[temurin-compliance] Enable Parameterized Remote Trigger plugin to trigger jobs on Temurin-compliance Jenkins server

Summary

To automate and expedite the launch of TCK test pipelines on https://ci.eclipse.org/temurin-compliance/ from https://ci.adoptopenjdk.net/ (which has the https://www.jenkins.io/doc/pipeline/steps/Parameterized-Remote-Trigger/ installed).

Steps to reproduce

n/a

What is the current bug behavior?

(What actually happens)

What is the expected correct behavior?

Be able to trigger https://ci.eclipse.org/temurin-compliance/job/AQA_Test_Pipeline/ from the public Jenkins server https://ci.adoptopenjdk.net/ if a certain flag is set in the build pipelines (if build successful and triggerTCK flag is true).

Relevant logs and/or screenshots

Need to know which credentials can be used to trigger jobs.

added IT-prioritylow IT-severitylow ~24521 statetodo team:releng labels

assigned to @fgurr

This plugin will be installed during the upgrade to the latest Jenkins LTS version.

Also wondering what credentials I should use to trigger jobs FROM ci.adoptopenjdk.net TO ci.eclipse.org/temurin-compliance ? Plugin already installed on ci.adoptopenjdk.net server

Once the plugin is installed, access tokens can be configured on a job or global level.

changed title from Enable Parameterized Remote Trigger plugin to trigger jobs on Temurin-compliance Jenkins server to [temurin-compliance] Enable Parameterized Remote Trigger plugin to trigger jobs on Temurin-compliance Jenkins server

I misunderstood the functionality of the parameterized remote trigger plugin. I expected it to be required on the server side, which is not the case.

Also wondering what credentials I should use to trigger jobs FROM ci.adoptopenjdk.net TO ci.eclipse.org/temurin-compliance ? Plugin already installed on ci.adoptopenjdk.net server

You can set an authentication token in the job configuration of a build (Build Triggers -> Trigger builds remotely (e.g. from scripts)) on https://ci.eclipse.org/temurin-compliance. You should add the authentication token as a Jenkins credential on https://ci.adoptopenjdk.net.

removed statetodo label

added statereview label

Yes, and apologies, this may not have been the correct place to add this request, but I wanted to make you aware of our intent (and the plugin installed on temurin-compliance server may also be useful for something in the future, so not unwanted).

Eclispe jenkins server has password based access. So to trigger a job on it we need to first log in to the server and then build the job. For this to happen from a remote server, we need to provide credentials to it. As we would like to trigger the job from adoptium weekly/automatically a new specific functional/bot user may need to be created and correspondingly set the crendtials/token. The related blog I found https://www.tothenew.com/blog/jenkins-parameterized-remote-trigger-plugin/

Simply update the job configuration with trigger builds remotely enabled won't work. I have tried "https://myuserid:mytoken@ci.eclipse.org/temurin-compliance/job/Sophia_test/buildWithParameters?token=RemoteTrigger", which will alway redirect me to eclipse jenkins log in page if i have not logged in. If running in command line with curl will always get 401 Unauthorized issue.

Parameterized Remote Trigger Plugin trigger the build on a remote Jenkins Server by calling the URL on the remote server, which is exactly same as running curl with URL. So will hit the same issue.

On the EF Temurin-Compliance Jenkins instance please create an API token for your user under "Accounts icon" -> Configure -> API Token -> Add New token.

Test with curl:

curl -u "<user>:<api-token>" https://ci.eclipse.org/temurin-compliance/job/Sophia_test/buildWithParameters?token=RemoteTrigger -X POST

On https://ci.adoptopenjdk.net/ please create a Jenkins credential to store the API token.

We will discuss internally if it's possible to create an API token for a bot user.

This issue is 2 years old. Is it still relevant to keep it open?

It is still relevant as we would like to shift away from using a personal token of sophia.gwf@gmail.com for launching the remote jobs.

See console output: https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-linux-s390x-temurin/101/console

08:05:32  Remote trigger: sanity.jck,extended.jck,special.jck
[Pipeline] parallel
[Pipeline] { (Branch: sanity.jck,extended.jck,special.jck)
[Pipeline] catchError
[Pipeline] {
[Pipeline] triggerRemoteJob
08:05:32  ################################################################################################################
08:05:32    Parameterized Remote Trigger Configuration:
08:05:32      - job:                     AQA_Test_Pipeline 
08:05:32      - remoteJenkinsName:       temurin-compliance
08:05:32      - parameters:              {SDK_RESOURCE=customized, CUSTOMIZED_SDK_URL=https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-linux-s390x-temurin/101//artifact/workspace/target/OpenJDK21U-jdk_s390x_linux_hotspot_21.0.5_9-ea.tar.gz, PLATFORMS=s390x_linux, cause=Remote triggered by job https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-linux-s390x-temurin/101/, APPLICATION_OPTIONS=customJtx=/home/jenkins/jck_run/jdk21/linux/temurin.jtx, NUM_MACHINES=1, LABEL_ADDITION=, PIPELINE_DISPLAY_NAME=jdk21 : jdk-21.0.5+9_adopt : s390x_linux : sanity.jck,extended.jck,special.jck, SETUP_JCK_RUN=false, TARGETS=sanity.jck,extended.jck,special.jck, JCK_GIT_REPO=git@github.com:temurin-compliance/JCK21-unzipped.git, JDK_VERSIONS=21, PARALLEL=None}
08:05:32      - blockBuildUntilComplete: false
08:05:32      - connectionRetryLimit:    5
08:05:32      - trustAllCertificates:    false
08:05:32  ################################################################################################################
08:05:35  Triggering parameterized remote job 'https://ci.eclipse.org/temurin-compliance/job/AQA_Test_Pipeline'
08:05:35    Using globally defined 'Token Authentication' as user 'sophia.gwf@gmail.com'
08:05:35  Triggering remote job now.
``

Thanks for the update. We don't have a process to set up a Jenkins bot user yet, so for now, the personal token is the only way.

If there is no process to set up a Jenkins bot user is it possible to set a functional ID with a token? If that is also not possible we are asking to use a personal token of someone in Eclipse Foundation, which is more reasonable, safer and more stable.

https://github.com/temurin-compliance/temurin-compliance/issues/621

@fgurr @mbarbero Is there some way we can find a way of getting a token that isn't tied to one of our users? It's always risky to have automation dependent on individuals' IDs so I feel we really need a different solution here.

As Sophia says, even if that is an EF infra team member's generated token with the required restricted access then that - from my perspective - would definitely be preferable as a solution instead of it being with a third part under the agreements for this project.

We have found a way to create a bot user (email: tc-trigger-bot@eclipse.org). I will share the authentication token with @saddisonxls securely.

added statewip label and removed statereview label

added statereview label and removed statewip label

Thanks Fred. All good. Close it.

removed statereview label

closed

marked this issue as related to #5729 (closed)

added wg:Adoptium label