Jenkins Operator Active Directory #47
Comments
Hi, I would like to re-open this issue. I know that AD/LDAP can be configured via groovy scripts or casc plugin. In my case, if LDAP is configured jenkins-operator user is not able to do anything via API, even if that user has admin rights in "Project-based Matrix Authorization Strategy". Logs from operator: Logs from jenkins pod: Do you have some idea/advice on how to resolve this problem? Or how did you resolve your case? |
Hi, I added user for jenkins-operator to AD and then modified jenkins-operator-credentials-<cr_name> secret with new credentials. That did the trick for me. Cheers. |
Hi @Michalosu, You can change the username by editing the secret https://github.com/jenkinsci/kubernetes-operator/blob/master/docs/getting-started.md#jenkins-login-credentials. Cheers |
Hi there, that doc link points to a 404, do you have up-to-date documentation on using ldap/ad creds? |
Hi @bechampion We don't have docs on how to use LDAP, but it is possible. Please be aware:
Cheers |
Is it possible to modify the 'jenkins-operator' username as part of the Jenkins Pod Deployment? It is non-trivial to add jenkins-operator to our directory service. |
@chrisgrove-keysight You can, just edit secret created by the operator:
|
To clarify - I want to set the user value before the credential is created. We need to deploy several Jenkins instances. I would prefer setting the user jenkins-operator-credentials-<cr_name> as part of the deployment compared to editing the credential secret after the pod is launched. |
@chrisgrove-keysight Currently it is not possible. Please create an issue to allow setting the user name in the Jenkins CR. |
I'm using keycloak and able to login with jenkins-operator credentials into the console, but I'm still getting this in operator logs:
Is there any option to get extended logs? |
|
@tomaszsek I'm using 2.204.5, this is not a "crumbs issue" |
@admssa Did you edit the:
with credentials from AD? |
I'm not using LDAP. I'm using keycloak OpenID-connect and the keycloak plugin.
|
@admssa Did you give admin access to |
Sure. It has admin access |
The last thing that can be wrong is that the user name in keycloak is different, or it can be an email or something else. |
@tomaszsek I suspect the operator can't authenticate and tries to get access as anonymous. Then gets 403. Authentication through keycloak is performed on the redirected page, this may be an issue if the gojenkins request doesn't follow this redirection. Anyway, in its current state, jenkins-operator auth is a black box for me. I can't investigate it with the current log level. I don't even know where it tries to connect. Unfortunately, I don't know 'go' well enough to extend logging or to analyse requests in gojenkins functions. |
This may be related -> #133 (comment) If |
We are running into similar issues after setting up Azure AD auth. Login via UI works fine, but operator can't talk to the API anymore after configuring it. I can even log in as the configured jenkins-operator user, but for unknown reasons the operator is failing with API access. |
Hi guys, For example: |
Hi,
Does the operator support active directory credentials? I set up Azure Active Directory security realm with matrix based security.
Everything is set up properly. I'm able to login but when some change is being triggered i.e
jenkins-operator-user-configuration pipeline doesn't start. Message is displayed in logs
Reconcile loop failed: couldn't poll data from Jenkins API, invalid status code returned: 403
I played around with jenkins-operator-credentials but no success.
Thanks.