Issue

I am using CasC for masters and requires HTTP Proxy configured to install plugins
I am using CasC for masters and using Plugin Catalog with specific URLs

CasC plugin installation fails with SNI:

WARNING c.c.j.c.i.o.j.n.c.DefaultChannelFuture: An exception was thrown by ChannelFutureListener.
java.net.ConnectException: HostnameVerifier exception

CasC plugin installation fails with a timeout when using a Proxy:

SEVERE	c.c.j.c.i.ExtensionInstaller#logErrors: Errors on catalog install: [Expanding configuration -> view-job-filters -> Getting plugin ->  Downloading ->  Unable to download plugin from [https://jenkins-updates.cloudbees.com/download/plugins/view-job-filters/2.3/view-job-filters.hpi]. Connection timed out: jenkins-updates.cloudbees.com/1.2.3.4:443 to https://jenkins-updates.cloudbees.com/download/plugins/view-job-filters/2.3/view-job-filters.hpi]
SEVERE	c.c.j.c.i.ExtensionInstaller#logErrors: Errors on catalog install: [Expanding configuration -> view-job-filters -> Getting plugin ->  Downloading ->  Unable to download plugin from [https://jenkins-updates.cloudbees.com/download/plugins/view-job-filters/2.3/view-job-filters.hpi]. No response received after 60000]

CasC plugin installation fails because of redirections:

Errors on catalog install: [Expanding configuration -> view-job-filters -> Getting plugin -> Downloading -> Response from server was not 200 Successful: 302. ]

Environment

CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master < 2.263.2.2
CloudBees CI (CloudBees Core) on traditional platforms - Client Master < 2.263.2.2
CloudBees Jenkins Platform - Client Master < 2.263.2.2
Configuration as Code (CasC) for Masters

Related Issue(s)

FNDJEN-2186: Upgrade AsyncHttpClient Library (to support SNI)
FNDJEN-3066: Allow redirects for plugin downloading in Installation Manager
FNDJEN-3070: Plugins from an https server with SNI certificates cannot be downloaded in Plugin Catalog through Installation Manager
FNDJEN-3187: Proxy reconfiguration for casc installation (fixed in 2.249.3.1)

Explanation

Configuration as Code (CasC) for Masters allows to optionally define:

a list of plugins that should be installed for a master via plugins.yaml
a catalog of plugins available to the master for installation via plugin-catalog.yaml

Those features however are impacted by known issues:

using the Jenkins HTTP Proxy is not reliable, at least until version 2.249.3.1
the current HTTP client implementation does not support SNI
the current HTTP client implementation does not support redirections

The 2 latter examples make it impossible for example to download plugin versions from https://updates.jenkins.io.

Resolution

The fix for FNDJEN-3070 fixes all issues (redirection / SNI / Proxy) and is available since CloudBees CI 2.263.2.2.

The solution is to upgrade to 2.263.2.2 or later.

Workaround

HTTP Proxy

If an HTTP Proxy configuration is required, upgrade to version 2.249.3.3 or later.

Also make sure that the Jenkins HTTP Proxy configuration is added to the jenkins.yaml. For example:

jenkins:
  proxy:
    name: "proxy.example.com"
    noProxyHost: |-
      *.svc.cluster.local
      no.proxy.example1.com
      no.proxy.example2.com
    port: 8080

Redirection

As a workaround, if using an Update Site or Plugin Catalog URLs that cause redirections, use the final URL.

SNI

As a workaround, if using an Update Site or Plugin Catalog URLs that require SNI, use http instead of https.

Other considerations

Plugin Catalog limitations in CasC

Considerations for Plugin Installs when using CasC for masters