krisstern
commented
1 year ago Hi @pushker001 is this the issue you planned to work on in preparation for GSoC 2023?
Closed gulecroc closed 6 months ago
krisstern
commented
1 year ago Hi @pushker001 is this the issue you planned to work on in preparation for GSoC 2023?
pushker001
commented
1 year ago Yes
On Wed, 1 Feb 2023, 9:03 pm Kris Stern, @.***> wrote:
Hi @pushker001 https://github.com/pushker001 is this the issue you planned to work on in preparation for GSoC 2023?
— Reply to this email directly, view it on GitHub https://github.com/jenkinsci/configuration-as-code-plugin/issues/2185#issuecomment-1412259190, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMDMG4UFRJU6BYN7VLMU4O3WVJ64TANCNFSM6AAAAAATJXW7A4 . You are receiving this because you were mentioned.Message ID: @.***>
pushker001
commented
1 year ago I am interested in the issue and have started working on it
krisstern
commented
1 year ago @pushker001 I think the best way to approach the problem would be to try and reproduce the error as described above. Then we incrementally make changes to patch the bug until the error is gone. So you can start right away. Once you have reproduced the error please ping me here.
pushker001
commented
1 year ago @krisstern How I can do these reproduction steps in my gitpod can you guide me regarding this I am stuck here
krisstern
commented
1 year ago Let me set up my GitPod over the weekend too so I could check on your work more closely.
However, you should start by Installing Jenkins with the following helm chart values:
controller:
additionalPlugins:
# Authorization
- role-strategy:569.v7476f8e4fe29
containerEnv:
- name: CASC_MERGE_STRATEGY
value: "override"
JCasC:
defaultConfig: true
authorizationStrategy: |-
roleBased:
roles:
global:
- assignments:
- "guillaume_lecroc"
name: "admin"
pattern: ".*"
permissions:
- "Overall/Administer"
configScripts:
jenkins-casc-config: |-
jenkins:
projectNamingStrategy:
roleBased:
forceExistingJobs: falseAnd supposedly two configuration files will be created as follows:
jenkins:
authorizationStrategy:
roleBased:
roles:
global:
- assignments:
- "guillaume_lecroc"
name: "admin"
pattern: ".*"
permissions:
- "Overall/Administer"
securityRealm:
# I omit IOC configuration
disableRememberMe: false
mode: NORMAL
numExecutors: 0
labelString: ""
projectNamingStrategy: "standard"
markupFormatter:
plainText
clouds:
- kubernetes:
containerCapStr: "10"
defaultsProviderTemplate: ""
connectTimeout: "5"
readTimeout: "15"
jenkinsUrl: "http://jenkinsci.jenkinsci.svc.cluster.local:8080"
jenkinsTunnel: "jenkinsci-agent.jenkinsci.svc.cluster.local:50000"
maxRequestsPerHostStr: "32"
name: "kubernetes"
namespace: "jenkinsci"
serverUrl: "https://kubernetes.default"
podLabels:
- key: "jenkins/jenkinsci-jenkins-agent"
value: "true"
templates:
- name: "default"
namespace: "jenkinsci"
id: ec9481133f16b4bfc8be7ba738f0c6d698e96e979bb73abd5c6089ad5ee48fde
containers:
- name: "jnlp"
alwaysPullImage: false
args: "^${computer.jnlpmac} ^${computer.name}"
command:
envVars:
- envVar:
key: "JENKINS_URL"
value: "http://jenkinsci.jenkinsci.svc.cluster.local:8080/"
image: "jenkins/inbound-agent:4.11.2-4"
privileged: "false"
resourceLimitCpu: 512m
resourceLimitMemory: 512Mi
resourceRequestCpu: 512m
resourceRequestMemory: 512Mi
runAsUser:
runAsGroup:
ttyEnabled: false
workingDir: /home/jenkins/agent
idleMinutes: 0
instanceCap: 2147483647
label: "jenkinsci-jenkins-agent "
nodeUsageMode: "NORMAL"
podRetention: Never
showRawYaml: true
serviceAccount: "default"
slaveConnectTimeoutStr: "100"
yamlMergeStrategy: override
crumbIssuer:
standard:
excludeClientIPFromCrumb: true
security:
apiToken:
creationOfLegacyTokenEnabled: false
tokenGenerationOnCreationEnabled: false
usageStatisticsEnabled: true
unclassified:
location:
adminAddress:
url: myUrljenkins:
projectNamingStrategy:
roleBased:
forceExistingJobs: falseHey, @krisstern I am trying to install Jenkins using the helm chart values I have created a values.yml file in which I have put the above value I am trying to install Jenkins using the command helm install my-jenkins jenkinsci/jenkins -f values.yaml but the installation failed. can you help me regarding this
krisstern
commented
1 year ago Hey @pushker001 Could you please share the relevant stack trace?
