Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can not set googleOAuth2, get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor #674

Closed
patsevanton opened this issue Aug 3, 2022 · 6 comments
Closed

Can not set googleOAuth2, get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor #674

patsevanton opened this issue Aug 3, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@patsevanton
Copy link

patsevanton commented Aug 3, 2022
edited
Loading

Describe the bug

When use auth by googleOAuth2, get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor

Version of Helm and Kubernetes

- Helm: v3.7.0
- Kubernetes: v1.21.5

Chart version

jenkins-4.1.13

What happened?

JCasC:
    defaultConfig: true
    configScripts: {}
    securityRealm: |-
      googleOAuth2:
        clientId:"xxx-xxx.apps.googleusercontent.com"
        clientSecret:"xxx-xxx"
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false

Configure script try connect to Jenkins, but get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor.
Because Jenkins use googleOAuth2 auth.



### What you expected to happen?

I expect Jenkins configured correctly.

### How to reproduce it

```markdown
helm upgrade --install --atomic jenkins -f jenkins-values.yaml jenkins/jenkins

Anything else we need to know?

Full log pod jenkins-0

Defaulted container "jenkins" out of: jenkins, config-reload, init (init)
Running from: /usr/share/jenkins/jenkins.war
2022-08-03 07:17:25.775+0000 [id=1]	INFO	org.eclipse.jetty.util.log.Log#initialized: Logging initialized @516ms to org.eclipse.jetty.util.log.JavaUtilLog
2022-08-03 07:17:25.881+0000 [id=1]	INFO	winstone.Logger#logInternal: Beginning extraction from war file
2022-08-03 07:17:25.915+0000 [id=1]	WARNING	o.e.j.s.handler.ContextHandler#setContextPath: Empty contextPath
2022-08-03 07:17:25.998+0000 [id=1]	INFO	org.eclipse.jetty.server.Server#doStart: jetty-9.4.45.v20220203; built: 2022-02-03T09:14:34.105Z; git: 4a0c91c0be53805e3fcffdcdcc9587d5301863db; jvm 11.0.15+10
2022-08-03 07:17:26.301+0000 [id=1]	INFO	o.e.j.w.StandardDescriptorProcessor#visitServlet: NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
2022-08-03 07:17:26.357+0000 [id=1]	INFO	o.e.j.s.s.DefaultSessionIdManager#doStart: DefaultSessionIdManager workerName=node0
2022-08-03 07:17:26.357+0000 [id=1]	INFO	o.e.j.s.s.DefaultSessionIdManager#doStart: No SessionScavenger set, using defaults
2022-08-03 07:17:26.358+0000 [id=1]	INFO	o.e.j.server.session.HouseKeeper#startScavenging: node0 Scavenging every 660000ms
2022-08-03 07:17:26.905+0000 [id=1]	INFO	hudson.WebAppMain#contextInitialized: Jenkins home directory: /var/jenkins_home found at: EnvVars.masterEnvVars.get("JENKINS_HOME")
2022-08-03 07:17:27.114+0000 [id=1]	INFO	o.e.j.s.handler.ContextHandler#doStart: Started w.@53bf7094{Jenkins v2.346.2,/,file:///var/jenkins_cache/war/,AVAILABLE}{/var/jenkins_cache/war}
2022-08-03 07:17:27.159+0000 [id=1]	INFO	o.e.j.server.AbstractConnector#doStart: Started ServerConnector@6025e1b6{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2022-08-03 07:17:27.159+0000 [id=1]	INFO	org.eclipse.jetty.server.Server#doStart: Started @1902ms
2022-08-03 07:17:27.164+0000 [id=23]	INFO	winstone.Logger#logInternal: Winstone Servlet Engine running: controlPort=disabled
2022-08-03 07:17:27.461+0000 [id=30]	INFO	jenkins.InitReactorRunner$1#onAttained: Started initialization
2022-08-03 07:17:27.682+0000 [id=30]	INFO	jenkins.InitReactorRunner$1#onAttained: Listed all plugins
2022-08-03 07:17:31.130+0000 [id=28]	INFO	jenkins.InitReactorRunner$1#onAttained: Prepared all plugins
2022-08-03 07:17:31.169+0000 [id=28]	INFO	jenkins.InitReactorRunner$1#onAttained: Started all plugins
2022-08-03 07:17:31.179+0000 [id=29]	INFO	jenkins.InitReactorRunner$1#onAttained: Augmented all extensions
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/var/jenkins_cache/war/WEB-INF/lib/groovy-all-2.4.21.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2022-08-03 07:17:32.469+0000 [id=29]	INFO	jenkins.InitReactorRunner$1#onAttained: System config loaded
2022-08-03 07:17:33.132+0000 [id=29]	WARNING	i.j.p.casc.BaseConfigurator#createAttribute: Can't handle class org.csanchez.jenkins.plugins.kubernetes.PodTemplate#listener: type is abstract but not Describable.
2022-08-03 07:17:33.176+0000 [id=29]	SEVERE	jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping
	at io.jenkins.plugins.casc.model.CNode.asMapping(CNode.java:18)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:265)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:82)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
	at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$null$2(HeteroDescribableConfigurator.java:86)
	at io.vavr.control.Option.map(Option.java:392)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
	at io.vavr.Tuple2.apply(Tuple2.java:238)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:92)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:55)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:350)
