Switch Jenkins image tracking to registry tag due to Samples Operator deprecation

Starting with OpenShift 4.13, the Cluster Samples Operator has been
downsized and no longer provides updates for non-S2I images like
Jenkins. The `latest` tracked tag was pointing to an image that hadn't been
updated in over two years. This commit updates the image reference to
follow the specific registry tag directly
(registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.17.0), ensuring we get
the latest maintained version going forward.

To archive this we need to create our own ImageStreams for both the
Jenkins base image and the Jenkins agent image, replacing the deprecated
Samples Operator content.

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

Author: ravanelli

deploy

@@ -47,7 +47,7 @@ def get_username():
 
 
 def process_template(args):
-    templates = ['pipeline.yaml', 'jenkins-s2i.yaml']
+    templates = ['pipeline.yaml', 'jenkins-images.yaml', 'jenkins-s2i.yaml']
 
     params = {}
     if args.pipeline:
@@ -57,8 +57,6 @@ def process_template(args):
         params.update(params_from_git_refspec(args.pipecfg, 'PIPECFG'))
     if has_additional_root_ca(args):
         templates += ['jenkins-with-cert.yaml']
-        params['JENKINS_S2I_SRC_IMAGESTREAM_NAME'] = "jenkins:latest"
-        params['JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE'] = get_current_namespace(args)
 
     print("Parameters:")
     for k, v in params.items():

manifests/jenkins-images.yaml

@@ -0,0 +1,34 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: jenkins-images-template
+objects:
+  - apiVersion: image.openshift.io/v1
+    kind: ImageStream
+    metadata:
+      name: jenkins-agent-base
+    spec:
+      tags:
+        - name: upstream
+          from:
+            kind: DockerImage
+            name: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.17.0
+          importPolicy:
+            scheduled: true
+          referencePolicy:
+            type: Local
+
+  - apiVersion: image.openshift.io/v1
+    kind: ImageStream
+    metadata:
+      name: jenkins
+    spec:
+      tags:
+        - name: upstream
+          from:
+            kind: DockerImage
+            name: registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.17.0
+          importPolicy:
+            scheduled: true
+          referencePolicy:
+            type: Local

manifests/jenkins-s2i.yaml

@@ -12,36 +12,17 @@ parameters:
   - description: Git branch/tag reference for Jenkins S2I
     name: JENKINS_S2I_REF
     value: main
-  - description: Source imagestream
-    name: JENKINS_S2I_SRC_IMAGESTREAM_NAME
-    value: jenkins:scheduled-upgrade-redeploy
-  - description: Namespace of source imagestream
-    name: JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE
-    value: openshift
 
-# Here's what the flow looks like when no cert is required:
 #
-# ┌──────────────────────────────────────────────┐   ┌─────────────┐   ┌─────────────┐
-# │ imagestream                                  │   │ buildconfig │   │ imagestream │
-# │ openshift/jenkins:scheduled-upgrade-redeploy ├──►│ jenkins-s2i ├──►│ jenkins:2   │
-# └──────────────────────────────────────────────┘   └─────────────┘   └─────────────┘
+# ┌──────────────────┐   ┌───────────────────┐   ┌──────────────────┐   ┌─────────────┐   ┌────────────────┐
+# │ imagestream      │   │ buildconfig       │   │ imagestream      │   │ buildconfig │   │ imagestream    │
+# │ jenkins:upstream ├──►│ jenkins-with-cert ├──►│ jenkins:withcert ├──►│ jenkins-s2i ├──►│ jenkins:latest │
+# └──────────────────┘   └───────────────────┘   └──────────────────┘   └─────────────┘   └────────────────┘
 #
-# ┌────────────────────────────────────────────────┐
-# │ imagestream                                    │
-# │ openshift/jenkins-agent-base:scheduled-upgrade │
-# └────────────────────────────────────────────────┘
-#
-# And with cert required (see `jenkins-with-cert.yaml`):
-#
-# ┌──────────────────────────────────────────────┐   ┌───────────────────┐   ┌────────────────┐   ┌─────────────┐   ┌─────────────┐
-# │ imagestream                                  │   │ buildconfig       │   │ imagestream    │   │ buildconfig │   │ imagestream │
-# │ openshift/jenkins:scheduled-upgrade-redeploy ├──►│ jenkins-with-cert ├──►│ jenkins:latest ├──►│ jenkins-s2i ├──►│ jenkins:2   │
-# └──────────────────────────────────────────────┘   └───────────────────┘   └────────────────┘   └─────────────┘   └─────────────┘
-#
-# ┌────────────────────────────────────────────────┐   ┌──────────────────────────────┐   ┌───────────────────────────┐
-# │ imagestream                                    │   │ buildconfig                  │   │ imagestream               │
-# │ openshift/jenkins-agent-base:scheduled-upgrade ├──►│ jenkins-agent-base-with-cert ├──►│ jenkins-agent-base:latest │
-# └────────────────────────────────────────────────┘   └──────────────────────────────┘   └───────────────────────────┘
+# ┌─────────────────────────────┐   ┌──────────────────────────────┐   ┌───────────────────────────┐
+# │ imagestream                 │   │ buildconfig                  │   │ imagestream               │
+# │ jenkins-agent-base:upstream ├──►│ jenkins-agent-base-with-cert ├──►│ jenkins-agent-base:latest │
+# └─────────────────────────────┘   └──────────────────────────────┘   └───────────────────────────┘
 
 objects:
 
