jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

Can not set googleOAuth2, get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor #674

Closed patsevanton closed 2 years ago

patsevanton commented 2 years ago

### Describe the bug

When using auth by googleOAuth2, I get the error `hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor`.

### Version of Helm and Kubernetes

- Helm: v3.7.0
- Kubernetes: v1.21.5

### Chart version

jenkins-4.1.13

### What happened?

```yaml
JCasC:
    defaultConfig: true
    configScripts: {}
    securityRealm: |-
      googleOAuth2:
        clientId:"xxx-xxx.apps.googleusercontent.com"
        clientSecret:"xxx-xxx"
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false
```

The configure script tries to connect to Jenkins, but gets the error `hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor`, because Jenkins uses googleOAuth2 auth.


### What you expected to happen?

I expect Jenkins to be configured correctly.

### How to reproduce it

```bash
helm upgrade --install --atomic jenkins -f jenkins-values.yaml jenkins/jenkins
```

### Anything else we need to know?

Full log pod jenkins-0

```
Defaulted container "jenkins" out of: jenkins, config-reload, init (init)
Running from: /usr/share/jenkins/jenkins.war
2022-08-03 07:17:25.775+0000 [id=1] INFO    org.eclipse.jetty.util.log.Log#initialized: Logging initialized @516ms to org.eclipse.jetty.util.log.JavaUtilLog
2022-08-03 07:17:25.881+0000 [id=1] INFO    winstone.Logger#logInternal: Beginning extraction from war file
2022-08-03 07:17:25.915+0000 [id=1] WARNING o.e.j.s.handler.ContextHandler#setContextPath: Empty contextPath
2022-08-03 07:17:25.998+0000 [id=1] INFO    org.eclipse.jetty.server.Server#doStart: jetty-9.4.45.v20220203; built: 2022-02-03T09:14:34.105Z; git: 4a0c91c0be53805e3fcffdcdcc9587d5301863db; jvm 11.0.15+10
2022-08-03 07:17:26.301+0000 [id=1] INFO    o.e.j.w.StandardDescriptorProcessor#visitServlet: NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
2022-08-03 07:17:26.357+0000 [id=1] INFO    o.e.j.s.s.DefaultSessionIdManager#doStart: DefaultSessionIdManager workerName=node0
2022-08-03 07:17:26.357+0000 [id=1] INFO    o.e.j.s.s.DefaultSessionIdManager#doStart: No SessionScavenger set, using defaults
2022-08-03 07:17:26.358+0000 [id=1] INFO    o.e.j.server.session.HouseKeeper#startScavenging: node0 Scavenging every 660000ms
2022-08-03 07:17:26.905+0000 [id=1] INFO    hudson.WebAppMain#contextInitialized: Jenkins home directory: /var/jenkins_home found at: EnvVars.masterEnvVars.get("JENKINS_HOME")
2022-08-03 07:17:27.114+0000 [id=1] INFO    o.e.j.s.handler.ContextHandler#doStart: Started w.@53bf7094{Jenkins v2.346.2,/,file:///var/jenkins_cache/war/,AVAILABLE}{/var/jenkins_cache/war}
2022-08-03 07:17:27.159+0000 [id=1] INFO    o.e.j.server.AbstractConnector#doStart: Started ServerConnector@6025e1b6{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2022-08-03 07:17:27.159+0000 [id=1] INFO    org.eclipse.jetty.server.Server#doStart: Started @1902ms
2022-08-03 07:17:27.164+0000 [id=23]    INFO    winstone.Logger#logInternal: Winstone Servlet Engine running: controlPort=disabled
2022-08-03 07:17:27.461+0000 [id=30]    INFO    jenkins.InitReactorRunner$1#onAttained: Started initialization
2022-08-03 07:17:27.682+0000 [id=30]    INFO    jenkins.InitReactorRunner$1#onAttained: Listed all plugins
2022-08-03 07:17:31.130+0000 [id=28]    INFO    jenkins.InitReactorRunner$1#onAttained: Prepared all plugins
2022-08-03 07:17:31.169+0000 [id=28]    INFO    jenkins.InitReactorRunner$1#onAttained: Started all plugins
2022-08-03 07:17:31.179+0000 [id=29]    INFO    jenkins.InitReactorRunner$1#onAttained: Augmented all extensions
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/var/jenkins_cache/war/WEB-INF/lib/groovy-all-2.4.21.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2022-08-03 07:17:32.469+0000 [id=29]    INFO    jenkins.InitReactorRunner$1#onAttained: System config loaded
2022-08-03 07:17:33.132+0000 [id=29]    WARNING i.j.p.casc.BaseConfigurator#createAttribute: Can't handle class org.csanchez.jenkins.plugins.kubernetes.PodTemplate#listener: type is abstract but not Describable.
2022-08-03 07:17:33.176+0000 [id=29]    SEVERE  jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping
    at io.jenkins.plugins.casc.model.CNode.asMapping(CNode.java:18)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:265)
    at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:82)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
    at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$null$2(HeteroDescribableConfigurator.java:86)
    at io.vavr.control.Option.map(Option.java:392)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
    at io.vavr.Tuple2.apply(Tuple2.java:238)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:92)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:55)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:350)
