diff --git a/2/Dockerfile.localdev b/2/Dockerfile.localdev index 79da138ca..9884021d8 100644 --- a/2/Dockerfile.localdev +++ b/2/Dockerfile.localdev @@ -1,4 +1,4 @@ -FROM quay.io/openshift/origin-cli +FROM quay.io/openshift/origin-cli:4.2 # Jenkins image for OpenShift # @@ -18,7 +18,7 @@ ENV JENKINS_VERSION=2 \ HOME=/var/lib/jenkins \ JENKINS_HOME=/var/lib/jenkins \ JENKINS_UC=https://updates.jenkins.io \ - OPENSHIFT_JENKINS_IMAGE_VERSION=4.0 \ + OPENSHIFT_JENKINS_IMAGE_VERSION=4.2 \ LANG=en_US.UTF-8 \ LC_ALL=en_US.UTF-8 \ INSTALL_JENKINS_VIA_RPMS=false @@ -27,7 +27,7 @@ LABEL k8s.io.description="Jenkins is a continuous integration server" \ k8s.io.display-name="Jenkins 2" \ openshift.io.expose-services="8080:http" \ openshift.io.tags="jenkins,jenkins2,ci" \ - io.jenkins.version="2.204.1" \ + io.jenkins.version="2.222.1" \ io.openshift.s2i.scripts-url=image:///usr/libexec/s2i # 8080 for main web interface, 50000 for slave agents diff --git a/2/Dockerfile.rhel7 b/2/Dockerfile.rhel7 index 1e7a05e91..6272fe381 100644 --- a/2/Dockerfile.rhel7 +++ b/2/Dockerfile.rhel7 @@ -16,7 +16,7 @@ ENV JENKINS_VERSION=2 \ HOME=/var/lib/jenkins \ JENKINS_HOME=/var/lib/jenkins \ JENKINS_UC=https://updates.jenkins.io \ - OPENSHIFT_JENKINS_IMAGE_VERSION=4.0 \ + OPENSHIFT_JENKINS_IMAGE_VERSION=4.2 \ LANG=en_US.UTF-8 \ LC_ALL=en_US.UTF-8 \ INSTALL_JENKINS_VIA_RPMS=false @@ -29,13 +29,13 @@ LABEL io.k8s.description="Jenkins is a continuous integration server" \ io.k8s.display-name="Jenkins 2" \ io.openshift.tags="jenkins,jenkins2,ci" \ io.openshift.expose-services="8080:http" \ - io.jenkins.version="2.204.1" \ + io.jenkins.version="2.222.1" \ io.openshift.s2i.scripts-url=image:///usr/libexec/s2i # Labels consumed by Red Hat build service LABEL com.redhat.component="openshift-jenkins-2-container" \ name="openshift4/ose-jenkins" \ - version="4.3" \ + version="4.2" \ architecture="x86_64" # 8080 for main web interface, 50000 for slave agents 
@@ -46,7 +46,7 @@ EXPOSE 8080 50000 # /usr/lib64/jenkins will subsequently get redirected to /usr/lib/jenkins; it is confirmed that the 3.7 jenkins RHEL images # do *NOT* have a /usr/lib64/jenkins path RUN ln -s /usr/lib/jenkins /usr/lib64/jenkins && \ - INSTALL_PKGS="dejavu-sans-fonts wget rsync gettext git tar zip unzip openssl bzip2 dumb-init java-1.8.0-openjdk java-1.8.0-openjdk-devel" && \ + INSTALL_PKGS="dejavu-sans-fonts wget rsync gettext git tar zip unzip openssl bzip2 dumb-init java-11-openjdk java-11-openjdk-devel " && \ yum install -y $INSTALL_PKGS && \ rpm -V $INSTALL_PKGS && \ yum clean all && \ diff --git a/2/contrib/jenkins/install-jenkins-core-plugins.sh b/2/contrib/jenkins/install-jenkins-core-plugins.sh index c02deac1f..d2b864c98 100755 --- a/2/contrib/jenkins/install-jenkins-core-plugins.sh +++ b/2/contrib/jenkins/install-jenkins-core-plugins.sh @@ -11,8 +11,8 @@ if [[ "${INSTALL_JENKINS_VIA_RPMS}" == "false" ]]; then if [ "$#" == "1" ]; then YUM_FLAGS="$1" fi - yum -y $YUM_FLAGS --setopt=tsflags=nodocs install jenkins-2.204.1-1.1 - rpm -V jenkins-2.204.1-1.1 + yum -y $YUM_FLAGS --setopt=tsflags=nodocs install jenkins-2.222.1 + rpm -V jenkins-2.222.1 yum clean all /usr/local/bin/install-plugins.sh $PLUGIN_LIST else diff --git a/2/contrib/openshift/base-plugins.txt b/2/contrib/openshift/base-plugins.txt index 94fd8b0e2..9c0da96ec 100644 --- a/2/contrib/openshift/base-plugins.txt +++ b/2/contrib/openshift/base-plugins.txt @@ -1,7 +1,8 @@ + # OpenShift Plugins openshift-login:1.0.23 openshift-client:1.0.32 -openshift-sync:1.0.44 +openshift-sync:1.0.45 # kubernetes plugin - https://wiki.jenkins-ci.org/display/JENKINS/Kubernetes+Plugin 
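Review bot: The new INSTALL_PKGS value carries a trailing space before the closing quote (`java-11-openjdk-devel "`), which is harmless only because `$INSTALL_PKGS` is expanded unquoted on the following `yum install` and `rpm -V` lines; drop it. The JDK packages are also installed without a version, so each rebuild picks up whatever `java-11-openjdk` the enabled repos currently offer and the image is not reproducible; consider pinning them, e.g. `java-11-openjdk-<VERSION> java-11-openjdk-devel-<VERSION>` (placeholder), with the chosen version recorded next to the Jenkins version this image targets. The RUN instruction continues past the end of the hunk.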
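Review bot: The new yum line drops the release qualifier the old pin carried (`jenkins-2.204.1-1.1` became `jenkins-2.222.1`), so `yum install jenkins-2.222.1` now accepts any release/build of that version the repository offers, and `rpm -V jenkins-2.222.1` simply verifies whichever one happened to be installed. If a reproducible base image is the goal, restore the full name-version-release form on both lines, e.g. `jenkins-2.222.1-<RELEASE>` (placeholder). The enclosing if/else block starts and ends outside the hunk.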
@@ -9,10 +10,12 @@ openshift-sync:1.0.44 # 1.12.0 fixed https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1016 # 1.12.8 fixed the https://issues.jenkins-ci.org/browse/JENKINS-53260 we introduced # 1.18.2 upgrade to support OpenJdk11 -kubernetes:1.18.2 -credentials:2.2.0 -docker-commons:1.14 -pipeline-model-definition:1.3.7 +# 1.25.2 enhance http proxy handleing +kubernetes:1.25.2 +credentials:2.3.5 +docker-commons:1.16 +pipeline-model-definition:1.6.0 +pipeline-model-api:1.6.0 # we leverage this plugin in the openshift-client DSL groovy shim lockable-resources:2.5 @@ -46,42 +49,42 @@ lockable-resources:2.5 # processed sec adv https://jenkins.io/security/advisory/2019-07-31/ # processed sec adv https://jenkins.io/security/advisory/2019-08-28/ # processed sec adv https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590 -# config-file-provider:3.5 htmlpublisher:1.21 job-dsl:1.72 -mailer:1.21 +mailer:1.30 parameterized-trigger:2.35.2 -pipeline-build-step:2.7 -pipeline-input-step:2.8 -script-security:1.66 +pipeline-build-step:2.12 +pipeline-input-step:2.11 +script-security:1.71 +google-oauth-plugin:1.0.0 ant:1.10 pam-auth:1.6 -git-client:3.0.0 +git-client:3.2.1 credentials-binding:1.19 junit:1.26.1 workflow-support:2.18 -git:3.9.3 +git:4.2.2 mercurial:2.3 -subversion:2.10.3 +subversion:2.13.1 github:1.29.2 github-branch-source:2.3.6 -workflow-cps:2.73 +workflow-cps:2.80 workflow-cps-global-lib:2.15 -token-macro:2.8 +token-macro:2.12 workflow-remote-loader:1.5 # Legacy stuff mapdb-api:1.0.9.0 matrix-project:1.14 -ssh-credentials:1.17.2 +ssh-credentials:1.18.1 # Pipeline Utility Steps Plugin - https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Utility+Steps+Plugin -pipeline-utility-steps:2.1.0 +pipeline-utility-steps:2.5.0 # some plugins helpful for global shared libs were broken out of workflow aggregator pipeline-github-lib:1.0 
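Review bot: `google-oauth-plugin:1.0.0` is added to the base plugin set with no comment saying what needs it, unlike most other entries in this file, and every plugin baked into the base image widens the default attack surface and has to be tracked against Jenkins security advisories the way the `# processed sec adv` lines do for the existing ones. Add a rationale line above it, e.g. `# google-oauth-plugin: required by <DEPENDENT PLUGIN OR FEATURE>` (placeholder), and likewise say why `pipeline-model-api:1.6.0` now needs an explicit entry next to `pipeline-model-definition:1.6.0`. The new comment `# 1.25.2 enhance http proxy handleing` also has a typo (`handling`).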
@@ -93,9 +96,6 @@ matrix-auth:2.2 # with k8s plugin blueocean:1.10.2 -# Pipeline plugin - https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Plugin -# 2.5 now includes pipeline-model-definition (declaritive pipeline) -# 2.4 brought in pipeline-milestone-step workflow-aggregator:2.6 # Monitoring plugins diff --git a/2/contrib/openshift/configuration/logging.properties b/2/contrib/openshift/configuration/logging.properties new file mode 100644 index 000000000..31cc9d7e5 --- /dev/null +++ b/2/contrib/openshift/configuration/logging.properties @@ -0,0 +1,5 @@ +# Jenkins logging configuration for OpenShift + +.level=INFO +handlers=java.util.logging.ConsoleHandler +java.util.logging.SimpleFormatter.format=%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS %4$-7s %2$s %5$s%6$s%n diff --git a/2/contrib/s2i/run b/2/contrib/s2i/run index 2f3028fe6..199dc4e58 100755 --- a/2/contrib/s2i/run +++ b/2/contrib/s2i/run @@ -192,6 +192,14 @@ if [[ -z "${JAVA_TOOL_OPTIONS}" ]]; then export JAVA_TOOL_OPTIONS fi +# update system java keystore with custom ca bundle from jenkins-trust-ca-bundle configmap +# ca bundle is injected by network operator via the configmap jenkins-trusted-ca-bundle +# see certificate-injection-using-operators_configuring-a-custom-pki in the documentation +system_ca_bundle_crt="/etc/pki/ca-trust/source/anchors/ca-bundle.crt" +if [ -f "${system_ca_bundle_crt}" ]; then + /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth ${JENKINS_HOME}/ca-anchors-keystore +fi + # assume k8s/docker memory limit was set if memory.limit_in_bytes < 1TiB if [[ "${CONTAINER_MEMORY_IN_BYTES}" -lt $((2**40)) ]]; then # set this JVM's -Xmx and -Xms if not set already (not propagated to any 
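Review bot: In the s2i/run hunk the `p11-kit extract` call's exit status is ignored and `${JENKINS_HOME}` is passed unquoted, and when the CA bundle is later removed from the pod the keystore built on an earlier run stays behind in JENKINS_HOME (`/var/lib/jenkins`, backed by a persistent volume in the persistent templates) where the later `-f` check still selects it as the JVM trust store; a stale or partially written keystore would then silently decide which servers Jenkins trusts. Handle the failure and the removal case explicitly, as below. The new comment also refers to a `jenkins-trust-ca-bundle` configmap while the next line and the templates use `jenkins-trusted-ca-bundle`; make the two agree.
```shell
system_ca_bundle_crt="/etc/pki/ca-trust/source/anchors/ca-bundle.crt"
if [ -f "${system_ca_bundle_crt}" ]; then
  if ! /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "${JENKINS_HOME}/ca-anchors-keystore"; then
    echo "WARNING: could not build ${JENKINS_HOME}/ca-anchors-keystore from ${system_ca_bundle_crt}; the JVM default trust store will be used" >&2
    rm -f "${JENKINS_HOME}/ca-anchors-keystore"
  fi
else
  # no custom bundle mounted: drop any keystore left over from a previous run
  rm -f "${JENKINS_HOME}/ca-anchors-keystore"
fi
```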
@@ -201,7 +209,7 @@ if [[ "${CONTAINER_MEMORY_IN_BYTES}" -lt $((2**40)) ]]; then # uncapped; -Xms unspecified (JVM default is 1/64 of -Xmx). if [[ -z "$CONTAINER_HEAP_PERCENT" ]]; then - CONTAINER_HEAP_PERCENT=0.50 + CONTAINER_HEAP_PERCENT=0.50 fi CONTAINER_HEAP_MAX=$(echo "${CONTAINER_MEMORY_IN_MB} ${CONTAINER_HEAP_PERCENT}" | awk '{ printf "%d", $1 * $2 }') @@ -462,9 +470,17 @@ fi if [[ -z "${JENKINS_JAVA_OPTIONS}" ]]; then # a discover was made upstream that if the monitor plugin is installed, it creates httpsession's via its filter, which impact the login plugin bearer token support, # so the displayed-counters setting turns that off - JENKINS_JAVA_OPTIONS="$JAVA_GC_OPTS $JAVA_INITIAL_HEAP_PARAM $JAVA_MAX_HEAP_PARAM $JAVA_CORE_LIMIT $JAVA_DIAGNOSTICS -Dfile.encoding=UTF8 -Djavamelody.displayed-counters=log,error $JENKINS_ACCESSLOG $FATAL_ERROR_OPTION" + JENKINS_JAVA_OPTIONS="$JAVA_GC_OPTS $JAVA_INITIAL_HEAP_PARAM $JAVA_MAX_HEAP_PARAM $JAVA_CORE_LIMIT $JAVA_DIAGNOSTICS " + JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Dfile.encoding=UTF8 -Djavamelody.displayed-counters=log,error $JENKINS_ACCESSLOG $FATAL_ERROR_OPTION" + JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Djava.util.logging.config.file=$JENKINS_HOME/logging.properties" + # Add default truststore if custom ca is loaded under ${JENKINS_HOME}/ca-anchors-keystore + if [ -f "${JENKINS_HOME}/ca-anchors-keystore" ]; then + JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Djavax.net.ssl.trustStore=${JENKINS_HOME}/ca-anchors-keystore" + fi fi +JAVA_HTTP_PROXY_OPTIONS="-Djdk.http.auth.tunneling.disabledSchemes= -Djdk.http.auth.proxying.disabledSchemes=" + # Deal with embedded escaped spaces in JENKINS_JAVA_OVERRIDES. # JENKINS_JAVA_OVERRIDES='-Dfoo -Dbar' => append -Dfoo -Dbar to java invocation # JENKINS_JAVA_OVERRIDES='-Dfoo\ bar' => append '-Dfoo bar' to java invocation 
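Review bot: The new `-Djava.util.logging.config.file` and `-Djavax.net.ssl.trustStore` appends sit inside the `if [[ -z "${JENKINS_JAVA_OPTIONS}" ]]` block, so any deployment that sets JENKINS_JAVA_OPTIONS to anything at all silently loses both the logging configuration and the custom CA trust store this script builds earlier; move those appends, together with the `if [ -f "${JENKINS_HOME}/ca-anchors-keystore" ]` check, below the closing `fi` so they apply in both cases. Separately, `JAVA_HTTP_PROXY_OPTIONS` sets `jdk.http.auth.tunneling.disabledSchemes` and `jdk.http.auth.proxying.disabledSchemes` to empty, which re-enables Basic authentication towards HTTP proxies that the JDK disables by default because the credentials reach the proxy in cleartext, and the variable is not referenced by the `exec java` line elsewhere in this diff, so it is either consumed outside the shown hunks or dead. Add a comment stating where it is consumed and why the JDK defaults are being relaxed, e.g. `# empty disabledSchemes lets the JVM send Basic credentials to the cluster proxy; required for <REASON>` (placeholder).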
@@ -475,6 +491,7 @@ if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
 set -x
 exec java $JENKINS_JAVA_OPTIONS -Duser.home=${HOME} \
 -Djavamelody.application-name=${JENKINS_SERVICE_NAME} \
+ -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true \
 "${JENKINS_JAVA_OVERRIDES_ARRAY[@]}" \
 -jar /usr/lib/jenkins/jenkins.war $JENKINS_OPTS "$@"
 fi
diff --git a/openshift/templates/jenkins-ephemeral-monitored.json b/openshift/templates/jenkins-ephemeral-monitored.json
index 826099527..6bf9b0ed5 100644
--- a/openshift/templates/jenkins-ephemeral-monitored.json
+++ b/openshift/templates/jenkins-ephemeral-monitored.json
@@ -41,6 +41,16 @@
 }
 }
 },
+ {
+ "kind": "ConfigMap",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "labels": {
+ "config.openshift.io/inject-trusted-cabundle": "true"
+ }
+ }
+ },
 {
 "kind": "DeploymentConfig",
 "apiVersion": "v1",
@@ -151,6 +161,10 @@
 {
 "name": "${JENKINS_SERVICE_NAME}-data",
 "mountPath": "/var/lib/jenkins"
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "mountPath": "/etc/pki/ca-trust/source/anchors"
 }
 ],
 "terminationMessagePath": "/dev/termination-log",
@@ -168,6 +182,13 @@
 "emptyDir": {
 "medium": ""
 }
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "configMap": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "optional": true
+ }
 }
 ],
 "restartPolicy": "Always",
diff --git a/openshift/templates/jenkins-ephemeral.json b/openshift/templates/jenkins-ephemeral.json
index b7c0275fa..5cbcf2c0e 100644
--- a/openshift/templates/jenkins-ephemeral.json
+++ b/openshift/templates/jenkins-ephemeral.json
@@ -41,6 +41,16 @@
 }
 }
 },
+ {
+ "kind": "ConfigMap",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "labels": {
+ "config.openshift.io/inject-trusted-cabundle": "true"
+ }
+ }
+ },
 {
 "kind": "DeploymentConfig",
 "apiVersion": "v1",
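Review bot: The added `-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true` switches off Jenkins' crumb-based CSRF protection for every request on every instance started from this image, and nothing in the diff says why; that is a security regression an image that otherwise front-loads `openshift-login` should not carry as the unconditional default. If some integration genuinely cannot send crumbs, gate the flag on an explicit opt-in variable that defaults to off and document it, e.g. `if [[ "${OPENSHIFT_JENKINS_DISABLE_CSRF:-false}" == "true" ]]; then JENKINS_JAVA_OPTIONS="$JENKINS_JAVA_OPTIONS -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true"; fi` (variable name is a placeholder), and remove it from the `exec java` line; otherwise drop it entirely. Putting it on the `exec` line also means it cannot be overridden via JENKINS_JAVA_OPTIONS or JENKINS_JAVA_OVERRIDES without editing the image.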
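Review bot: The new `${JENKINS_SERVICE_NAME}-trusted-ca-bundle` volume is mounted as a directory over `/etc/pki/ca-trust/source/anchors`, which, as with any volume mount, hides anything the image itself placed in that directory and presents only the ConfigMap's keys, while the run script expects exactly one key named `ca-bundle.crt` there; neither expectation is recorded anywhere in the template. The same ConfigMap, volumeMount and volume entries are repeated verbatim in jenkins-ephemeral.json, jenkins-persistent-monitored.json and jenkins-persistent.json, so a later fix has to be made four times. Record the contract once in each template's top-level description, e.g. "The <service>-trusted-ca-bundle ConfigMap is filled by the cluster (inject-trusted-cabundle label) and must expose a single ca-bundle.crt key; it is mounted over /etc/pki/ca-trust/source/anchors".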
@@ -151,6 +161,10 @@
 {
 "name": "${JENKINS_SERVICE_NAME}-data",
 "mountPath": "/var/lib/jenkins"
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "mountPath": "/etc/pki/ca-trust/source/anchors"
 }
 ],
 "terminationMessagePath": "/dev/termination-log",
@@ -168,6 +182,13 @@
 "emptyDir": {
 "medium": ""
 }
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "configMap": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "optional": true
+ }
 }
 ],
 "restartPolicy": "Always",
diff --git a/openshift/templates/jenkins-persistent-monitored.json b/openshift/templates/jenkins-persistent-monitored.json
index 8a51e656c..c5291e219 100644
--- a/openshift/templates/jenkins-persistent-monitored.json
+++ b/openshift/templates/jenkins-persistent-monitored.json
@@ -58,6 +58,16 @@
 }
 }
 },
+ {
+ "kind": "ConfigMap",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "labels": {
+ "config.openshift.io/inject-trusted-cabundle": "true"
+ }
+ }
+ },
 {
 "kind": "DeploymentConfig",
 "apiVersion": "v1",
@@ -172,6 +182,10 @@
 {
 "name": "${JENKINS_SERVICE_NAME}-data",
 "mountPath": "/var/lib/jenkins"
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "mountPath": "/etc/pki/ca-trust/source/anchors"
 }
 ],
 "terminationMessagePath": "/dev/termination-log",
@@ -189,6 +203,13 @@
 "persistentVolumeClaim": {
 "claimName": "${JENKINS_SERVICE_NAME}"
 }
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "configMap": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "optional": true
+ }
 }
 ],
 "restartPolicy": "Always",
diff --git a/openshift/templates/jenkins-persistent.json b/openshift/templates/jenkins-persistent.json
index 9bcbbc88e..399a38b29 100644
--- a/openshift/templates/jenkins-persistent.json
+++ b/openshift/templates/jenkins-persistent.json
@@ -41,6 +41,16 @@
 }
 }
 },
+ {
+ "kind": "ConfigMap",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "labels": {
+ "config.openshift.io/inject-trusted-cabundle": "true"
+ }
+ }
+ },
 {
 "kind": "PersistentVolumeClaim",
 "apiVersion": "v1",
@@ -172,6 +182,10 @@
 {
 "name": "${JENKINS_SERVICE_NAME}-data",
 "mountPath": "/var/lib/jenkins"
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "mountPath": "/etc/pki/ca-trust/source/anchors"
 }
 ],
 "terminationMessagePath": "/dev/termination-log",
@@ -189,6 +203,13 @@
 "persistentVolumeClaim": {
 "claimName": "${JENKINS_SERVICE_NAME}"
 }
+ },
+ {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "configMap": {
+ "name": "${JENKINS_SERVICE_NAME}-trusted-ca-bundle",
+ "optional": true
+ }
 }
 ],
 "restartPolicy": "Always",