[JEP-230] [JENKINS-55582] Convert instance-identity to a detached plugin

[jglick]

See JEP-230, especially as of jenkinsci/jep#389. Continues work done in #5304 and #6570.

Sanity testing: start Jenkins from scratch; accept default plugins; check that /instance-identity/ endpoint works; create an inbound TCP agent (need to first enable TCP port) and connect; run a Pipeline build on it. Disable instance-identity despite stern warnings and restart—the agent will not work, and there are also various errors from sshd and github plugins. Enable it again and restart—back to normal. Enable SSHD and use the CLI in -ssh mode and via ssh.

Proposed changelog entries

• The instance-identity module has been converted to a detached plugin.

Proposed upgrade guidelines

Normally the new plugin will be automatically installed. If you use an “as-code” installation mechanism like a text file with a list of plugins, you may need to add instance-identity (version 3.1 or later) in order to restore this functionality. In particular, inbound agents using TCP (but not WebSocket) transport require this plugin to be installed. There may be other cases, which can be identified by use of APIs in the jenkins.model.identity package rather than directly accessing org.jenkinsci.main.modules.instance_identity.

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least 2 approvals for the pull request and no outstanding requests for change
• Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
• Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
• Proper changelog labels are set so that the changelog can be generated automatically
• If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[jglick]

Once this is released, bom-weekly can get it.

[jglick]

Though if I understand correctly from jenkinsci/bom#671 jenkinsci/bom#570 (comment) jenkinsci/bom#681, it cannot be added until this PR is in the oldest supported line, so that will be a while. In the meantime the handful of plugins using this dep can specify 3.1.

[jglick]

jenkinsci/sshd-plugin#75

[jglick]

dep of current instance-identity

[daniel-beck]

jenkins/core/src/main/java/jenkins/security/ResourceDomainConfiguration.java

Lines 148 to 190 in f9912f5

	// Send a request to /instance-identity/ at the resource root URL and check whether it is this Jenkins
	try {
	URLConnection urlConnection = new URL(resourceRootUrlString + "instance-identity/").openConnection();
	if (urlConnection instanceof HttpURLConnection) {
	HttpURLConnection httpURLConnection = (HttpURLConnection) urlConnection;
	int responseCode = httpURLConnection.getResponseCode();
	if (responseCode == 200) {
	String identityHeader = urlConnection.getHeaderField("X-Instance-Identity");
	if (identityHeader == null) {
	return FormValidation.warning(Messages.ResourceDomainConfiguration_NotJenkins());
	}
	// URL points to a Jenkins instance
	RSAPublicKey publicKey = InstanceIdentityProvider.RSA.getPublicKey();
	if (publicKey != null) {
	String identity = Base64.getEncoder().encodeToString(publicKey.getEncoded());
	if (identity.equals(identityHeader)) {
	return FormValidation.ok(Messages.ResourceDomainConfiguration_ThisJenkins());
	}
	return FormValidation.warning(Messages.ResourceDomainConfiguration_OtherJenkins());
	} // the current instance has no public key
	return FormValidation.warning(Messages.ResourceDomainConfiguration_SomeJenkins());
	}
	// response is error
	String responseMessage = httpURLConnection.getResponseMessage();
	if (responseCode == 404) {
	String responseBody = String.join("", IOUtils.readLines(httpURLConnection.getErrorStream(), StandardCharsets.UTF_8));
	if (responseMessage.contains(ERROR_RESPONSE) || responseBody.contains(ERROR_RESPONSE)) {
	return FormValidation.ok(Messages.ResourceDomainConfiguration_ResourceResponse());
	}
	}
	return FormValidation.error(Messages.ResourceDomainConfiguration_FailedIdentityCheck(responseCode, responseMessage));
	}
	return FormValidation.error(Messages.ResourceDomainConfiguration_Invalid()); // unlikely to ever be hit
	} catch (MalformedURLException ex) {
	// Not expected to be hit
	LOGGER.log(Level.FINE, "MalformedURLException occurred during instance identity check for " + resourceRootUrlString, ex);
	return FormValidation.error(Messages.ResourceDomainConfiguration_Exception(ex.getMessage()));
	} catch (IOException ex) {
	LOGGER.log(Level.FINE, "IOException occurred during instance identity check for " + resourceRootUrlString, ex);
	return FormValidation.warning(Messages.ResourceDomainConfiguration_IOException(ex.getMessage()));
	}
	}

will need an alternative approach for detecting whether "there" is "here".

[jglick]

will need an alternative approach for detecting whether "there" is "here"

Not going to bother with that. If you avoid installing instance-identity (which is very unlikely in GUI mode) then you would just not get this bit of form validation.

[jglick]

Note: split point may need to be updated just before merge.

[jglick]

(have been trying to keep this up to date when merging in master, but whoever finally merges this PR should double-check)

[oleg-nenashev]

+1 for pushing it forward

[timja]

This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback.

Thanks!

[jglick]

Whoever is merging, please bear in mind #6585 (comment)

[timja]

Caused ATH failure: jenkinsci/acceptance-test-harness#796

[basil]

Likely cause of JENKINS-70206.

[daniel-beck]

Caused (sort of)/revealed JENKINS-75145.