
I am using the latest HELM stable/jenkins charts installed on my single node cluster for testing.

  1. Install NFS provisioner.

helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm install nfs-client-provisioner stable/nfs-client-provisioner --version 1.2.8 --set nfs.server=*** --set nfs.path=/k8snfs --set storageClass.name=nfs --wait

  2. Install stable/jenkins. Only custom values were serviceType and storageClass.

helm install jenkins stable/jenkins -f newJenkins.values -n jenkins

The newJenkins.values has the following.

master:
  adminPassword: admin
  serviceType: NodePort
  initContainerEnv:
    - name: http_proxy
      value: "http://***:80"
    - name: https_proxy
      value: "http://***:80"
    - name: no_proxy
      value: "***"
  containerEnv:
    - name: http_proxy
      value: "http://***:80"
    - name: https_proxy
      value: "http://***:80"
    - name: no_proxy
      value: "***"
  javaOpts: >-
    -Dhttp.proxyHost=***
    -Dhttp.proxyPort=80
    -Dhttps.proxyHost=***
    -Dhttps.proxyPort=80
persistence:
  storageClass: nfs

  3. Log in to Jenkins and create a Jenkins credential of type "Kubernetes Service Account".
  4. Under "Configure Clouds", I leave all defaults and press "Test Connection". Test fails.
  5. In the credentials dropdown, I chose 'secret-text' and pressed the button again. Still fails.

The error reported was.

Error testing connection https://kubernetes.default: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When I check the pod logs, the only error I see is the following.

2020-05-06 01:35:13.173+0000 [id=19]    INFO    o.c.j.p.k.KubernetesClientProvider$SaveableListenerImpl#onChange: Invalidating Kubernetes client: kubernetes null

I've been googling for a while and many sites mention service account settings, but nothing works.

$ kubectl version --short
Client Version: v1.12.7+1.2.3.el7
Server Version: v1.12.7+1.2.3.el7
$ helm version --short
v3.1.0+gb29d20b

Is there another step?

Greg

1 Answer

That error is a common error message reported by the Java Virtual Machine. This is caused when the Java environment does not have information about the HTTPS server to verify that it is a valid website. Sometimes the certificate is provided by an internal Root CA or is a Self-Signed Certificate. This sometimes can confuse the JVM as it is not one of the ones on the Java “trusted” list who can provide these certificates.

Try adding Java options to your values.yaml file; it should look like this:

  javaOpts: >-
    -Dhttp.proxyHost=***
    -Dhttp.proxyPort=80
    -Dhttps.proxyHost=***
    -Dhttps.proxyPort=80
    -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
    -Djavax.net.ssl.trustStorePassword=changeit

EDIT:

Try changing the location of the authority file and adding the debug option (-Djavax.net.debug=ssl) to get a more detailed view of the logs. Normally, without that parameter, we won't be able to see more detailed logs:

  javaOpts: >-
    -Dhttp.proxyHost=***
    -Dhttp.proxyPort=80
    -Dhttps.proxyHost=***
    -Dhttps.proxyPort=80
    -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Djavax.net.debug=ssl

If security is not a core concern on this box, you may go to Manage Jenkins > Manage Plugins > Available tab in the Jenkins web UI and search for the "skip-certificate-check" plugin.

Installing this should fix the issue. Use this plugin with caution, since it is not advised from a security perspective.

Also, the stable repo is going to be deprecated very soon and is not being updated. I suggest using the jenkins chart from Helm Hub.

Please take a look: certification-path-jenkins, adding-ca-cert, adding-path-certs.

Malgorzata
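The trust relationship the answer describes, and the alternative to disabling certificate checks, as an added example that is not part of the answer or of the Jenkins chart: `chains_to` reproduces the path-building question with `openssl verify`, and `add_ca_to_truststore` imports a CA into a copy of the JVM truststore. The alias `cluster-ca`, the function names and the constructed demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Constructed/assumed names: alias "cluster-ca", the demo PKI
# subjects, and whatever destination path you pass for the truststore copy.

# True only if CERT chains to a CA in CAFILE. A "no" here is what the JVM
# reports as "PKIX path building failed".
chains_to() {  # usage: chains_to CAFILE CERT
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Copy a JVM truststore and add one CA to the copy, so the original cacerts
# stays untouched. Requires keytool from the JDK.
add_ca_to_truststore() {  # usage: add_ca_to_truststore SRC_CACERTS CA_PEM DEST
  cp "$1" "$3" && chmod u+w "$3" &&
  keytool -importcert -noprompt -trustcacerts -alias cluster-ca \
    -file "$2" -keystore "$3" -storepass changeit >/dev/null 2>&1
}

# Constructed sample data: a private CA, a leaf it signs for kubernetes.default,
# and an unrelated CA standing in for a truststore that lacks the issuer.
make_demo_pki() {  # usage: make_demo_pki DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-cluster-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-other-ca" \
    -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kubernetes.default" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Offline demo on the constructed PKI: run this file with the argument "demo".
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_demo_pki "$d" || exit 1
  chains_to "$d/ca.crt" "$d/leaf.crt" && echo "issuer CA trusted: path builds"
  chains_to "$d/other.crt" "$d/leaf.crt" || echo "issuer CA missing: path building fails"
  rm -rf "$d"
fi
```

Inside the Jenkins pod, the CA to import is the one the failing endpoint actually chains to; for the in-cluster API server that is normally the service account's `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. `-Djavax.net.ssl.trustStore` then points at the copy rather than at the image's own `cacerts`.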