OpenShift

Additional configuration for OpenShift

SecurityContext

OpenShift enforces Security Context Constraints (SCCs) when admitting a pod. By default, workloads run under the restricted SCC, which does not allow a fixed user ID: the container is assigned an arbitrary UID from the range allocated to the namespace (recorded in the namespace's openshift.io/sa.scc.uid-range annotation). A pod that pins a UID outside that range through runAsUser is rejected at admission, and an image that only works as a hardcoded user ends up running as a UID its files were not prepared for. Make sure the Jenkins CR does not set securityContext.runAsUser and that the image can run as an arbitrary UID; in practice this means the files it writes are owned by the root group (GID 0), which every arbitrary UID belongs to, and are group-writable. The master securityContext should therefore stay empty:

securityContext: {}

OpenShift Jenkins image

OpenShift provides a pre-configured Jenkins image containing three OpenShift plugins for Jenkins (openshift-login-plugin, openshift-sync-plugin and openshift-client-plugin), which integrate Jenkins more tightly with Kubernetes and OpenShift.

The OpenShift Jenkins image requires additional configuration to be fully enabled.

Sample OpenShift CR

The following Custom Resource creates a Jenkins instance from the OpenShift Jenkins image and sets three values:

  • image: 'quay.io/openshift/origin-jenkins:latest', the OpenShift Jenkins image.

  • serviceAccount: for OAuth authentication to work, the service account needs an annotation pointing to the Route that exposes the Jenkins service. Here the Route is named jenkins-route.

  • OPENSHIFT_ENABLE_OAUTH environment variable for the master container is set to true.

Here is a complete Jenkins CR for deploying the OpenShift Jenkins image. Note that the :latest tag together with imagePullPolicy: Always pulls whatever that tag currently points to on every pod start; pin a specific tag or digest when you need reproducible deployments.

apiVersion: jenkins.io/v1alpha2
kind: Jenkins
metadata:
  annotations:
    jenkins.io/openshift-mode: 'true'
  name: jenkins
spec:
  serviceAccount:
    annotations:
      serviceaccounts.openshift.io/oauth-redirectreference.jenkins: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"jenkins-route"}}'
  master:
    containers:
    - name: jenkins-master
      image: 'quay.io/openshift/origin-jenkins:latest'
      command:
      - /usr/bin/go-init
      - '-main'
      - /usr/libexec/s2i/run
      env:
      - name: OPENSHIFT_ENABLE_OAUTH
        value: 'true'
      - name: OPENSHIFT_ENABLE_REDIRECT_PROMPT
        value: 'true'
      - name: DISABLE_ADMINISTRATIVE_MONITORS
        value: 'false'
      - name: KUBERNETES_MASTER
        value: 'https://kubernetes.default:443'
      - name: KUBERNETES_TRUST_CERTIFICATES
        value: 'true'
      - name: JENKINS_SERVICE_NAME
        value: jenkins-operator-http-jenkins
      - name: JNLP_SERVICE_NAME
        value: jenkins-operator-slave-jenkins
      - name: JENKINS_UC_INSECURE
        value: 'false'
      - name: JENKINS_HOME
        value: /var/lib/jenkins
      - name: JAVA_OPTS
        # UseCGroupMemoryLimitForHeap/MaxRAMFraction are the JDK 8 container flags;
        # on JDK 11+ use -XX:MaxRAMPercentage instead.
        value: >-
          -XX:+UnlockExperimentalVMOptions
          -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1
          -Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
      imagePullPolicy: Always
  service:
    port: 8080
    type: ClusterIP
  slaveService:
    port: 50000
    type: ClusterIP

OpenShift OAuth integration

Exposing Jenkins through a Route is required for the OpenShift OAuth integration: the service account annotation above names that Route, and OpenShift derives the OAuth redirect URI from the Route's host. By default, the Jenkins HTTP service is named jenkins-operator-http-${jenkins-cr-name}, so for the CR above it is jenkins-operator-http-jenkins:

oc create route edge jenkins-route --service=jenkins-operator-http-jenkins

Note: the route name (jenkins-route) must match the Route referenced in the service account annotation; otherwise the OAuth server cannot resolve a redirect URI for the client and the login fails.

Once the Route exists, open its host in a browser to reach the Jenkins login page and log in with your OpenShift credentials. Because the Route is edge-terminated, TLS ends at the router and traffic to the jenkins-operator-http-jenkins service on port 8080 stays inside the cluster network.
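The script below is an added example, not part of the jenkins-operator documentation or the operator's own code. It ties the steps of this section together: it derives the HTTP service name from the CR name, reads the OAuthRedirectReference annotation back from the service account, checks that the Route it references is the one about to be created, and only then runs the `oc create route edge` command from above. The name-derivation and comparison logic run offline; the live mode uses oc and assumes the service account is named jenkins-operator-<cr-name>, which you should confirm with `oc get sa`.

```bash
#!/usr/bin/env bash
# Added example (not from the jenkins-operator docs or code).
# Creates the edge Route for OpenShift OAuth login after checking that the
# service account annotation points at the same Route name. A mismatch between
# the two is the usual reason the OpenShift login page never appears.
set -euo pipefail

# Service the operator creates for the Jenkins HTTP port: jenkins-operator-http-<cr-name>
http_service_name() { printf 'jenkins-operator-http-%s' "$1"; }

# Annotation value OpenShift expects on a service account acting as OAuth client.
oauth_redirect_annotation() {
  printf '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"%s"}}' "$1"
}

# Pulls the Route name back out of an annotation value in the exact layout above
# (no jq dependency). Prints nothing if the value does not reference a Route.
route_from_annotation() {
  printf '%s' "$1" | sed -n 's/.*"reference":{"kind":"Route","name":"\([^"]*\)"}.*/\1/p'
}

# Compares the live annotation with the Route name we intend to create.
# Prints OK or MISMATCH and returns non-zero on MISMATCH.
check_redirect_reference() {
  local annotation="$1" route="$2" referenced
  referenced="$(route_from_annotation "$annotation")"
  if [ "$referenced" = "$route" ]; then
    echo "OK: service account redirects to Route '$route'"
  else
    echo "MISMATCH: service account references Route '${referenced:-<none>}', expected '$route'"
    return 1
  fi
}

# Live mode: ./oauth-route.sh --apply <cr-name> <route-name> [service-account]
# The default service account name jenkins-operator-<cr-name> is an assumption
# about the operator's naming; confirm it with 'oc get sa'.
if [ "${1:-}" = "--apply" ]; then
  cr="$2"; route="$3"; sa="${4:-jenkins-operator-$cr}"
  current="$(oc get sa "$sa" \
    -o jsonpath='{.metadata.annotations.serviceaccounts\.openshift\.io/oauth-redirectreference\.jenkins}')"
  check_redirect_reference "$current" "$route"
  oc create route edge "$route" --service="$(http_service_name "$cr")"
  # The host printed here is where the OAuth server will redirect the browser.
  oc get route "$route" -o jsonpath='{.spec.host}{"\n"}'
fi
```

Run it as `./oauth-route.sh --apply jenkins jenkins-route` for the CR on this page. If it reports MISMATCH, fix the spec.serviceAccount.annotations value in the CR (or change the Route name you pass) before creating the Route; creating a Route the annotation does not reference produces a working Jenkins URL but a broken OpenShift login.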

Last modified April 29, 2020