Chapter 4. Important changes to OpenShift Jenkins images


Red Hat OpenShift Service on AWS 4.11 moves the OpenShift Jenkins and OpenShift Agent Base images to the ocp-tools-4 repository at registry.redhat.io. It also removes the OpenShift Jenkins Maven and NodeJS Agent images from its payload:

  • Red Hat OpenShift Service on AWS 4.11 moves the OpenShift Jenkins and OpenShift Agent Base images to the ocp-tools-4 repository at registry.redhat.io so that Red Hat can produce and update the images outside the Red Hat OpenShift Service on AWS lifecycle. Previously, these images were in the Red Hat OpenShift Service on AWS install payload and the openshift4 repository at registry.redhat.io.
  • Red Hat OpenShift Service on AWS 4.10 deprecated the OpenShift Jenkins Maven and NodeJS Agent images. Red Hat OpenShift Service on AWS 4.11 removes these images from its payload. Red Hat no longer produces these images, and they are not available from the ocp-tools-4 repository at registry.redhat.io. Red Hat maintains the 4.10 and earlier versions of these images for any significant bug fixes or security CVEs, following the Red Hat OpenShift Service on AWS lifecycle policy.

These changes support the Red Hat OpenShift Service on AWS 4.10 recommendation to use multiple container Pod Templates with the Jenkins Kubernetes Plugin.

4.1. Relocation of OpenShift Jenkins images

Red Hat OpenShift Service on AWS 4.11 makes significant changes to the location and availability of specific OpenShift Jenkins images. Additionally, you can configure when and how to update these images.

What stays the same with the OpenShift Jenkins images?

  • The Cluster Samples Operator manages the ImageStream and Template objects for operating the OpenShift Jenkins images.
  • By default, the Jenkins DeploymentConfig object from the Jenkins pod template triggers a redeployment when the Jenkins image changes. By default, this image is referenced by the jenkins:2 image stream tag of Jenkins image stream in the openshift namespace in the ImageStream YAML file in the Samples Operator payload.
  • If you upgrade from Red Hat OpenShift Service on AWS 4.10 and earlier to 4.11, the deprecated maven and nodejs pod templates are still in the default image configuration.
  • If you upgrade from Red Hat OpenShift Service on AWS 4.10 and earlier to 4.11, the jenkins-agent-maven and jenkins-agent-nodejs image streams still exist in your cluster. To maintain these image streams, see the following section, "What happens with the jenkins-agent-maven and jenkins-agent-nodejs image streams in the openshift namespace?"

What changes in the support matrix of the OpenShift Jenkins image?

Each new image in the ocp-tools-4 repository in the registry.redhat.io registry supports multiple versions of Red Hat OpenShift Service on AWS. When Red Hat updates one of these new images, it is simultaneously available for all versions. This availability is ideal when Red Hat updates an image in response to a security advisory. Initially, this change applies to Red Hat OpenShift Service on AWS 4.11 and later. It is planned that this change will eventually apply to Red Hat OpenShift Service on AWS 4.9 and later.

Previously, each Jenkins image supported only one version of Red Hat OpenShift Service on AWS and Red Hat might update those images sequentially over time.

What additions are there with the OpenShift Jenkins and Jenkins Agent Base ImageStream and ImageStreamTag objects?

By moving from an in-payload image stream to an image stream that references non-payload images, Red Hat OpenShift Service on AWS can define additional image stream tags. Red Hat has created a series of new image stream tags to go along with the existing "value": "jenkins:2" and "value": "image-registry.openshift-image-registry.svc:5000/openshift/jenkins-agent-base-rhel8:latest" image stream tags present in Red Hat OpenShift Service on AWS 4.10 and earlier. These new image stream tags address some requests to improve how the Jenkins-related image streams are maintained.

About the new image stream tags:

