Switch Jenkins image tracking to registry tag due to Samples Operator… … deprecation #1151
Conversation
ravanelli
changed the title
ravanelli
force-pushed
the
pr/fix_stg
branch
2 times, most recently
from
2ea2426 to
6af98f5
Compare
manifests/jenkins-s2i.yaml
Outdated
| spec: | ||
| lookupPolicy: | ||
| # this allows e.g. the pipeline to directly reference the imagestream | ||
| local: true | ||
| tags: | ||
| - name: latest | ||
| from: | ||
| kind: DockerImage | ||
| name: ${JENKINS_AGENT_PULL_SPEC} | ||
| forcePull: true |
There was a problem hiding this comment.
Hmm, this is defining the latest tag but in the jenkins-with-cert flow, the build there also outputs to latest. Let's change it to be e.g. upstream.
There was a problem hiding this comment.
To differ the with-cert flow I decided to add upstream for both images, in this way we keep it the same.
There was a problem hiding this comment.
The more I think about this the more I think it would actually simplify if we just used the same exact workflow in the case where we need the cert AND the case where we don't. We wouldn't need to play musical chairs with tags and things could be a lot more straightforward.
Maybe in the case where we don't need the cert we just create an empty secret? We'd need to figure out some way to either add in a dummy cert that doesn't do any harm when we run update-ca-trust OR we figure out how to just create an empty secret and somehow in the container build we detect that and do nothing.
There was a problem hiding this comment.
Of course, if you are tired of working on this (I know I would be) we can leave it the way it is (and I'll do a further review), but man, upstream sure is a weird tag to use here. The problem is the musical chairs makes it hard to choose tag names that are meaningful.
There was a problem hiding this comment.
To be honestly I added a dummy secret to run the tests, and it worked, I think update-ca-trust only cares about the file and not the content. As long we can live with a dummy secret, I think that's ok. Let's define what we want first, so I can change it after
… deprecation Starting with OpenShift 4.13, the Cluster Samples Operator has been downsized and no longer provides updates for non-S2I images like Jenkins. The `latest` tracked tag was pointing to an image that hadn't been updated in over two years. This commit updates the image reference to follow the specific registry tag directly (registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.17.0), ensuring we get the latest maintained version going forward. To archive this we need to create our own ImageStreams for both the Jenkins base image and the Jenkins agent image, replacing the deprecated Samples Operator content. Signed-off-by: Renata Ravanelli <rravanel@redhat.com>
- Update documentation to reflect changes - Add note about how to work with the Fedora Staging pipecfg. Signed-off-by: Renata Ravanelli <rravanel@redhat.com>
| @@ -255,12 +255,8 @@ parameters: | |||
| - description: The OpenShift Namespace where the Jenkins ImageStream resides. | |||
| displayName: Jenkins ImageStream Namespace | |||
| name: NAMESPACE | |||
| value: openshift | |||
| value: fedora-coreos-pipeline | |||
| # DELTA: add separate agent namespace parameter | |||
There was a problem hiding this comment.
Delete
| # DELTA: add separate agent namespace parameter |
| - description: The OpenShift Namespace where the Jenkins ImageStream resides. | ||
| displayName: Jenkins ImageStream Namespace | ||
| name: NAMESPACE | ||
| value: openshift | ||
| value: fedora-coreos-pipeline |
There was a problem hiding this comment.
Probably not needed anymore since we'll be operating in our own namespace?
There was a problem hiding this comment.
which means we can also delete namespace: ${NAMESPACE} above in this file.
| kind: ImageStream | ||
| metadata: | ||
| name: jenkins |
There was a problem hiding this comment.
Now we have two imagestreams named jenkins. The other one is on line 50 of jenkins-s2i.yaml. I think one of them has to go.
manifests/jenkins-s2i.yaml
Outdated
| spec: | ||
| lookupPolicy: | ||
| # this allows e.g. the pipeline to directly reference the imagestream | ||
| local: true | ||
| tags: | ||
| - name: latest | ||
| from: | ||
| kind: DockerImage | ||
| name: ${JENKINS_AGENT_PULL_SPEC} | ||
| forcePull: true |
There was a problem hiding this comment.
The more I think about this the more I think it would actually simplify if we just used the same exact workflow in the case where we need the cert AND the case where we don't. We wouldn't need to play musical chairs with tags and things could be a lot more straightforward.
Maybe in the case where we don't need the cert we just create an empty secret? We'd need to figure out some way to either add in a dummy cert that doesn't do any harm when we run update-ca-trust OR we figure out how to just create an empty secret and somehow in the container build we detect that and do nothing.
Added jenkins-stg-agent-base.yaml to work around limitations in the Staging environment. Also updated documentation to note the unreliability of the Staging registry and instructed users to use their own agent image.