Upgrade Jenkins to 2.245.2 (#171)

* Upgrade Jenkins to 2.245.2 * chore: ignore pebble trivy warning * debug * test: wait jenkins ready before test * test: wait jenkins ready before test * test: use fixtures * test: revert wait_jenkins_ready fixture * test: fix lint * test: debug * test: fix timeout errors & groovy pipeline plugin string match * test: fix lint * test: debug * test: increase timeout * test: wait and block till active * test: fix cloud descriptor name * test: revert debug * chore: remove patched CVEs in trivyignore * chore: remove vscode artefact * chore: add pebble CVEs to trivyignore * chore: update CVEs * chore: add concurrency to tests --------- Co-authored-by: Yanks Yoon <[email protected]>
canonical · Jun 26, 2024 · d791eea · d791eea
1 parent a1c030c
commit d791eea
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 35 deletions.
diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
@@ -3,6 +3,10 @@ name: Integration tests
 on:
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   integration-tests:
     uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main

diff --git a/.trivyignore b/.trivyignore
@@ -1,11 +1,7 @@
-# Fixed in 5.3.33
-CVE-2024-22259
-# Fixed in 5.7.12
-CVE-2024-22257
-CVE-2024-22262
-# Jenkins Plugin Manager CVEs
-CVE-2016-1000027
-CVE-2023-5072
-CVE-2024-23898
-# Other
+# Pebble CVEs
+CVE-2024-24790
 CVE-2023-45288
+# Jenkins plugin manager CVEs
+CVE-2023-5072
+# Jenkins CVEs
+CVE-2016-1000027
diff --git a/jenkins_rock/rockcraft.yaml b/jenkins_rock/rockcraft.yaml
@@ -45,7 +45,7 @@ parts:
       - default-jre-headless
       - git
     build-environment:
-      - JENKINS_VERSION: 2.452.1
+      - JENKINS_VERSION: 2.452.2
       - JENKINS_PLUGIN_MANAGER_VERSION: 2.12.13
     override-build: |
       mkdir -p ${CRAFT_PART_INSTALL}/{srv/jenkins/,etc/default/jenkins/}

diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py
@@ -15,6 +15,7 @@
 import kubernetes.stream
 import pytest
 import pytest_asyncio
+import requests
 from juju.action import Action
 from juju.application import Application
 from juju.client._definitions import FullStatus, UnitStatus
@@ -519,10 +520,17 @@ async def jenkins_with_proxy_client_fixture(
 
 @pytest_asyncio.fixture(scope="function", name="app_with_allowed_plugins")
 async def app_with_allowed_plugins_fixture(
-    application: Application,
+    application: Application, web_address: str
 ) -> AsyncGenerator[Application, None]:
     """Jenkins charm with plugins configured."""
     await application.set_config({"allowed-plugins": ",".join(ALLOWED_PLUGINS)})
+    model: Model = application.model
+    await model.wait_for_idle(apps=[application.name], wait_for_active=True)
+    await model.block_until(
+        lambda: requests.get(web_address, timeout=10).status_code == 403,
+        timeout=60 * 10,
+        wait_period=10,
+    )
     yield application
     await application.reset_config(to_default=["allowed-plugins"])
 

diff --git a/tests/integration/helpers.py b/tests/integration/helpers.py
@@ -12,6 +12,7 @@
 import jenkinsapi.jenkins
 import kubernetes.client
 import requests
+import tenacity
 from juju.application import Application
 from juju.model import Model
 from juju.unit import Unit
@@ -24,6 +25,11 @@
 logger = logging.getLogger(__name__)
 
 
+@tenacity.retry(
+    wait=tenacity.wait_exponential(multiplier=2, max=60),
+    reraise=True,
+    stop=tenacity.stop_after_attempt(5),
+)
 async def install_plugins(
     unit_web_client: UnitWebClient,
     plugins: typing.Iterable[str],
@@ -450,18 +456,8 @@ def create_secret_file_credentials(
             }},
         }}"""
     }
-
-    accept_header = (
-        "text/html,"
-        "application/xhtml+xml,"
-        "application/xml;q=0.9,"
-        "image/avif,image/webp,"
-        "image/apng,"
-        "*/*;q=0.8,"
-        "application/signed-exchange;v=b3;q=0.9'"
-    )
     headers = {
-        "Accept": accept_header,
+        "Accept": "*/*",
     }
 
     with open(kube_config, "rb") as kube_config_file:
@@ -493,7 +489,7 @@ def create_kubernetes_cloud(
 
