Re: Jenkins Kubernetes agents fail handshake with master.

2018-04-09 Thread Carlos Sanchez
Are you running Jenkins with SSL enabled? Or are you running Jenkins
non-SSL and then enabling SSL at the ingress level?
The plugin will connect internally to the cluster, so typically no SSL URL
is used.



On Sun, Apr 8, 2018 at 10:37 PM, Ryan Timoney wrote:

> I've got Jenkins running on an instance on Google Compute Engine. I've got
> a Kubernetes cluster set up on GKE to run agents on. I followed the steps
> here: https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engin
> The master successfully creates pods, but the SSL handshake always fails with
> this error:
>
> Error in provisioning; agent=KubernetesSlave name: jenkins-t4lpw, 
> template=PodTemplate{inheritFrom='', name='jenkins', namespace='', 
> instanceCap=5, label='debian-8', nodeSelector='', nodeUsageMode=NORMAL, 
> workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.EmptyDirWorkspaceVolume@22c413cb,
>  containers=[ContainerTemplate{name='build-agent', 
> image='jenkins/jnlp-slave', workingDir='/home/jenkins', command='/bin/sh -c', 
> args='cat', ttyEnabled=true, resourceRequestCpu='', resourceRequestMemory='', 
> resourceLimitCpu='', resourceLimitMemory='', 
> livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@76480942}]}.
> Container jnlp exited with error 255. Logs:
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
>     at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189)
>     ... 2 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>     ... 13 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>     ... 19 more
>
>
> I know the SSL cert used by my master is valid, so I don't know what the
> issue is. I've tried using a local IP and providing a cert signed by my own
> CA, then making a new image off of
> gcr.io/cloud-solutions-images/jenkins-k8s-slave:v4 that imports the CA into
> the Java keystore, but I still get the same error.
>
> Is there any way to pass the --httpsKeyStore argument to Jenkins agents
> that are run on GKE? If that isn't the problem, where should I look in my
> config?

Jenkins Kubernetes agents fail handshake with master.

2018-04-08 Thread Ryan Timoney
I've got Jenkins running on an instance on Google Compute Engine. I've got
a Kubernetes cluster set up on GKE to run agents on. I followed the steps
here: https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engin
The master successfully creates pods, but the SSL handshake always fails with
this error:

Error in provisioning; agent=KubernetesSlave name: jenkins-t4lpw, 
template=PodTemplate{inheritFrom='', name='jenkins', namespace='', 
instanceCap=5, label='debian-8', nodeSelector='', nodeUsageMode=NORMAL, 
workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.EmptyDirWorkspaceVolume@22c413cb,
 containers=[ContainerTemplate{name='build-agent', image='jenkins/jnlp-slave', 
workingDir='/home/jenkins', command='/bin/sh -c', args='cat', ttyEnabled=true, 
resourceRequestCpu='', resourceRequestMemory='', resourceLimitCpu='', 
resourceLimitMemory='', 
livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@76480942}]}.
Container jnlp exited with error 255. Logs:
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
    at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189)
    ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 19 more


I know the SSL cert used by my master is valid, so I don't know what the 
issue is. I've tried using a local IP and providing a cert signed by my own 
CA, then making a new image off of 
gcr.io/cloud-solutions-images/jenkins-k8s-slave:v4 that imports the CA into 
the Java keystore, but I still get the same error.

Is there any way to pass the --httpsKeyStore argument to Jenkins agents 
that are run on GKE? If that isn't the problem, where should I look in my 
config?

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/6c9bc8b9-731b-4fcb-8eb1-c0e8f4973b52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
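
Added example (not part of the thread, and not code from Jenkins or the Kubernetes plugin): a Python triage helper for traces like the one in the post. It rejoins the archive's wrapped and `>`-quoted lines, takes the innermost `Caused by:` as the root cause and reports the first non-JDK frame; the category names and check hints are assumptions made for this example, while the matched message strings are the JDK's own.

```python
import re

# JDK certificate-check messages -> (category, what to compare); labels are this example's.
RULES = [
    (r"PKIX path building failed|unable to find valid certification path",
     "untrusted-chain", "truststore of the connecting JVM vs. the chain served at the URL"),
    (r"No subject alternative|No name matching",
     "name-mismatch", "host or IP in the URL vs. the certificate's SAN entries"),
    (r"CertificateExpiredException|CertificateNotYetValidException",
     "validity-period", "certificate dates vs. the clock of the connecting host"),
]
JDK_PREFIXES = ("sun.", "java.", "javax.", "com.sun.")

def records(text):
    """Undo archive wrapping: strip '>' quoting and rejoin split trace lines."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        new = line == "at" or line.startswith(("at ", "Caused by:", "..."))
        if line and (new or not out):
            out.append(line)
        elif line:
            out[-1] += " " + line  # continuation of a wrapped record
    return out

def triage(text):
    """Return the innermost cause, its category, and the first non-JDK caller."""
    recs = records(text)
    causes = [r[len("Caused by:"):].strip() for r in recs if r.startswith("Caused by:")]
    root = causes[-1] if causes else ""
    category, check = next(((c, h) for p, c, h in RULES if re.search(p, root)),
                           ("unclassified", "read the full trace"))
    frames = (m.group(1) for r in recs if (m := re.match(r"at\s+([\w.$]+)\(", r)))
    caller = next((f for f in frames if not f.startswith(JDK_PREFIXES)), None)
    return {"root_cause": root, "category": category, "check": check, "caller": caller}

# Excerpt of the trace from the post, with the archive's wrapping and quoting kept.
SAMPLE = """\
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
> at
> org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189)
> ... 2 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the post's trace this reports `untrusted-chain` with `JnlpAgentEndpointResolver.resolve` as the caller: the certificate check fails in the agent's JVM while it makes its HTTPS request to the Jenkins URL.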