In-place conversion of team controllers to managed controllers

4 minute readKnowledge base

Issue

CloudBees CI Teams on the operations center are deprecated, and I want to convert existing Team controllers to Managed controllers.

  • CloudBees recommends that you create a new controller and migrate jobs, rather than attempt an in-place conversion.

  • The migration of the authorization strategy performed in this guide will not result in a 1:1 mapping of the Teams authorization strategy, but will be a reasonable approximation. The notable difference is that Team Admins cannot manage groups on the operations center, so they are unable to add new Admins for the controller.

  • If you have a complicated setup, or do not use the CloudBees Role-Based Access Control plugin, please contact CloudBees support before attempting this migration. CloudBees may recommend using Integrated Success Plan points for this migration.

  • CloudBees strongly recommends that you create a backup of your operations center and controller before attempting this procedure, as errors during this procedure may leave your controller in an unusable state.

Environment

Process

Before beginning this migration, you must upgrade to CloudBees CI version 2.541.1.35570 or later, as this procedure has only been tested with CloudBees CI version 2.541.1.35570.

Operations center preparation

This step only needs to be completed once for the Operations center.

Create Role-Based Access Control roles

With Role-Based Access Control (RBAC), it is not possible to grant the Overall/ADMINISTER permission to a user to manage a specific controller, without the user being able to edit the controller configuration in the operations center. To allow Team Admins to administer their controller without being able to execute arbitrary code inside the controller, the Overall Manage permission can be used. If Team admins can be trusted to edit controller configurations in the operations center, then the Overall/ADMINISTER permission can be used instead, and the Team Admin (Trusted) permission can be used in place of the two other Team Admin Roles.

Create Roles in CloudBees RBAC to replicate the team controller roles. Refer to Configure and manage roles to create the following roles:

Table 1. RBAC roles for Teams migration
Role Permissions

Team Admin
(trusted)

  • Overall/ADMINISTER

Team Admin
(untrusted OC)

  • Overall/Manage

  • Job/Create

Team Admin
(untrusted controller)

  • Overall/ADMINISTER

Team member
(controller team folder)

  • Job/Build

  • Job/Cancel

  • Job/Configure

  • Job/Create

  • Job/Delete

  • Job/Discover

  • Job/Move

  • Job/Promote

  • Job/Read (implicit due to other permissions)

  • Job/Request

  • Job/Workspace

  • Run/Delete

  • Run/Update (If you have the hudson.security.ArtifactsPermission system property enabled, also add Run/Artifacts).

Team Viewer
(controller team folder)

  • Job/Read

  • View/Read

Migrate the controller

In the operations center:

  1. Navigate to the Team controller configuration page and copy the group membership.

  2. Navigate to the dashboard of your operations center.

  3. Select the gear icon for managing the team controller. If it is not present, first navigate to the Teams` folder.

  4. Select Groups to edit the groups on the controller.

  5. Create a new group called <teamname>-admins and grant Team Admin (untrusted OC) at the current level and Team Admin (untrusted controller) at the child level, with Propagates selected for both roles.

  6. Add the users that previously had the Team Admin role.

  7. Edit the controller configuration in the Operations center, in the in the System Properties field remove the following properties (if they exist) (cb.BeekeeperProp.autoInstallIncremental, cb.BeekeeperProp.noFullUpgrade, cb.IMProp.warProfiles) then add BLUE_ORGANIZATION_ROOT_FOLDER=<name-of-team-folder> (replace <name-of-team-folder> with the folder name found at the root of the controller, which will be based upon the name of the controller).

  8. Save the configuration.

  9. Deprovision the controller.

  10. In the script console of Operations center, run the following script after replacing teamname with the name of your team controller:

    import com.cloudbees.opscenter.server.bluesteel.ConnectedMasterTeamProperty
import java.nio.file.Files

def controller = Jenkins.get().getItemByFullName("teams/teamname")
if (controller != null) {
    controller.getProperties().remove(ConnectedMasterTeamProperty.class)
    Files.deleteIfExists(controller.getRootDir().toPath().resolve("team.xml"))
    Files.deleteIfExists(controller.getRootDir().toPath().resolve("teamSecurity.xml"))
    println "Operation was successful"
} else {
    println "Error: Controller was not found"
}

  11. Start the managed controller.

On the managed controller:

  1. Run the following script in the script console of the managed controller after updating teamname to be the name of your team controller folder:

    import com.cloudbees.opscenter.bluesteel.folder.BlueSteelTeamFolder
import java.nio.file.Files

def tf = Jenkins.get().getItemByFullName("teamname", BlueSteelTeamFolder.class)
if (tf == null) {
    println "Error: Team folder not found"
    return
}
def configPath = tf.getRootDir().toPath().resolve("config.xml")
if (configPath == null || !Files.exists(configPath)) {
    println "Error: Config file not found"
    return
}

String configXml = Files.readString(configPath)
configXml = configXml.replace("com.cloudbees.opscenter.bluesteel.folder.BlueSteelTeamFolder", "com.cloudbees.hudson.plugins.folder.Folder")
Files.writeString(configPath, configXml)
Jenkins.get().save()
Jenkins.get().reload()
println "Operation was successful"

  2. Navigate to the teamname folder, and then select Groups.

  3. Create a new group called teamname-members and grant it the Team members role, with Propagates enabled.

  4. Add the users that previously had the Team Member role.

  5. Create a new group called teamname-viewers and grant it the Team viewers role, with Propagates enabled. Add the users that previously had the Team Viewer role.

  6. If you had any custom Teams roles defined for this team, create a separate group for each custom role. The role must be created in the operations center. Refer to Restrict access and delegate administration with Role-Based Access Control for more information.

  7. Navigate to the plugin manager and uninstall the following plugins:

    • CloudBees CI Teams on Controller

    • CloudBees Blue Ocean Default Theme

      Blue Ocean will be removed from the CAP and will no longer be tested or supported. CloudBees recommends that you uninstall all Blue Ocean plugins from the managed controller and use CloudBees Pipeline Explorer for pipeline visualization. Doing so will allow you to take advantage of the latest features including HA/HS for controllers.

  8. Restart the managed controller.

  9. When the managed controller is back online, check Manage Jenkins  Security to validate the controller is using the desired security settings.

  10. Now that the migration is complete, consider uninstalling plugins that are likely no longer required, plugins that are deprecated, and community plugins that were part of team controllers or were dependencies of those plugins:

    • CloudBees Fast Archiving Plugin (cloudbees-jsync-archiver-plugin)

    • CloudBees WikiText Plugin (wikitext-plugin)

    • Git server Plugin (git-server-plugin)

    • GitHub Organization Folder Plugin (github-organization-folder-plugin)

    • Operations Center Analytics Configuration (operations-center-analytics-config)

    • Operations Center Analytics Reporter (operations-center-analytics-reporter)

    • Pipeline: Deprecated Groovy Libraries (workflow-cps-global-lib-plugin)

Post-migration steps

Once all team controllers have been either converted or migrated, the CloudBees CI Teams on Operations center plugin can be uninstalled from the operations center. Refer to Uninstall plugins from CloudBees CI.

Tested product/plugin versions

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.