My system is OKD 3.11, Jenkins latest running in its own project.
My company uses an internal CA authority, and everything is signed by it. Which is a pain in itself, but I am trying to get my OKD cluster to build projects with Jenkins. I have it creating pods and such, but when the JNLP container starts, it fails with the oh so frustrating:
java.io.IOException: Failed to connect to https://jenkins.apps.lab.mycompany.com/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197)
    at hudson.remoting.Engine.innerRun(Engine.java:523)
    at hudson.remoting.Engine.run(Engine.java:474)
My question is, how do I inject the root CA into the JVM keystore that the pod is using? I really hope you don't tell me that I have to build a custom Docker image. I really hope there's a way to just import the stupid thing into the existing one to keep maintenance down.
My Jenkinsfile:
pipeline {
    agent {
        kubernetes {
            label 'sample-app'
            yamlFile 'KubernetesBuildPod.yaml'
        }
    }
    options {
        skipDefaultCheckout(true) // to avoid force checkouts on every node in a first stage
        disableConcurrentBuilds() // to avoid concurrent builds on same nodes
    }
    stages {
        stage('Build') {
            steps {
                checkout scm
                sh 'ls -alh'
            }
        }
    }
}
And the pod YAML:
apiVersion: v1
kind: Pod
metadata:
  labels:
    component: ci
spec:
  # Use service account that can deploy to all namespaces
  serviceAccountName: jenkins
  containers:
  - name: gcc-cmake
    image: rikorose/gcc-cmake:latest
    command:
    - cat
    tty: true
And the pod template in the Jenkins config.