pushker001
commented
1 year ago See I have done the following things on my gitpod I have installed Helm Check the version of the helm Added the Jenkins Helm repository to my local Helm repository list Updated my local Helm repository list to ensure that I have the latest Jenkins chart Created values.yaml file in which I put the helm chart value you have been provided After that, I am trying to install Jenkins by running the following command
helm install my-jenkins jenkinsci/jenkins -f values.yamlspecifying the values file I have created but it showing this error
krisstern
commented
1 year ago Hi @pushker001 I think for a GitPod environment you will need to take extra steps like they describe here: https://www.gitpod.io/docs/configure/self-hosted/helm-deprecated/installation/on-kubernetes. Supposedly according to the post https://jimmyb.ninja/post/1607033505, you can have the following at the bottom of the values.yaml file:
docker-registry:
enabled: false
minio:
enabled: false
mysql:
enabled: falseSo do check out the two posts with links provided here to see if you are missing any config. I will try to see if I can get everything running with GitPod meanwhile.
krisstern
commented
1 year ago I think I can reproduce the warning mentioned previously:
But I kind of cheated cause I just ran
mvn hpi:runfrom within Gitpod because I don't think we need to use Kubernetes / Docker for tackling this issue necessarily. Also, I used SSH to bridge between my localhost:8080 with that of the one on Gitpod.
pushker001
commented
1 year ago Then, what exactly do we need to do to resolve the Kubernetes issue that I have told you about previously
krisstern
commented
1 year ago Hi @pushker001 Have you tried port forwarding?: https://www.gitpod.io/docs/configure/workspaces/ports#port-forwarding
krisstern
commented
1 year ago Hey, @krisstern I am trying to install Jenkins using the helm chart values I have created a values.yml file in which I have put the above value I am trying to install Jenkins using the command helm install my-jenkins jenkinsci/jenkins -f values.yaml but the installation failed. can you help me regarding this
BTW @pushker001 You cannot simply copy and paste the values given, since you will need to customise for your own setup.
krisstern
commented
1 year ago I have a feeling we don't really need to test via a Helm setup, but will need to simulate the situation by equivalent configurations for JCasC.
pushker001
commented
1 year ago Have you tried port forwarding?
Yes I am doing it on gitpod I using an access token to connect with ssh Here this is showing in my terminal
$ ssh 'pushker001-configuratio-th8pm80z7cq#uLR5NZoqm1QpMR4SisKz.teYY4Br5FiE@pushker001-configuratio-th8pm80z7cq.ssh.ws-us86.gitpod.io'
Welcome to Gitpod: Always ready to code. Try the following commands to get started:
gp tasks list List all your defined tasks in .gitpod.yml
gp tasks attach Attach your terminal to a workspace task
gp ports list Lists workspace ports and their states
gp stop Stop current workspace
gp help To learn about the gp CLI commandsHave you tried exposing the port using something like the following?:
gp ports expose 8080And since your linux instance is likely Ubuntu, try opening the firewall port like the below:
sudo ufw allow 8080/tcpMore relevant documentation can be found at https://www.ibm.com/docs/es/spectrum-scale/5.1.0?topic=firewall-examples-how-open-ports.
pushker001
commented
1 year ago Yes I have tried exposing the port it showing me this
gp ports expose 8080
Forwarding traffic: 0.0.0.0:8081 -> 127.0.0.1:8080
2023/02/14 17:32:25 tcpproxy: for incoming conn 192.168.19.8:39538, error dialing "127.0.0.1:8080": dial tcp 127.0.0.1:8080: connect: connection refused
2023/02/14 17:32:31 tcpproxy: for incoming conn 192.168.19.8:39546, error dialing "127.0.0.1:8080": dial tcp 127.0.0.1:8080: connect: connection refusedHi @pushker001,
As I am not on the same machine as yours, I cannot view what you saw https://8081-pushker001-configuratio-smqa7qdurwo.ws-us86.gitpod.io/.
