IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersInstalling build agentsVerifying build componentsVerifying WAR filesHigh availability
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The Env
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative Pipeline
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Git Validated Merge plugin
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManaging controllers in specific Kubernetes namespacesManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoSidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationWikiText plugin
IntroductionGetting startedNavigating the Operations CenterManaging client controllersManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationUsing GitHub App authentication
IntroductionTrust modelCentrally managing security for controllersCyberark Credential Provider PluginEnabling advanced use cases: cross controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersSetting up operations center access controlsSetting up access controls on connected controllersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginExtended security settingsEnhanced credentials maskingUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsUsing single sign-on (SSO)operations center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementReplacing an expired certificateList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from JenkinsVerifying Helm Charts Published with a Signature
IntroductionConfiguring network requirementsCentrally managing security for controllersCyberark Credential Provider PluginEnabling advanced use cases: cross-controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsExtended security settingsUsing single sign-on (SSO)Operations Center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from Jenkins
IntroductionExplaining $JENKINS_HOMEBest practices for backup and restoreBacking up manuallyRestoring manuallyRestoring credentialsUsing the CloudBees Backup PluginScheduling your backups in the CloudBees Backup PluginRestoring from CloudBees Backup PluginBackup and restore on KubernetesBackup and restore on AWSUsing Velero for backup and restore of Kubernetes clustersUsing cluster operations to run backups
IntroductionGetting the CLI toolUsing the CLI toolExamples of usageConfiguring multiple client controllersConfiguring an alias for the Jenkins CLI toolConfiguring the Jenkins CLI tool to work with non-TrustStore SSL certificatesCasC bundle management on operations center
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Counting and monitoring user licenses with the CloudBees User Activity Monitoring plugin

Managing client controllers

5 minute read

This chapter describes how to manage your client controllers through operations center.

Running on a TLS end-point

If the operations center instance is deployed on a TLS end-point, you must import the SSL certificate in the Java Keystore of the client controller. In case the client controller is deployed on a Tomcat web container, you might need to tell what keystore Jenkins is using. This should verify that Tomcat is using the correct keystore.

If it is not in the standard location ($JAVA_HOME/jre/lib/security/cacerts), add it as part of the Java arguments:

-Djavax.net.ssl.trustStore=$TOMCAT_LOCATION/cacert
-Djavax.net.ssl.trustStorePassword=password

Ensure that the certificates are correctly imported in both operations center and client controller.

keytool -keystore /$JRE_HOME/lib/security/cacerts -v -list

The cacert file should have file system read permission granted to the operating system user running the Jenkins JVM.

Configuring a client controller

This section describes how to configure a client controller that has already been connected to your operations center instance.

To access a client controller’s configuration:

  1. Ensure you are logged in to operations center as a user with the Client controller > Configure permission.

  2. From the operations center dashboard, select the arrow to the right of your configured client controller (avoiding its name) and choose Configure from the dropdown menu.

    Client controller dropdown menu
    Figure 1. Client controller dropdown menu

  3. On the resulting client controller configuration page, you can configure the following properties:

    • Description - Enter an optional description for the client controller.

    • Configuration as Code (CasC) - Select the configuration bundle to assign to the controller. The list of available bundles is filtered using the Availability pattern from the Configuration as Code bundles screen. By default, no bundles are included in the list. For more information, see Assigning a bundle to a controller.

    • Health Reporting - When this checkbox is selected, health-related metrics from this client controller are collected periodically. The default data collection period is once per minute, when data consumers are present (e.g. Weather columns or CloudBees Jenkins Analytics).

    • Analytics Reporting - When this checkbox is selected, report events and other metrics from this client controller for CloudBees Jenkins Analytics are collected.

    • On-controller executors - Select Enforce to specify the # of executors, which periodically ensures that the number of executors on the client controller is the value specified in this # of executors field. Allowing items (i.e. projects or jobs) to execute directly on the client controller is a security risk since such projects/jobs could potentially access the file system and the build records of all previously run projects/jobs (which may contain sensitive information). Therefore, set this value to 0 to prevent any items from being executing directly on the client controller.

    • Controller Owner - Specify the email address/es (one per line) of the "Owner/s" to be notified whenever this client controller goes offline or changes state.

      Selecting the Advanced button opens the Delay before notification field, which allows you to specify the number of minutes (a value between 1 and 60) between notifications.