@@ -70,22 +51,14 @@ objects:
         sourceStrategy:
           from:
             kind: ImageStreamTag
-            name: ${JENKINS_S2I_SRC_IMAGESTREAM_NAME}
-            namespace: ${JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE}
+            name: jenkins:withcert
           env:
             - name: JENKINS_UC_DOWNLOAD
               value: 'https://archives.jenkins.io'
           forcePull: true
       output:
         to:
           kind: ImageStreamTag
-          name: jenkins:2
+          name: jenkins:latest
       successfulBuildsHistoryLimit: 2
       failedBuildsHistoryLimit: 2
-
-  ### JENKINS AGENT ###
-
-  - apiVersion: v1
-    kind: ImageStream
-    metadata:
-      name: jenkins-agent-base

manifests/jenkins-with-cert.yaml

@@ -20,7 +20,11 @@ objects:
           FROM overridden
           COPY cert/data /etc/pki/ca-trust/source/anchors/root-ca.crt
           USER root
-          RUN update-ca-trust
+          RUN if grep 'dummy' /etc/pki/ca-trust/source/anchors/root-ca.crt; then \
+                  rm /etc/pki/ca-trust/source/anchors/root-ca.crt; \
+              else \
+                  update-ca-trust; \
+              fi
           # restore previous user ID
           # https://github.com/openshift/jenkins/blob/7bae76f4412d28c18ed2b33aaf73306734b7f6d5/2/Dockerfile.rhel8#L107
           USER 1001
@@ -32,13 +36,12 @@ objects:
         dockerStrategy:
           from:
             kind: ImageStreamTag
-            name: jenkins:scheduled-upgrade-redeploy
-            namespace: openshift
+            name: jenkins:upstream
           forcePull: true
       output:
         to:
           kind: ImageStreamTag
-          name: jenkins:latest
+          name: jenkins:withcert
       successfulBuildsHistoryLimit: 2
       failedBuildsHistoryLimit: 2
       triggers:
@@ -54,7 +57,11 @@ objects:
         dockerfile: |
           FROM overridden
           COPY cert/data /etc/pki/ca-trust/source/anchors/root-ca.crt
-          RUN update-ca-trust
+          RUN if grep 'dummy' /etc/pki/ca-trust/source/anchors/root-ca.crt; then \
+                  rm /etc/pki/ca-trust/source/anchors/root-ca.crt; \
+              else \
+                  update-ca-trust; \
+              fi
         secrets:
           - destinationDir: cert
             secret:
@@ -63,8 +70,7 @@ objects:
         dockerStrategy:
           from:
             kind: ImageStreamTag
-            name: jenkins-agent-base:scheduled-upgrade
-            namespace: openshift
+            name: jenkins-agent-base:upstream
           forcePull: true
       output:
         to:

manifests/jenkins.yaml

@@ -100,7 +100,7 @@ objects:
               -Dfile.encoding=UTF-8
               -Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=900
               -Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true
-              -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultImage=image-registry.openshift-image-registry.svc:5000/${AGENT_NAMESPACE}/jenkins-agent-base:latest
+              -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultImage=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/jenkins-agent-base:latest
               -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultCpuRequest=1
               -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultMemoryRequest=512Mi
               -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultCpuLimit=1
@@ -172,8 +172,7 @@ objects:
         - jenkins
         from:
           kind: ImageStreamTag
-          name: ${JENKINS_IMAGE_STREAM_TAG}
-          namespace: ${NAMESPACE}
+          name: jenkins:latest
         lastTriggeredImage: ""
       type: ImageChange
     - type: ConfigChange
@@ -255,22 +254,13 @@ parameters:
 - description: The OpenShift Namespace where the Jenkins ImageStream resides.
   displayName: Jenkins ImageStream Namespace
   name: NAMESPACE
-  value: openshift
-# DELTA: add separate agent namespace parameter
-- description: The OpenShift Namespace where the Jenkins Agent ImageStream resides.
-  displayName: Jenkins Agent ImageStream Namespace
-  name: AGENT_NAMESPACE
-  value: openshift
+  value: fedora-coreos-pipeline
 - description: Whether to perform memory intensive, possibly slow, synchronization
     with the Jenkins Update Center on start.  If true, the Jenkins core update monitor
     and site warnings monitor are disabled.
   displayName: Disable memory intensive administrative monitors
   name: DISABLE_ADMINISTRATIVE_MONITORS
   value: "false"
-- description: Name of the ImageStreamTag to be used for the Jenkins image.
-  displayName: Jenkins ImageStreamTag
-  name: JENKINS_IMAGE_STREAM_TAG
-  value: jenkins:2
 - description: When a fatal error occurs, an error log is created with information
     and the state obtained at the time of the fatal error.
   displayName: Fatal Error Log File