Closed lhupfeldt closed 7 months ago
It's a well-known issue, check https://github.com/jenkinsci/kubernetes-operator/issues/834. Any external source of auth will break the operator login since it's using a "local" user.
The fix is spawning a token from a robot user that you need to create inside your SSO (can be GitHub, LDAP, SAML, etc.), spawn an API key and change the API key in the jenkins-operator-credentials-<CR> credentials so the operator will use that API key to log in to Jenkins (I never tried with user and password instead of the API key, but it will probably work as well).
TL;DR: you need a robot account.
We have configured GitHub Auth in JCasC. Jenkins is started correctly and the GitHub auth is working correctly after Jenkins has started, but afterwards the operator can no longer communicate with the Jenkins API, getting this error:
2024-01-29T09:48:55.696Z WARN controller-jenkins Reconcile loop failed 10 times with the same errors, giving up: couldn't poll data from Jenkins API, invalid status code returned: 401
We can log in to the Jenkins UI with the operator service user and other users with GitHub access. The GitHub token of the operator service user can be used to access the Jenkins API.
We are running the operator and Jenkins in separate namespaces. We have configured the jenkins-operator-credentials-jenkins in both namespaces. We have tried setting the tokenCreationTime in the future as suggested in #392. It seems the operator is not using the configured credentials.
This may be the same issue as #949
Everything works correctly with Jenkins local authentication.
Additional information
Kubernetes version: v1.26.11+rke2r1
Jenkins Operator version: 0.8.0-beta2 and 0.8.0