Chapter 4. Important changes to OpenShift Jenkins images
OpenShift Container Platform 4.11 moves the OpenShift Jenkins and OpenShift Agent Base images to the ocp-tools-4
repository at registry.redhat.io
. It also removes the OpenShift Jenkins Maven and NodeJS Agent images from its payload:
-
OpenShift Container Platform 4.11 moves the OpenShift Jenkins and OpenShift Agent Base images to the
ocp-tools-4
repository atregistry.redhat.io
so that Red Hat can produce and update the images outside the OpenShift Container Platform lifecycle. Previously, these images were in the OpenShift Container Platform install payload and theopenshift4
repository atregistry.redhat.io
. -
OpenShift Container Platform 4.10 deprecated the OpenShift Jenkins Maven and NodeJS Agent images. OpenShift Container Platform 4.11 removes these images from its payload. Red Hat no longer produces these images, and they are not available from the
ocp-tools-4
repository atregistry.redhat.io
. Red Hat maintains the 4.10 and earlier versions of these images for any significant bug fixes or security CVEs, following the OpenShift Container Platform lifecycle policy.
These changes support the OpenShift Container Platform 4.10 recommendation to use multiple container Pod Templates with the Jenkins Kubernetes Plugin.
4.1. Relocation of OpenShift Jenkins images
OpenShift Container Platform 4.11 makes significant changes to the location and availability of specific OpenShift Jenkins images. Additionally, you can configure when and how to update these images.
What stays the same with the OpenShift Jenkins images?
-
The Cluster Samples Operator manages the
ImageStream
andTemplate
objects for operating the OpenShift Jenkins images. -
By default, the Jenkins
DeploymentConfig
object from the Jenkins pod template triggers a redeployment when the Jenkins image changes. By default, this image is referenced by thejenkins:2
image stream tag of Jenkins image stream in theopenshift
namespace in theImageStream
YAML file in the Samples Operator payload. -
If you upgrade from OpenShift Container Platform 4.10 and earlier to 4.11, the deprecated
maven
andnodejs
pod templates are still in the default image configuration. -
If you upgrade from OpenShift Container Platform 4.10 and earlier to 4.11, the
jenkins-agent-maven
andjenkins-agent-nodejs
image streams still exist in your cluster. To maintain these image streams, see the following section, "What happens with thejenkins-agent-maven
andjenkins-agent-nodejs
image streams in theopenshift
namespace?"
What changes in the support matrix of the OpenShift Jenkins image?
Each new image in the ocp-tools-4
repository in the registry.redhat.io
registry supports multiple versions of OpenShift Container Platform. When Red Hat updates one of these new images, it is simultaneously available for all versions. This availability is ideal when Red Hat updates an image in response to a security advisory. Initially, this change applies to OpenShift Container Platform 4.11 and later. It is planned that this change will eventually apply to OpenShift Container Platform 4.9 and later.
Previously, each Jenkins image supported only one version of OpenShift Container Platform and Red Hat might update those images sequentially over time.
What additions are there with the OpenShift Jenkins and Jenkins Agent Base ImageStream and ImageStreamTag objects?
By moving from an in-payload image stream to an image stream that references non-payload images, OpenShift Container Platform can define additional image stream tags. Red Hat has created a series of new image stream tags to go along with the existing "value": "jenkins:2"
and "value": "image-registry.openshift-image-registry.svc:5000/openshift/jenkins-agent-base-rhel8:latest"
image stream tags present in OpenShift Container Platform 4.10 and earlier. These new image stream tags address some requests to improve how the Jenkins-related image streams are maintained.