Have you tried running the command mvn hpi:run in the terminal at the root of the configuration-as-code-plugin repo on Gitpod and see if anything shows up on port 8080? That worked for me.
pushker001
commented
1 year ago So you want that first I do exposing the port through commad
gp ports expose 8080Then I have to run mvn hpi: run command in the terminal?? Is that right?
krisstern
commented
1 year ago Hi @pushker001!
Let's try running mvn hpi:run first, if need be then expose the port.
pushker001
commented
1 year ago after running the above command it is showing this in the terminal
[WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:3.32 is missing, no dependency information available
Downloading from incrementals: https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/tools/maven-hpi-plugin/3.32/maven-hpi-plugin-3.32.jar
[WARNING] Failed to build parent project for io.jenkins.configuration-as-code:parent:pom:999999-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] Configuration as Code Parent [pom]
[INFO] Configuration as Code Plugin [hpi]
[INFO] Configuration as Code Test harness [jar]
[INFO] Configuration as Code Integration tests [jar]also, see this after running the above command port 8080 is opened https://8080-pushker001-configuratio-smqa7qdurwo.ws-us87.gitpod.io/
krisstern
commented
1 year ago Good to know @pushker001 So did it work as expected? If so, we could start reproducing the error using the new configurations, but we will need to customise the values for our settings.
krisstern
commented
1 year ago I think if you navigate to either http://127.0.0.1:8080/jenkins/ on a local browser or https://8080-pushker001-configuratio-smqa7qdurwo.ws-us87.gitpod.io/jenkins/ you will able to see what you expected.
pushker001
commented
1 year ago after running the bash mvn hpi:run command I don't need to expose the port what do next?
krisstern
commented
1 year ago If you see the following page showing up at either http://127.0.0.1:8080/jenkins/ or something similar to https://8080-pushker001-configuratio-smqa7qdurwo.ws-us87.gitpod.io/jenkins/ you are then good to go:
But if you see the following instead you should just click on the "Context Path" and be redirected to the above interface:
After that we will be all set to try and reproduce the issues reported in the description above, which is to configure the role-strategy plugin in the manner specified. To do this we will need to be able to know how to modify the configurations similarly using the web interface. Note that we can get close to the problem but not entire reproduce it because of the limitiations of Gitpod within our current knowledge of it. Please note the below:
To quote Mark's words:
(We can then...) define the configuration interactively from within the Jenkins administration pages, then use the "View configuration" button in the configuration as code page to show how the current configuration would be represented
pushker001
commented
1 year ago Hey @krisstern I am trying to configure the role strategy plugin in the manner that is specified but clicking on "Configure Global Security" it is showing me error see this http://localhost:8080/jenkins/configureSecurity/
krisstern
commented
1 year ago HI @pushker001 I cannot see what can only be seen locally at http://localhost:8080/jenkins/configureSecurity/. Could you copy and paste the relevant stack trace or take a screenshot of the error for us to see?
pushker001
commented
1 year ago This Interfece is showing in my browser
pushker001
commented
1 year ago I am trying to configure role strategy plugin it is showing me this error
krisstern
commented
1 year ago @pushker001 Could you tell us how did you configure the Role Strategy Plugin so we could try and reproduce the same result?
pushker001
commented
1 year ago @pushker001 Could you tell us how did you configure the Role Strategy Plugin so we could try and reproduce the same result?
Actually I am just following the step that is written in this Role strategy plugin I am trying to install plugin through the steps written in above link but when I click on configure security,above error is showing (localhost refused to connect)
pushker001
commented
1 year ago This Interfece is showing in my browser
This interface is showing in my browser is this ok with it?
pushker001
commented
1 year ago I click on anything it is showing me localhost refused to connect,see this and guide me.
krisstern
commented
1 year ago Have you been successful in installing the plugin? You can try going to Manage Jenkins > Manage Plugins > Available then look for the Role-based Authorization Strategy in the search bar, you should be able to see the following:
Then you install the plugin (try without restart). After which you go back to Manage Jenkins > Configure Global Security:
Then you should be able to choose the Role-based Strategy option under Authorization:
After that you go back to Manage Jenkins and you should be able to see a new warning, which says "The Restrict project naming configuration is not set to the Role-based Strategy. This can lead to problems as it allows users to create items, for which they have not the sufficient permissions to discover, read or configure.":
Let me know if you could reproduce this.