ocp-upgrade-redeploy
To update your Jenkins image when you upgrade Red Hat OpenShift Service on AWS, use this image stream tag in your Jenkins deployment configuration. This image stream tag corresponds to the existing 2 image stream tag of the jenkins image stream and the latest image stream tag of the jenkins-agent-base-rhel8 image stream. It employs an image tag specific to only one SHA or image digest. When the ocp-tools-4 image changes, such as for Jenkins security advisories, Red Hat Engineering updates the Cluster Samples Operator payload.
user-maintained-upgrade-redeploy
To manually redeploy Jenkins after you upgrade Red Hat OpenShift Service on AWS, use this image stream tag in your Jenkins deployment configuration. This image stream tag uses the least specific image version indicator available. When you redeploy Jenkins, run the following command: $ oc import-image jenkins:user-maintained-upgrade-redeploy -n openshift. When you issue this command, the Red Hat OpenShift Service on AWS ImageStream controller accesses the registry.redhat.io image registry and stores any updated images in the OpenShift image registry’s slot for that Jenkins ImageStreamTag object. Otherwise, if you do not run this command, your Jenkins deployment configuration does not trigger a redeployment.
scheduled-upgrade-redeploy
To automatically redeploy the latest version of the Jenkins image when it is released, use this image stream tag in your Jenkins deployment configuration. This image stream tag uses the periodic importing of image stream tags feature of the Red Hat OpenShift Service on AWS image stream controller, which checks for changes in the backing image. If the image changes, for example, due to a recent Jenkins security advisory, Red Hat OpenShift Service on AWS triggers a redeployment of your Jenkins deployment configuration. See "Configuring periodic importing of image stream tags" in the following "Additional resources."

What happens with the jenkins-agent-maven and jenkins-agent-nodejs image streams in the openshift namespace?

The OpenShift Jenkins Maven and NodeJS Agent images for Red Hat OpenShift Service on AWS were deprecated in 4.10, and are removed from the Red Hat OpenShift Service on AWS install payload in 4.11. They do not have alternatives defined in the ocp-tools-4 repository. However, you can work around this by using the sidecar pattern described in the "Jenkins agent" topic mentioned in the following "Additional resources" section.

However, the Cluster Samples Operator does not delete the jenkins-agent-maven and jenkins-agent-nodejs image streams created by prior releases, which point to the tags of the respective Red Hat OpenShift Service on AWS payload images on registry.redhat.io. Therefore, you can pull updates to these images by running the following commands:

$ oc import-image jenkins-agent-nodejs -n openshift
$ oc import-image jenkins-agent-maven -n openshift

4.2. Customizing the Jenkins image stream tag

To override the default upgrade behavior and control how the Jenkins image is upgraded, you set the image stream tag value that your Jenkins deployment configurations use.

The default upgrade behavior is the behavior that existed when the Jenkins image was part of the install payload. The image stream tag names, 2 and ocp-upgrade-redeploy, in the jenkins-rhel.json image stream file use SHA-specific image references. Therefore, when those tags are updated with a new SHA, the Red Hat OpenShift Service on AWS image change controller automatically redeploys the Jenkins deployment configuration from the associated templates, such as jenkins-ephemeral.json or jenkins-persistent.json.

For new deployments, to override that default value, you change the value of the JENKINS_IMAGE_STREAM_TAG in the jenkins-ephemeral.json Jenkins template. For example, replace the 2 in "value": "jenkins:2" with one of the following image stream tags:

  • ocp-upgrade-redeploy, the default value, updates your Jenkins image when you upgrade Red Hat OpenShift Service on AWS.
  • user-maintained-upgrade-redeploy requires you to manually redeploy Jenkins by running $ oc import-image jenkins:user-maintained-upgrade-redeploy -n openshift after upgrading Red Hat OpenShift Service on AWS.
  • scheduled-upgrade-redeploy periodically checks the given <image>:<tag> combination for changes and upgrades the image when it changes. The image change controller pulls the changed image and redeploys the Jenkins deployment configuration provisioned by the templates. For more information about this scheduled import policy, see the "Adding tags to image streams" in the following "Additional resources."
Note

To override the current upgrade value for existing deployments, change the values of the environment variables that correspond to those template parameters.

Prerequisites

  • You are running OpenShift Jenkins on Red Hat OpenShift Service on AWS 4.
  • You know the namespace where OpenShift Jenkins is deployed.

Procedure

  • Set the image stream tag value, replacing <namespace> with namespace where OpenShift Jenkins is deployed and <image_stream_tag> with an image stream tag:

    Example

    $ oc patch dc jenkins -p '{"spec":{"triggers":[{"type":"ImageChange","imageChangeParams":{"automatic":true,"containerNames":["jenkins"],"from":{"kind":"ImageStreamTag","namespace":"<namespace>","name":"jenkins:<image_stream_tag>"}}}]}}'

    Tip

    Alternatively, to edit the Jenkins deployment configuration YAML, enter $ oc edit dc/jenkins -n <namespace> and update the value: 'jenkins:<image_stream_tag>' line.

4.3. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.