From ed2e4869fd6946a733bd9568831c27ed10a0110a Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 19 Mar 2025 17:50:49 +0100 Subject: [PATCH 1/5] Update Jenkins to rhel 9 and 4.16 --- .../continuous-integration-workflow.yml | 2 +- configuration-sample/ods-core.env.sample | 45 +++-- jenkins/agent-base/Dockerfile.ubi8 | 18 +- jenkins/agent-base/Dockerfile.ubi9 | 161 ++++++++++++++++++ .../yum.repos.d/{ubi.repo => ubi8.repo} | 0 jenkins/agent-base/yum.repos.d/ubi9.repo | 62 +++++++ jenkins/master/Dockerfile.ubi8 | 4 +- jenkins/master/Dockerfile.ubi9 | 49 ++++++ jenkins/master/plugins.txt | 6 + jenkins/master/plugins.ubi8.txt | 18 -- .../yum.repos.d/{ubi.repo => ubi8.repo} | 0 jenkins/master/yum.repos.d/ubi9.repo | 62 +++++++ 12 files changed, 382 insertions(+), 45 deletions(-) create mode 100644 jenkins/agent-base/Dockerfile.ubi9 rename jenkins/agent-base/yum.repos.d/{ubi.repo => ubi8.repo} (100%) create mode 100644 jenkins/agent-base/yum.repos.d/ubi9.repo create mode 100644 jenkins/master/Dockerfile.ubi9 create mode 100644 jenkins/master/plugins.txt delete mode 100644 jenkins/master/plugins.ubi8.txt rename jenkins/master/yum.repos.d/{ubi.repo => ubi8.repo} (100%) create mode 100644 jenkins/master/yum.repos.d/ubi9.repo diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml index 52560d27c..285aa76da 100644 --- a/.github/workflows/continuous-integration-workflow.yml +++ b/.github/workflows/continuous-integration-workflow.yml 
@@ -34,7 +34,7 @@ jobs: --imagename ods-jenkins-agent-base-ubi8 \ --dockerdir jenkins/agent-base \ --dockerfile Dockerfile.ubi8 \ - --build-arg SNYK_DISTRIBUTION_URL="https://github.com/snyk/snyk/releases/download/v1.1097.0/snyk-linux" + --build-arg SNYK_DISTRIBUTION_URL="https://github.com/snyk/snyk/releases/download/v1.1295.4/snyk-linux" - name: Push UBI8 docker image if: success() && github.repository == 'opendevstack/ods-core' && github.event_name == 'push' shell: bash diff --git a/configuration-sample/ods-core.env.sample b/configuration-sample/ods-core.env.sample index b913cc19a..b00e55d8b 100644 --- a/configuration-sample/ods-core.env.sample +++ b/configuration-sample/ods-core.env.sample 
@@ -216,41 +216,56 @@ CONFLUENCE_URL=http://192.168.56.31:8090 # Base image for Jenkins master. # For UBI8-based images (OpenShift 4): # - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-rhel8/5fe1f38288e9c2f788526306 -# - Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0 -# - Last tested: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631 +# - Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.15.0 # - Community variant: https://quay.io/repository/openshift/origin-jenkins?tab=tags # - Example: quay.io/openshift/origin-jenkins:4.6 -JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631 - -# Dockerfile to use for Jenkins master. -# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4 (UBI8 base image) -JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi8 +# For UBI9-based images (OpenShift 4): +# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-rhel9/65dc9063b7db2e8b83a5b299 +# - Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.16.0 +# - Last tested: registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.16.0-1739898511 +JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.16.0-1739898511 + +# Use "Dockerfile.ubi9" for OpenShift 4 (UBI9 base image) +# Quay image is not being maintained anymore and do not have a UBI9/RHEL9 variant +# In case this image is being used it is recomended to use the Redhat registry rhel9 image instead +# For more informtion see: +# https://github.com/openshift/jenkins/issues/1829 +# https://github.com/openshift/jenkins/issues/1766 +JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi9 # Base image for Jenkins agent base. 
# For UBI8-based images (OpenShift 4): # - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-agent-base-rhel8/6241e3457847116cf8577aea -# - Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0 -# - Last tested: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106 +# - Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.15.0 # - Community variant: https://quay.io/repository/openshift/origin-jenkins-agent-base?tab=tags # - Example: quay.io/openshift/origin-jenkins-agent-base:4.6 -JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106 +# For UBI9-based images (OpenShift 4): +# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-agent-base-rhel9/65dc9063b7db2e8b83a5b29e +# - Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0 +# - Last tested: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0-1739896346 +JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9:v4.16.0-1739896346 # Dockerfile to use for Jenkins agents. -# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4 (UBI8 base image) -JENKINS_AGENT_DOCKERFILE_PATH=Dockerfile.ubi8 +# Use "Dockerfile.ubi9" for OpenShift 4 (UBI9 base image) +# Quay image is not being maintained anymore and do not have a UBI9/RHEL9 variant +# In case this image is being used it is recomended to use the Redhat registry rhel9 image instead +# For more informtion see: +# https://github.com/openshift/jenkins/issues/1829 +# https://github.com/openshift/jenkins/issues/1766 +JENKINS_AGENT_DOCKERFILE_PATH=Dockerfile.ubi9 # Snyk CLI binary distribution url # Leave empty to avoid installing Snyk. # Releases are published at https://github.com/snyk/snyk/releases. -# Latest tested version is v1.1292.4. 
-JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/download/v1.1292.4/snyk-linux +# Latest tested version is v1.1295.4. +JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/download/v1.1295.4/snyk-linux # AquaSec CLI binary distribution url # Leave empty to avoid installing AquaSec. # Releases are published at https://download.aquasec.com/scanner # Check Aqua versions backward compatibility at https://docs.aquasec.com/docs/version-compatibility-of-components#section-backward-compatibility-across-two-major-versions # To Download the aquaSec scanner cli and check their documentaion requires a valid account on aquasec.com -# Latest tested version is 2022.4.720 +# Latest tested version is 2022.4.759 # Example: https://:@download.aquasec.com/scanner/2022.4.759/scannercli JENKINS_AGENT_BASE_AQUASEC_SCANNERCLI_URL= diff --git a/jenkins/agent-base/Dockerfile.ubi8 b/jenkins/agent-base/Dockerfile.ubi8 index e1f811b30..9f7fbc6b5 100644 --- a/jenkins/agent-base/Dockerfile.ubi8 +++ b/jenkins/agent-base/Dockerfile.ubi8 @@ -2,17 +2,17 @@ FROM quay.io/openshift/origin-jenkins-agent-base SHELL ["/bin/bash", "-o", "pipefail", "-c"] -ENV SONAR_SCANNER_VERSION=6.2.1.4610 \ - CNES_REPORT_VERSION=5.0.0 \ +ENV SONAR_SCANNER_VERSION=7.0.2.4839 \ + CNES_REPORT_VERSION=5.0.1 \ COSIGN_VERSION=2.4.3 \ TAILOR_VERSION=1.3.4 \ - SOPS_VERSION=3.9.0 \ - HELM_VERSION=3.15.4 \ - HELM_PLUGIN_DIFF_VERSION=3.9.9 \ - HELM_PLUGIN_SECRETS_VERSION=4.6.1 \ - GIT_LFS_VERSION=3.5.1 \ + SOPS_VERSION=3.9.4 \ + HELM_VERSION=3.17.1 \ + HELM_PLUGIN_DIFF_VERSION=3.10.0 \ + HELM_PLUGIN_SECRETS_VERSION=4.6.3 \ + GIT_LFS_VERSION=3.6.1 \ IMGPKG_VERSION=0.44.0 \ - TRIVY_VERSION=0.54.1 \ + TRIVY_VERSION=0.60.0 \ YQ_VERSION=4.45.1 \ JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90" 
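Review bot: In configuration-sample/ods-core.env.sample, the Example line added under "For UBI9-based images" for the Jenkins master still names the RHEL 8 repository (`jenkins-rhel8:v4.16.0`), while the catalog link above it and the "Last tested" value are `jenkins-rhel9`; it should read `# - Example: registry.redhat.io/ocp-tools-4/jenkins-rhel9:v4.16.0`. The agent block in the same hunk already uses `jenkins-agent-base-rhel9`. The new comment above both `*_DOCKERFILE_PATH` settings has typos (`recomended`, `informtion`), and the master block lost the "Dockerfile to use for Jenkins master." heading that the agent block keeps. Since the defaults now pair a rhel9 base image with Dockerfile.ubi9, a line stating that base image and Dockerfile must be switched together (rhel8 with Dockerfile.ubi8) would prevent a mixed setup that puts UBI 9 repositories on a RHEL 8 base.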
@@ -21,7 +21,7 @@ ARG SNYK_DISTRIBUTION_URL ARG AQUASEC_SCANNERCLI_URL # Add UBI repositories. -COPY yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo COPY ensure_java_jre_is_adequate.sh /usr/local/bin/ COPY ./set-default-java.sh /etc/profile.d/set-default-java.sh diff --git a/jenkins/agent-base/Dockerfile.ubi9 b/jenkins/agent-base/Dockerfile.ubi9 new file mode 100644 index 000000000..9f7fbc6b5 --- /dev/null +++ b/jenkins/agent-base/Dockerfile.ubi9 
@@ -0,0 +1,161 @@
+FROM quay.io/openshift/origin-jenkins-agent-base
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV SONAR_SCANNER_VERSION=7.0.2.4839 \
+ CNES_REPORT_VERSION=5.0.1 \
+ COSIGN_VERSION=2.4.3 \
+ TAILOR_VERSION=1.3.4 \
+ SOPS_VERSION=3.9.4 \
+ HELM_VERSION=3.17.1 \
+ HELM_PLUGIN_DIFF_VERSION=3.10.0 \
+ HELM_PLUGIN_SECRETS_VERSION=4.6.3 \
+ GIT_LFS_VERSION=3.6.1 \
+ IMGPKG_VERSION=0.44.0 \
+ TRIVY_VERSION=0.60.0 \
+ YQ_VERSION=4.45.1 \
+ JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90"
+
+ARG APP_DNS
+ARG SNYK_DISTRIBUTION_URL
+ARG AQUASEC_SCANNERCLI_URL
+
+# Add UBI repositories.
+COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo
+
+COPY ensure_java_jre_is_adequate.sh /usr/local/bin/
+COPY ./set-default-java.sh /etc/profile.d/set-default-java.sh
+
+RUN cd /etc/yum.repos.d && rm -f localdev-* ci-rpm-mirrors.repo \
+ && ensure_java_jre_is_adequate.sh \
+ && yum -y install make glibc-langpack-en openssl skopeo \
+ && yum -y update \
+ && yum clean all \
+ && rm -rf /var/cache/yum/* \
+ && skopeo --version
+
+# Copy use java scripts.
+COPY use-j*.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/use-j*.sh && \
+ chmod ugo+s /usr/local/bin/use-j*.sh && \
+ sh -c 'chmod ugo+s $(which alternatives)' && \
+ ls -la /usr/local/bin/use-j*.sh && \
+ echo "--- STARTS JDK 17 TESTS ---" && \
+ use-j17.sh && \
+ echo "--- ENDS JDK 17 TESTS ---"
+
+COPY ./import_certs.sh /usr/local/bin/import_certs.sh
+COPY ./fix_java_certs_permissions.sh /usr/local/bin/fix_java_certs_permissions.sh
+RUN import_certs.sh && fix_java_certs_permissions.sh
+
+# Install Sonar Scanner.
+RUN cd /tmp \
+ && curl -sSLO https://repo1.maven.org/maven2/org/sonarsource/scanner/cli/sonar-scanner-cli/${SONAR_SCANNER_VERSION}/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+ && unzip sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+ && mv sonar-scanner-${SONAR_SCANNER_VERSION} /usr/local/sonar-scanner-cli \
+ && rm -rf sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+ && /usr/local/sonar-scanner-cli/bin/sonar-scanner --version
+ENV PATH=/usr/local/sonar-scanner-cli/bin:$PATH
+
+# Add sq cnes report jar.
+RUN cd /tmp \
+ && curl -sSL https://github.com/cnescatlab/sonar-cnes-report/releases/download/${CNES_REPORT_VERSION}/sonar-cnes-report-${CNES_REPORT_VERSION}.jar -o cnesreport.jar \
+ && mkdir /usr/local/cnes \
+ && mv cnesreport.jar /usr/local/cnes/cnesreport.jar \
+ && chmod 777 /usr/local/cnes/cnesreport.jar
+
+# Install sigstore/cosign
+RUN cd /tmp \
+ && curl -sSLO https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \
+ && mv /tmp/cosign-linux-amd64 /usr/local/bin/cosign \
+ && chmod 755 /usr/local/bin/cosign \
+ && cosign version
+
+# Install Tailor.
+RUN cd /tmp \
+ && curl -sSLO https://github.com/opendevstack/tailor/releases/download/v${TAILOR_VERSION}/tailor-linux-amd64 \
+ && mv tailor-linux-amd64 /usr/local/bin/tailor \
+ && chmod a+x /usr/local/bin/tailor \
+ && tailor version
+
+# Install Helm.
+RUN cd /tmp \
+ && dnf install -y https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-${SOPS_VERSION}-1.x86_64.rpm \
+ && mkdir -p /tmp/helm \
+ && curl -sSLO https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz \
+ && tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz -C /tmp/helm \
+ && mv /tmp/helm/linux-amd64/helm /usr/local/bin/helm \
+ && chmod a+x /usr/local/bin/helm \
+ && helm version \
+ && helm env \
+ && helm plugin install https://github.com/databus23/helm-diff --version v${HELM_PLUGIN_DIFF_VERSION} \
+ && helm plugin install https://github.com/jkroepke/helm-secrets --version v${HELM_PLUGIN_SECRETS_VERSION} \
+ && sops --version \
+ && rm -rf /tmp/helm /tmp/helm-v${HELM_VERSION}-linux-amd64.tar.gz
+
+# Install imgpkg.
+RUN cd /tmp \
+ && curl -sSLO https://github.com/carvel-dev/imgpkg/releases/download/v${IMGPKG_VERSION}/imgpkg-linux-amd64 \
+ && mv imgpkg-linux-amd64 /usr/local/bin/imgpkg \
+ && chmod a+x /usr/local/bin/imgpkg \
+ && imgpkg --version
+
+# Install yq.
+RUN cd /tmp \
+ && curl -sSLO https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
+ && mv yq_linux_amd64 /usr/local/bin/yq \
+ && chmod a+x /usr/local/bin/yq \
+ && yq --version
+
+# Install GIT-LFS extension https://git-lfs.github.com/.
+RUN cd /tmp \
+ && mkdir -p /tmp/git-lfs \
+ && curl -sSLO https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz \
+ && tar -zxvf git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz -C /tmp/git-lfs \
+ && bash /tmp/git-lfs/git-lfs-${GIT_LFS_VERSION}/install.sh \
+ && git lfs version \
+ && rm -rf /tmp/git-lfs*
+
+# Optionally install snyk.
+RUN if [ -z $SNYK_DISTRIBUTION_URL ] ; then echo 'Skipping snyk installation!' ; else echo 'Installing snyk... getting binary from' $SNYK_DISTRIBUTION_URL \
+ && curl -sSL $SNYK_DISTRIBUTION_URL --output snyk \
+ && mv snyk /usr/local/bin \
+ && chmod +rwx /usr/local/bin/snyk \
+ && mkdir -p $HOME/.config/configstore/ \
+ && chmod -R g+rw $HOME/.config/configstore/ \
+ && echo 'Snyk CLI version:' \
+ && snyk --version \
+ && echo 'Snyk installation completed!'; \
+ fi
+
+# Optionally install Aquasec.
+RUN if [ -z $AQUASEC_SCANNERCLI_URL ] ; then echo 'Skipping AquaSec installation!' ; else echo 'Installing AquaSec... getting binary from' $AQUASEC_SCANNERCLI_URL \
+ && curl -sSL $AQUASEC_SCANNERCLI_URL --output aquasec \
+ && mv aquasec /usr/local/bin \
+ && chmod +rwx /usr/local/bin/aquasec \
+ && echo 'AquaSec CLI version:' \
+ && aquasec version \
+ && echo 'AquaSec installation completed!'; \
+ fi
+
+# Install Trivy.
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v$TRIVY_VERSION \
+ && echo 'Trivy CLI version:' \
+ && trivy version
+
+# Set java proxy var.
+COPY set_java_proxy.sh /tmp/set_java_proxy.sh
+RUN . /tmp/set_java_proxy.sh && echo $JAVA_OPTS
+
+# Customize entrypoint.
+COPY fix_openshift_run_jnlp_client.sh /usr/local/bin/fix_openshift_run_jnlp_client.sh
+RUN mv /usr/local/bin/run-jnlp-client /usr/local/bin/openshift-run-jnlp-client \
+ && fix_openshift_run_jnlp_client.sh /usr/local/bin/openshift-run-jnlp-client
+
+COPY ods-run-jnlp-client.sh /usr/local/bin/run-jnlp-client
+
+# Fix permissions.
+RUN mkdir -p /home/jenkins/.config && chmod -R g+w /home/jenkins/.config \
+ && mkdir -p /home/jenkins/.cache && chmod -R g+w /home/jenkins/.cache \
+ && mkdir -p /home/jenkins/.sonar && chmod -R g+w /home/jenkins/.sonar \
+ && mkdir -p /tmp/aqua && chmod -R g+w /tmp/aqua
diff --git a/jenkins/agent-base/yum.repos.d/ubi.repo b/jenkins/agent-base/yum.repos.d/ubi8.repo
similarity index 100%
rename from jenkins/agent-base/yum.repos.d/ubi.repo
rename to jenkins/agent-base/yum.repos.d/ubi8.repo
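Review bot: In jenkins/agent-base/Dockerfile.ubi9 none of the downloaded tools (sonar-scanner, cnesreport.jar, cosign, tailor, helm, imgpkg, yq, git-lfs, optional snyk and aquasec) is checked against a checksum or signature before it is installed, and the Trivy step pipes `install.sh` from the mutable `main` branch into `sh` although the Trivy version itself is pinned. Verifying each artifact right after its `curl`, e.g. `&& echo "${COSIGN_SHA256}  cosign-linux-amd64" | sha256sum -c - \` with the digest supplied as a new pinned variable (COSIGN_SHA256 is a placeholder name), and fetching the Trivy installer from the `v${TRIVY_VERSION}` tag rather than `main`, would make the image contents reproducible and tamper-evident. The Tailor download in jenkins/master/Dockerfile.ubi9 has the same gap. Also in this file, `echo 'Installing AquaSec... getting binary from' $AQUASEC_SCANNERCLI_URL` writes the URL to the build log, and the sample env file describes that URL in a form that appears to embed account credentials, so the echo should not print the variable.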
diff --git a/jenkins/agent-base/yum.repos.d/ubi9.repo b/jenkins/agent-base/yum.repos.d/ubi9.repo
new file mode 100644
index 000000000..88edfcc4c
--- /dev/null
+++ b/jenkins/agent-base/yum.repos.d/ubi9.repo
@@ -0,0 +1,62 @@ +[ubi-9-baseos] +name = Red Hat Universal Base Image 9 (RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-baseos-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-baseos-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream] +name = Red Hat Universal Base Image 9 (RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder] +name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - 
CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 diff --git a/jenkins/master/Dockerfile.ubi8 b/jenkins/master/Dockerfile.ubi8 index 40639289b..598c092af 100644 --- a/jenkins/master/Dockerfile.ubi8 +++ b/jenkins/master/Dockerfile.ubi8 @@ -15,7 +15,7 @@ ENV JENKINS_JAVA_OVERRIDES="-Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true USER root # Add UBI repositories. -COPY yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo COPY ./scripts_for_usr-local-bin/* /usr/local/bin/ RUN rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key \ @@ -28,7 +28,7 @@ RUN rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key \ && clean_yum_cache.sh # Copy configuration and plugins. -COPY plugins.ubi8.txt /opt/openshift/configuration/plugins.txt +COPY plugins.txt /opt/openshift/configuration/plugins.txt RUN /usr/local/bin/install-plugins.sh /opt/openshift/configuration/plugins.txt \ && rm -r /opt/openshift/configuration/jobs/OpenShift* || true \ && touch /var/lib/jenkins/configured \ diff --git a/jenkins/master/Dockerfile.ubi9 b/jenkins/master/Dockerfile.ubi9 new file mode 100644 index 000000000..1241114e4 --- /dev/null +++ b/jenkins/master/Dockerfile.ubi9 
@@ -0,0 +1,49 @@
+FROM quay.io/openshift/origin-jenkins
+
+ENV JAVA_HOME /usr/lib/jvm/jre-17
+
+# ODS defaults, available to use within pipelines.
+ARG ODS_NAMESPACE
+ARG ODS_GIT_REF
+ARG ODS_IMAGE_TAG
+ARG SONAR_EDITION
+ARG SONAR_VERSION
+ARG APP_DNS
+ENV TAILOR_VERSION=1.3.4
+ENV JENKINS_JAVA_OVERRIDES="-Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true"
+
+USER root
+
+# Add UBI repositories.
+COPY yum.repos.d/ubi9.repo /etc/yum.repos.d/ubi.repo
+
+COPY ./scripts_for_usr-local-bin/* /usr/local/bin/
+RUN rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key \
+ && disable_yum_repository.sh /etc/yum.repos.d/ci-rpm-mirrors.repo \
+ /etc/yum.repos.d/localdev-* /etc/yum.repos.d/epel.repo \
+ && ensure_java_jre_is_adequate.sh master \
+ && yum -y update \
+ && import_certs.sh \
+ && fix_openshift_scripts.sh \
+ && clean_yum_cache.sh
+
+# Copy configuration and plugins.
+COPY plugins.txt /opt/openshift/configuration/plugins.txt
+RUN /usr/local/bin/install-plugins.sh /opt/openshift/configuration/plugins.txt \
+ && rm -r /opt/openshift/configuration/jobs/OpenShift* || true \
+ && touch /var/lib/jenkins/configured \
+ && mv /usr/libexec/s2i/run /usr/libexec/s2i/openshift-run
+COPY configuration/ /opt/openshift/configuration/
+COPY ods-run.sh /usr/libexec/s2i/run
+COPY logging.properties /var/lib/jenkins/
+
+RUN chown :0 /etc/pki/java/cacerts && chmod ugo+w /etc/pki/java/cacerts
+
+# Install Tailor.
+RUN cd /tmp \
+ && curl -LOv https://github.com/opendevstack/tailor/releases/download/v${TAILOR_VERSION}/tailor-linux-amd64 \
+ && mv tailor-linux-amd64 /usr/local/bin/tailor \
+ && chmod a+x /usr/local/bin/tailor \
+ && tailor version
+
+USER jenkins
diff --git a/jenkins/master/plugins.txt b/jenkins/master/plugins.txt
new file mode 100644
index 000000000..c8dd07110
--- /dev/null
+++ b/jenkins/master/plugins.txt
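Review bot: In jenkins/master/Dockerfile.ubi9, `chmod ugo+w /etc/pki/java/cacerts` makes the Java trust store writable by every user in the image, so any process in the container can add a CA that Jenkins will then trust for TLS. The preceding `chown :0` already hands the file to group 0, so group write should be enough: `RUN chown :0 /etc/pki/java/cacerts && chmod g+w /etc/pki/java/cacerts` (this assumes the runtime user is a member of group 0, which should be confirmed for the target cluster). Separately, in the plugin step the `|| true` placed after `rm -r .../jobs/OpenShift*` also absorbs a failure of `install-plugins.sh`, because `a && b || true && c` carries on when `a` fails. Writing that line as `&& rm -rf /opt/openshift/configuration/jobs/OpenShift* \` and dropping `|| true` keeps a failed plugin install (the list includes audit-trail and mask-passwords) from producing an image that looks complete.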
@@ -0,0 +1,6 @@
+# Aditional plugins
+sonar:2.18
+ansicolor:1.0.6
+audit-trail:382.vf64d6f626060
+Office-365-Connector:5.0.0
+mask-passwords:188.v66e477dcb_24a_
diff --git a/jenkins/master/plugins.ubi8.txt b/jenkins/master/plugins.ubi8.txt
deleted file mode 100644
index 8b932c784..000000000
--- a/jenkins/master/plugins.ubi8.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-# Aditional plugins
-greenballs:1.15.1
-sonar:2.17.2
-ansicolor:1.0.4
-audit-trail:361.v82cde86c784e
-Office-365-Connector:5.0.0
-mask-passwords:173.v6a_077a_291eb_5
-
-# Plugins updated to fix dependecy errors (can be removed in next version)
-workflow-step-api:657.v03b_e8115821b_
-
-# Bundled plugins
-token-macro:400.v35420b_922dcb_
-email-ext:2.104
-junit:1265.v65b_14fa_f12f0
-blueocean:1.27.9
-kubernetes:4174.v4230d0ccd951
-openshift-sync:1.1.0.802.v45585f8cdc07
diff --git a/jenkins/master/yum.repos.d/ubi.repo b/jenkins/master/yum.repos.d/ubi8.repo
similarity index 100%
rename from jenkins/master/yum.repos.d/ubi.repo
rename to jenkins/master/yum.repos.d/ubi8.repo
diff --git a/jenkins/master/yum.repos.d/ubi9.repo b/jenkins/master/yum.repos.d/ubi9.repo
new file mode 100644
index 000000000..88edfcc4c
--- /dev/null
+++ b/jenkins/master/yum.repos.d/ubi9.repo
@@ -0,0 +1,62 @@ +[ubi-9-baseos] +name = Red Hat Universal Base Image 9 (RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-baseos-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-baseos-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream] +name = Red Hat Universal Base Image 9 (RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-appstream-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder] +name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder-debug] +name = Red Hat Universal Base Image 9 (Debug RPMs) - 
CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-codeready-builder-source] +name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 From 93babcfe663a7e74972f20f59c1506c03d40bd73 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 19 Mar 2025 17:53:08 +0100 Subject: [PATCH 2/5] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6502a284..d22d32ddd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ ### Changed - Updated Aqua CLI ([#1325](https://github.com/opendevstack/ods-core/pull/1325)) & ([#1332](https://github.com/opendevstack/ods-core/pull/1332)) - Fix Jenkins pipeline removal issue and update to golang 1.24 ([#1331](https://github.com/opendevstack/ods-core/issues/1331)) +- Update Jenkins to rhel9 and 4.16 tag ([#1336](https://github.com/opendevstack/ods-core/pull/1336)) ### Fixed From c962221531ac841982673931429d7876b9bd8938 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Mon, 24 Mar 2025 14:35:34 +0100 Subject: [PATCH 3/5] use Ubi9 for rhel 9 --- jenkins/agent-base/Dockerfile.ubi9 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jenkins/agent-base/Dockerfile.ubi9 b/jenkins/agent-base/Dockerfile.ubi9 index 9f7fbc6b5..301b04786 100644 --- a/jenkins/agent-base/Dockerfile.ubi9 +++ b/jenkins/agent-base/Dockerfile.ubi9 
@@ -21,7 +21,7 @@ ARG SNYK_DISTRIBUTION_URL ARG AQUASEC_SCANNERCLI_URL # Add UBI repositories. -COPY yum.repos.d/ubi8.repo /etc/yum.repos.d/ubi.repo +COPY yum.repos.d/ubi9.repo /etc/yum.repos.d/ubi.repo COPY ensure_java_jre_is_adequate.sh /usr/local/bin/ COPY ./set-default-java.sh /etc/profile.d/set-default-java.sh From 391c74d9aff8ffc498cab05fe96c4ef14cec5fb9 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 23 Apr 2025 13:51:00 +0200 Subject: [PATCH 4/5] remove old java versions in runtime also --- jenkins/master/ods-run.sh | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/jenkins/master/ods-run.sh b/jenkins/master/ods-run.sh index 9b0b572c8..31faf4f76 100755 --- a/jenkins/master/ods-run.sh +++ b/jenkins/master/ods-run.sh 
@@ -7,6 +7,41 @@ set -ue echo "Deleting .kube to avoid weird caching issues (see https://github.com/opendevstack/ods-core/issues/473)" rm -rf $HOME/.kube || true +echo "Verifying if Java 17 is installed ..." +yum list installed | grep -i "\(java\|jre\)" | tee -a ${JAVA_INSTALLED_PKGS_LOGS} +if grep -qi "java-17" ${JAVA_INSTALLED_PKGS_LOGS}; then + echo "Java 17 is installed. Proceeding to remove other versions..." + + echo "Checking and removing Java 8 if installed ..." + if grep -qi "java-1.8" ${JAVA_INSTALLED_PKGS_LOGS}; then + echo "Java 8 is installed. Removing..." + yum -y remove java-1.8* + else + echo "Java 8 is not installed. Skipping removal." + fi + + echo "Checking and removing Java 11 if installed ..." + if grep -qi "java-11" ${JAVA_INSTALLED_PKGS_LOGS}; then + echo "Java 11 is installed. Removing..." + yum -y remove java-11* + else + echo "Java 11 is not installed. Skipping removal." + fi + + echo "Checking and removing Java 21 if installed ..." + if grep -qi "java-21" ${JAVA_INSTALLED_PKGS_LOGS}; then + echo "Java 21 is installed. Removing..." + yum -y remove java-21* + else + echo "Java 21 is not installed. Skipping removal." + fi + + echo "Cleaning up yum cache ..." + yum clean all +else + echo "Java 17 is not installed. Skipping removal of other versions." +fi + # Openshift default CA. See https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets SERVICEACCOUNT_CA='/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' if [[ -f $SERVICEACCOUNT_CA ]]; then From 4c88e37943bda00821d8fa8fbada2a217eddb846 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 23 Apr 2025 17:04:55 +0200 Subject: [PATCH 5/5] fix unbound --- jenkins/master/ods-run.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/jenkins/master/ods-run.sh b/jenkins/master/ods-run.sh index 31faf4f76..3c03bd69b 100755 --- a/jenkins/master/ods-run.sh +++ b/jenkins/master/ods-run.sh 
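Review bot: The block added to jenkins/master/ods-run.sh calls `yum -y remove` from the container's run script, but the master Dockerfile.ubi9 in this series installs this file as `/usr/libexec/s2i/run` and ends with `USER jenkins`, so the removals would presumably run without root and fail; with `set -ue` in effect a failed `yum -y remove java-11*` stops the script before it delegates to the base image's run script. Removing the extra JDKs belongs in the image build, where the Dockerfile already runs `ensure_java_jre_is_adequate.sh master` as root. If a runtime fallback is kept, it should be guarded with `if [ "$(id -u)" -eq 0 ]; then` and the removals made non-fatal. The package globs should also be quoted, e.g. `yum -y remove 'java-1.8*'`, so the shell cannot expand them against files in the working directory. The script continues outside this hunk.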
@@ -4,10 +4,15 @@ # then delegates to the original run script of the base image. set -ue +JAVA_INSTALLED_PKGS_LOGS="/tmp/java_installed_pkgs.log" + echo "Deleting .kube to avoid weird caching issues (see https://github.com/opendevstack/ods-core/issues/473)" rm -rf $HOME/.kube || true -echo "Verifying if Java 17 is installed ..." +echo "Removing any existing Java package logs ..." +rm -fv ${JAVA_INSTALLED_PKGS_LOGS} + +echo "Verifying if Java is installed ..." yum list installed | grep -i "\(java\|jre\)" | tee -a ${JAVA_INSTALLED_PKGS_LOGS} if grep -qi "java-17" ${JAVA_INSTALLED_PKGS_LOGS}; then echo "Java 17 is installed. Proceeding to remove other versions..." @@ -38,8 +43,11 @@ if grep -qi "java-17" ${JAVA_INSTALLED_PKGS_LOGS}; then echo "Cleaning up yum cache ..." yum clean all + + echo "Removing temporary Java package logs ..." + rm -fv ${JAVA_INSTALLED_PKGS_LOGS} else - echo "Java 17 is not installed. Skipping removal of other versions." + echo "No Java version is installed. Skipping removal of other versions." fi # Openshift default CA. See https://docs.openshift.com/container-platform/3.11/dev_guide/secrets.html#service-serving-certificate-secrets
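Review bot: In the first hunk of PATCH 5/5, `JAVA_INSTALLED_PKGS_LOGS="/tmp/java_installed_pkgs.log"` is a fixed, predictable name in a world-writable directory, and the script deletes it with `rm -fv` and then appends to it with `tee -a`, which leaves a window in which another process can put something at that path. `JAVA_INSTALLED_PKGS_LOGS="$(mktemp)"` avoids the shared name, or the file can be dropped entirely by capturing the list in a variable, `java_pkgs="$(yum list installed | grep -i '\(java\|jre\)' || true)"`, and testing that variable in the later checks. The expansions of `${JAVA_INSTALLED_PKGS_LOGS}` in both hunks are unquoted and should be written `"${JAVA_INSTALLED_PKGS_LOGS}"`.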
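Review bot: In the second hunk of PATCH 5/5, the else branch now prints "No Java version is installed", but it is reached whenever `grep -qi "java-17"` finds nothing, which includes an image that has only Java 11 or 21; the previous wording, "Java 17 is not installed", matched the condition. The added `rm -fv ${JAVA_INSTALLED_PKGS_LOGS}` also sits only inside the `if` branch, so the log file stays behind on the else path. Moving that cleanup to just after `fi` covers both branches.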