pushker001
commented
1 year ago hi @krisstern after clicking on Manage Plugins this interface is showing actually I click on any of the icons the same interface is showing
krisstern
commented
1 year ago Hi @pushker001 Maybe you could try to use JetBrains Gateway like I do and see if that works for you? Looks like your problem has been caused by some routing issues.
pushker001
commented
1 year ago This is showing when i try to connect gitpod with jetbrains
krisstern
commented
1 year ago @pushker001 I need more details from you before I can tell what is wrong. Did you start with a new workspace here?: https://gitpod.io/workspaces/. What I did was after I made sure I have Jetbrains Gateway installed, I used the URL https://github.com/jenkinsci/configuration-as-code-plugin to start a new workspace on GitPod, and followed the prompts to choose IntelliJ Idea as the editor, and then a suitable class. Then I chose "New Workspace". Then Gitpod would automaticaly start up Jetbrains Gateway.
pushker001
commented
1 year ago Hey @krisstern I have run the command mvn hpi:run port is not opening in jetbrain
pushker001
commented
1 year ago Hey @krisstern actually it works👍
pushker001
commented
1 year ago Hey @krisstern I am able to reproduce it what to do next
krisstern
commented
1 year ago Next you try to configure as close as possible like the OP stated here.
pushker001
commented
1 year ago Hey @krisstern how do export this configuration can you guide me ?
jenkins:
projectNamingStrategy:
roleBased:
forceExistingJobs: false@krisstern I have downloaded the configuration-as-a-code-plugin how to export the above configuration
krisstern
commented
1 year ago Hi @pushker001 Please go through the JCasC README.md first to see how we could configure Jenkins with a script or two. Also you may need to rebuild your Gitpod workspace as a result of your new configuration file(s) using gp rebuild (see https://www.gitpod.io/docs/references/gitpod-cli#rebuild) to pick up the changes.
krisstern
commented
1 year ago You will need to add the new configuration files to your Gitpod workspace with say the directory path /var/jenkins_home/casc_config where your new configuration files are located via the CASC_JENKINS_CONFIG environment variable.
I have a hunch this issue may or may not lead to a feature pull request, but maybe a documentation pull request is indeed possible. So beware of this.
pushker001
commented
1 year ago @krisstern I have installed the Configuratation as a code plugin in my localhost but after that in the document it is talking about the CASC_JENKINS_CONFIG environment variable and I am confused about what to do next after that
krisstern
commented
1 year ago On Linux or Mac, to export (or set) an environment variable, you only need to do something like the following to say export the directory as the path:
export CASC_JENKINS_CONFIG="/var/jenkins_home/casc_config"
Jenkins and plugins versions report
Environment
```text Jenkins: 2.375.1 OS: Linux - 5.4.0-135-generic --- ace-editor:1.1 apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 authentication-tokens:1.4 blueocean:1.26.0 blueocean-bitbucket-pipeline:1.26.0 blueocean-commons:1.26.0 blueocean-config:1.26.0 blueocean-core-js:1.26.0 blueocean-dashboard:1.26.0 blueocean-display-url:2.4.1 blueocean-events:1.26.0 blueocean-git-pipeline:1.26.0 blueocean-github-pipeline:1.26.0 blueocean-i18n:1.26.0 blueocean-jwt:1.26.0 blueocean-personalization:1.26.0 blueocean-pipeline-api-impl:1.26.0 blueocean-pipeline-editor:1.26.0 blueocean-pipeline-scm-api:1.26.0 blueocean-rest:1.26.0 blueocean-rest-impl:1.26.0 blueocean-web:1.26.0 bootstrap5-api:5.2.1-3 bouncycastle-api:2.26 