Install the CloudBees CI MCP Router

3 minute read

You can deploy the CloudBees CI MCP Router as a Docker container on individual computers or in Kubernetes clusters.

Prerequisites

Before you begin, ensure that you have Set up the CloudBees CI MCP Router, and have a copy of your encoded credentials for HTTP basic authentication.

Download the CloudBees CI MCP Router image

To use the CloudBees CI MCP Router, you must have the container image available locally for Docker or in your Kubernetes cluster. Choose one of the following methods depending on your deployment environment:

Download for Docker

For local Docker use, manually download the CloudBees CI MCP Router image from Docker Hub:

docker pull cloudbees/ci-mcp-router:<my-tag>(1)
1 Replace <my-tag> with the specific version or digest you intend to use.

Download for Kubernetes

For Kubernetes deployments, the image is pulled automatically by the cluster when a pod is created. To verify the image before use (recommended for production or regulated environments), pre-pull it to a node or private registry and verify as described below.

Verify the Docker image signature

The CloudBees CI MCP Router Docker images are signed so you can verify their origin and authenticity. This helps protect against "man-in-the-middle" attacks and other forms of image tampering.

After the image is present locally (either pulled manually or by Kubernetes), verify its signature to ensure authenticity and integrity.

To verify the CloudBees CI MCP Router Docker images:

  1. Download the Cosign verification tool. Cosign is part of Sigstore, a suite of projects designed to simplify software signing.

  2. Run one of the following commands to verify the authenticity of a specific CloudBees CI MCP Router Docker image.

    • Verify by digest:

      cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub cloudbees/ci-mcp-router@sha256:<my-digest>(1)
      1 Replace <my-digest> with the specific SHA-256 digest of the image you want to verify, such as abc123def456….

    • Verify by tag:

      cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub cloudbees/ci-mcp-router:<my-tag>(1)
      1 Replace <my-tag> with the specific tag of the image you want to verify, such as latest or a version number, such as 1.2.3.

    Cosign returns a message indicating whether the images are authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, contact CloudBees Support.

Deploy the CloudBees CI MCP Router

To deploy the CloudBees CI MCP Router, choose one of the following methods based on your environment:

OpenID Connect (OIDC) configurations

If your operations center is configured to use OIDC, ensure the Allow access using a Jenkins API token without an OIDC Session? option is selected in the operations center to allow API tokens to work without a browser session.

If this option is not selected, you must first sign in to the operations center via a browser before deploying the CloudBees CI MCP Router, so your credentials are recognized as valid. If your browser session expires, you must sign in to the operations center again to refresh your session.

Before using this configuration, review and understand the security implications for your environment. If you have any questions or concerns, contact CloudBees Support.

Deploy with Docker

After verifying the image, you can run the CloudBees CI MCP Router locally using Docker:

docker run  -e OC_URL=<my-oc-url> -e OC_AUTH=<dXNlcm5hbWU6dG9rZW4=> cloudbees/ci-mcp-router:<my-tag>(1)
1 Replace <my-oc-url> with the URL for your operations center. Replace <dXNlcm5hbWU6dG9rZW4=> with your actual encoded credentials. Replace <my-tag> with the specific tag or digest you have already verified.

Deploy in Kubernetes

After verifying the image, you can reference it in your Kubernetes manifests as shown below.

The following excerpt shows only the relevant section of the deployment manifest.

 
containers:
  - name: <my-app>(1)
    image: cloudbees/ci-mcp-router:my-tag(2)
    ports:
      - containerPort: 9000(3)
    env:
      - name: JAVA_TOOL_OPTIONS
        value: "-Doc.url=<my-oc-url> -Doc.auth=<dXNlcm5hbWU6dG9rZW4=>"(4)
1 Replace <my-app> with the name of your container.
2 Replace <my-tag> with the specific tag or digest you have already verified (for example, 1.2.3 or @sha256:abc123…​). For security and reproducibility, do not use latest.
3 The internal port used by the CloudBees CI MCP Router inside the container may vary depending on the image version or configuration. When exposing it externally, you can map any available host or cluster port to the internal port used by the router. Clients must connect to the mapped external port (for example, http://localhost:9000/mcp).
4 Replace <my-oc-url> with the URL for your operations center. Replace <dXNlcm5hbWU6dG9rZW4=> with your actual encoded credentials.
Set up the CloudBees CI MCP Router