diff --git a/contrib/single_node_ci_data.yaml b/contrib/single_node_ci_data.yaml
index 92abf75..eaf3791 100644
--- a/contrib/single_node_ci_data.yaml
+++ b/contrib/single_node_ci_data.yaml
@@ -4,6 +4,11 @@
 #vhost_name:
 project_config_repo: http://your-project-config-repo.example.com/project-config-example.git
 #serveradmin:
+# Jenkins version 1.651 is the last known version to work out of the box with
+# zuul. However, it has numerous security vulnerabilities, and should only
+# be used for installations that have other means (e.g. firewalls) that block all
+# untrusted access to Jenkins.
+#jenkins_version: present
 #jenkins_vhost_name: jenkins
 #jenkins_username: jenkins
 #jenkins_password:
diff --git a/contrib/single_node_ci_site.pp b/contrib/single_node_ci_site.pp
index 437f5ba..5d3c268 100644
--- a/contrib/single_node_ci_site.pp
+++ b/contrib/single_node_ci_site.pp
@@ -32,6 +32,7 @@ node default {
     vhost_name                  => $vhost_name,
     project_config_repo         => hiera('project_config_repo'),
     serveradmin                 => hiera('serveradmin', "webmaster@${vhost_name}"),
+    jenkins_version             => hiera('jenkins_version', 'present'),
     jenkins_vhost_name          => hiera('jenkins_vhost_name', 'jenkins'),
     jenkins_username            => hiera('jenkins_username', 'jenkins'),
     jenkins_password            => hiera('jenkins_password', 'XXX'),
diff --git a/manifests/jenkins_master.pp b/manifests/jenkins_master.pp
index 6fa136d..f3c7db9 100644
--- a/manifests/jenkins_master.pp
+++ b/manifests/jenkins_master.pp
@@ -14,6 +14,7 @@ class openstackci::jenkins_master (
   $ssl_chain_file_contents = '',
   $jenkins_ssh_private_key = '',
   $jenkins_ssh_public_key  = '',
+  $jenkins_version         = 'present',
   $manage_jenkins_jobs     = false,
   $jenkins_url             = 'http://localhost:8080',
   $jjb_update_timeout      = 1200,
@@ -36,6 +37,7 @@ class openstackci::jenkins_master (
     ssl_chain_file_contents => $ssl_chain_file_contents,
     jenkins_ssh_private_key => $jenkins_ssh_private_key,
     jenkins_ssh_public_key  => $jenkins_ssh_public_key,
+    jenkins_version         => $jenkins_version,
   }
 
   jenkins::plugin { 'build-timeout':
diff --git a/manifests/single_node_ci.pp b/manifests/single_node_ci.pp
index 2e41781..c768123 100644
--- a/manifests/single_node_ci.pp
+++ b/manifests/single_node_ci.pp
@@ -56,6 +56,11 @@
 #   The public key should not have any white space. Omit the 'ssh-rsa' prefix
 #   and comment section / e-mail address suffix.
 #
+# [*jenkins_version*]
+#   This is a Jenkins version, such as '1.651', 'present' (to install
+#   the most recent, and never upgrade), or latest' (to install the most
+#   recent version, and upgrade if a more recent version is published).
+#
 # [*gerrit_server*]
 #   This is the host name of the gerrit server this CI system will be
 #   listening for events.
@@ -153,6 +158,7 @@ class openstackci::single_node_ci (
   $jenkins_password              = undef,
   $jenkins_ssh_private_key       = undef,
   $jenkins_ssh_public_key        = undef,
+  $jenkins_version               = 'present',
   $jjb_git_revision              = 'master',
   $jjb_git_url                   = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
 
@@ -187,6 +193,7 @@ class openstackci::single_node_ci (
     serveradmin             => $serveradmin,
     jenkins_ssh_private_key => $jenkins_ssh_private_key,
     jenkins_ssh_public_key  => $jenkins_ssh_public_key,
+    jenkins_version         => $jenkins_version,
     manage_jenkins_jobs     => true,
     jenkins_url             => 'http://127.0.0.1:8080/',
     jenkins_username        => $jenkins_username,