opendevstack · BraisVQ · Mar 19, 2025 · Mar 19, 2025 · Mar 24, 2025 · Apr 23, 2025
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
@@ -34,7 +34,7 @@ jobs:
           --imagename ods-jenkins-agent-base-ubi8 \
           --dockerdir jenkins/agent-base \
           --dockerfile Dockerfile.ubi8 \
-          --build-arg SNYK_DISTRIBUTION_URL="https://github.com/snyk/snyk/releases/download/v1.1097.0/snyk-linux"
+          --build-arg SNYK_DISTRIBUTION_URL="https://github.com/snyk/snyk/releases/download/v1.1295.4/snyk-linux"
       - name: Push UBI8 docker image
         if: success() && github.repository == 'opendevstack/ods-core' && github.event_name == 'push'
         shell: bash

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@
 ### Changed
 - Updated Aqua CLI ([#1325](https://github.com/opendevstack/ods-core/pull/1325)) & ([#1332](https://github.com/opendevstack/ods-core/pull/1332))
 - Fix Jenkins pipeline removal issue and update to golang 1.24 ([#1331](https://github.com/opendevstack/ods-core/issues/1331))
+- Update Jenkins to rhel9 and 4.16 tag ([#1336](https://github.com/opendevstack/ods-core/pull/1336))
 
 ### Fixed
 

diff --git a/configuration-sample/ods-core.env.sample b/configuration-sample/ods-core.env.sample
@@ -216,41 +216,56 @@ CONFLUENCE_URL=http://192.168.56.31:8090
 # Base image for Jenkins master.
 # For UBI8-based images (OpenShift 4):
 # - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-rhel8/5fe1f38288e9c2f788526306
-# -      Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0
-# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631
+# -      Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.15.0
 # - Community variant: https://quay.io/repository/openshift/origin-jenkins?tab=tags
 # -           Example: quay.io/openshift/origin-jenkins:4.6
-JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631
-
-# Dockerfile to use for Jenkins master.
-# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
-JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi8
+# For UBI9-based images (OpenShift 4):
+# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-rhel9/65dc9063b7db2e8b83a5b299
+# -      Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.16.0
+# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.16.0-1739898511
+JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.16.0-1739898511
+
+# Use "Dockerfile.ubi9" for OpenShift 4  (UBI9 base image)
+# Quay image is not being maintained anymore and do not have a UBI9/RHEL9 variant
+# In case this image is being used it is recomended to use the Redhat registry rhel9 image instead
+# For more informtion see:
+# https://github.com/openshift/jenkins/issues/1829
+# https://github.com/openshift/jenkins/issues/1766
+JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi9
 
 # Base image for Jenkins agent base.
 # For UBI8-based images (OpenShift 4):
 # - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-agent-base-rhel8/6241e3457847116cf8577aea
-# -      Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0
-# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106
+# -      Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.15.0
 # - Community variant: https://quay.io/repository/openshift/origin-jenkins-agent-base?tab=tags
 # -           Example: quay.io/openshift/origin-jenkins-agent-base:4.6
-JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106
+# For UBI9-based images (OpenShift 4):
+# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-agent-base-rhel9/65dc9063b7db2e8b83a5b29e
+# -      Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0
+# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0-1739896346
+JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0-1739896346
 
 # Dockerfile to use for Jenkins agents.
-# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
-JENKINS_AGENT_DOCKERFILE_PATH=Dockerfile.ubi8
+# Use "Dockerfile.ubi9" for OpenShift 4  (UBI9 base image)
+# Quay image is not being maintained anymore and do not have a UBI9/RHEL9 variant
+# In case this image is being used it is recomended to use the Redhat registry rhel9 image instead
+# For more informtion see:
+# https://github.com/openshift/jenkins/issues/1829
+# https://github.com/openshift/jenkins/issues/1766
+JENKINS_AGENT_DOCKERFILE_PATH=Dockerfile.ubi9
 
 # Snyk CLI binary distribution url
 # Leave empty to avoid installing Snyk.
 # Releases are published at https://github.com/snyk/snyk/releases.
-# Latest tested version is v1.1292.4.
-JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/download/v1.1292.4/snyk-linux
+# Latest tested version is v1.1295.4.
+JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/download/v1.1295.4/snyk-linux
 
 # AquaSec CLI binary distribution url
 # Leave empty to avoid installing AquaSec.
 # Releases are published at https://download.aquasec.com/scanner
 # Check Aqua versions backward compatibility at https://docs.aquasec.com/docs/version-compatibility-of-components#section-backward-compatibility-across-two-major-versions
 # To Download the aquaSec scanner cli and check their documentaion requires a valid account on aquasec.com
-# Latest tested version is 2022.4.720
+# Latest tested version is 2022.4.759
 # Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.759/scannercli
 JENKINS_AGENT_BASE_AQUASEC_SCANNERCLI_URL=
 

@@ -2,17 +2,17 @@ FROM quay.io/openshift/origin-jenkins-agent-base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-ENV SONAR_SCANNER_VERSION=6.2.1.4610 \
-    CNES_REPORT_VERSION=5.0.0 \
+ENV SONAR_SCANNER_VERSION=7.0.2.4839 \
+    CNES_REPORT_VERSION=5.0.1 \
     COSIGN_VERSION=2.4.3 \
     TAILOR_VERSION=1.3.4 \
-    SOPS_VERSION=3.9.0 \
-    HELM_VERSION=3.15.4 \
-    HELM_PLUGIN_DIFF_VERSION=3.9.9 \
-    HELM_PLUGIN_SECRETS_VERSION=4.6.1 \
-    GIT_LFS_VERSION=3.5.1 \
+    SOPS_VERSION=3.9.4 \
+    HELM_VERSION=3.17.1 \
+    HELM_PLUGIN_DIFF_VERSION=3.10.0 \
+    HELM_PLUGIN_SECRETS_VERSION=4.6.3 \
+    GIT_LFS_VERSION=3.6.1 \
     IMGPKG_VERSION=0.44.0 \
-    TRIVY_VERSION=0.54.1 \
+    TRIVY_VERSION=0.60.0 \
     YQ_VERSION=4.45.1 \
     JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90"
 
@@ -21,7 +21,7 @@ ARG SNYK_DISTRIBUTION_URL
 ARG AQUASEC_SCANNERCLI_URL
 
 # Add UBI repositories.
-COPY yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo
 
 COPY ensure_java_jre_is_adequate.sh /usr/local/bin/
 COPY ./set-default-java.sh /etc/profile.d/set-default-java.sh

@@ -0,0 +1,161 @@
+FROM quay.io/openshift/origin-jenkins-agent-base
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV SONAR_SCANNER_VERSION=7.0.2.4839 \
+    CNES_REPORT_VERSION=5.0.1 \
+    COSIGN_VERSION=2.4.3 \
+    TAILOR_VERSION=1.3.4 \
+    SOPS_VERSION=3.9.4 \
+    HELM_VERSION=3.17.1 \
+    HELM_PLUGIN_DIFF_VERSION=3.10.0 \
+    HELM_PLUGIN_SECRETS_VERSION=4.6.3 \
+    GIT_LFS_VERSION=3.6.1 \
+    IMGPKG_VERSION=0.44.0 \
+    TRIVY_VERSION=0.60.0 \
+    YQ_VERSION=4.45.1 \
+    JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90"
+
+ARG APP_DNS
+ARG SNYK_DISTRIBUTION_URL
+ARG AQUASEC_SCANNERCLI_URL
+
+# Add UBI repositories.
+COPY yum.repos.d/ubi9.repo /etc/yum.repos.d/ubi.repo
+
+COPY ensure_java_jre_is_adequate.sh /usr/local/bin/
+COPY ./set-default-java.sh /etc/profile.d/set-default-java.sh
+
+RUN cd /etc/yum.repos.d && rm -f localdev-* ci-rpm-mirrors.repo \
+    && ensure_java_jre_is_adequate.sh \
+    && yum -y install make glibc-langpack-en openssl skopeo \
+    && yum -y update \
+    && yum clean all \
+    && rm -rf /var/cache/yum/* \
+    && skopeo --version
+
+# Copy use java scripts.
+COPY use-j*.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/use-j*.sh && \
+    chmod ugo+s /usr/local/bin/use-j*.sh && \
+    sh -c 'chmod ugo+s $(which alternatives)' && \
+    ls -la /usr/local/bin/use-j*.sh && \
+    echo "--- STARTS JDK 17 TESTS ---" && \
+    use-j17.sh && \
+    echo "--- ENDS JDK 17 TESTS ---"
+
+COPY ./import_certs.sh /usr/local/bin/import_certs.sh
+COPY ./fix_java_certs_permissions.sh /usr/local/bin/fix_java_certs_permissions.sh
+RUN import_certs.sh && fix_java_certs_permissions.sh
+
+# Install Sonar Scanner.
+RUN cd /tmp \
+    && curl -sSLO https://repo1.maven.org/maven2/org/sonarsource/scanner/cli/sonar-scanner-cli/${SONAR_SCANNER_VERSION}/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+    && unzip sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+    && mv sonar-scanner-${SONAR_SCANNER_VERSION} /usr/local/sonar-scanner-cli \
+    && rm -rf sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+    && /usr/local/sonar-scanner-cli/bin/sonar-scanner --version
+ENV PATH=/usr/local/sonar-scanner-cli/bin:$PATH
+
+# Add sq cnes report jar.
+RUN cd /tmp \
+    && curl -sSL https://github.com/cnescatlab/sonar-cnes-report/releases/download/${CNES_REPORT_VERSION}/sonar-cnes-report-${CNES_REPORT_VERSION}.jar -o cnesreport.jar \
+    && mkdir /usr/local/cnes \
+    && mv cnesreport.jar /usr/local/cnes/cnesreport.jar \
+    && chmod 777 /usr/local/cnes/cnesreport.jar
+
+# Install sigstore/cosign
+RUN cd /tmp \
+    && curl -sSLO https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \
+    && mv /tmp/cosign-linux-amd64 /usr/local/bin/cosign \
+    && chmod 755 /usr/local/bin/cosign \
+    && cosign version
+
+# Install Tailor.
+RUN cd /tmp \
+    && curl -sSLO https://github.com/opendevstack/tailor/releases/download/v${TAILOR_VERSION}/tailor-linux-amd64 \
+    && mv tailor-linux-amd64 /usr/local/bin/tailor \
+    && chmod a+x /usr/local/bin/tailor \
+    && tailor version
+
+# Install Helm.
+RUN cd /tmp \
+    && dnf install -y https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-${SOPS_VERSION}-1.x86_64.rpm \
+    && mkdir -p /tmp/helm \
+    && curl -sSLO https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz \
+    && tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz -C /tmp/helm \
+    && mv /tmp/helm/linux-amd64/helm /usr/local/bin/helm \
+    && chmod a+x /usr/local/bin/helm \
+    && helm version \
+    && helm env \
+    && helm plugin install https://github.com/databus23/helm-diff --version v${HELM_PLUGIN_DIFF_VERSION} \
+    && helm plugin install https://github.com/jkroepke/helm-secrets --version v${HELM_PLUGIN_SECRETS_VERSION} \
+    && sops --version \
+    && rm -rf /tmp/helm /tmp/helm-v${HELM_VERSION}-linux-amd64.tar.gz
+
+# Install imgpkg.
+RUN cd /tmp \
+    && curl -sSLO https://github.com/carvel-dev/imgpkg/releases/download/v${IMGPKG_VERSION}/imgpkg-linux-amd64 \
+    && mv imgpkg-linux-amd64 /usr/local/bin/imgpkg \
+    && chmod a+x /usr/local/bin/imgpkg \
