Many organizations' security policies require their build infrastructure to be installed and implemented in a secured/air-gapped [1] environment.
However, components of your build infrastructure (controller in particular) may often require access to artifact repositories on the Internet, since:
-
Artifacts and dependencies from such external trusted sources may need to be incorporated into the builds of build projects on these controllers.
-
Such external trusted repositories may house plugins that greatly extend the functionality and integration features of Jenkins.
These scenarios can be resolved by implementing (within your network infrastructure) a proxy artifact repository, which in itself has:
-
access to the Internet, as well as
-
network access to Jenkins installation.
Use-case solution
This use-case solution describes how to manage plugins with the plugin catalog feature in a secured environment using a proxy artifact repository. [2] A CloudBees CI on traditional platforms instance will be used to update the Beer plugin version 1.1 (specified in a plugin catalog) to version 1.2. [3]
-
Begin with a CloudBees CI on traditional platforms installation, consisting of a single client controller component and the operations center component.
Both of these components must be configured together as part of the same Jenkins installation (either on the same machine if you are testing out this procedure or on different machines on the same network). However, both these installed components must not have access to the Internet. -
Create a Maven proxy repository to proxy the CloudBees repository
https://repo.cloudbees.com/content/repositories/dev-connect/
. This CloudBees repository aggregates the CloudBees plugins and the Open Source plugins distributed byhttps://repo.jenkins-ci.org/releases/
. To help identify the groupId and artifactId of the plugins you can, for the Open Source plugins, browse the Open Source repositoryhttps://repo.jenkins-ci.org/releases/
and, for the CloudBees plugins, look at the "Maven coordinates" of the desired plugins by going to CloudBees plugin release notes and clicking on the name of the plugin.You may prefer to use Nexus Artifact Repository as your artifact repository system, since a free (OSS) edition of this software is available. However, your chosen artifact repository system must have access to the Internet, and therefore be installed on a different machine to your Jenkins installation’s components. -
Copy the following plugin catalog code snippet (for the Beer plugin 1.1) and save it to a file with the name
plugin-catalog-file.json
:{ "type" : "plugin-catalog", "version" : "1", "name" : "my-plugin-catalog", "displayName" : "My Plugin Catalog", "configurations" : [ { "description" : "My Plugin Catalog for Masters versions 2.121 to 2.138.1.2", "prerequisites": { "productVersion": "[2.121, 2.138.1.2]" }, "includePlugins" : { "beer": { "groupId": "org.jenkins-ci.plugins", "version" : "1.1" } } } ], "settings": { "repository": { "layout": "maven2", "url": "https://nexus.mycompany.com/repository/cloudbees-core-plugins/" } } }
Read more about this process in the documentation for defining a plugin catalog.
-
Add the plugin catalog to operations center and then validate the plugin catalog’s suitability for the client controller.
-
Deploy the plugin catalog to the client controller and then verify the plugin catalog’s deployment to the client controller.
You should see the Beer plugin version 1.1 appear in the plugin catalog’s Included plugins list, which means that this plugin (and its indicated version) can now be installed to this client controller.
-
Install the Beer plugin version 1.1 to the client controller.
-
Now, update the plugin catalog on operations center to use the Beer plugin version 1.2. Following this procedure, tweak the
plugin-catalog-file.json
file according to the following code snippet, and re-add this modified plugin catalog file to the operations center.{ "type" : "plugin-catalog", "version" : "1", "name" : "my-plugin-catalog", "displayName" : "My Plugin Catalog", "configurations" : [ { "description" : "My Plugin Catalog for Masters versions 2.121 to 2.138.1.2", "prerequisites": { "productVersion": "[2.121, 2.138.1.2]" }, "includePlugins" : { "beer": { "groupId": "org.jenkins-ci.plugins", "version" : "1.2" } } } ], "settings": { "repository": { "layout": "maven2", "url": "https://nexus.mycompany.com/repository/cloudbees-core-plugins/" } } }
Compared to the original
plugin-catalog-file.json
snippet above, the"version" : "1.2"
(within the"includePlugins"
block) is the only line of the entire code snippet which is different. -
Ensure that you have re-validated and re-deployed the updated plugin catalog to the client controller.
-
You should now be able to update the Beer plugin on the client controller to version 1.2.
This use-case solution demonstrated how you can control which Internet-based plugins are permitted on your secured Jenkins installation "as code." From a plugin maintenance perspective, your controller behaves as if it were connected directly to the Internet.
The plugins defined in the CloudBees Assurance Program are provided in the CloudBees CI WAR files; the plugins defined in the plugin catalog are indirectly downloaded from the Jenkins Community Maven artifacts repository (via the proxy artifact repository you configured above).
To sum up, this Jenkins and proxy artifact repository configuration provides a secure and stable CloudBees CI installation with tightly-controlled access to the Internet.