jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

Plugin downloads fail with chart 3.5.10 and image lts-jdk11 #437

Closed chris-vest closed 8 months ago

chris-vest commented 3 years ago

Describe the bug

When the init container starts up to download the plugins, the following happens:

infra-jenkins-0 init remove all plugins from shared volume
infra-jenkins-0 init download plugins
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/analysis-core.hpi, or download plugin analysis-core to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/analysis-core/latest/analysis-core.hpi, or download plugin analysis-core to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for analysis-core
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/configuration-as-code-support.hpi, or download plugin configuration-as-code-support to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/configuration-as-code-support/latest/configuration-as-code-support.hpi, or download plugin configuration-as-code-support to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for configuration-as-code-support
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/findbugs.hpi, or download plugin findbugs to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/findbugs/latest/findbugs.hpi, or download plugin findbugs to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for findbugs
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/pmd.hpi, or download plugin pmd to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/pmd/latest/pmd.hpi, or download plugin pmd to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for pmd
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/warnings.hpi, or download plugin warnings to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/warnings/latest/warnings.hpi, or download plugin warnings to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for warnings
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/pmd.hpi, or download plugin pmd to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/pmd/latest/pmd.hpi, or download plugin pmd to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/analysis-core.hpi, or download plugin analysis-core to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/analysis-core/latest/analysis-core.hpi, or download plugin analysis-core to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/warnings.hpi, or download plugin warnings to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/warnings/latest/warnings.hpi, or download plugin warnings to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to download pmd
infra-jenkins-0 init Tried downloading github from https://get.jenkins.io/plugins/github/1.33.1/github.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading aws-java-sdk from https://ftp.belnet.be/mirror/jenkins/plugins/aws-java-sdk/1.11.995/aws-java-sdk.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading configuration-as-code from https://get.jenkins.io/plugins/configuration-as-code/1.51/configuration-as-code.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading all-changes from https://get.jenkins.io/plugins/all-changes/1.5/all-changes.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading email-ext from https://get.jenkins.io/plugins/email-ext/2.83/email-ext.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading dependency-track from https://mirror.gruenehoelle.nl/jenkins/plugins/dependency-track/3.1.1/dependency-track.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading workflow-durable-task-step from https://get.jenkins.io/plugins/workflow-durable-task-step/2.39/workflow-durable-task-step.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading build-history-metrics-plugin from https://get.jenkins.io/plugins/build-history-metrics-plugin/1.2/build-history-metrics-plugin.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading junit from https://get.jenkins.io/plugins/junit/1.52/junit.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading authentication-tokens from https://get.jenkins.io/plugins/authentication-tokens/1.4/authentication-tokens.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading jdk-tool from https://get.jenkins.io/plugins/jdk-tool/1.5/jdk-tool.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading font-awesome-api from https://get.jenkins.io/plugins/font-awesome-api/5.15.3-4/font-awesome-api.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading PrioritySorter from https://ftp.belnet.be/mirror/jenkins/plugins/PrioritySorter/4.0.0/PrioritySorter.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading blueocean-pipeline-api-impl from https://get.jenkins.io/plugins/blueocean-pipeline-api-impl/1.24.8/blueocean-pipeline-api-impl.hpi (attempt 1 of 3)
infra-jenkins-0 init Tried downloading windows-slaves from https://ftp.belnet.be/mirror/jenkins/plugins/windows-slaves/1.8/windows-slaves.hpi (attempt 1 of 3)

Version of Helm and Kubernetes:

Helm Version:

$ helm version
version.BuildInfo{Version:"v3.5.1", GitCommit:"32c22239423b3b4ba6706d450bd044baffdcf9e6", GitTreeState:"clean", GoVersion:"go1.15.7"}

Kubernetes Version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.7-eks-d88609", GitCommit:"d886092805d5cc3a47ed5cf0c43de38ce442dfcb", GitTreeState:"clean", BuildDate:"2021-07-31T00:29:12Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}

Which version of the chart:

3.5.10

What happened:

Upon deployment, the init container starts up and attempts to download the plugins, but it seems to fail with the following:

infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/warnings/latest/warnings.hpi, or download plugin warnings to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What you expected to happen:

I would have expected the init container to download the plugins successfully, without SSL errors.

How to reproduce it (as minimally and precisely as possible):

values.yaml:

        # For FQDN resolving of the master service. Change this value to match your existing configuration.
        # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md
        clusterZone: "cluster.local"

        controller:
          componentName: "jenkins-master"
          image: "jenkins/jenkins"
          imagePullSecretName: "dockerhub-auth"
          tag: "jdk11"
          numExecutors: 1
          customJenkinsLabels: [master]
          adminUser: "org-jenkins"
          resources:
            requests:
              cpu: "50m"
              memory: "2500Mi"
            limits:
              cpu: "1"
              memory: "2500Mi"
          javaOpts: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=90 -server -Djenkins.install.runSetupWizard=false -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
          jenkinsOpts: "--sessionTimeout=1440 --sessionEviction=86400"
          usePodSecurityContext: true
          serviceType: ClusterIP
          healthProbes: false

          initContainerEnv:
            - name: JAVA_OPTS
              value: >-
                -Djavax.net.ssl.trustStore="/opt/java/openjdk/lib/security/cacerts"
                -Djavax.net.ssl.trustStorePassword=""

          installPlugins:
          - ace-editor
          - all-changes
          - analysis-core
          - ansicolor
          - ant
          - antisamy-markup-formatter
          - apache-httpcomponents-client-4-api
          - authentication-tokens
          - authorize-project
          - aws-java-sdk
          - badge
          - blueocean
          - bouncycastle-api
          - branch-api
          - build-blocker-plugin
          - build-history-metrics-plugin
          - build-metrics
          - build-monitor-plugin
          - build-pipeline-plugin
          - build-timeout
          - build-with-parameters
          - buildtriggerbadge
          - cloudbees-folder
          - command-launcher
          - conditional-buildstep
          - config-file-provider
          - configuration-as-code:1.51
          - configuration-as-code-support
          - copyartifact
          - credentials-binding
          - credentials
          - dashboard-view
          - delivery-pipeline-plugin
          - dependency-check-jenkins-plugin
          - dependency-track
          - display-url-api
          - docker-commons
          - docker-workflow
          - durable-task
          - email-ext
          - envinject-api
          - envinject
          - environment-script
          - external-monitor-job
          - favorite
          - findbugs
          - flexible-publish
          - ghprb
          - git-client
          - git-server
          - git
          - github-api
          - github-branch-source
          - github-oauth
          - github
          - global-build-stats
          - global-slack-notifier
          - greenballs
          - groovy-postbuild
          - groovy
          - handlebars
          - handy-uri-templates-2-api
          - htmlpublisher
          - icon-shim
          - image-gallery
          - ivy
          - jackson2-api
          - jacoco
          - javadoc
          - jdk-tool
          - jenkins-design-language
          - jira
          - job-dsl
          - jobConfigHistory
          - join
          - jquery-detached
          - jquery
          - jsch
          - junit
          - kubernetes-credentials
          - kubernetes
          - ldap
          - lockable-resources
          - log-parser
          - mailer
          - mapdb-api
          - matrix-auth
          - matrix-project
          - maven-plugin
          - metrics
          - momentjs
          - pam-auth
          - parameterized-trigger
          - pipeline-build-step
          - pipeline-graph-analysis
          - pipeline-input-step
          - pipeline-milestone-step
          - pipeline-model-api
          - pipeline-model-declarative-agent
          - pipeline-model-definition
          - pipeline-model-extensions
          - pipeline-rest-api
          - pipeline-stage-step
          - pipeline-stage-tags-metadata
          - pipeline-stage-view
          - plain-credentials
          - plugin-usage-plugin
          - pmd
          - postbuild-task
          - postbuildscript
          - PrioritySorter
          - prometheus
          - pubsub-light
          - rebuild
          - resource-disposer
          - run-condition
          - s3
          - scm-api
          - script-security
          - sse-gateway
          - ssh-agent
          - ssh-credentials
          - ssh-slaves
          - slack
          - startup-trigger-plugin
          - structs
          - swarm
          - throttle-concurrents
          - timestamper
          - token-macro
          - translation
          - trilead-api
          - variant
          - view-job-filters
          - violations
          - warnings
          - windows-slaves
          - workflow-aggregator
          - workflow-api
          - workflow-basic-steps
          - workflow-cps-global-lib
          - workflow-cps
          - workflow-durable-task-step
          - workflow-job
          - workflow-multibranch
          - workflow-scm-step
          - workflow-step-api
          - workflow-support
          - ws-cleanup
          - xunit

          overwritePlugins: true
          overwritePluginsFromImage: true
          installLatestSpecifiedPlugins: true

          scriptApproval:
            - staticMethod java.time.ZoneId of java.lang.String
            - staticMethod java.time.LocalDateTime now java.time.ZoneId
            - method groovy.lang.GroovyObject getProperty java.lang.String
            - method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
            - method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object
            - staticField javaposse.jobdsl.dsl.views.jobfilter.MatchType EXCLUDE_MATCHED
            - staticField javaposse.jobdsl.dsl.views.jobfilter.Status ABORTED
            - staticField javaposse.jobdsl.dsl.views.jobfilter.Status DISABLED
            - staticField javaposse.jobdsl.dsl.views.jobfilter.Status STABLE
            - staticMethod Common getGitCredentials
            - staticMethod java.time.LocalDateTime now java.time.ZoneId
            - staticMethod java.time.ZoneId of java.lang.String
            - method groovy.lang.GroovyObject getProperty java.lang.String
            - method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
            - method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object

          JCasC:
            enabled: true
            defaultConfig: false
            authorizationStrategy: |-
              projectMatrix:
                permissions:
                - "Agent/Build:org-jenkins"
                - "Agent/Configure:org-jenkins"
                - "Agent/Connect:org-jenkins"
                - "Agent/Create:org-jenkins"
                - "Job/Read:anonymous"
                - "Job/Read:orgdevelopment*developers"
                - "Metrics/View:anonymous"
                - "Metrics/View:orgdevelopment*developers"
                - "Overall/Administer:orgdevelopment*Infrastructure"
                - "Overall/Administer:orgdevelopment*engineering-efficiency"
                - "Overall/Administer:orgdevelopment*jenkins-administrators"
                - "Overall/Read:anonymous"
                - "Overall/Read:org-jenkins"
                - "Overall/Read:orgdevelopment*developers"
                - "Overall/Read:orgdevelopment*jenkins-read-only"
                - "View/Read:anonymous"
                - "View/Read:orgdevelopment*developers"
            securityRealm: |-
              github:
                clientID: ""
                clientSecret: ""
                githubApiUri: "https://api.github.com"
                githubWebUri: "https://github.com"
                oauthScopes: "read:org,user:email"
            configScripts:
              welcome-message: |
                jenkins:
                  systemMessage: Infrastructure Jenkins
              settings: |
                jenkins:
                  agentProtocols:
                  - "JNLP3-connect"
                  - "JNLP4-connect"
                  - "Ping"
                  clouds:
                  - kubernetes:
                    ...

                  crumbIssuer:
                    standard:
                      excludeClientIPFromCrumb: true
                  disableRememberMe: false
                  globalNodeProperties:
                  labelString: "master"
                  markupFormatter: "plainText"
                  mode: EXCLUSIVE
                  myViewsTabBar: "standard"
                  numExecutors: 1
                  primaryView:
                    all:
                      name: "all"
                  projectNamingStrategy: "standard"
                  quietPeriod: 5
                  remotingSecurity:
                    enabled: true
                  scmCheckoutRetryCount: 0
                  slaveAgentPort: 50000
                  updateCenter:
                    sites:
                    - id: "default"
                      url: "https://updates.jenkins.io/update-center.json"
                security:
                  apiToken:
                    creationOfLegacyTokenEnabled: false
                    tokenGenerationOnCreationEnabled: false
                    usageStatisticsEnabled: true
                  envInject:
                    enableLoadingFromMaster: false
                    enablePermissions: false
                    hideInjectedVars: false
                  globalJobDslSecurityConfiguration:
                    useScriptSecurity: false
                  sSHD:
                    port: 1044
                unclassified:
                  ansiColorBuildWrapper:
                    colorMaps:
                    - black: "#000000"
                      blackB: "#4C4C4C"
                      blue: "#1E90FF"
                      blueB: "#4682B4"
                      cyan: "#00CDCD"
                      cyanB: "#00FFFF"
                      green: "#00CD00"
                      greenB: "#00FF00"
                      magenta: "#CD00CD"
                      magentaB: "#FF00FF"
                      name: "xterm"
                      red: "#CD0000"
                      redB: "#FF0000"
                      white: "#E5E5E5"
                      whiteB: "#FFFFFF"
                      yellow: "#CDCD00"
                      yellowB: "#FFFF00"
                    - black: "#000000"
                      blackB: "#555555"
                      blue: "#0000AA"
                      blueB: "#5555FF"
                      cyan: "#00AAAA"
                      cyanB: "#55FFFF"
                      defaultBackground: 0
                      defaultForeground: 7
                      green: "#00AA00"
                      greenB: "#55FF55"
                      magenta: "#AA00AA"
                      magentaB: "#FF55FF"
                      name: "vga"
                      red: "#AA0000"
                      redB: "#FF5555"
                      white: "#AAAAAA"
                      whiteB: "#FFFFFF"
                      yellow: "#AA5500"
                      yellowB: "#FFFF55"
                    - black: "black"
                      blackB: "black"
                      blue: "blue"
                      blueB: "blue"
                      cyan: "cyan"
                      cyanB: "cyan"
                      green: "green"
                      greenB: "green"
                      magenta: "magenta"
                      magentaB: "magenta"
                      name: "css"
                      red: "red"
                      redB: "red"
                      white: "white"
                      whiteB: "white"
                      yellow: "yellow"
                      yellowB: "yellow"
                    - black: "#2E3436"
                      blackB: "#2E3436"
                      blue: "#3465A4"
                      blueB: "#3465A4"
                      cyan: "#06989A"
                      cyanB: "#06989A"
                      defaultBackground: 0
                      defaultForeground: 7
                      green: "#4E9A06"
                      greenB: "#4E9A06"
                      magenta: "#75507B"
                      magentaB: "#75507B"
                      name: "gnome-terminal"
                      red: "#CC0000"
                      redB: "#CC0000"
                      white: "#D3D7CF"
                      whiteB: "#D3D7CF"
                      yellow: "#C4A000"
                      yellowB: "#C4A000"
                  badgePlugin:
                    disableFormatHTML: false
                  buildMonitorView:
                    permissionToCollectAnonymousUsageStatistics: false
                  buildStepOperation:
                    enabled: false
                  email-ext:
                    adminRequiredForTemplateTesting: false
                    allowUnregisteredEnabled: false
                    charset: "UTF-8"
                    debugMode: false
                    defaultBody: "$PROJECT_NAME - Build # $BUILD_NUMBER - $BUILD_STATUS:\r\n\r\nCheck\
                      \ console output at $BUILD_URL to view the results."
                    defaultContentType: "text/plain"
                    defaultSubject: "$PROJECT_NAME - Build # $BUILD_NUMBER - $BUILD_STATUS!"
                    maxAttachmentSize: -1
                    maxAttachmentSizeMb: 0
                    precedenceBulk: false
                    watchingEnabled: false
                  ghprbTrigger:
                    extensions:
                    - ghprbSimpleStatus:
                        addTestResults: false
                        showMatrixStatus: false
                  gitHubPluginConfig:
                    configs:
                    - credentialsId: "jenkins-github"
                      manageHooks: false
                    hookUrl: "https://infra-jenkins.dev.org.co.uk/github-webhook/"
                  gitSCM:
                    createAccountBasedOnEmail: false
                    globalConfigEmail: "jenkins@org.com"
                    globalConfigName: "jenkins"
                  globalSlackNotifier:
                    failureMessage: "Build failure!"
                    failureRoom: "infrastructure-builds"
                    notifyOnAborted: false
                    notifyOnFail: false
                    notifyOnNotBuilt: false
                    notifyOnSuccess: false
                    notifyOnUnstable: false
                  ivyBuildTrigger:
                    extendedVersionMatching: false
                  location:
                    adminAddress: "productionalerts@org.com"
                    url: "https://infra-jenkins.dev.org.co.uk/"
                  logParser:
                    legacyFormatting: false
                  mailer:
                    authentication:
                      password: ""
                      username: ""
                    charset: "UTF-8"
                    defaultSuffix: "@org.com"
                    smtpHost: "email-smtp.eu-west-1.amazonaws.com"
                    smtpPort: "587"
                    useSsl: false
                  mavenModuleSet:
                    localRepository: "default"
                  pollSCM:
                    pollingThreadCount: 10
                  prometheusConfiguration:
                    collectingMetricsPeriodInSeconds: 120
                    countAbortedBuilds: true
                    countFailedBuilds: true
                    countNotBuiltBuilds: true
                    countSuccessfulBuilds: true
                    countUnstableBuilds: true
                    defaultNamespace: ""
                    fetchTestResults: true
                    jobAttributeName: "jenkins_job"
                    path: "prometheus"
                    processingDisabledBuilds: false
                    useAuthenticatedEndpoint: false
                  shell:
                    shell: "/bin/bash"
                  slackNotifier:
                    botUser: false
                    room: "infrastructure-builds"
                    sendAsText: false
                    teamDomain: "org-team"
                    tokenCredentialId: "28815a77-e7df-4b15-a47a-dbb2fd33f0aa"
                  timestamper:
                    allPipelines: false
                    elapsedTimeFormat: "'<b>'HH:mm:ss.S'</b> '"
                    systemTimeFormat: "'<b>'HH:mm:ss'</b> '"
                  upstream:
                    globalUpstreamFilterStrategy: UseOldest
                tool:
                  git:
                    installations:
                    - home: "git"
                      name: "Default"

          sidecars:
            configAutoReload:
              enabled: true

          nodeSelector:
            org.co.uk/node-type: jenkins-server
          priorityClass: jenkins-server
          podAnnotations:
            prometheus.io/path: /prometheus
            prometheus.io/port: "8080"
            prometheus.io/scrape: "true"

          customConfigMap: false
          overwriteConfig: true
          overwriteJobs: false

          ingress:
            enabled: true
            apiVersion: "extensions/v1beta1"
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt
              kubernetes.io/ingress.class: nginx-internal
              kubernetes.io/tls-acme: "true"
            hostName: infra-jenkins-upgrade.dev.org.co.uk
            tls:
            - secretName: infra-jenkins-upgrade-tls
              hosts:
                - infra-jenkins-upgrade.dev.org.co.uk

          backendconfig:
            enabled: false

          route:
            enabled: false

          prometheus:
            enabled: false

          agent:
            enabled: false

        persistence:
          enabled: true
          storageClass: gp2
          annotations:
            "helm.sh/resource-policy": keep
          accessMode: "ReadWriteOnce"
          size: "100Gi"
          volumes:
          - name: jenkins-secrets
            secret:
              defaultMode: 420
              secretName: infra-jenkins-secrets
          mounts:
          - mountPath: /var/jenkins_secrets
            name: jenkins-secrets
            readOnly: true

        networkPolicy:
          enabled: false

        rbac:
          create: true

        serviceAccount:
          create: true
          name: infra-jenkins

        serviceAccountAgent:
          create: true
          name: infra-jenkins-agent

        backup:
          enabled: false

Anything else we need to know:

I tried with both the jdk11 and lts-jdk11 Jenkins instances.

Initially I ran the upgrade without this configuration, but then added it later after confirming that this is the correct path to the truststore in the lts-jdk11 base image:

          initContainerEnv:
            - name: JAVA_OPTS
              value: >-
                -Djavax.net.ssl.trustStore="/opt/java/openjdk/lib/security/cacerts"
                -Djavax.net.ssl.trustStorePassword=""

I have a feeling that there's something obvious I'm missing, but I can't figure out what that is. Any help appreciated.
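A triage sketch for the init container log in this report, added here as an example (it is not part of the issue or of the chart's code): it groups the download failures by host and failure class, using lines copied from the log above. The function names are hypothetical, and treating an HTTP status as evidence that certificate validation passed for that host is an inference about the same JVM and trust store.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lines copied from the init container log quoted in the issue above.
SAMPLE_LOG = """\
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/pmd.hpi, or download plugin pmd to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/pmd/latest/pmd.hpi, or download plugin pmd to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Unable to resolve dependencies for pmd
infra-jenkins-0 init Unable to resolve plugin URL https://updates.jenkins.io/latest/warnings.hpi, or download plugin warnings to file: status code: 404, reason phrase: Not Found
infra-jenkins-0 init Downloading from mirrors failed, falling back to https://archives.jenkins.io/
infra-jenkins-0 init Unable to resolve plugin URL https://archives.jenkins.io/plugins/warnings/latest/warnings.hpi, or download plugin warnings to file: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
infra-jenkins-0 init Tried downloading github from https://get.jenkins.io/plugins/github/1.33.1/github.hpi (attempt 1 of 3)
"""

FAIL_RE = re.compile(
    r"Unable to resolve plugin URL (?P<url>\S+), or download plugin "
    r"(?P<plugin>\S+) to file: (?P<reason>.+)$"
)
RETRY_RE = re.compile(
    r"Tried downloading (?P<plugin>\S+) from (?P<url>\S+) "
    r"\(attempt (?P<attempt>\d+) of (?P<total>\d+)\)"
)
STATUS_RE = re.compile(r"status code: (\d{3})")


def classify(reason):
    """Map the free-text failure reason to a coarse class."""
    if "PKIX path building failed" in reason:
        # The JVM could not build a chain from the server certificate to a trusted root.
        return "tls-trust"
    status = STATUS_RE.search(reason)
    if status:
        # An HTTP status means the TLS handshake completed before the server answered.
        return "http-" + status.group(1)
    return "other"


def triage(log_text):
    """Return {host: {failure_class: set_of_plugins}} for every download line."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            host = urlparse(m["url"]).hostname
            report[host][classify(m["reason"])].add(m["plugin"])
            continue
        m = RETRY_RE.search(line)
        if m:
            # Retry lines carry no reason, so they are only counted per host.
            host = urlparse(m["url"]).hostname
            report[host]["retry"].add(m["plugin"])
    return {host: dict(classes) for host, classes in report.items()}


def untrusted_hosts(report):
    """Hosts whose certificate chain the JVM trust store did not validate."""
    return sorted(h for h, c in report.items() if "tls-trust" in c)


def handshake_ok_hosts(report):
    """Hosts that returned an HTTP status over HTTPS (inference: validation passed)."""
    return sorted(
        h for h, c in report.items() if any(k.startswith("http-") for k in c)
    )


def trust_failure_is_host_specific(report):
    """True when some hosts fail PKIX validation while others complete TLS."""
    return bool(untrusted_hosts(report)) and bool(handshake_ok_hosts(report))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host in sorted(result):
        for failure_class, plugins in sorted(result[host].items()):
            print(f"{host:22} {failure_class:10} {', '.join(sorted(plugins))}")
    print("PKIX failures on:", untrusted_hosts(result))
    print("host-specific:", trust_failure_is_host_specific(result))
```

On this excerpt the PKIX failures are confined to archives.jenkins.io while updates.jenkins.io answered with a 404, which points the next check at the certificate chain the init container receives from archives.jenkins.io rather than at the trust store as a whole.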

torstenwalter commented 3 years ago

Do you have the root certificate in your trust store which is required to access the plugin download page?

If you created a trust store with just your own certificate and nothing else then you only trust websites which are using that one.

chris-vest commented 3 years ago

> Do you have the root certificate in your trust store which is required to access the plugin download page?
>
> If you created a trust store with just your own certificate and nothing else then you only trust websites which are using that one.

I only set the javax.net.ssl.trustStore after trying without that configuration, but it failed both ways.

Do I need to create a trust store for this to work? With version 2.1.0 of the chart I didn't need to do anything with trust stores.

torstenwalter commented 3 years ago

I just saw that you tried to configure a trust store; that's why I pointed it out:

                -Djavax.net.ssl.trustStore="/opt/java/openjdk/lib/security/cacerts"
                -Djavax.net.ssl.trustStorePassword=""

It should work without.

chris-vest commented 3 years ago

I've tried this with lots of different images, and all of them fail - that's without setting anything related to the trustStore. Any help would be appreciated. :pray:

mcr-paulanand commented 2 years ago

I think you need to set the cacerts password. The default password for cacerts is changeit.

                -Djavax.net.ssl.trustStore="/opt/java/openjdk/lib/security/cacerts"
                -Djavax.net.ssl.trustStorePassword="changeit"

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

kvanzuijlen commented 8 months ago

@timja can be closed