    at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:286)
    at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:776)
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:712)
Caused: io.jenkins.plugins.casc.ConfiguratorException: jenkins: error configuring 'jenkins' with class io.jenkins.plugins.casc.core.JenkinsConfigurator configurator
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:718)
    at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:776)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:761)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:637)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:306)
    at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:298)
Caused: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
Caused: java.lang.Error
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
    at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
    at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
    at jenkins.model.Jenkins$5.runTask(Jenkins.java:1158)
    at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:222)
    at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:121)
    at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-03 07:17:33.180+0000 [id=22]    SEVERE  hudson.util.BootFailure#publish: Failed to initialize Jenkins
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping
    at io.jenkins.plugins.casc.model.CNode.asMapping(CNode.java:18)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:265)
    at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:82)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
    at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$null$2(HeteroDescribableConfigurator.java:86)
    at io.vavr.control.Option.map(Option.java:392)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
    at io.vavr.Tuple2.apply(Tuple2.java:238)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:92)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:55)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:350)
    at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:286)
    at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:776)
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:712)
Caused: io.jenkins.plugins.casc.ConfiguratorException: jenkins: error configuring 'jenkins' with class io.jenkins.plugins.casc.core.JenkinsConfigurator configurator
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:718)
    at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:776)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:761)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:637)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:306)
    at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:298)
Caused: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
Caused: java.lang.Error
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
    at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
    at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
    at jenkins.model.Jenkins$5.runTask(Jenkins.java:1158)
    at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:222)
    at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:121)
    at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused: org.jvnet.hudson.reactor.ReactorException
    at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:291)
    at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
    at jenkins.model.Jenkins.executeReactor(Jenkins.java:1193)
    at jenkins.model.Jenkins.<init>(Jenkins.java:983)
    at hudson.model.Hudson.<init>(Hudson.java:86)
    at hudson.model.Hudson.<init>(Hudson.java:82)
    at hudson.WebAppMain$3.run(WebAppMain.java:247)
Caused: hudson.util.HudsonFailedToLoad
    at hudson.WebAppMain$3.run(WebAppMain.java:264)
2022-08-03 07:17:33.191+0000 [id=22]    INFO    hudson.lifecycle.Lifecycle#onStatusUpdate: Stopping Jenkins
2022-08-03 07:17:33.221+0000 [id=22]    INFO    jenkins.model.Jenkins$16#onAttained: Started termination
2022-08-03 07:17:33.250+0000 [id=22]    INFO    jenkins.model.Jenkins$16#onAttained: Completed termination
2022-08-03 07:17:33.250+0000 [id=22]    INFO    jenkins.model.Jenkins#_cleanUpDisconnectComputers: Starting node disconnection
2022-08-03 07:17:33.255+0000 [id=22]    INFO    jenkins.model.Jenkins#_cleanUpShutdownPluginManager: Stopping plugin manager
2022-08-03 07:17:33.278+0000 [id=22]    INFO    jenkins.model.Jenkins#_cleanUpPersistQueue: Persisting build queue
2022-08-03 07:17:33.287+0000 [id=22]    INFO    jenkins.model.Jenkins#_cleanUpAwaitDisconnects: Waiting for node disconnection completion
2022-08-03 07:17:33.288+0000 [id=22]    INFO    hudson.lifecycle.Lifecycle#onStatusUpdate: Jenkins stopped
```

timja commented 2 years ago

"get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor" is just a warning

patsevanton commented 2 years ago

I added the full log of pod jenkins-0.