	at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:286)
	at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:776)
	at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:712)
Caused: io.jenkins.plugins.casc.ConfiguratorException: jenkins: error configuring 'jenkins' with class io.jenkins.plugins.casc.core.JenkinsConfigurator configurator
	at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:718)
	at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:776)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:761)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:637)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:306)
	at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:298)
Caused: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
Caused: java.lang.Error
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
	at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
	at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
	at jenkins.model.Jenkins$5.runTask(Jenkins.java:1158)
	at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:222)
	at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:121)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-03 07:17:33.180+0000 [id=22]	SEVERE	hudson.util.BootFailure#publish: Failed to initialize Jenkins
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping
	at io.jenkins.plugins.casc.model.CNode.asMapping(CNode.java:18)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:265)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:82)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
	at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$null$2(HeteroDescribableConfigurator.java:86)
	at io.vavr.control.Option.map(Option.java:392)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
	at io.vavr.Tuple2.apply(Tuple2.java:238)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:92)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:55)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:350)
	at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:286)
	at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:776)
	at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:712)
Caused: io.jenkins.plugins.casc.ConfiguratorException: jenkins: error configuring 'jenkins' with class io.jenkins.plugins.casc.core.JenkinsConfigurator configurator
	at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:718)
	at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:776)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:761)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:637)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:306)
	at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:298)
Caused: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
Caused: java.lang.Error
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
	at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
	at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
	at jenkins.model.Jenkins$5.runTask(Jenkins.java:1158)
	at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:222)
	at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:121)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused: org.jvnet.hudson.reactor.ReactorException
	at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:291)
	at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
	at jenkins.model.Jenkins.executeReactor(Jenkins.java:1193)
	at jenkins.model.Jenkins.<init>(Jenkins.java:983)
	at hudson.model.Hudson.<init>(Hudson.java:86)
	at hudson.model.Hudson.<init>(Hudson.java:82)
	at hudson.WebAppMain$3.run(WebAppMain.java:247)
Caused: hudson.util.HudsonFailedToLoad
	at hudson.WebAppMain$3.run(WebAppMain.java:264)
2022-08-03 07:17:33.191+0000 [id=22]	INFO	hudson.lifecycle.Lifecycle#onStatusUpdate: Stopping Jenkins
2022-08-03 07:17:33.221+0000 [id=22]	INFO	jenkins.model.Jenkins$16#onAttained: Started termination
2022-08-03 07:17:33.250+0000 [id=22]	INFO	jenkins.model.Jenkins$16#onAttained: Completed termination
2022-08-03 07:17:33.250+0000 [id=22]	INFO	jenkins.model.Jenkins#_cleanUpDisconnectComputers: Starting node disconnection
2022-08-03 07:17:33.255+0000 [id=22]	INFO	jenkins.model.Jenkins#_cleanUpShutdownPluginManager: Stopping plugin manager
2022-08-03 07:17:33.278+0000 [id=22]	INFO	jenkins.model.Jenkins#_cleanUpPersistQueue: Persisting build queue
2022-08-03 07:17:33.287+0000 [id=22]	INFO	jenkins.model.Jenkins#_cleanUpAwaitDisconnects: Waiting for node disconnection completion
2022-08-03 07:17:33.288+0000 [id=22]	INFO	hudson.lifecycle.Lifecycle#onStatusUpdate: Jenkins stopped
@patsevanton patsevanton added the bug Something isn't working label Aug 3, 2022
@timja
Copy link
Member

timja commented Aug 3, 2022

get error hudson.security.csrf.DefaultCrumbIssuer is missing its descriptor is just a warning

@patsevanton
Copy link
Author

I added Full log pod jenkins-0

@timja
Copy link
Member

timja commented Aug 3, 2022

This is your error:

2022-08-03 07:17:33.176+0000 [id=29]	SEVERE	jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
