AKS installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
Amazon EKS installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
GKE installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
Kubernetes installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
OpenShift installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
TKGI installation
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
Traditional platforms installation
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersInstalling build agentsVerifying build componentsVerifying WAR filesHigh availability
Getting started
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
Planning for Pipelines
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
Creating Pipelines
IntroductionPrerequisitesCreating your first PipelineCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
Automating with Jenkinsfile
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The Env
Administering Pipelines
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative Pipeline
Controlling builds
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Git Validated Merge plugin
Remote collaboration features
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
Pipeline templates
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
Pipeline syntax reference
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
Multibranch Pipeline Template syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
Docker
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Modern cloud platforms
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManaging controllers in specific Kubernetes namespacesManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoSidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationWikiText plugin
Traditional platforms
IntroductionGetting startedNavigating the Operations CenterManaging client controllersManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationWikiText plugin
Modern cloud platforms
IntroductionTrust modelCentrally managing security for controllersCyberark Credential Provider PluginEnabling advanced use cases: cross controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersSetting up operations center access controlsSetting up access controls on connected controllersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginExtended security settingsEnhanced credentials maskingUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsUsing single sign-on (SSO)operations center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementReplacing an expired certificateList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from JenkinsVerifying Helm Charts Published with a Signature
Traditional platforms
IntroductionConfiguring network requirementsCentrally managing security for controllersCyberark Credential Provider PluginEnabling advanced use cases: cross-controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsExtended security settingsUsing single sign-on (SSO)Operations Center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from Jenkins
Backup and restore
IntroductionExplaining $JENKINS_HOMEBest practices for backup and restoreBacking up manuallyRestoring manuallyRestoring credentialsUsing the CloudBees Backup PluginScheduling your backups in the CloudBees Backup PluginRestoring from CloudBees Backup PluginBackup and restore on KubernetesBackup and restore on AWSUsing Velero for backup and restore of Kubernetes clustersUsing cluster operations to run backups
Jenkins CLI
IntroductionGetting the CLI toolUsing the CLI toolExamples of usageConfiguring multiple client controllersConfiguring an alias for the Jenkins CLI toolConfiguring the Jenkins CLI tool to work with non-TrustStore SSL certificatesCasC bundle management on operations center
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Counting and monitoring user licenses with the CloudBees User Activity Monitoring plugin

Verifying Helm charts with a signature

2 minute read

Starting with Helm version 3.8, Helm Charts can be published on OCI registries. The OCI registry allows CloudBees CI on modern cloud platforms to share Helm Charts as containers instead of .tgz files. OCI registries store containers and container signatures within the same registry. Download the Cosign verification software to sign and verify the Helm Charts stored in that OCI registry.

OCI artifact references (e.g. tags) do not support the plus sign ( + ). To support storing semantic versions, Helm adopts the convention of changing any plus ( + ) to an underscore ( _ ) in chart version tags when pushing to a registry, and then back to a plus ( + ) when pulling from a registry.

However, Cosign does not support this convention. Therefore, if you intend to verify Helm charts using Cosign, you must manually change any plus sign to an underscore when you pull the Helm chart from the OCI registry.

Verifying the origin and authenticity of signed Helm Charts is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering. You should verify the signatures before you run the Helm Chart. To verify signed Helm Charts, you create a text file using the CloudBees public key, and then run the Cosign verification process. The CloudBees public key is as follows:

----- BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cjIzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==
-----END PUBLIC KEY-----

To verify the authenticity of the signed Helm Chart, complete the following steps:

  1. Create a text file that contains the CloudBees public key. Cosign must be able to access the file to verify the images or the verification will fail.

    You can use the following command to create the text file and populate it with the CloudBees public key:

    echo -e "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj\nIzA5r4X2TNQJPmInN7gmcQwNLtli/3wR3jepeHulb33SbWoNw==\n-----END PUBLIC KEY-----" > cloudbees.key

  2. Type the following command to verify the Helm Chart:

    cosign verify --key cloudbees.key helm.cloudbees.com/cloudbees-core:3.43.1_7ebb8eddc91a

    In this command,helm.cloudbees.com is the OCI registry which publishes the Helm chart and cloudbees-core is the name of the Helm Chart. The signed Helm Chart version number is 3.43.1_7ebb8eddc91a. You can modify this number to match the Helm Chart version you are trying to verify. Refer to ArtifactHub for a list of the Helm Chart versions.

    You can run the following command to retrieve the CloudBees CI on modern cloud platforms version number from a Helm Chart:

    helm show chart oci://helm.cloudbees.com/cloudbees-core --version 3.43.1+7ebb8eddc91a | grep appVersion | cut -d" " -f2

    Cosign responds with a message that indicates whether the images are validated as authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, you should contact CloudBees Support.

Serving resources from Jenkins