CloudBees CI on modern cloud platforms uses Docker containers to run a cluster of computers within the Kubernetes container management system.
CloudBees CI on modern cloud platforms includes the following Docker containers:
cloudbees-cloud-core-oc: Operations center
cloudbees-core-mm: Managed controller
In a standard installation, the CloudBees Helm chart pulls the CloudBees CI
cloudbees-core-mm images from the public Docker Hub repository.
The CloudBees CI Docker images are signed, so that you can verify their origin and authenticity. Verifying the origin and authenticity of public Docker images is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering.
You should verify the signatures before you run the Docker images. If you have an internal Docker registry that pulls images to use internally, you can verify the images at that time.
In order to verify the CloudBees CI Docker images, you must download Cosign verification software. Cosign is a component of the Sigstore solution, a collection of projects designed to make software signatures easier.
Use Cosign to verify signed Docker images.
To verify the authenticity of CloudBees CI Docker images, type one of the following commands:
To verify the operations center image for version 2.375.3.5, type:
cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub cloudbees/cloudbees-cloud-core-oc:2.375.3.5
To verify the managed controller image for version 2.375.3.5 type:
cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub cloudbees/cloudbees-core-mm:2.375.3.5
Cosign responds with a message that indicates whether the images are validated as authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, you should contact CloudBees Support.