io.jenkins.plugins.casc.ConfiguratorException: Item isn't a Mapping

Not sure from a quick look but the yaml won't be quite right most likely

@patsevanton
Copy link
Author

Hmm. May be. I will recheck.

@patsevanton
Copy link
Author

patsevanton commented Aug 21, 2022
edited
Loading

Fixed. Work jenkins-values-google-login.yaml

---
controller:
  tag: "2.346.2-jdk11"
  imagePullPolicy: "IfNotPresent"
  numExecutors: 0

  additionalPlugins:
    - google-login:1.6
    - job-dsl:1.81
    - allure-jenkins-plugin:2.30.2
    - ws-cleanup:0.42
    - build-timeout:1.21
    - timestamper:1.18
    - google-storage-plugin:1.5.6
    - permissive-script-security:0.7
    - ansicolor:1.0.2
    - google-oauth-plugin:1.0.6

  javaOpts: '-Dpermissive-script-security.enabled=true'

  JCasC:
    configScripts:
      jenkins-configuration: |
        jenkins:
          systemMessage: This Jenkins is configured and managed 'as code' by Managed Cloud team.
      job-config: |
        jobs:
          - script: >
              pipelineJob('job1') {
                logRotator(120, -1, 1, -1)
                authenticationToken('secret')
                definition {
                  cps {
                    script("""\
                      pipeline {
                        agent any
                        parameters {
                            string(name: 'Variable', defaultValue: '', description: 'Variable', trim: true)
                        }
                        options {
                          timestamps()
                          ansiColor('xterm')  
                          timeout(time: 10, unit: 'MINUTES')
                        }
                        stages {
                          stage ('build') {
                            steps {
                              cleanWs()
                              echo "hello job1"
                            }
                          }
                        }
                      }""".stripIndent())
                    sandbox()
                  }
                }
              }
          - script: >
              pipelineJob('job2') {
                logRotator(120, -1, 1, -1)
                authenticationToken('secret')
                definition {
                  cps {
                    script("""\
                      pipeline {
                        agent any
                        parameters {
                            string(name: 'Variable', defaultValue: '', description: 'Variable', trim: true)
                        }
                        options {
                          timestamps()
                          ansiColor('xterm')  
                          timeout(time: 10, unit: 'MINUTES')
                        }
                        stages {
                          stage ('test') {
                            steps {
                              cleanWs()
                              echo "hello job2"
                            }
                          }
                        }
                      }""".stripIndent())
                    sandbox()
                  }
                }
              }
      views: |
        jenkins:
          views:
            - all:
                name: "all"
            - list:
                columns:
                - "status"
                - "weather"
                - "jobName"
                - "lastSuccess"
                - "lastFailure"
                - "lastDuration"
                - "buildButton"
                jobNames:
                - "job1"
                name: "stage"
            - list:
                columns:
                - "status"
                - "weather"
                - "jobName"
                - "lastSuccess"
                - "lastFailure"
                - "lastDuration"
                - "buildButton"
                jobNames:
                - "job2"
                name: "test"
          viewsTabBar: "standard"
    securityRealm: |-
      googleOAuth2:
        clientId: "xxx-xxx.apps.googleusercontent.com"
        clientSecret: "xxx-xxx"
        domain: ""
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false

  ingress:
    enabled: true
    ingressClassName: nginx
    apiVersion: networking.k8s.io/v1
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
    hostName: xxxx
    tls:
     - secretName: jenkins-tls
       hosts:
         - xxxx

@soham-chakraborty1 soham-chakraborty1 mentioned this issue Aug 30, 2022
Closed
@soham-chakraborty1
Copy link

A question @patsevanton, have you found a way to encrypt the clientId and clientSecret and pass the encrypted values in the values.yaml file? Not with any external operator or project, but with whatever is given in the helm chart. I am trying to achieve that but my attempts are failing so far.

I will create a bug if you haven't found out a way, but wanted to ask first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@patsevanton @timja @soham-chakraborty1