This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/jenkins][improvement] - Add option to add scriptapproval hashes value on helm chart #23265

Closed
ricardojdsilva87 opened this issue Jul 20, 2020 · 8 comments

Comments

@ricardojdsilva87

ricardojdsilva87 commented Jul 20, 2020

Hello this would be a request for improvement,

We currently are running Jenkins with no persistent storage, with everything configured via CASC.
We have a few scripts that need to be approved at startup to be used right away. The thing here is that even though the scripts are declared in the scriptApproval helm value, after every deployment the script asks to be approved again.

Doing some tests I've checked that the approvedSignatures xml tag is not as important as the approvedScriptHashes.
After every manual approval I've noticed that the hash is always the same (if the script doesn't change). Implementing this feature would bring more benefits than having just the approvedSignatures in place

The file where it is set:
https://github.com/helm/charts/blob/master/stable/jenkins/templates/config.yaml#L129

Having something like the following would help a lot:

image

This way every script approval could be managed directly under the Values file.
Thank you for the help

@ricardojdsilva87 ricardojdsilva87 changed the title [stable/jenkins] - Add option to add scriptapproval hashes value on helm chart [stable/jenkins][improvement] - Add option to add scriptapproval hashes value on helm chart Jul 20, 2020
@k8s-ci-robot
Contributor

@wmcdona89: GitHub didn't allow me to assign the following users: jessicaodish.

Note that only helm members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @jessicaodish

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jessicaodish

I will be working on a PR for this.

@wmcdona89
Collaborator

@ricardojdsilva87 have you tried configuring via JCasC? It currently only supports signatures but perhaps it results in the desired behavior.

master:
  JCasC:
    configScripts:
      security-settings: |
        security:
          scriptApproval:
            approvedSignatures: []

@ricardojdsilva87
Author

Hello @wmcdona89 ,
Thanks for the help, unfortunately having only the approvedSignatures in place won't do it. The approvedScriptHashes is also always needed.
Currently we have the following in the values.yaml file for the helm chart, as mentioned in the helm documentation.

master:
  scriptApproval:
    - "script1"
    - "script2"
    - "script3"

With this the scriptApproval.xml file is created here:
https://github.com/helm/charts/blob/master/stable/jenkins/templates/config.yaml#L129

And copied to the final location here:
https://github.com/helm/charts/blob/master/stable/jenkins/templates/config.yaml#L215

Our setup is now based on an EFS storage and the Jenkins pod has ephemeral storage. This is what triggered this "issue" since before we had an EBS and we thought that just having this piece of code on the values.yaml file would be enough.

Thanks

@wmcdona89
Collaborator

wmcdona89 commented Jul 30, 2020

@ricardojdsilva87 what version of the script-security plugin are you using? I see v1.27 is hardcoded in the chart here. This version was released Feb 27, 2017 and v1.74 is the latest. Perhaps this is contributing to the issue.

Looking at one of my scriptApproval.xml files on Jenkins v2.222.4, I see only signatures. So perhaps hashes are only generated for more complex signatures. *These approvals were done through the UI (not the chart).

<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@1.73">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>new java.lang.StringBuilder</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
  <approvedClasspathEntries/>
  <pendingScripts/>
  <pendingSignatures/>
  <pendingClasspathEntries/>
</scriptApproval>

@ricardojdsilva87
Author

Hello @wmcdona89 ,
The scriptApproval.xml file is generated with the 1.74 version that we have installed.
It probably only works for small signatures like the example you show. We have entire groovy scripts, and basically what we were doing was to add the name to the approvedSignatures field. It seems, like you say, that a hash is generated in these kinds of situations.
Thanks

@stale

stale bot commented Aug 30, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 30, 2020
@scottrigby
Member

📢 stable/jenkins has moved to https://github.com/jenkinsci/helm-charts. If still applicable, please reopen the issue there. Thanks!

@stale stale bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 2, 2020