Bake additional cert into Jenkins controller image

[jlebon]

Just like we did for the agent image, play a similar trick to have the
additional cert baked into the controller image. This is required if we
need to fetch resources from HTTPS URLs covered by the root CA in code
that runs directly on the controller. This situation comes up in RHCOS
where we want to be able to load the pipecfg from an internal repo early
on in jobs.

[dustymabe]

I don't really have a good grasp of the jenkins architecture here so it might help to name things a little more explicitly to try to hint at what the architecture is. How about we go for something like jenkins-with-cert-layer since it gets built on top of for the jenkins build. Then jenkins-agent-with-cert for the jenkins agent build. No layer there since it's not built on top of.

I wouldn't be opposed to putting controller in the name of the controller image either so that we properly are operating on either the agent or controller and it's clearer.

[jlebon]

I like the with-cert idea. It's a bit wordy, but clear. I find the layer wording confusing though. I think it'd be clearer if we remain consistent with the canonical OpenShift images? The two images are jenkins and jenkins-agent-base. So WDYT about:

• jenkins-with-cert
• jenkins-agent-base-with-cert

?

IOW, this is saying "these are the same as the regular OpenShift images, except they have a cert added". And then we rename our S2I buildconfig and output to jenkins-s2i. It's confusing to have it named just jenkins.

And I'll add a diagram somewhere showing how they're connected.

[dustymabe]

yeah let's try that and see what it looks like in the next upload.

[jlebon]

Updated this now with better naming and a diagram!

[dustymabe]

Looks much better now. Thanks for the diagram!

[dustymabe]

LGTM