Open tomsunyu opened 3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This might be a duplicate of https://github.com/jenkinsci/helm-charts/issues/435 (see https://github.com/jenkinsci/helm-charts/issues/435#issuecomment-1001520554).
I still see some "No valid crumb was included in the request" errors in the logs but JCasC (etc.) is working.
Nvm, it was only working properly during the initial installation. A helm upgrade didn't always update the configuration (depending on the changes - e.g., changes to additionalPlugins did trigger a full rebuild and that succeeded).
A colleague already discovered https://github.com/jenkinsci/configuration-as-code-plugin/blob/68d1572a254bf39ff967d34e83c02b661ae4e6ab/docs/features/configurationReload.md.
It's disabled by default and secured via a token configured either by the environment variable CASC_RELOAD_TOKEN or the system property casc.reload.token. If both are set, the environment variable takes precedence.
This chart configures casc.reload.token here:
And the URL is defined here:
In our case it likely doesn't work because we override the default via jenkins.initContainerEnv.JAVA_OPTS (instead of jenkins.controller.javaOpts - example).
One can also set it via jenkins.initContainerEnv.CASC_RELOAD_TOKEN.
_Regarding the security: I do wonder whether it's smart to use $(POD_NAME) by default... :o According to the documentation the token is there to secure the configuration reloading and the someSecretValue example in the documentation also implies that it should be a secret value. I haven't analyzed this yet but if the config reloading URL is also accessible from outside the K8s cluster/namespace this could allow an attacker to load an arbitrary Jenkins configuration (edit: nvm, I thought one could also post the configuration via the payload but it's only for triggering a reload). (And even if it shouldn't be accessible from untrusted sources I'd recommend to use a random/secure token by default to avoid "accidents".)_
(Edit: That endpoint is indeed accessible from a public URL but given that it only allows to trigger a configuration reload and not to alter the configuration it should be acceptable (not ideal but seems like it's at most a potential DoS opportunity).)
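The token rules discussed above (environment variable over system property, and the recommendation of a random value instead of $(POD_NAME)), as an added Python model; this is not code from the helm chart or the JCasC plugin, and the function names and the pod-name pattern are assumptions:

```python
"""Added example (not the chart's or the plugin's code): models the JCasC
reload-token rules from this thread plus a secure default. Helper names
and the pod-name pattern are assumptions."""
import hmac
import re
import secrets
from typing import Mapping, Optional

ENV_KEY = "CASC_RELOAD_TOKEN"    # environment variable, takes precedence
PROP_KEY = "casc.reload.token"   # Java system property, fallback

# A StatefulSet pod name such as "jenkins-demo-0" is predictable; flag it.
POD_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?-\d+$")


def effective_reload_token(env: Mapping[str, str],
                           sysprops: Mapping[str, str]) -> Optional[str]:
    """Resolve the configured token: the env var wins over the system
    property; None means reloading stays disabled (the plugin default)."""
    token = env.get(ENV_KEY) or sysprops.get(PROP_KEY)
    return token or None


def generate_reload_token(nbytes: int = 32) -> str:
    """Random URL-safe token suitable for ?casc-reload-token=..."""
    return secrets.token_urlsafe(nbytes)


def looks_like_pod_name(token: str) -> bool:
    """True when the token is shaped like a StatefulSet pod name."""
    return POD_NAME_RE.fullmatch(token) is not None


def authorize_reload(presented: Optional[str], env: Mapping[str, str],
                     sysprops: Mapping[str, str]) -> bool:
    """Decide whether a reload request may proceed. A constant-time
    comparison keeps the token from leaking through response timing."""
    expected = effective_reload_token(env, sysprops)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())
```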
And finally the full crumb error message for reference:
```
[2022-04-29 08:52:38] POST request sent to http://localhost:8080/reload-configuration-as-code/?casc-reload-token=jenkins-demo-0. Response: 403 Forbidden <html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/reload-configuration-as-code/</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.43.v20210629</a><hr/>
</body>
</html>
```
And this is what it should look like instead:
```
[2022-04-29 09:15:02] Working on ADDED configmap jenkins-helm/jenkins-demo-jenkins-jcasc-config
[2022-04-29 09:15:14] POST request sent to http://localhost:8080/reload-configuration-as-code/?casc-reload-token=jenkins-demo-0. Response: 200 OK
[2022-04-29 09:15:14] Working on ADDED configmap jenkins-helm/jenkins-demo-jenkins-config-k8s-cloud
[2022-04-29 09:15:14] POST request sent to http://localhost:8080/reload-configuration-as-code/?casc-reload-token=jenkins-demo-0. Response: 200 OK
[2022-04-29 09:15:14] Working on ADDED configmap jenkins-helm/jenkins-demo-jenkins-config-welcome-message
[2022-04-29 09:15:15] POST request sent to http://localhost:8080/reload-configuration-as-code/?casc-reload-token=jenkins-demo-0. Response: 200 OK
```
Can't log in to Jenkins; the install steps are as follows:
```shell
helm repo add jenkins https://charts.jenkins.io
helm repo update
helm install jenkins-k8s jenkins/jenkins \
  --namespace jenkins-ns \
  --set controller.tag=2.346.2-jdk11 \
  --set controller.serviceType=LoadBalancer \
  --set controller.serviceExternalTrafficPolicy=Local \
  --set controller.healthProbes=false \
  --set controller.additionalPlugins[0]=strict-crumb-issuer \
  --set controller.initializeOnce=true \
  --set controller.sidecars.configAutoReload.enabled=false \
  --set persistence.storageClass=local-path \
  --set persistence.size=24Gi \
  -f values.yaml
```
I had the above 403 issue upon login as well, and I fixed it. Sharing the solution here. The issue is with the setup of securityRealm. In the documentation, it says to set up this block:
```yaml
securityRealm: |-
  local:
    allowsSignup: false
    enableCaptcha: false
    users:
    - id: "${chart-admin-username}"
      name: "Jenkins Admin"
      password: "${chart-admin-password}"
authorizationStrategy: |-
  loggedInUsersCanDoAnything:
    allowAnonymousRead: false
```
under `JCasC:`.
But actually it should be under:
```yaml
JCasC:
  jenkins:
```
This is the only way it works. Got it from the configuration-as-code plugin documentation: https://github.com/jenkinsci/configuration-as-code-plugin/blob/a6983ff60e0cf198ce02d7992bcba927197174db/demos/matrix-auth/README.md
After setting it like that, I'm able to login using the admin user, with no 403 crumb error.
@idlefella - Should I open a PR to fix the documentation?
Hi @hilafish I don't see why I'm mentioned here, I have made so far only a small contribution to that project :blush:
I think I searched for maintainers and you were the only one I could find at that time who related to this section of the project. Oh well :)
When I log in to the Jenkins web page with the user admin, a problem occurred: HTTP ERROR 403 No valid crumb was included in the request. How do I resolve the problem?