
Jenkins Operator Active Directory #47

Closed
s1apped opened this issue Jul 8, 2019 · 22 comments

@s1apped

s1apped commented Jul 8, 2019

Hi,

Does the operator support Active Directory credentials? I set up the Azure Active Directory security realm with matrix-based security.
Everything is set up properly. I'm able to log in, but when some change is triggered, i.e. the
jenkins-operator-user-configuration pipeline, it doesn't start. This message is displayed in the logs:
Reconcile loop failed: couldn't poll data from Jenkins API, invalid status code returned: 403

I played around with jenkins-operator-credentials but no success.

Thanks.

@s1apped s1apped closed this as completed Jul 9, 2019
@Michalosu

Michalosu commented Jul 22, 2019

Hi,

I would like to re-open this issue. I know that AD/LDAP can be configured via Groovy scripts or the CasC plugin. In my case, if LDAP is configured, the jenkins-operator user is not able to do anything via the API, even if that user has admin rights in "Project-based Matrix Authorization Strategy".

Logs from operator:
2019-07-22T13:00:13.175Z WARN controller-jenkins jenkins/jenkins_controller.go:167 Reconcile loop failed: couldn't poll data from Jenkins API, invalid status code returned: 500 {"cr": "misio-jenkins"}

Logs from jenkins pod:
Jul 22, 2019 12:54:40 PM jenkins.security.BasicHeaderApiTokenAuthenticator authenticate WARNING: API token matched for user jenkins-operator but the impersonation failed org.acegisecurity.userdetails.UsernameNotFoundException: User jenkins-operator not found in directory.

Do you have some idea/advice on how to resolve this problem? Or how did you resolve your case?
Currently, the operator username is hardcoded in the code. What do you think about parametrizing this name, so that it can be changed in the YAML of the CRD?

@s1apped

s1apped commented Jul 22, 2019

Hi,

I added a user for jenkins-operator to AD and then modified the jenkins-operator-credentials-<cr_name> secret with the new credentials.
Using Groovy scripts, I gave this user admin rights in "Azure AD Matrix Authorization Strategy".

That did the trick for me.

Cheers.

@tomaszsek

@bechampion

Hi there, that doc link points to a 404. Do you have up-to-date documentation on using LDAP/AD creds?

@tomaszsek

Hi @bechampion

We don't have docs on how to use LDAP, but it is possible. Please be aware:

Any change to the Security Realm or Authorization requires that the user called jenkins-operator has admin rights, because Jenkins Operator calls the Jenkins API.

Cheers

@chrisgrove-keysight

Is it possible to modify the 'jenkins-operator' username as part of the Jenkins Pod Deployment? It is non-trivial to add jenkins-operator to our directory service.

@tomaszsek

@chrisgrove-keysight You can, just edit the secret created by the operator:

kubectl get secret jenkins-operator-credentials-<cr_name> -o 'jsonpath={.data.user}' | base64 -d
kubectl get secret jenkins-operator-credentials-<cr_name> -o 'jsonpath={.data.password}' | base64 -d

@chrisgrove-keysight

To clarify - I want to set the user value before the credential is created. We need to deploy several Jenkins instances. I would prefer setting the user jenkins-operator-credentials-<cr_name> as part of the deployment compared to editing the credential secret after the pod is launched.

@tomaszsek

@chrisgrove-keysight Currently it is not possible. Please create an issue to allow setting the user name in the Jenkins CR.

@admssa

admssa commented Mar 30, 2020

I'm using Keycloak and am able to log in with the jenkins-operator credentials in the console, but I'm still getting this in the operator logs:

2020-03-29T19:16:11.860Z	WARN	controller-jenkins	jenkins/jenkins_controller.go:171	Reconcile loop failed: couldn't poll data from Jenkins API, invalid status code returned: 403	{"cr": "jenkins"}
2020-03-30T08:39:46.260Z	INFO	controller-jenkins	jenkins/handler.go:41	*v1.ConfigMap/jenkins-configuration has been updated	{"cr": "jenkins"}
2020-03-30T08:39:46.424Z	WARN	controller-jenkins	jenkins/jenkins_controller.go:152	Reconcile loop failed 10 times with the same error, giving up: couldn't poll data from Jenkins API, invalid status code returned: 403	{"cr": "jenkins"}

Is there any option to get extended logs?

@tomaszsek

@admssa Please look at #303

@admssa

admssa commented Mar 30, 2020

@tomaszsek I'm using 2.204.5; this is not a "crumbs issue".

@tomaszsek

@admssa Did you edit the:

kubectl get secret jenkins-operator-credentials-<cr_name> -o 'jsonpath={.data.user}' | base64 -d
kubectl get secret jenkins-operator-credentials-<cr_name> -o 'jsonpath={.data.password}' | base64 -d

with credentials from AD?

@admssa

admssa commented Mar 30, 2020

I'm not using LDAP. I'm using Keycloak OpenID Connect and the Keycloak plugin.
As I mentioned, I created the jenkins-operator user in my realm (with the password from the secret). And yes, I'm able to log in with this user's credentials through Keycloak.
On the Jenkins side, everything works fine. But it seems the operator can't log in this way.

      keycloakSecurityRealm:
        keycloakJson: |-
          {
            "realm": "{{ tech_realm }}",
            "auth-server-url": "https://auth.{{ main_zone_domain }}/",
            "ssl-required": "external",
            "resource": "Jenkins",
            "public-client": true,
            "confidential-port": 0
          }
        keycloakRespectAccessTokenTimeout: true
        keycloakValidate: false

@tomaszsek

@admssa Did you give admin access to the jenkins-operator user through configuration?

@admssa

admssa commented Mar 30, 2020

Sure. It has admin access.

@tomaszsek

The last thing that can be wrong is that the user name in Keycloak is different, or it can be an email or something else.

@admssa

admssa commented Mar 31, 2020

@tomaszsek I suspect the operator can't authenticate and tries to get access as anonymous, and then gets a 403. Authentication through Keycloak is performed on the redirected page; this may be an issue if the gojenkins request doesn't follow this redirection.

Anyway, in its current state, jenkins-operator auth is a black box for me. I can't investigate it with the current log level. I don't even know where it tries to connect. Unfortunately, I don't know Go well enough to extend the logging or to analyse the requests in the gojenkins functions.

@apogrebnyak

This may be related -> #133 (comment)

If token and tokenCreationTime are deleted, then communication will be broken, and you will see the same crumbs message even with releases prior to 2.222.1

@ncrothe

ncrothe commented Oct 16, 2020

We are running into similar issues after setting up Azure AD auth. Login via the UI works fine, but the operator can't talk to the API anymore after configuring it. I can even log in as the configured jenkins-operator user, but for unknown reasons the operator is failing with API access.
Pure stab in the dark: could it be due to the OAuth-ness of it, typically leading to a redirect to the auth provider's page? I.e. in the UI I see Jenkins is sending me to Azure AD to log in before it comes back. How does that flow work on the API level? Is there a redirect as well, and is that being followed etc. by the operator code?

@yakirtzad

Hi guys,
Please check in Configure Global Security in the Jenkins environment that your jenkins-operator user has been configured with Administer privileges.

For example:
"USER:Overall/Administer:jenkins-operator"
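A small diagnostic that ties the pieces of this thread together: it decodes the same `user`/`password` fields of the `jenkins-operator-credentials-<cr_name>` secret that the kubectl one-liners above read, sends them with HTTP Basic auth to the standard Jenkins `/whoAmI/api/json` endpoint, and maps the result onto the failure modes reported here (500 when the realm cannot load the user, 403 or `anonymous` when the credentials are ignored, a redirect to an OAuth/OIDC login page, or a clean `authenticated` result, after which a remaining 403 points at the missing `Overall/Administer` grant). This is added example code, not part of the jenkins-operator project; it assumes `kubectl` is on the path and a reachable Jenkins URL.

```python
import base64
import json
import subprocess
import sys
import urllib.error
import urllib.request

def operator_credentials(cr_name, namespace="default"):
    """Decode user/password from jenkins-operator-credentials-<cr_name> (same fields as the kubectl one-liners)."""
    out = subprocess.check_output(["kubectl", "-n", namespace, "get", "secret",
                                   f"jenkins-operator-credentials-{cr_name}", "-o", "json"])
    data = json.loads(out)["data"]
    return (base64.b64decode(data["user"]).decode(),
            base64.b64decode(data["password"]).decode())

def whoami(jenkins_url, user, password):
    """GET /whoAmI/api/json with HTTP Basic auth; returns (status, body, redirected_away)."""
    base = jenkins_url.rstrip("/")
    req = urllib.request.Request(base + "/whoAmI/api/json")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw, final_url, status = resp.read(), resp.geturl(), resp.status
    except urllib.error.HTTPError as err:
        return err.code, {}, False
    try:
        body = json.loads(raw)          # an IdP login page (HTML) is not JSON
    except ValueError:
        body = {}
    return status, body, not final_url.startswith(base)

def diagnose(status, body, expected_user, redirected=False):
    """Map a whoAmI result onto the failure modes seen in this thread."""
    if redirected:
        return "redirected-to-idp"        # OAuth/OIDC realm sent the API call to a login page
    if status == 500:
        return "realm-lookup-failed"      # token matched but the realm could not load the user
    if status == 401:
        return "credentials-rejected"     # realm refused the user/password from the secret
    if status == 403 or body.get("name") == "anonymous":
        return "treated-as-anonymous"     # Basic auth ignored; compare realm username with secret
    if status == 200 and body.get("name") == expected_user:
        return "authenticated"            # any remaining 403 means missing Overall/Administer
    return f"unexpected:{status}:{body.get('name')}"

if __name__ == "__main__":              # usage: python3 diag.py https://jenkins.example <cr_name> [namespace]
    user, password = operator_credentials(sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else "default")
    code, doc, away = whoami(sys.argv[1], user, password)
    print(code, doc.get("name"), doc.get("authorities"), "->", diagnose(code, doc, user, away))
```

The `authorities` list printed at the end shows which groups the realm resolved for the user, which is what the matrix strategy matches the `USER:Overall/Administer:jenkins-operator` entry against.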