    • Plugin Catalog - Select Specify a plugin catalog for this controller to choose a plugin catalog to apply to this client controller. You can also allow Beekeeper plugin exceptions with a plugin catalog. See Beekeeper plugin exceptions - Setting up Beekeeper plugin exceptions for more information.

Setting up a proxy artifact repository

To maintain the security of client controllers, as well as your build environment and infrastructure, it is usually a good idea to restrict your client controllers' access to the Internet as part of a process known as air gapping.

However, Pipelines and other types of build projects configured on your client controllers and other CloudBees CI Controller are likely to require access to artifact repositories on the Internet, since artifacts from such external and/or trusted repositories may need to be integrated into these build projects' builds. Additionally, these external artifact repositories may also house custom plugins, which you can define and configure in a plugin catalog, to install these plugins on your client controllers.

For instance, the publicly accessible repository https://repo.jenkins-ci.org/releases/ is one such artifact repository to which the Jenkins Community publishes Maven artifacts, as well as hpi/plugin files.

Therefore, to provide your client controllers with access to content housed by these external artifact repositories, set up a proxy artifact repository (with access to the Internet) internally within your organization’s infrastructure.

To set up a proxy artifact repository to an external artifact repository:

  1. Ensure you have installed an artifact repository system within your organization’s infrastructure, and ensure the artifact repository has access to the Internet.

  2. In your artifact repository system, configure your proxy artifact repository to your external or publicly accessible artifact repository.

    • For Sonatype’s Nexus Repository, configure the Proxy  Remote storage option in your new proxy artifact repository’s settings. Read more about configuring a proxy artifact repository in Nexus Repository using their Repository Management documentation, as well as the Proxy > Remote Storage sub-section of the Managing Repositories and Repository Groups section of this documentation.

    • For JFrog’s Artifactory, read more about configuring a proxy artifact repository in JFrog Artifactory using their Managing Proxies documentation.

Installing and updating client controller plugins

Like how operations center makes it easy to install and update plugins, a client controller also makes it easy to install and update plugins that extend its functionality. Refer to the Plugin management guide for details.

Configuring client controllers through CLI

Jenkins allows some operations to be invoked through CLI, some of them being useful to configure client controllers. Refer to Managing plugins from the client controllers command line for details.

Configuring Plugin Catalogs

The Beekeeper Upgrade Assistant feature of the Manage Jenkins area of operations center is the main interface and entry point to the CloudBees Assurance Program.

Beekeeper Upgrade Assistant manages appropriate upgrades (and downgrades) of plugins on your operations center instance, in accordance with the CloudBees Assurance Program.

Refer to Configuring plugin catalogs for details.

Releasing a client controller

When using CloudBees CI on modern cloud platforms, if a client controller is no longer necessary or if it is no longer required for it to be connected to the operations center, it should be released.

When using CloudBees CI on traditional platforms, if you want to stop managing some of your client controllers or if you decide you do not want to use the operations center, you can release your client controllers.

Releasing a client controller will permanently remove it from the operations center cluster.

The connection details that the client controller has will be invalidated and new connection details will need to be pushed to rejoin the client controller with an operations center cluster.

Access to any licenses or other resources that have been provided by the operations center cluster will be removed.

You can release a client controller in two ways:

  1. Using the UI

  2. Using the CLI

To release a client controller from the operations center using the UI:

  1. Navigate to the dashboard of your operations center.

  2. Select the gear icon for managing the client controller you want to release.

  3. Select Disconnect under Manage in the left navigation pane.

    You must disconnect the client controller before you can release it.

  4. Select Release under Manage in the left navigation pane.

To release a client controller from operations center using the CLI:

  1. Get the Jenkins CLI tool

  2. Use the Jenkins CLI tool

  3. Enter the following command:

    java -jar jenkins-cli.jar -s https://<operations-center-url>/cjoc/ -webSocket client-master-release NAME

    Replace <operations-center-url> and NAME with your values.
In August 2020, the Jenkins project voted to replace the term master with controller. We have taken a pragmatic approach to cleaning these up, ensuring the least amount of downstream impact as possible. CloudBees is committed to ensuring a culture and environment of inclusiveness and acceptance - this includes ensuring the changes are not just cosmetic ones, but pervasive. As this change happens, please note that the term master has been replaced through the latest versions of the CloudBees documentation with controller (as in managed controller, client controller, team controller) except when still used in the UI or in code.
Navigating the Operations Center
Managing agents