timja commented 2 years ago

This is your error:

```
2022-08-03 07:17:33.176+0000 [id=29]    SEVERE  jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping
```

Not sure from a quick look but the yaml won't be quite right most likely

patsevanton commented 2 years ago

Hmm. Maybe. I will recheck.

patsevanton commented 2 years ago

Fixed. Working jenkins-values-google-login.yaml:

```yaml
---
controller:
  tag: "2.346.2-jdk11"
  imagePullPolicy: "IfNotPresent"
  numExecutors: 0

  additionalPlugins:
    - google-login:1.6
    - job-dsl:1.81
    - allure-jenkins-plugin:2.30.2
    - ws-cleanup:0.42
    - build-timeout:1.21
    - timestamper:1.18
    - google-storage-plugin:1.5.6
    - permissive-script-security:0.7
    - ansicolor:1.0.2
    - google-oauth-plugin:1.0.6

  javaOpts: '-Dpermissive-script-security.enabled=true'

  JCasC:
    configScripts:
      jenkins-configuration: |
        jenkins:
          systemMessage: This Jenkins is configured and managed 'as code' by Managed Cloud team.
      job-config: |
        jobs:
          - script: >
              pipelineJob('job1') {
                logRotator(120, -1, 1, -1)
                authenticationToken('secret')
                definition {
                  cps {
                    script("""\
                      pipeline {
                        agent any
                        parameters {
                            string(name: 'Variable', defaultValue: '', description: 'Variable', trim: true)
                        }
                        options {
                          timestamps()
                          ansiColor('xterm')
                          timeout(time: 10, unit: 'MINUTES')
                        }
                        stages {
                          stage ('build') {
                            steps {
                              cleanWs()
                              echo "hello job1"
                            }
                          }
                        }
                      }""".stripIndent())
                    sandbox()
                  }
                }
              }
          - script: >
              pipelineJob('job2') {
                logRotator(120, -1, 1, -1)
                authenticationToken('secret')
                definition {
                  cps {
                    script("""\
                      pipeline {
                        agent any
                        parameters {
                            string(name: 'Variable', defaultValue: '', description: 'Variable', trim: true)
                        }
                        options {
                          timestamps()
                          ansiColor('xterm')
                          timeout(time: 10, unit: 'MINUTES')
                        }
                        stages {
                          stage ('test') {
                            steps {
                              cleanWs()
                              echo "hello job2"
                            }
                          }
                        }
                      }""".stripIndent())
                    sandbox()
                  }
                }
              }
      views: |
        jenkins:
          views:
            - all:
                name: "all"
            - list:
                columns:
                - "status"
                - "weather"
                - "jobName"
                - "lastSuccess"
                - "lastFailure"
                - "lastDuration"
                - "buildButton"
                jobNames:
                - "job1"
                name: "stage"
            - list:
                columns:
                - "status"
                - "weather"
                - "jobName"
                - "lastSuccess"
                - "lastFailure"
                - "lastDuration"
                - "buildButton"
                jobNames:
                - "job2"
                name: "test"
          viewsTabBar: "standard"
    securityRealm: |-
      googleOAuth2:
        clientId: "xxx-xxx.apps.googleusercontent.com"
        clientSecret: "xxx-xxx"
        domain: ""
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false

  ingress:
    enabled: true
    ingressClassName: nginx
    apiVersion: networking.k8s.io/v1
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
    hostName: xxxx
    tls:
     - secretName: jenkins-tls
       hosts:
         - xxxx
```

soham-chakraborty1 commented 2 years ago

A question @patsevanton, have you found a way to encrypt the clientId and clientSecret and pass the encrypted values in the values.yaml file? Not with any external operator or project, but with whatever is given in the helm chart. I am trying to achieve that but my attempts are failing so far.

I will create a bug if you haven't found out a way, but wanted to ask first.