Pre-installation requirements for OpenShift

3 minute read

Before you install CloudBees CI on modern cloud platforms on OpenShift, you must do the following:

Table 1. Pre-installation requirements

Ensure you are using a supported version of OpenShift.

See Supported platforms for CloudBees CI on modern cloud platforms.

Only production releases of OpenShift are supported. Beta releases are not supported.

NOTE: You must have network access to container images, such as a public Docker Hub or a private Docker Registry.

Configure a load balancer that points to the Router service.

A DNS record that points to the load balancer and TLS certificates (needed when you deploy CloudBees CI).

Create an OpenShift cluster that meets the cluster requirements

See OpenShift cluster requirements.

Set up an OpenShift project

See Setting up an OpenShift project.

Set up a CloudBees CI administrative workstation

See About setting up a CloudBees CI administrative workstation.

Set up the Helm client

See Setting up the Helm client.

Set up the CloudBees Helm chart repository

See The CloudBees Helm chart repository.

Understand the security considerations for OpenShift

See Security considerations for OpenShift.

OpenShift cluster requirements

CloudBees CI runs on an OpenShift cluster, and the cluster must meet the following requirements:

  • A production release of OpenShift and OpenShift CLI and Helm. Beta or test releases of OpenShift and Helm are not supported.

  • Network access to container images (public Docker Hub or a private Docker Registry).

  • A project in the cluster, provided by your OpenShift admin, with permissions to create Role and RoleBinding policies.

  • Access to the DNS record that points to your installation.

  • TLS certificates, which are needed when you deploy CloudBees CI.

  • A Default Storage Class defined and ready to use. See the Storage Requirements section in the AWS or On-premise Reference Architectures for more information.

See the Red Hat OpenShift documentation for complete instructions on how to deploy an OpenShift cluster on your own infrastructure or create an OpenShift cluster via the OpenShift online service.

Setting up an OpenShift project

CloudBees recommends using an OpenShift project when you install CloudBees CI.

When combined with OpenShift RBAC security, an OpenShift administrator can use an OpenShift project to restrict who has access to a project and its data.

  1. Create an OpenShift project, then set it as the current OpenShift project:

    $ oc new-project cjoc
    $ oc project cjoc
To change projects on OpenShift use the oc project <project name> command.

About setting up an administrative workstation

The CloudBees CI administrative workstation is the computer used to install, update and maintain CloudBees CI.

In organizations where multiple people are performing CloudBees CI administration duties, it may be beneficial to use a bastion host instead of setting up a workstation for each CloudBees CI administrator.

This workstation may be either the CloudBees CI administrative workstation or a Kubernetes administrative workstation. It just needs to be a workstation on which you have full command privileges for the following utilities:

Setting up the Helm client

Follow the instructions in the Helm project README to install the Helm client. Detailed instructions for specific operating systems are provided in the installation section.

If you intend to use the Helm template option, after installing the Helm client, you can skip to Using Helm template command to install CloudBees CI.

Adding the CloudBees Helm Chart Repository

CloudBees hosts the Helm chart on CloudBees' public Helm Chart Repository. Before you can use the CloudBees repository you must add it to your Helm environment with the helm repo add command.

To add the CloudBees Public Helm Chart Repository to your Helm environment:

helm repo add cloudbees (1)
helm repo update (2)
1The helm repo add adds a new Helm Chart Repository to your Helm installation.
2The helm repo update updates your local Helm Chart Repository cache. Your local Helm Chart Repository cache is used by Helm commands like helm search to improve performance.
Always run helm repo update before you execute a Helm search using helm search. This ensures your cache is up to date.

Security considerations for OpenShift

OpenShift comes with some security constraints that make it slightly harder to work with when running Jenkins agents:

  • Containers must run as a non-root user and group.

  • Containers must not be privileged.

Make sure to read Why do my applications run as a random user ID? and instructions to create images to make sure you are running Docker images that behave correctly on this platform.