-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch jenkins OIDC from Amazon federate to GitHub #506
Comments
Approach 1: Use github-oauth plugin [Recommended]Jenkins has multiple plugins that it uses for its efficiency, integration with other tools and even basic functioning. One such plugin that can be used to integrated GitHub with jenkins as a OIDC is github-oauth plugin. Pros:
Cons:
Approach 2: Use existing keycloak set upGithub is not an identity provider. Hence an intermediate broker is required to break the identity. We recently integrated keycloak with nightly plyagrounds to use GitHub as an OIDC. This approach proposes to use the same set up for jenkins authentication as well. Create a new realm for jenkins exclusively. Pros:
Cons:
Approach 3: Use basic authHave user and password basic authentication. Strictly not recommended. |
Did a small POC with approach 1 and seems to be working without any issue. Easy integration as well without any complications or major changes. Adding @prudhvigodithi @rishabh6788 @peterzhuamazon @Divyaasm to get some input on the approaches. |
Posting more details about GitHub Oauth app. Required if we move with approach 1 and 2. Following the set up mentioned here: https://plugins.jenkins.io/github-oauth/
While creating GitHub Oauth apps, looks like we cannot have more than one authorizarion call-back URLs. See documentation here.
GitHub Apps on the other hand does support multiple callback URLs. However, jenkins does not have a way to specify the redirect_uri option. The PR is open for add this feature but is stale at this point. jenkinsci/github-oauth-plugin#198. Related jenkins issue: https://issues.jenkins.io/browse/JENKINS-43214 As of Nov 18,2024 we have 2 endpoints: beta and prod. However in future with #382 there might be more. Assuming all of them need to use GH as OIDC and after researching for solutions, we have below options:
|
Hi everyone,
Option A:If we want to move ahead with this approach, the action items on our end would be:
Option B:If not, another approach would be:
@rishabh6788 @prudhvigodithi @peterzhuamazon @getsaurabh02 let me know if you guys have preferences. Moving fast we can goahead with option B and then once we have upgraded jenkins and hopefully that feature gets merged officially in github-oauth repo we can switch to Option A. Thanks! |
Second to @Divyaasm that Option 1 has the issue of existing windows runner failure. If we entirely move to potential GitHub Actions + GitHub ARC then this might not needed. Thanks. |
Thank you for the inputs @Divyaasm and @peterzhuamazon |
Just to update, |
The authentication for https://build.ci.opensearch.org/ has been switched from internal auth to GitHub using GitHub-oauth plugin. The GitHub OAuth apps are currently residing in my developer account. Will be transferring the ownership of the same to opensearch-project org based on new process. See opensearch-project/.github#236 Thanks! |
Is your feature request related to a problem? Please describe
Coming from opensearch-project/opensearch-build#5171
The first milestone is to make release process CI executable by anyone including external community. As of today, the jenkins CI at https://build.ci.opensearch.org/ using Amazon Federate, an internal authentication service to authenticate users.
Describe the solution you'd like
Possible options:
Describe alternatives you've considered
Keep using amazon federate and ask the users with right access to execute workflows everytime.
Additional context
We recently integrated nightly playgrounds https://playground.nightly.opensearch.org/ with GitHub as OIDC.
Though GitHub is not an OpenID Connect Provider, mediator such as keycloak can be used to break the identity and manage access accordingly.
The text was updated successfully, but these errors were encountered: