From 40b7004078586e301731f332bcd4c24ce908f5d8 Mon Sep 17 00:00:00 2001 From: Renata Ravanelli Date: Tue, 20 May 2025 14:14:59 -0300 Subject: [PATCH 1/2] Switch Jenkins image tracking to registry tag due to Samples Operator deprecation Starting with OpenShift 4.13, the Cluster Samples Operator has been downsized and no longer provides updates for non-S2I images like Jenkins. The `latest` tracked tag was pointing to an image that hadn't been updated in over two years. This commit updates the image reference to follow the specific registry tag directly (registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.17.0), ensuring we get the latest maintained version going forward. To archive this we need to create our own ImageStreams for both the Jenkins base image and the Jenkins agent image, replacing the deprecated Samples Operator content. Signed-off-by: Renata Ravanelli --- deploy | 5 ++-- manifests/jenkins-images.yaml | 34 ++++++++++++++++++++++++++++ manifests/jenkins-s2i.yaml | 39 ++++++++++++-------------------- manifests/jenkins-with-cert.yaml | 10 ++++---- manifests/jenkins.yaml | 12 ++++------ 5 files changed, 58 insertions(+), 42 deletions(-) create mode 100644 manifests/jenkins-images.yaml diff --git a/deploy b/deploy index cc05d0bb9..70f128a61 100755 --- a/deploy +++ b/deploy @@ -47,7 +47,7 @@ def get_username(): def process_template(args): - templates = ['pipeline.yaml', 'jenkins-s2i.yaml'] + templates = ['pipeline.yaml', 'jenkins-images.yaml', 'jenkins-s2i.yaml'] params = {} if args.pipeline: @@ -57,8 +57,7 @@ def process_template(args): params.update(params_from_git_refspec(args.pipecfg, 'PIPECFG')) if has_additional_root_ca(args): templates += ['jenkins-with-cert.yaml'] - params['JENKINS_S2I_SRC_IMAGESTREAM_NAME'] = "jenkins:latest" - params['JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE'] = get_current_namespace(args) + params['JENKINS_IMAGE_STREAM_TAG'] = "upstream" print("Parameters:") for k, v in params.items(): 
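Review bot: The literal `"upstream"` assigned to `params['JENKINS_IMAGE_STREAM_TAG']` in the additional-root-CA branch of `process_template` names the tag that the `jenkins-with-cert` build writes (see the `output` changes in `manifests/jenkins-with-cert.yaml`). It therefore holds the vendor image plus an extra trusted root CA, not the unmodified vendor image that `latest` now tracks. Someone auditing which image carries the modified trust store is likely to read the name the other way round. A comment on the assignment would settle it, e.g. `# "upstream" = output of the jenkins-with-cert build (vendor image + extra root CA); "latest" = unmodified registry import`. The body of `process_template` continues outside the hunk.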
diff --git a/manifests/jenkins-images.yaml b/manifests/jenkins-images.yaml
new file mode 100644
index 000000000..fa41389c6
--- /dev/null
+++ b/manifests/jenkins-images.yaml
@@ -0,0 +1,34 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: jenkins-images-template
+objects:
+ - apiVersion: image.openshift.io/v1
+ kind: ImageStream
+ metadata:
+ name: jenkins-agent-base
+ spec:
+ tags:
+ - name: latest
+ from:
+ kind: DockerImage
+ name: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.17.0
+ importPolicy:
+ scheduled: true
+ referencePolicy:
+ type: Local
+
+ - apiVersion: image.openshift.io/v1
+ kind: ImageStream
+ metadata:
+ name: jenkins
+ spec:
+ tags:
+ - name: latest
+ from:
+ kind: DockerImage
+ name: registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.17.0
+ importPolicy:
+ scheduled: true
+ referencePolicy:
+ type: Local
diff --git a/manifests/jenkins-s2i.yaml b/manifests/jenkins-s2i.yaml
index b3f7062fc..03ddf15f4 100644
--- a/manifests/jenkins-s2i.yaml
+++ b/manifests/jenkins-s2i.yaml
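Review bot: Both `from.name` entries in the new `jenkins-images.yaml` hard-code `v4.17.0`, and nothing in the file says who moves it forward, so the streams will go stale again once that tag stops being rebuilt — the same failure the commit message describes for the old `latest`. With `importPolicy.scheduled: true` the streams also follow whatever the tag points to at import time, with no digest recorded in the manifest; that is the intent here, but it is worth stating so the trade-off is deliberate. I would add a comment above each `from`, e.g. `# floating tag, re-imported on schedule; bump when the 4.17 stream is retired`, or lift the version into a template parameter. Since `registry.redhat.io` requires authentication, a note that the namespace needs a pull secret for the import to succeed would help too.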
@@ -12,36 +12,33 @@ parameters: - description: Git branch/tag reference for Jenkins S2I name: JENKINS_S2I_REF value: main - - description: Source imagestream - name: JENKINS_S2I_SRC_IMAGESTREAM_NAME - value: jenkins:scheduled-upgrade-redeploy - - description: Namespace of source imagestream - name: JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE - value: openshift + - description: Name of the ImageStreamTag to be used for the Jenkins image. + name: JENKINS_IMAGE_STREAM_TAG + value: latest # Here's what the flow looks like when no cert is required: # # ┌──────────────────────────────────────────────┐ ┌─────────────┐ ┌─────────────┐ # │ imagestream │ │ buildconfig │ │ imagestream │ -# │ openshift/jenkins:scheduled-upgrade-redeploy ├──►│ jenkins-s2i ├──►│ jenkins:2 │ +# │ jenkins:latest ├──►│ jenkins-s2i ├──►│ jenkins:2 │ # └──────────────────────────────────────────────┘ └─────────────┘ └─────────────┘ # # ┌────────────────────────────────────────────────┐ # │ imagestream │ -# │ openshift/jenkins-agent-base:scheduled-upgrade │ +# │ jenkins-agent-base:latest │ # └────────────────────────────────────────────────┘ # # And with cert required (see `jenkins-with-cert.yaml`): # -# ┌──────────────────────────────────────────────┐ ┌───────────────────┐ ┌────────────────┐ ┌─────────────┐ ┌─────────────┐ -# │ imagestream │ │ buildconfig │ │ imagestream │ │ buildconfig │ │ imagestream │ -# │ openshift/jenkins:scheduled-upgrade-redeploy ├──►│ jenkins-with-cert ├──►│ jenkins:latest ├──►│ jenkins-s2i ├──►│ jenkins:2 │ -# └──────────────────────────────────────────────┘ └───────────────────┘ └────────────────┘ └─────────────┘ └─────────────┘ +# ┌──────────────────────────────────────────────┐ ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ ┌─────────────┐ +# │ imagestream │ │ buildconfig │ │ imagestream │ │ buildconfig │ │ imagestream │ +# │ jenkins:latest ├──►│ jenkins-with-cert ├──►│ jenkins:upstream ├──►│ jenkins-s2i ├──►│ jenkins:2 │ +# 
└──────────────────────────────────────────────┘ └───────────────────┘ └──────────────────┘ └─────────────┘ └─────────────┘ # -# ┌────────────────────────────────────────────────┐ ┌──────────────────────────────┐ ┌───────────────────────────┐ -# │ imagestream │ │ buildconfig │ │ imagestream │ -# │ openshift/jenkins-agent-base:scheduled-upgrade ├──►│ jenkins-agent-base-with-cert ├──►│ jenkins-agent-base:latest │ -# └────────────────────────────────────────────────┘ └──────────────────────────────┘ └───────────────────────────┘ +# ┌────────────────────────────────────────────────┐ ┌──────────────────────────────┐ ┌─────────────────────────────┐ +# │ imagestream │ │ buildconfig │ │ imagestream │ +# │ jenkins-agent-base:scheduled-upgrade ├──►│ jenkins-agent-base-with-cert ├──►│ jenkins-agent-base:upstream │ +# └────────────────────────────────────────────────┘ └──────────────────────────────┘ └─────────────────────────────┘ objects: @@ -70,8 +67,7 @@ objects: sourceStrategy: from: kind: ImageStreamTag - name: ${JENKINS_S2I_SRC_IMAGESTREAM_NAME} - namespace: ${JENKINS_S2I_SRC_IMAGESTREAM_NAMESPACE} + name: jenkins:${JENKINS_IMAGE_STREAM_TAG} env: - name: JENKINS_UC_DOWNLOAD value: 'https://archives.jenkins.io' @@ -82,10 +78,3 @@ objects: name: jenkins:2 successfulBuildsHistoryLimit: 2 failedBuildsHistoryLimit: 2 - - ### JENKINS AGENT ### - - - apiVersion: v1 - kind: ImageStream - metadata: - name: jenkins-agent-base diff --git a/manifests/jenkins-with-cert.yaml b/manifests/jenkins-with-cert.yaml index ba464d770..53867a79e 100644 --- a/manifests/jenkins-with-cert.yaml +++ b/manifests/jenkins-with-cert.yaml @@ -32,13 +32,12 @@ objects: dockerStrategy: from: kind: ImageStreamTag - name: jenkins:scheduled-upgrade-redeploy - namespace: openshift + name: jenkins:latest forcePull: true output: to: kind: ImageStreamTag - name: jenkins:latest + name: jenkins:upstream successfulBuildsHistoryLimit: 2 failedBuildsHistoryLimit: 2 triggers: 
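Review bot: In the with-cert diagram of the comment block, the agent row still shows `jenkins-agent-base:scheduled-upgrade` as the source, while the updated `jenkins-agent-base-with-cert` build in `manifests/jenkins-with-cert.yaml` now reads `jenkins-agent-base:latest`. The row should read `jenkins-agent-base:latest` to match the no-cert diagram above it and the controller row. The description of the new `JENKINS_IMAGE_STREAM_TAG` parameter could also say that only the tag part is expected (`latest` or `upstream`), since the stream name `jenkins:` is now fixed in the BuildConfig.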
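Review bot: `name: jenkins:${JENKINS_IMAGE_STREAM_TAG}` under `sourceStrategy.from` is substituted when the template is processed, so the source image is fixed in the stored BuildConfig. The HACKING.md change in patch 2/2 suggests `oc start-build jenkins-s2i --follow -e JENKINS_IMAGE_STREAM_TAG=upstream`, but `-e` only sets an environment variable inside the build container and does not change `from`. If the BuildConfig was created without the parameter set to `upstream`, that command would still build on `jenkins:latest`, i.e. without the additional root CA. A short comment here, such as `# resolved at template processing time; not overridable at start-build`, would prevent that misreading.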
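Review bot: The `dockerStrategy.from` of the `jenkins-with-cert` build moves to the local `jenkins:latest` stream, but the `triggers:` block that follows is outside the hunk. It is therefore not visible whether it rebuilds when the scheduled import updates that tag, or whether it still refers to the `openshift` namespace. If it does not fire, `jenkins:upstream` keeps the old base and the controller misses the updates this change is meant to deliver. Worth confirming the trigger is an `ImageChange` on the strategy's `from`; the same applies to the `jenkins-agent-base-with-cert` hunk that follows.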
@@ -63,13 +62,12 @@ objects: dockerStrategy: from: kind: ImageStreamTag - name: jenkins-agent-base:scheduled-upgrade - namespace: openshift + name: jenkins-agent-base:latest forcePull: true output: to: kind: ImageStreamTag - name: jenkins-agent-base:latest + name: jenkins-agent-base:upstream successfulBuildsHistoryLimit: 2 failedBuildsHistoryLimit: 2 triggers: diff --git a/manifests/jenkins.yaml b/manifests/jenkins.yaml index 65d9a8fcf..610ed56c9 100644 --- a/manifests/jenkins.yaml +++ b/manifests/jenkins.yaml @@ -100,7 +100,7 @@ objects: -Dfile.encoding=UTF-8 -Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=900 -Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true - -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultImage=image-registry.openshift-image-registry.svc:5000/${AGENT_NAMESPACE}/jenkins-agent-base:latest + -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultImage=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/jenkins-agent-base:${JENKINS_IMAGE_STREAM_TAG} -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultCpuRequest=1 -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultMemoryRequest=512Mi -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.PodTemplateStepExecution.defaultContainer.defaultCpuLimit=1 @@ -172,7 +172,7 @@ objects: - jenkins from: kind: ImageStreamTag - name: ${JENKINS_IMAGE_STREAM_TAG} + name: jenkins:2 namespace: ${NAMESPACE} lastTriggeredImage: "" type: ImageChange 
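Review bot: The agent `defaultImage` now ends in `jenkins-agent-base:${JENKINS_IMAGE_STREAM_TAG}`, and the parameter's default becomes `upstream` in the last hunk of this file, but `jenkins-agent-base:upstream` is only produced by the `jenkins-agent-base-with-cert` build. In a deployment without an additional root CA only `jenkins-agent-base:latest` exists (from `jenkins-images.yaml`), so unless the caller passes `JENKINS_IMAGE_STREAM_TAG=latest` the agent pods would presumably fail to pull their image. Defaulting to `latest` and letting the CA flow override it would be the safer default. The parameter description (`Name of the ImageStreamTag to be used for the Jenkins image.`) should also be updated, since after the `jenkins:2` change in the trigger hunk it only selects the agent tag.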
@@ -255,12 +255,8 @@ parameters: - description: The OpenShift Namespace where the Jenkins ImageStream resides. displayName: Jenkins ImageStream Namespace name: NAMESPACE - value: openshift + value: fedora-coreos-pipeline # DELTA: add separate agent namespace parameter -- description: The OpenShift Namespace where the Jenkins Agent ImageStream resides. - displayName: Jenkins Agent ImageStream Namespace - name: AGENT_NAMESPACE - value: openshift - description: Whether to perform memory intensive, possibly slow, synchronization with the Jenkins Update Center on start. If true, the Jenkins core update monitor and site warnings monitor are disabled. @@ -270,7 +266,7 @@ parameters: - description: Name of the ImageStreamTag to be used for the Jenkins image. displayName: Jenkins ImageStreamTag name: JENKINS_IMAGE_STREAM_TAG - value: jenkins:2 + value: upstream - description: When a fatal error occurs, an error log is created with information and the state obtained at the time of the fatal error. displayName: Fatal Error Log File From 6cb26c30681c4e86d233a4dad73fdf9fb634bf8c Mon Sep 17 00:00:00 2001 From: Renata Ravanelli Date: Tue, 20 May 2025 15:49:09 -0300 Subject: [PATCH 2/2] HACKING: Update documentation to reflect changes - Update documentation to reflect changes - Add note about how to work with the Fedora Staging pipecfg. Signed-off-by: Renata Ravanelli --- HACKING.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/HACKING.md b/HACKING.md index 6022780a9..3eece9576 100644 --- a/HACKING.md +++ b/HACKING.md @@ -532,12 +532,6 @@ using a development cluster, it normally isn't, and you can drop it. For the Fedora prod cluster, use `ocs-storagecluster-ceph-rbd` as shown above. -If using an additional root CA certificate, then you will also need to -specify the `AGENT_NAMESPACE` parameter to yours, e.g.: - -``` - --param=AGENT_NAMESPACE=fedora-coreos-pipeline \ -``` Now, create the Jenkins configmap: 
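Review bot: The `NAMESPACE` default changes from `openshift` to the literal `fedora-coreos-pipeline`, and the same parameter now also selects the namespace of the agent image in `defaultImage`. Anyone instantiating the template in a differently named project without overriding it would point the image trigger and the agent pods at another project's image streams, which on a shared cluster means running images that project controls (or failing to pull). Making the parameter `required: true` with no default would be safer than a site-specific default. The `# DELTA: add separate agent namespace parameter` comment is left behind after `AGENT_NAMESPACE` is removed and should go with it.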
@@ -586,6 +580,10 @@ This will create: 3. the Jenkins agent BuildConfig (if a root CA cert was provided), 4. the jenkins-config configmap. +Note: If you are working with the Fedora staging pipeline, specify the +`staging` branch for the pipecfg: `--pipecfg +https://github.com/coreos/fedora-coreos-pipeline@staging`. + If a root CA cert was provided, we need to build the base images that will bake in the cert in the controller and agent: @@ -600,6 +598,12 @@ We can now start an S2I build of the Jenkins controller: oc start-build --follow jenkins-s2i ``` +If you added the root CA: +``` +oc start-build jenkins-s2i --follow -e JENKINS_IMAGE_STREAM_TAG=upstream +``` + + Once the Jenkins controller image is built, Jenkins should start up (verify with `oc get pods`). Once the pod is marked READY, you should be able to login to the Jenkins UI at https://jenkins-$NAMESPACE.$CLUSTER_URL/