atiato (14)
#1
I'm facing this issue with Jenkins:

I followed the book and logged in to Jenkins with the OpenShift admin user.

In the book's MEAP version, below figure 6.12, it is mentioned: if you go back to the Dev Build job and click Build Now, the build will fail with the error below:

Starting the "Trigger OpenShift Build" step with build config "todo-app-flask-mongo" from the project "dev".
com.openshift.restclient.authorization.ResourceForbiddenException: Resource Forbidden
at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.createOpenShiftException(ResponseCodeInterceptor.java:106)
at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:65)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170)
at okhttp3.RealCall.execute(RealCall.java:60)
at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:258)
at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:222)
at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:210)
at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:333)
at com.openshift.jenkins.plugins.pipeline.model.RetryIClient.lambda$get$5(RetryIClient.java:174)
at com.openshift.jenkins.plugins.pipeline.model.RetryIClient.retry(RetryIClient.java:72)
at com.openshift.jenkins.plugins.pipeline.model.RetryIClient.get(RetryIClient.java:174)
at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftBuilder.coreLogic(IOpenShiftBuilder.java:223)
at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.doItCore(IOpenShiftPlugin.java:309)
at com.openshift.jenkins.plugins.pipeline.model.IOpenShiftPlugin.doIt(IOpenShiftPlugin.java:327)
at com.openshift.jenkins.plugins.pipeline.OpenShiftBaseStep.perform(OpenShiftBaseStep.java:81)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
at hudson.model.Run.execute(Run.java:1728)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:405)
ERROR: "Trigger OpenShift Build" failed
Warning: you have no plugins providing access control for builds, so falling back to legacy behavior of permitting any downstream builds to be triggered
Finished: FAILURE
atiato (14)
#2
It works after adding the below:

# Grant Jenkins Access to Projects
oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n dev
oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n prod
oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n test

Please add it inside the book. Thanks,
atiato (14)
#3
Another issue appeared when running the pipeline:

The following output failed:

Starting the "Verify OpenShift Build" step with build config "todo-app-flask-mongo" from the project "dev".

Waiting on build "todo-app-flask-mongo-8" to complete followed by a new deployment ...

Operation will timeout after 60000 milliseconds





Exiting "Verify OpenShift Build" unsuccessfully; build "todo-app-flask-mongo-8" has completed with status: [Complete]. However, not all deployments with ImageChange triggers based on this build's output triggered off of the new image.

"Verify OpenShift Build" failed


Note that after I updated the Jenkins file with the following

checkForTriggeredDeployments: 'false'

then it successfully works.


John Osborne (13)
#4
Thanks I'll investigate. The templates provided include the RoleBindings so that the users do not have to run the policy commands. I'll look into what went wrong.
atiato (14)
#5
Hi,

Did you check the issue?

Thanks,
Omar Atia
John Osborne (13)
#6
Yes! I think I finally figured it out. I had trouble with this one because some people were able it and some people were not.

I'm about to patch the template now so that those commands don't need to be in the text.
atiato (14)
#7
OK great, thanks.
John Osborne (13)
#8
I'm actually going to have to update the book with the commands. When you run "oc policy add-role-to-user" it's creating a RoleBinding API Object in the dev account that allows the jenkins serviceaccount to edit the project. However, when I'm adding the API Object to the template it's still getting put into the cicd project even though I explicitly call it dev.

I'll just update the text to include the commands. I really appreciate your help on finding this!
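
The RoleBinding that post #8 describes, written out as a manifest for the dev project. This is an added example, not taken from the book or its templates; it assumes the cluster serves the rbac.authorization.k8s.io/v1 API, and the binding name is constructed.

```yaml
# Added example (not from the book or its templates).
# Declarative form of the command from post #2:
#   oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n dev
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-edit          # constructed name, pick any unique name
  namespace: dev              # the binding must live in the project being
                              # accessed, not in cicd where Jenkins runs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit                  # the role used in the thread; it allows
                              # modifying most objects in the project
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: cicd           # the project that owns the service account
```

The same manifest with `metadata.namespace` set to `test` and `prod` covers the other two commands. After applying it, `oc auth can-i get buildconfigs -n dev --as=system:serviceaccount:cicd:jenkins` should answer `yes`, and the same check against a project with no binding should answer `no`.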