Jenkins API token behaviour change (no longer valid with new Jenkins images after Jenkins restart?)

[adamrobe...@gmail.com]

Hi all, seeing strange behaviour with newer Jenkins image versions, API tokens, and Jenkins on Kubernetes.

 

We're using the Jenkins helm chart and API tokens so that our own microservice can talk to it - we've noticed a problem when upgrading the base Jenkins image beyond 2.153 however. It seems our tokens are invalidated after the Jenkins pod terminates.

 

Any version before this and our API tokens are fine (so we can do a wget from our pod to the jenkins service for example) but with newer versions it's always reporting an invalid password. I'd really like to up the Jenkins base version as I see lots of bug fixes and CVE fixes at the Jenkins changelog. Unfortunately jenkins/jenkins:lts has the same problem for us.

I know the API token behaviour changed many releases ago and so I'm wondering if any other internals have changed that could be causing this? I know If I create a new API token using the UI, I can use that completely fine, but we want to reuse the same token inbetween Jenkins restarts.

 

Has anybody seen this also?

 

Our requests were previously working with the following code, an example being

wget http://admin:atokenhere@my-jenkins:8080/user/admin/configure

Constructed with the pattern (in our Go code):

 

url := strings.Split(jenkinsURL, "://")[0] + "://" + jenkinsUser + ":" + seedAPIToken + "@" + strings.Split(jenkinsURL, "://")[1] +
"/user/admin/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=temporary"
req, err := http.NewRequest("POST", url, nil)

I know of 

 

curl -X POST -s -u admin:$PASS -H `curl -s -u admin:$PASS $URL'crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'` $URL'me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' | jq -r .data.tokenValue via https://github.com/jenkins-x/jx/pull/2459 so I'm going to give this a try as well.

 

Would be great to figure out what exactly has changed and if the above is considered best practice, thanks!

[Daniel Beck]

> On 1. Feb 2019, at 14:59, adamrobe...@gmail.com wrote:
>
> we've noticed a problem when upgrading the base Jenkins image beyond 2.153 however

To clarify, the problem occurs from 2.154 on? If you only tried a later release, could you try to determine the release that broke it?