Just an update for anyone with the particular problem I had with Spinnaker: 
the docs https://spinnaker.io/setup/ci/jenkins/ indicate that Spinnaker can 
only connect to Jenkins if:

1. csrf=true on the Spinnaker connection to Jenkins
2. Jenkins's 'strict' crumb issuer is installed rather than the default 
issuer and set to *not* check the session

So that would imply that even with an API token you still need to get and 
pass a crumb for API calls (and by default a valid session as well?!)

If anyone can clarify the current state of Jenkins w.r.t. crumbs, 
passwords, api-tokens and sessions, and how these relate to the legacy auth 
endpoint, the crumb issuer endpoint and API endpoints, it would be much 
appreciated. The docs don't seem to reflect reality, at least not for my 
install from the Jenkins Helm chart.

On Friday, August 28, 2020 at 6:57:20 PM UTC+1 Simon Turner wrote:

> The docs at 
> https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/
>  
> and https://www.jenkins.io/doc/book/using/remote-access-api/ both 
> strongly imply that you don't need to supply a crumb when calling the API 
> from scripted clients, if you use an API token. They both illustrate 
> curl/wget calls with API tokens and no crumb header, and the latter says 
> "API tokens are preferred *instead of* crumbs for CSRF protection"
>
> This seems to be true for GET requests - I can make a GET to 
> $JENKINS_URL/job/myjob/changes with a valid user/ApiToken and it succeeds. 
> However, when I POST to trigger that job, I get "HTTP ERROR 403 No valid 
> crumb was included in the request"
>
> (Problem for me is that this seems to break Spinnaker's ability to trigger 
> Jenkins jobs unless I disable CSRF completely, which obviously I don't want 
> to do.)
>
> Is it by design that even an ApiToken must be combined with a crumb to do 
> POSTs? Can this be disabled? Is this anything to do with 
> https://www.jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6
> ?
>
> I'm on Jenkins 2.235.5
>
> Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/436ef871-f047-4de3-84c2-1e149c8265a0n%40googlegroups.com.
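Added example (my own code, not code from this thread, from Jenkins or from Spinnaker) showing the two behaviours the thread is about: a POST with an API token plus a crumb that was fetched in a different session gets "No valid crumb was included in the request" when crumbs are bound to the session, while the same client succeeds either by keeping the JSESSIONID cookie between the crumb fetch and the POST, or against an issuer that does not check the session (the "strict crumb issuer, check session off" setting the Spinnaker docs ask for). The server below is a stand-in: it keys crumbs on a JSESSIONID cookie to model session binding, which is an assumption of mine, not how Jenkins computes crumbs. The endpoint paths, the crumbRequestField/crumb JSON keys, the Jenkins-Crumb header and the 201 on /job/<name>/build are the real Jenkins ones; USER, TOKEN and the job name are constructed.

```python
"""Stand-in for the Jenkins crumb issuer plus a client that fetches a crumb
and replays it on a POST.  Assumption (mine): the fake server binds crumbs to a
JSESSIONID cookie to model the default issuer; check_session=False models the
strict issuer with its session check switched off."""
import base64
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, TOKEN = "automation", "11aabbccddeeff00112233445566778899"  # constructed
BASIC = "Basic " + base64.b64encode(f"{USER}:{TOKEN}".encode()).decode()


class FakeJenkins(BaseHTTPRequestHandler):
    """Minimal model of the two endpoints discussed in the thread."""
    check_session = True  # True: crumb tied to session; False: strict issuer, no session check
    crumbs = {}           # session id (or "any") -> last issued crumb

    def _session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":
                return value
        return None

    def do_GET(self):
        if self.headers.get("Authorization") != BASIC:
            self.send_error(401)
            return
        if self.path != "/crumbIssuer/api/json":
            self.send_error(404)
            return
        sid = self._session_id() or secrets.token_hex(8)
        crumb = secrets.token_hex(16)
        FakeJenkins.crumbs[sid if self.check_session else "any"] = crumb
        body = json.dumps({"crumbRequestField": "Jenkins-Crumb", "crumb": crumb}).encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.headers.get("Authorization") != BASIC:
            self.send_error(401)
            return
        key = self._session_id() if self.check_session else "any"
        if self.headers.get("Jenkins-Crumb") != FakeJenkins.crumbs.get(key):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"No valid crumb was included in the request")
            return
        self.send_response(201)  # Jenkins answers /job/<name>/build with 201 Created
        self.end_headers()

    def log_message(self, *_):
        pass


def trigger_build(base_url, job, keep_cookies=True):
    """Fetch a crumb, then POST /job/<job>/build with it; return the HTTP status.
    keep_cookies=False throws the JSESSIONID away between the two requests,
    which is what a script that just fetches a crumb and reuses it does."""
    handlers = [urllib.request.HTTPCookieProcessor()] if keep_cookies else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(f"{base_url}/crumbIssuer/api/json",
                                 headers={"Authorization": BASIC})
    with opener.open(req) as resp:
        issued = json.load(resp)
    req = urllib.request.Request(f"{base_url}/job/{job}/build", data=b"", method="POST",
                                 headers={"Authorization": BASIC,
                                          issued["crumbRequestField"]: issued["crumb"]})
    try:
        with opener.open(req) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_scenario(check_session, keep_cookies):
    """Start the fake server on a free port, run one build trigger, stop it."""
    FakeJenkins.check_session = check_session
    FakeJenkins.crumbs = {}
    server = HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return trigger_build(f"http://127.0.0.1:{port}", "myjob", keep_cookies)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("session-bound crumb, cookie jar kept:   ", run_scenario(True, True))    # 201
    print("session-bound crumb, cookie dropped:    ", run_scenario(True, False))   # 403
    print("strict issuer, no session check:        ", run_scenario(False, False))  # 201
```

The practical upshot for a scripted client is in trigger_build: either use one cookie jar for the crumb request and the POST (curl: --cookie-jar on the crumb fetch, --cookie on the POST), or run an issuer that does not tie crumbs to the session, which is the configuration the Spinnaker page describes. The fake server is only there to make the two outcomes reproducible offline; it says nothing about whether a token-authenticated POST is supposed to be exempt from the crumb check on a given Jenkins version.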