search

jenkinsci / configuration-as-code-plugin

Jenkins Configuration as Code Plugin
https://plugins.jenkins.io/configuration-as-code
MIT License
2.69k stars 718 forks source link

aws cognito auth fails when activating this plugin #2195

Open htgurukul opened 1 year ago

htgurukul commented 1 year ago

Jenkins and plugins versions report

Environment ```text Paste the output here ```

What Operating System are you using (both controller, and any agents involved in the problem)?

kubernetes deployment of jenkins fails when authentication enabled with aws cognito. however without this plugin my auth works well with cognito

Reproduction steps

jenkins auth with aws cognito

Expected Results

should work jenkins auth with aws cognito

Actual Results

failing

Anything else?

No response

htgurukul commented 1 year ago

Actually I am using attached values.yml and tried to add casc section . But when jenkins comes up it has no cognito authentication enabled. I think this configuration is not working.

controller:
  # Used for label app.kubernetes.io/component
  jenkinsUrl: https://189-6.in.ngrok.io/jenkins
  jenkinsAdminEmail: bauwa@buwal.com
  componentName: "jenkins-controller"
  image: "jenkins/jenkins"
  tag: "2.375.2"
  imagePullPolicy: "Always"
  adminUser: "ht"
  adminPassword: "ht123"
  jenkinsUriPrefix: "/jenkins"
  resources:
    requests:
      cpu: "50m"
      memory: "256Mi"
    limits:
      cpu: "1000m"
      memory: "2096Mi"
  installPlugins:
    - kubernetes:1.31.3
    - workflow-aggregator:2.6
    - git:5.0.0
    - configuration-as-code:1569.vb_72405b_80249

  additionalPlugins:
    - aws-java-sdk:1.12.89-292.v2712528e879c
    - blueocean:1.25.8
    - aws-credentials:191.vcb_f183ce58b_9
    - credentials:1189.vf61b_a_5e2f62e
    - matrix-auth:3.0.1
    - dashboard-view:2.19
    - oic-auth:1.8
    - periodicbackup:1.8
    - amazon-ecr:1.73.v741d474abe74
    - docker-workflow:1.29
    - pipeline-utility-steps:2.13.0
    - pipeline-github-lib:38.v445716ea_edda_
    - pipeline-aws:1.43
    - build-monitor-plugin:1.9+build.201606131328
    - job-dsl:1.81
  serviceType: NodePort
  overwritePlugins: false
  JCasC:
    enabled: true
    defaultConfig: false
    configUrls: []
    # - https://acme.org/jenkins.yaml
    # Remote URL:s for configuration files.
    configScripts:
      add-cred: |
         credentials:
          system:
           domainCredentials:
           - credentials:
             - usernamePassword:
                id: "falling"
                password: "{AQAAABAAAAAQf68nbgXec6Kc34hwIngowUV23e5884ShYcvVlaeF3uM=}"
                scope: GLOBAL
                username: "chal"
             - string:
                id: "secuBH"
                scope: GLOBAL
                secret: "{AQAAABAAAAAQqK+wc2hbI77cmsj61/mVWXRWlyvNEVjnU3bxJFJbrZo=}"
      jen-config: |
         jenkins:
           systemMessage: "FROM CaaS"
           authorizationStrategy:
           globalMatrix:
           permissions:
           - "GROUP:Overall/Administer:jen_admin"
           - "GROUP:Overall/Read:authenticated"
           - "USER:Overall/Administer:ht"
           securityRealm:
             oic:
              clientId: "skdhksjdfshhcktgu78kmr"
              clientSecret: "skdfkjsnvksnjvndjvndnvdfntfbon1hujj6"
              wellKnownOpenIDConfigurationUrl: ""
              userInfoServerUrl: "https://myurl.com/oauth2/userInfo"
              tokenFieldToCheckKey: ""
              tokenFieldToCheckValue: ""
              fullNameFieldName: ""
              groupsFieldName: "cognito:groups"
              disableSslVerification: false
              logoutFromOpenidProvider: "https://myurl.com/logout?client_id=skdhksjdfshhcktgu78kmr&logout_uri=https://189-6.in.ngrok.io/jenkins/OicLogout&"
              endSessionEndpoint: ""
              postLogoutRedirectUrl: "https://189-6.in.ngrok.io/jenkins/OicLogout"
              escapeHatchEnabled: true
              escapeHatchUsername: "minikube"
              escapeHatchSecret: "minikube123"
              escapeHatchGroup: "jen_admin"
              automanualconfigure: ""
              emailFieldName: "email"
              userNameField: "username"
              tokenServerUrl: "https://myurl.com/oauth2/token"
              authorizationServerUrl: "https://myurl.com/oauth2/authorize"
              scopes: "openid profile email"
agent:
  enabled: true
jenkinsHome: "/var/jenkins_home"
javaOpts: "-Djava.io.tmpdir=/var/jenkins_tmp -DJENKINS_HOME=/var/jenkins_home"
usePodSecurityContext: true
# Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are
# being deprecated and replaced by `podSecurityContextOverride`.
# Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image.
# When setting runAsUser to a different value than 0 also set fsGroup to the same value:
runAsUser: 1000
fsGroup: 1000
# containerSecurityContext:
#   runAsUser: 1000
#   runAsGroup: 1000
#   readOnlyRootFilesystem: true
#   allowPrivilegeEscalation: false

nodeSelector:
  jenkins: enable

## Install Default RBAC roles and bindings
rbac:
  create: true
  readSecrets: false

serviceAccount:
  create: true
  # The name of the service account is autogenerated by default
  name:
  annotations: {}
  imagePullSecretName: