jenkinsci · tomaszsek · Apr 29, 2020 · Apr 29, 2020
@@ -0,0 +1,8 @@
+KUBERNETES_PROVIDER=crc
+DOCKER_ORGANIZATION=image-registry.openshift-image-registry.svc:5000/jenkins-operator
+DOCKER_REGISTRY=kubernetes-operator
+IMAGE_PULL_MODE=remote
+JENKINS_API_PORT=0
+JENKINS_API_USE_NODEPORT=false
+NAMESPACE=$(oc project -q)
+
@@ -7,64 +7,67 @@ metadata:
 spec:
   master:
     containers:
-      - name: jenkins-master
-        command:
-          - /usr/bin/go-init
-          - '-main'
-          - /usr/libexec/s2i/run
-        env:
-          - name: OPENSHIFT_ENABLE_OAUTH
-            value: 'true'
-          - name: OPENSHIFT_ENABLE_REDIRECT_PROMPT
-            value: 'true'
-          - name: DISABLE_ADMINISTRATIVE_MONITORS
-            value: 'false'
-          - name: KUBERNETES_MASTER
-            value: 'https://kubernetes.default:443'
-          - name: KUBERNETES_TRUST_CERTIFICATES
-            value: 'true'
-          - name: JENKINS_SERVICE_NAME
-            value: jenkins-operator-http-example
-          - name: JNLP_SERVICE_NAME
-            value: jenkins-operator-slave-example
-          - name: JENKINS_UC_INSECURE
-            value: 'false'
-          - name: JENKINS_HOME
-            value: /var/lib/jenkins
-          - name: JAVA_OPTS
-            value: >-
-              -XX:+UnlockExperimentalVMOptions -XX:+UnlockExperimentalVMOptions
-              -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1
-              -Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
-        image: 'quay.io/openshift/origin-jenkins:latest'
-        imagePullPolicy: Always
-        livenessProbe:
-          httpGet:
-            path: /login
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 420
-          periodSeconds: 360
-          timeoutSeconds: 240
-        readinessProbe:
-          httpGet:
-            path: /login
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 3
-          periodSeconds: 0
-          timeoutSeconds: 240
-        resources:
-          limits:
-            cpu: 600m
-            memory: 4Gi
-          requests:
-            cpu: 500m
-            memory: 3Gi
+    - name: jenkins-master
+      command:
+      - /usr/bin/go-init
+      - '-main'
+      - /usr/libexec/s2i/run
+      env:
+      - name: OPENSHIFT_ENABLE_OAUTH
+        value: 'true'
+      - name: OPENSHIFT_ENABLE_REDIRECT_PROMPT
+        value: 'true'
+      - name: DISABLE_ADMINISTRATIVE_MONITORS
+        value: 'false'
+      - name: KUBERNETES_MASTER
+        value: 'https://kubernetes.default:443'
+      - name: KUBERNETES_TRUST_CERTIFICATES
+        value: 'true'
+      - name: JENKINS_SERVICE_NAME
+        value: jenkins-operator-http-jenkins
+      - name: JNLP_SERVICE_NAME
+        value: jenkins-operator-slave-jenkins
+      - name: JENKINS_UC_INSECURE
+        value: 'false'
+      - name: JENKINS_HOME
+        value: /var/lib/jenkins
+      - name: JAVA_OPTS
+        value: >-
+          -XX:+UnlockExperimentalVMOptions -XX:+UnlockExperimentalVMOptions
+          -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1
+          -Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
+      image: 'quay.io/openshift/origin-jenkins:latest'
+      imagePullPolicy: Always
+      livenessProbe:
+        httpGet:
+          path: /login
+          port: 8080
+          scheme: HTTP
+        initialDelaySeconds: 420
+        periodSeconds: 360
+        timeoutSeconds: 240
+      readinessProbe:
+        httpGet:
+          path: /login
+          port: 8080
+          scheme: HTTP
+        initialDelaySeconds: 3
+        periodSeconds: 0
+        timeoutSeconds: 240
+      resources:
+        limits:
+          cpu: 600m
+          memory: 4Gi
+        requests:
+          cpu: 500m
+          memory: 3Gi
   service:
     port: 8080
     type: ClusterIP
   slaveService:
     port: 50000
     type: ClusterIP
-
+  serviceAccount:
+    annotations:
+      serviceaccounts.openshift.io/oauth-redirectreference.jenkins: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"jenkins-operator"}}'
+
@@ -767,7 +767,12 @@ func TestEnsureExtraRBAC(t *testing.T) {
 				Roles: []rbacv1.RoleRef{},
 			},
 		}
-		reconciler := New(configuration.Configuration{Client: fakeClient, Jenkins: jenkins, Scheme: scheme.Scheme}, nil, client.JenkinsAPIConnectionSettings{})
+		config := configuration.Configuration{
+			Client:  fakeClient,
+			Jenkins: jenkins,
+			Scheme:  scheme.Scheme,
+		}
+		reconciler := New(config, log.Log, client.JenkinsAPIConnectionSettings{})
 		metaObject := resources.NewResourceObjectMeta(jenkins)
 
 		// when
@@ -803,7 +808,12 @@ func TestEnsureExtraRBAC(t *testing.T) {
 				},
 			},
 		}
-		reconciler := New(configuration.Configuration{Client: fakeClient, Jenkins: jenkins, Scheme: scheme.Scheme}, nil, client.JenkinsAPIConnectionSettings{})
+		config := configuration.Configuration{
+			Client:  fakeClient,
+			Jenkins: jenkins,
+			Scheme:  scheme.Scheme,
+		}
+		reconciler := New(config, log.Log, client.JenkinsAPIConnectionSettings{})
 		metaObject := resources.NewResourceObjectMeta(jenkins)
 
 		// when
@@ -845,7 +855,12 @@ func TestEnsureExtraRBAC(t *testing.T) {
 				},
 			},
 		}
-		reconciler := New(configuration.Configuration{Client: fakeClient, Jenkins: jenkins, Scheme: scheme.Scheme}, nil, client.JenkinsAPIConnectionSettings{})
+		config := configuration.Configuration{
+			Client:  fakeClient,
+			Jenkins: jenkins,
+			Scheme:  scheme.Scheme,
+		}
+		reconciler := New(config, log.Log, client.JenkinsAPIConnectionSettings{})
 		metaObject := resources.NewResourceObjectMeta(jenkins)
 
 		// when
@@ -888,7 +903,12 @@ func TestEnsureExtraRBAC(t *testing.T) {
 				},
 			},
 		}
-		reconciler := New(configuration.Configuration{Client: fakeClient, Jenkins: jenkins, Scheme: scheme.Scheme}, log.Log, client.JenkinsAPIConnectionSettings{})
+		config := configuration.Configuration{
+			Client:  fakeClient,
+			Jenkins: jenkins,
+			Scheme:  scheme.Scheme,
+		}
+		reconciler := New(config, log.Log, client.JenkinsAPIConnectionSettings{})
 		metaObject := resources.NewResourceObjectMeta(jenkins)
 
 		// when

@@ -6,17 +6,19 @@ import (
 )
 
 const (
-	createVerb        = "create"
-	deleteVerb        = "delete"
-	getVerb           = "get"
-	listVerb          = "list"
-	watchVerb         = "watch"
-	patchVerb         = "patch"
-	updateVerb        = "update"
-	EmptyApiGroups    = ""
-	OpenshiftApiGroup = "image.openshift.io"
-	BuildApiGroup     = "build.openshift.io"
-
+	createVerb = "create"
+	deleteVerb = "delete"
+	getVerb    = "get"
+	listVerb   = "list"
+	watchVerb  = "watch"
+	patchVerb  = "patch"
+	updateVerb = "update"
+	//EmptyAPIGroup short hand for the empty API group while defining policies
+	EmptyAPIGroup = ""
+	//OpenshiftAPIGroup the openshift api group name
+	OpenshiftAPIGroup = "image.openshift.io"
+	//BuildAPIGroup  the openshift api group name for builds
+	BuildAPIGroup = "build.openshift.io"
 )
 
 // NewRole returns rbac role for jenkins master
@@ -54,22 +56,23 @@ func NewRoleBinding(name, namespace, serviceAccountName string, roleRef v1.RoleR
 	}
 }
 
+// NewDefaultPolicyRules sets the default policy rules
 func NewDefaultPolicyRules() []v1.PolicyRule {
 	var rules []v1.PolicyRule
 	ReadOnly := []string{getVerb, listVerb, watchVerb}
-	Default  := []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb}
-	Create   := []string{createVerb}
+	Default := []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb}
+	Create := []string{createVerb}
 
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "pods/portforward", Create))
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "pods", Default))
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "pods/exec", Default))
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "configmaps", ReadOnly))
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "pods/log", ReadOnly))
-	rules = append(rules,  NewPolicyRule(EmptyApiGroups, "secrets", ReadOnly))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "pods/portforward", Create))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "pods", Default))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "pods/exec", Default))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "configmaps", ReadOnly))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "pods/log", ReadOnly))
+	rules = append(rules, NewPolicyRule(EmptyAPIGroup, "secrets", ReadOnly))
 
-	rules = append(rules,  NewOpenShiftPolicyRule(OpenshiftApiGroup, "imagestreams", ReadOnly))
-	rules = append(rules,  NewOpenShiftPolicyRule(BuildApiGroup, "buildconfigs", ReadOnly))
-	rules = append(rules,  NewOpenShiftPolicyRule(BuildApiGroup, "builds", ReadOnly))
+	rules = append(rules, NewOpenShiftPolicyRule(OpenshiftAPIGroup, "imagestreams", ReadOnly))
+	rules = append(rules, NewOpenShiftPolicyRule(BuildAPIGroup, "buildconfigs", ReadOnly))
+	rules = append(rules, NewOpenShiftPolicyRule(BuildAPIGroup, "builds", ReadOnly))
 
 	return rules
 }
@@ -84,8 +87,7 @@ func NewPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRu
 	return rule
 }
 
-// NewPolicyRule returns a policyRule allowing verbs on resources
+// NewOpenShiftPolicyRule returns a policyRule allowing verbs on resources
 func NewOpenShiftPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRule {
-	return NewPolicyRule(apiGroup,resource,verbs)
+	return NewPolicyRule(apiGroup, resource, verbs)
 }
-
@@ -2,8 +2,10 @@ package base
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/base/resources"
+	"github.com/jenkinsci/kubernetes-operator/pkg/log"
 
 	stackerr "github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -15,20 +17,23 @@ import (
 func (r *ReconcileJenkinsBaseConfiguration) createServiceAccount(meta metav1.ObjectMeta) error {
 	serviceAccount := &corev1.ServiceAccount{}
 	err := r.Client.Get(context.TODO(), types.NamespacedName{Name: meta.Name, Namespace: meta.Namespace}, serviceAccount)
+	annotations := r.Configuration.Jenkins.Spec.ServiceAccount.Annotations
+	msg := fmt.Sprintf("createServiceAccount with annotations %v", annotations)
+	r.logger.V(log.VDebug).Info(msg)
 	if err != nil && apierrors.IsNotFound(err) {
-		serviceAccount = resources.NewServiceAccount(meta, r.Configuration.Jenkins.Spec.ServiceAccount.Annotations)
+		serviceAccount = resources.NewServiceAccount(meta, annotations)
 		if err = r.CreateResource(serviceAccount); err != nil {
 			return stackerr.WithStack(err)
 		}
 	} else if err != nil {
 		return stackerr.WithStack(err)
 	}
 
-	if !compareMap(r.Configuration.Jenkins.Spec.ServiceAccount.Annotations, serviceAccount.Annotations) {
+	if !compareMap(annotations, serviceAccount.Annotations) {
 		if serviceAccount.Annotations == nil {
 			serviceAccount.Annotations = map[string]string{}
 		}
-		for key, value := range r.Configuration.Jenkins.Spec.ServiceAccount.Annotations {
+		for key, value := range annotations {
 			serviceAccount.Annotations[key] = value
 		}
 		if err = r.UpdateResource(serviceAccount); err != nil {