jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

Incorrect keystore mountpoint fails pod startup #488

Open bassplay3r opened 2 years ago

bassplay3r commented 2 years ago

Describe the bug: I'm moving from version 2 of the chart to version 3. I've noticed the keystore mountpoint has changed in the tpl, which breaks controller pod startup.

Version of Helm and Kubernetes:

Helm Version:

version.BuildInfo{Version:"v3.7.1", GitCommit:"1d11fcb5d3f3bf00dbe6fe31b8412839a96b3dc4", GitTreeState:"clean", GoVersion:"go1.16.9"}

Kubernetes Version:

Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

Which version of the chart: jenkins-3.8.3.tgz

What happened: Jenkins controller pod fails to start

    2021-10-19 13:54:26.427+0000 [id=1]     INFO    winstone.Logger#logInternal: Jetty shutdown successfully
    java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
            at winstone.Launcher.spawnListener(Launcher.java:226)
            at winstone.Launcher.<init>(Launcher.java:180)
            at winstone.Launcher.main(Launcher.java:369)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:566)
            at Main._main(Main.java:375)
            at Main.main(Main.java:151)
    Caused by: winstone.WinstoneException: No SSL key store found at /var/jenkins_keystore/keystore.jks
            at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:66)
            at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:53)
            at winstone.Launcher.spawnListener(Launcher.java:220)
            ... 8 more

I'm seeing that the mountpoint includes the filename keystore.jks:

    Mounts:
      /run/secrets/chart-admin-password from admin-secret (ro,path="jenkins-admin-password")
      /run/secrets/chart-admin-username from admin-secret (ro,path="jenkins-admin-user")
      /usr/share/jenkins/ref/plugins/ from plugin-dir (rw)
      /var/jenkins_config from jenkins-config (ro)
      /var/jenkins_home from jenkins-home (rw)
      /var/jenkins_keystore/keystore.jks from jenkins-https-keystore (rw) <---
      /var/run/secrets/kubernetes.io/serviceaccount from trident-ci-jenkins-token-k2cxn (ro)

This causes the keystore path of /var/jenkins_keystore/keystore.jks to be a directory. The keystore is then accessible via /var/jenkins_keystore/keystore.jks/..data/keystore.jks

    bellizzi@BELLIZZI-PC:~$ k -n trident-ci-production exec -it trident-ci-jenkins-0 -- keytool -list  -keystore /var/jenkins_keystore/keystore.jks/..data/keystore.jks -storepass <redacted>
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 4 entries
    <redacted>

Trying to use the expected path of /var/jenkins_keystore/keystore.jks returns a failure

    bellizzi@BELLIZZI-PC:~$ k -n trident-ci-production exec -it trident-ci-jenkins-0 -- keytool -list  -keystore /var/jenkins_keystore/keystore.jks -storepass <redacted>
    keytool error: java.lang.Exception: Keystore file does not exist: /var/jenkins_keystore/keystore.jks
    command terminated with exit code 1
    bellizzi@BELLIZZI-PC:~$

What you expected to happen: I would expect the mountpoint to be /var/jenkins_keystore so the pod could access the keystore as /var/jenkins_keystore/keystore.jks

How to reproduce it (as minimally and precisely as possible): Create a keystore. Add to the chart's values file:

    httpsKeyStore:
      enable: true
      httpPort: 8081
      path: "/var/jenkins_keystore"
      fileName: "keystore.jks"
      password: "<redacted>"
      jenkinsKeyStoreBase64Encoded: |
        <base64 keystore data>

Deploy the chart. Run the keytool commands previously stated.

Anything else we need to know:

bassplay3r commented 2 years ago

FYI if I edit the statefulset after deployment and correct the mountpoints by removing the /keystore.jks from it, it works
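A preflight check for the mount described in this report, added here as an example (it is not part of the thread or of the chart's code): it reads a workload in `kubectl get statefulset -o json` form and flags a secret or configMap volume mounted exactly at the keystore file path, which turns that path into a directory. It assumes the keystore path reaches Jenkins as a `--httpsKeyStore=` container argument; the sample manifest and its secret name are constructed.

```python
import json
import posixpath

# Constructed sample: a trimmed StatefulSet in the shape of
# `kubectl get statefulset -o json`, using the paths from the report.
# The secret name and the --httpsKeyStore argument are assumptions.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{
    "name": "jenkins",
    "args": ["--httpsKeyStore=/var/jenkins_keystore/keystore.jks"],
    "volumeMounts": [
      {"name": "jenkins-home", "mountPath": "/var/jenkins_home"},
      {"name": "jenkins-https-keystore",
       "mountPath": "/var/jenkins_keystore/keystore.jks"}]}],
  "volumes": [
    {"name": "jenkins-home", "emptyDir": {}},
    {"name": "jenkins-https-keystore",
     "secret": {"secretName": "example-keystore-secret"}}]}}}}
""")


def keystore_mount_problems(workload):
    """Return (container, mountPath, suggested mountPath) for every secret or
    configMap volume mounted exactly at the keystore file path without subPath.
    Such a mount makes the path a directory, so the keystore is never found."""
    pod = workload["spec"]["template"]["spec"]
    file_volumes = {v["name"] for v in pod.get("volumes", [])
                    if "secret" in v or "configMap" in v}
    problems = []
    for container in pod.get("containers", []):
        keystores = {posixpath.normpath(arg.split("=", 1)[1])
                     for arg in container.get("args", [])
                     if arg.startswith("--httpsKeyStore=")}
        for mount in container.get("volumeMounts", []):
            if mount["name"] not in file_volumes or mount.get("subPath"):
                continue  # a subPath mount of one key is a regular file
            path = posixpath.normpath(mount["mountPath"])
            if path in keystores:
                problems.append((container["name"], path,
                                 posixpath.dirname(path)))
    return problems


if __name__ == "__main__":
    for name, bad, good in keystore_mount_problems(SAMPLE):
        print(f"{name}: {bad} will be a directory; mount at {good} instead")
```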

torstenwalter commented 2 years ago

@bassplay3r Could you create a PR for it? The problem should be here https://github.com/jenkinsci/helm-charts/blob/23695c9/charts/jenkins/templates/jenkins-controller-statefulset.yaml#L228-L230. I have not checked if we have a unit test for it. If not it would be great to add one.

bassplay3r commented 2 years ago

I'm happy to create a PR, but I'm a unittest n00b so may need some help there.

bassplay3r commented 2 years ago

So I tried to create a branch so I could create a PR from it, which is the only flow I know, and I'm not allowed to push to the repo.

lemeurherve commented 2 years ago

@bassplay3r to contribute you'll have to fork this repository, create a branch on your fork, commit your changes and push them, then you'll be able to create a pull request on this repository.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.