     payload = {
         "name": kubernetes_test_cloud_name,
-        "type": "org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud",
+        "cloudDescriptorName": "org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud",
         "json": f"""
         {{
             "name": "{kubernetes_test_cloud_name}",
@@ -522,7 +518,7 @@ def create_kubernetes_cloud(
 
     logger.debug("Creating jenkins kubernets cloud, params: %s %s", headers, payload)
     res = unit_web_client.client.requester.post_url(
-        url=url, headers=headers, data=payload, timeout=30
+        url=url, headers=headers, data=payload, timeout=60 * 5
     )
     logger.debug("Cloud created, %s", res.status_code)
 

diff --git a/tests/integration/requirements.txt b/tests/integration/requirements.txt
@@ -2,3 +2,4 @@ Jinja2>=3,<4
 lightkube==0.15.1
 pytest-playwright==0.4.4
 python-keycloak>=3,<4
+tenacity==8.4.2
diff --git a/tests/integration/test_plugins.py b/tests/integration/test_plugins.py
@@ -3,13 +3,15 @@
 
 """Integration tests for jenkins-k8s-operator charm."""
 
+import functools
 import json
 import logging
 import typing
 
 import jenkinsapi.plugin
 import pytest
 import requests
+import urllib3.exceptions
 from jinja2 import Environment, FileSystemLoader
 from juju.application import Application
 from pytest_operator.plugin import OpsTest
@@ -39,14 +41,27 @@ async def test_plugins_remove_delay(
     """
     arrange: given a Jenkins with plugins being installed through UI.
     act: when update_status_hook is fired.
-    assert: the plugin removal is delayed warning is logged until plugin installation is settled.
+    assert: the plugin removal delayed warning is logged until plugin installation is settled.
     """
     post_data = {f"plugin.{plugin}.default": "on" for plugin in ALLOWED_PLUGINS}
     post_data["dynamic_load"] = ""
-    res = unit_web_client.client.requester.post_url(
-        f"{unit_web_client.web}/manage/pluginManager/install", data=post_data
-    )
-    assert res.status_code == 200, "Failed to request plugins install"
+
+    def _install_plugins_via_web_api() -> bool:
+        """Install plugins via pluginManager API.
+
+        Returns:
+            Whether the plugin installation request has succeeded.
+        """
+        try:
+            res = unit_web_client.client.requester.post_url(
+                f"{unit_web_client.web}/manage/pluginManager/install", data=post_data
+            )
+            return res.ok
+        except (requests.exceptions.RequestException, urllib3.exceptions.HTTPError):
+            logger.exception("Failed to post plugin installations.")
+            return False
+
+    await wait_for(_install_plugins_via_web_api)
 
     async def has_temp_files():
         """Check if tempfiles exist in Jenkins plugins directory.
@@ -458,8 +473,10 @@ async def test_groovy_libs_plugin(unit_web_client: UnitWebClient):
     res = unit_web_client.client.requester.get_url(f"{unit_web_client.web}/manage/configure")
 
     config_page = str(res.content, "utf-8")
+    # The string is now "Global Trusted Pipeline Libraries" and
+    # "Global Untrusted Pipeline Libraries" for v727.ve832a_9244dfa_
     assert (
-        "Global Pipeline Libraries" in config_page
+        "Pipeline Libraries" in config_page
     ), f"Groovy libs configuration option not found. {config_page}"
 
 
@@ -580,10 +597,14 @@ async def test_kubernetes_plugin(unit_web_client: UnitWebClient, kube_config: st
     """
     # Use plain credentials to be able to create secret-file/secret-text credentials
     await install_plugins(unit_web_client, ("kubernetes", "plain-credentials"))
-    credentials_id = create_secret_file_credentials(unit_web_client, kube_config)
-    assert credentials_id
-    kubernetes_cloud_name = create_kubernetes_cloud(unit_web_client, credentials_id)
-    assert kubernetes_cloud_name
+    credentials_id = await wait_for(
+        functools.partial(create_secret_file_credentials, unit_web_client, kube_config)
+    )
+    assert credentials_id, "Failed to create credentials id"
+    kubernetes_cloud_name = await wait_for(
+        functools.partial(create_kubernetes_cloud, unit_web_client, credentials_id)
+    )
+    assert kubernetes_cloud_name, "Failed to create kubernetes cloud"
     job = unit_web_client.client.create_job(
         "kubernetes_plugin_test",
         gen_test_pipeline_with_custom_script_xml(kubernetes_test_pipeline_script()),