About the new image stream tags:
ocp-upgrade-redeploy
-
To update your Jenkins image when you upgrade OpenShift Container Platform, use this image stream tag in your Jenkins deployment configuration. This image stream tag corresponds to the existing
2
image stream tag of thejenkins
image stream and thelatest
image stream tag of thejenkins-agent-base-rhel8
image stream. It employs an image tag specific to only one SHA or image digest. When theocp-tools-4
image changes, such as for Jenkins security advisories, Red Hat Engineering updates the Cluster Samples Operator payload. user-maintained-upgrade-redeploy
-
To manually redeploy Jenkins after you upgrade OpenShift Container Platform, use this image stream tag in your Jenkins deployment configuration. This image stream tag uses the least specific image version indicator available. When you redeploy Jenkins, run the following command:
$ oc import-image jenkins:user-maintained-upgrade-redeploy -n openshift
. When you issue this command, the OpenShift Container PlatformImageStream
controller accesses theregistry.redhat.io
image registry and stores any updated images in the OpenShift image registry’s slot for that JenkinsImageStreamTag
object. Otherwise, if you do not run this command, your Jenkins deployment configuration does not trigger a redeployment. scheduled-upgrade-redeploy
- To automatically redeploy the latest version of the Jenkins image when it is released, use this image stream tag in your Jenkins deployment configuration. This image stream tag uses the periodic importing of image stream tags feature of the OpenShift Container Platform image stream controller, which checks for changes in the backing image. If the image changes, for example, due to a recent Jenkins security advisory, OpenShift Container Platform triggers a redeployment of your Jenkins deployment configuration. See "Configuring periodic importing of image stream tags" in the following "Additional resources."
What happens with the jenkins-agent-maven
and jenkins-agent-nodejs
image streams in the openshift
namespace?
The OpenShift Jenkins Maven and NodeJS Agent images for OpenShift Container Platform were deprecated in 4.10, and are removed from the OpenShift Container Platform install payload in 4.11. They do not have alternatives defined in the ocp-tools-4
repository. However, you can work around this by using the sidecar pattern described in the "Jenkins agent" topic mentioned in the following "Additional resources" section.
However, the Cluster Samples Operator does not delete the jenkins-agent-maven
and jenkins-agent-nodejs
image streams created by prior releases, which point to the tags of the respective OpenShift Container Platform payload images on registry.redhat.io
. Therefore, you can pull updates to these images by running the following commands:
$ oc import-image jenkins-agent-nodejs -n openshift
$ oc import-image jenkins-agent-maven -n openshift
4.2. Customizing the Jenkins image stream tag
To override the default upgrade behavior and control how the Jenkins image is upgraded, you set the image stream tag value that your Jenkins deployment configurations use.
The default upgrade behavior is the behavior that existed when the Jenkins image was part of the install payload. The image stream tag names, 2
and ocp-upgrade-redeploy
, in the jenkins-rhel.json
image stream file use SHA-specific image references. Therefore, when those tags are updated with a new SHA, the OpenShift Container Platform image change controller automatically redeploys the Jenkins deployment configuration from the associated templates, such as jenkins-ephemeral.json
or jenkins-persistent.json
.
For new deployments, to override that default value, you change the value of the JENKINS_IMAGE_STREAM_TAG
in the jenkins-ephemeral.json
Jenkins template. For example, replace the 2
in "value": "jenkins:2"
with one of the following image stream tags:
-
ocp-upgrade-redeploy
, the default value, updates your Jenkins image when you upgrade OpenShift Container Platform. -
user-maintained-upgrade-redeploy
requires you to manually redeploy Jenkins by running$ oc import-image jenkins:user-maintained-upgrade-redeploy -n openshift
after upgrading OpenShift Container Platform. -
scheduled-upgrade-redeploy
periodically checks the given<image>:<tag>
combination for changes and upgrades the image when it changes. The image change controller pulls the changed image and redeploys the Jenkins deployment configuration provisioned by the templates. For more information about this scheduled import policy, see the "Adding tags to image streams" in the following "Additional resources."
To override the current upgrade value for existing deployments, change the values of the environment variables that correspond to those template parameters.
Prerequisites
- You are running OpenShift Jenkins on OpenShift Container Platform 4.16.
- You know the namespace where OpenShift Jenkins is deployed.
Procedure
Set the image stream tag value, replacing
<namespace>
with namespace where OpenShift Jenkins is deployed and<image_stream_tag>
with an image stream tag:Example
$ oc patch dc jenkins -p '{"spec":{"triggers":[{"type":"ImageChange","imageChangeParams":{"automatic":true,"containerNames":["jenkins"],"from":{"kind":"ImageStreamTag","namespace":"<namespace>","name":"jenkins:<image_stream_tag>"}}}]}}'
TipAlternatively, to edit the Jenkins deployment configuration YAML, enter
$ oc edit dc/jenkins -n <namespace>
and update thevalue: 'jenkins:<image_stream_tag>'
line.