branch-api:2.1051.v9985666b_f6cc caffeine-api:2.9.3-65.v6a_47d0f4d1fe checks-api:1.8.1 cloudbees-bitbucket-branch-source:791.vb_eea_a_476405b cloudbees-folder:6.800.v71307ca_b_986b command-launcher:1.2 commons-lang3-api:3.12.0-36.vd97de6465d5b_ commons-text-api:1.10.0-27.vb_fa_3896786a_7 configuration-as-code:1569.vb_72405b_80249 credentials:1214.v1de940103927 credentials-binding:523.vd859a_4b_122e6 display-url-api:2.3.7 durable-task:503.v57154d18d478 echarts-api:5.4.0-1 favorite:2.4.1 font-awesome-api:6.2.1-1 git:4.13.0 git-client:3.13.1 github:1.36.0 github-api:1.303-400.v35c2d8258028 github-branch-source:1696.v3a_7603564d04 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 htmlpublisher:1.31 instance-identity:142.v04572ca_5b_265 ionicons-api:31.v4757b_6987003 jackson2-api:2.14.1-313.v504cdd45c18b jakarta-activation-api:2.0.1-2 jakarta-mail-api:2.0.1-2 javax-activation-api:1.2.0-5 javax-mail-api:1.6.2-5 jaxb:2.3.7-1 jdk-tool:1.0 jenkins-design-language:1.26.0 jjwt-api:0.11.5-77.v646c772fddb_0 jquery3-api:3.6.1-2 jsch:0.1.55.61.va_e9ee26616e7 junit:1166.va_436e268e972 kubernetes:3734.v562b_b_a_627ea_c kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 kubernetes-credentials:0.9.0 locale:226.v008e1b_58cb_b_0 mailer:438.v02c7f0a_12fa_4 mapdb-api:1.0.9-28.vf251ce40855d matrix-project:785.v06b_7f47b_c631 metrics:4.2.13-420.vea_2f17932dd6 oic-auth:2.3 okhttp-api:4.9.3-108.v0feda04578cf pipeline-build-step:2.18 pipeline-graph-analysis:195.v5812d95a_a_2f9 pipeline-groovy-lib:629.vb_5627b_ee2104 pipeline-input-step:466.v6d0a_5df34f81 pipeline-milestone-step:101.vd572fef9d926 pipeline-model-api:2.2118.v31fd5b_9944b_5 pipeline-model-definition:2.2118.v31fd5b_9944b_5 pipeline-model-extensions:2.2118.v31fd5b_9944b_5 pipeline-stage-step:296.v5f6908f017a_5 pipeline-stage-tags-metadata:2.2118.v31fd5b_9944b_5 plain-credentials:139.ved2b_9cf7587b plugin-util-api:2.20.0 popper2-api:2.11.6-2 pubsub-light:1.17 role-strategy:569.v7476f8e4fe29 scm-api:631.v9143df5b_e4a_a script-security:1228.vd93135a_2fb_25 snakeyaml-api:1.33-90.v80dcb_3814d35 sse-gateway:1.26 ssh-credentials:305.v8f4381501156 sshd:3.236.ved5e1b_cb_50b_2 structs:324.va_f5d6774f3a_d subversion:2.16.0 token-macro:321.vd7cc1f2a_52c8 trilead-api:2.84.v72119de229b_7 variant:59.vf075fe829ccb workflow-aggregator:590.v6a_d052e5a_a_b_5 workflow-api:1200.v8005c684b_a_c6 workflow-basic-steps:994.vd57e3ca_46d24 workflow-cps:3583.v4f58de0d78d5 workflow-durable-task-step:1217.v38306d8fa_b_5c workflow-job:1254.v3f64639b_11dd workflow-multibranch:716.vc692a_e52371b_ workflow-scm-step:400.v6b_89a_1317c9a_ workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:839.v35e2736cfd5c ```What Operating System are you using (both controller, and any agents involved in the problem)?
After installing role-strategy plugin, Jenkins add a warning :
The Restrict project naming configuration is not set to the Role-based Strategy. This can lead to problems as it allows users to create items, for which they have not the sufficient permissions to discover, read or configure.I would like to set this settings with JCasC. If I export the configuration :
Then if a create a fresh installation with this configuration, Jenkins controller could not merge the default configuration with this one :
I tried to set
CASC_MERGE_STRATEGYtooverridetoo, same problem.I tried to set the configuration under
unclassified:I got an other error :
Reproduction steps
Install Jenkins with helm chart values :
This create two configuration file :
Expected Results
No merge error
Actual Results
Merge error
Anything else?
Workaround is to disable default configuration and provide only one file with correct merge