+    && imgpkg --version
+
+# Install yq.
+RUN cd /tmp \
+    && curl -sSLO https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
+    && mv yq_linux_amd64 /usr/local/bin/yq \
+    && chmod a+x /usr/local/bin/yq \
+    && yq --version
+
+# Install GIT-LFS extension https://git-lfs.github.com/.
+RUN cd /tmp \
+    && mkdir -p /tmp/git-lfs \
+    && curl -sSLO https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz \
+    && tar -zxvf git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz -C /tmp/git-lfs \
+    && bash /tmp/git-lfs/git-lfs-${GIT_LFS_VERSION}/install.sh \
+    && git lfs version \
+    && rm -rf /tmp/git-lfs*
+
+# Optionally install snyk.
+RUN if [ -z $SNYK_DISTRIBUTION_URL ] ; then echo 'Skipping snyk installation!' ; else echo 'Installing snyk... getting binary from' $SNYK_DISTRIBUTION_URL \
+    && curl -sSL $SNYK_DISTRIBUTION_URL --output snyk \
+    && mv snyk /usr/local/bin \
+    && chmod +rwx /usr/local/bin/snyk \
+    && mkdir -p $HOME/.config/configstore/ \
+    && chmod -R g+rw $HOME/.config/configstore/ \
+    && echo 'Snyk CLI version:' \
+    && snyk --version \
+    && echo 'Snyk installation completed!'; \
+    fi
+
+# Optionally install Aquasec.
+RUN if [ -z $AQUASEC_SCANNERCLI_URL ] ; then echo 'Skipping AquaSec installation!' ; else echo 'Installing AquaSec... getting binary from' $AQUASEC_SCANNERCLI_URL \
+    && curl -sSL $AQUASEC_SCANNERCLI_URL --output aquasec \
+    && mv aquasec /usr/local/bin \
+    && chmod +rwx /usr/local/bin/aquasec \
+    && echo 'AquaSec CLI version:' \
+    && aquasec version \
+    && echo 'AquaSec installation completed!'; \
+    fi
+
+# Install Trivy.
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v$TRIVY_VERSION \
+    && echo 'Trivy CLI version:' \
+    && trivy version
+
+# Set java proxy var.
+COPY set_java_proxy.sh /tmp/set_java_proxy.sh
+RUN . /tmp/set_java_proxy.sh && echo $JAVA_OPTS
+
+# Customize entrypoint.
+COPY fix_openshift_run_jnlp_client.sh /usr/local/bin/fix_openshift_run_jnlp_client.sh
+RUN mv /usr/local/bin/run-jnlp-client /usr/local/bin/openshift-run-jnlp-client \
+    && fix_openshift_run_jnlp_client.sh /usr/local/bin/openshift-run-jnlp-client
+
+COPY ods-run-jnlp-client.sh /usr/local/bin/run-jnlp-client
+
+# Fix permissions.
+RUN mkdir -p /home/jenkins/.config && chmod -R g+w /home/jenkins/.config \
+    && mkdir -p /home/jenkins/.cache && chmod -R g+w /home/jenkins/.cache \
+    && mkdir -p /home/jenkins/.sonar && chmod -R g+w /home/jenkins/.sonar \
+    && mkdir -p /tmp/aqua && chmod -R g+w /tmp/aqua
@@ -0,0 +1,62 @@
+[ubi-9-baseos]
+name = Red Hat Universal Base Image 9 (RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-baseos-debug]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-baseos-source]
+name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-appstream]
+name = Red Hat Universal Base Image 9 (RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-appstream-debug]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-appstream-source]
+name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-codeready-builder]
+name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-codeready-builder-debug]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-codeready-builder-source]
+name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
@@ -15,7 +15,7 @@ ENV JENKINS_JAVA_OVERRIDES="-Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true
 USER root
 
 # Add UBI repositories.
-COPY yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo
 
 COPY ./scripts_for_usr-local-bin/* /usr/local/bin/
 RUN rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key \
@@ -28,7 +28,7 @@ RUN rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key \
     && clean_yum_cache.sh
 
 # Copy configuration and plugins.
-COPY plugins.ubi8.txt /opt/openshift/configuration/plugins.txt
+COPY plugins.txt /opt/openshift/configuration/plugins.txt
 RUN /usr/local/bin/install-plugins.sh /opt/openshift/configuration/plugins.txt \
     && rm -r /opt/openshift/configuration/jobs/OpenShift* || true \
     && touch /var/lib/jenkins/configured \