
- Support current version of oc tool HOT 4
- Plugin installation broke credentials used by other plugins HOT 12
- Argument was classified as an image, image~source, or loaded template reference but should be git repo HOT 7
- Leftover oc processes after wait() calls HOT 7
- Plugin doesn't detect capabilities (--ignore-not-found) from recent OC versions HOT 8
- No credentials shown in cluster configuration dropdown HOT 6
- Job fails if there are spaces in the project name, using raw command HOT 9
- Error flags cannot be placed before plugin name on external Jenkins declarative pipeline HOT 2
- Unable to retrieve object names using kubernetes-plugin sidecar container HOT 5
- java.nio.file.NoSuchFileException after upgrade to 1.0.37 HOT 5
- Certificate options not escaped HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jenkins-client-plugin.