
Incorrect keystore mountpoint fails pod startup

Open • bassplay3r opened this issue 3 years ago • 6 comments

Describe the bug: I'm moving from version 2 of the chart to version 3. I've noticed the keystore mountpoint has changed in the tpl, which breaks controller pod startup.

Version of Helm and Kubernetes:

Helm Version:

    version.BuildInfo{Version:"v3.7.1", GitCommit:"1d11fcb5d3f3bf00dbe6fe31b8412839a96b3dc4", GitTreeState:"clean", GoVersion:"go1.16.9"}

Kubernetes Version:

    Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

Which version of the chart: jenkins-3.8.3.tgz

What happened: Jenkins controller pod fails to start.

    2021-10-19 13:54:26.427+0000 [id=1]     INFO    winstone.Logger#logInternal: Jetty shutdown successfully
    java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
            at winstone.Launcher.spawnListener(Launcher.java:226)
            at winstone.Launcher.<init>(Launcher.java:180)
            at winstone.Launcher.main(Launcher.java:369)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:566)
            at Main._main(Main.java:375)
            at Main.main(Main.java:151)
    Caused by: winstone.WinstoneException: No SSL key store found at /var/jenkins_keystore/keystore.jks
            at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:66)
            at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:53)
            at winstone.Launcher.spawnListener(Launcher.java:220)
            ... 8 more

I'm seeing the mountpoint includes the filename keystore.jks:

    Mounts:
      /run/secrets/chart-admin-password from admin-secret (ro,path="jenkins-admin-password")
      /run/secrets/chart-admin-username from admin-secret (ro,path="jenkins-admin-user")
      /usr/share/jenkins/ref/plugins/ from plugin-dir (rw)
      /var/jenkins_config from jenkins-config (ro)
      /var/jenkins_home from jenkins-home (rw)
      /var/jenkins_keystore/keystore.jks from jenkins-https-keystore (rw) <---
      /var/run/secrets/kubernetes.io/serviceaccount from trident-ci-jenkins-token-k2cxn (ro)

This causes the keystore path of /var/jenkins_keystore/keystore.jks to be a directory. The keystore is then accessible via /var/jenkins_keystore/keystore.jks/..data/keystore.jks

    bellizzi@BELLIZZI-PC:~$ k -n trident-ci-production exec -it trident-ci-jenkins-0 -- keytool -list  -keystore /var/jenkins_keystore/keystore.jks/..data/keystore.jks -storepass <redacted>
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 4 entries
    <redacted>

Trying to use the expected path of /var/jenkins_keystore/keystore.jks returns a failure:

    bellizzi@BELLIZZI-PC:~$ k -n trident-ci-production exec -it trident-ci-jenkins-0 -- keytool -list  -keystore /var/jenkins_keystore/keystore.jks -storepass <redacted>
    keytool error: java.lang.Exception: Keystore file does not exist: /var/jenkins_keystore/keystore.jks
    command terminated with exit code 1
    bellizzi@BELLIZZI-PC:~$

What you expected to happen: I would expect the mountpoint to be /var/jenkins_keystore so the pod could access the keystore as /var/jenkins_keystore/keystore.jks

How to reproduce it (as minimally and precisely as possible): Create a keystore. Add to the chart's values file:

    httpsKeyStore:
      enable: true
      httpPort: 8081
      path: "/var/jenkins_keystore"
      fileName: "keystore.jks"
      password: "<redacted>"
      jenkinsKeyStoreBase64Encoded: |
        <base64 keystore data>

Deploy the chart, then run the keytool commands previously stated.

Anything else we need to know:

bassplay3r • Oct 19 '21 14:10

FYI if I edit the statefulset after deployment and correct the mountpoints by removing the /keystore.jks from it, it works

bassplay3r • Oct 19 '21 17:10
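
The failure reported above can be caught before deployment by checking the rendered StatefulSet for a file path that is also a volume mount point. This is an added example, not code from the chart or its maintainers; the manifest is a constructed sample, and the `--httpsKeyStore=` argument and the function names are assumptions.

```python
import copy
import json
import posixpath

# Constructed sample (not real cluster output), shaped like `kubectl get -o json`.
# The --httpsKeyStore argument is an assumption about how the path is passed.
BROKEN = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "jenkins",
  "args": ["--httpsKeyStore=/var/jenkins_keystore/keystore.jks"],
  "volumeMounts": [
    {"name": "jenkins-home", "mountPath": "/var/jenkins_home"},
    {"name": "jenkins-https-keystore",
     "mountPath": "/var/jenkins_keystore/keystore.jks"}]}]}}}}
""")

# Same manifest with the mount moved up to the directory, as in the workaround.
FIXED = copy.deepcopy(BROKEN)
FIXED["spec"]["template"]["spec"]["containers"][0]["volumeMounts"][1][
    "mountPath"] = "/var/jenkins_keystore"

def classify(path, mounts):
    """Say what `path` will be inside the container, given its volumeMounts."""
    status = "unmounted"
    for m in mounts:
        mount_path = posixpath.normpath(m["mountPath"])
        if mount_path == path:
            # Without subPath the whole volume is mounted, so the mount point
            # is a directory even when its name looks like a file name.
            return "file" if m.get("subPath") else "directory"
        if not m.get("subPath") and path.startswith(mount_path.rstrip("/") + "/"):
            status = "covered"  # a directory mount above the file
    return status

def check_file_args(manifest, flags=("--httpsKeyStore=",)):
    """Map every file path passed through `flags` to its classify() result."""
    results = {}
    for container in manifest["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            for flag in flags:
                if arg.startswith(flag):
                    path = posixpath.normpath(arg[len(flag):])
                    results[path] = classify(path, container.get("volumeMounts", []))
    return results

if __name__ == "__main__":
    print("broken:", check_file_args(BROKEN))
    print("fixed: ", check_file_args(FIXED))
```

A result of `directory` for a path the application opens as a file is the condition to fail the build on.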

@bassplay3r Could you create a PR for it? The problem should be here https://github.com/jenkinsci/helm-charts/blob/23695c9/charts/jenkins/templates/jenkins-controller-statefulset.yaml#L228-L230. I have not checked if we have a unit test for it. If not it would be great to add one.

torstenwalter • Oct 20 '21 06:10

I'm happy to create a PR but I'm a unittest n00b so may need some help there

bassplay3r • Oct 20 '21 12:10

So I tried to create a branch so I could create a PR from it, which is the only flow I know, and I'm not allowed to push to the repo

bassplay3r • Oct 20 '21 13:10

@bassplay3r to contribute you'll have to fork this repository, create a branch on your fork, commit your changes and push them, then you'll be able to create a pull request on this repository.

lemeurherve • Oct 20 '21 15:10

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] • Apr 16 '22 10:04