Introduction
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersVerifying build componentsVerifying WAR files
IntroductionHA (active/active) fundamentalsInstallation on modern cloud platforms (active/active)Installation on traditional platforms (active/active)HA (active/active) considerationsSpecific High Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-2 environmentConfigure the Apache™ Ant plugin for FIPS complianceConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-2 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineSelecting agentsCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The EnvReusing Configuration Files
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative PipelinePipeline builds and HA (active/active)
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManage controllers in specific Kubernetes namespacesMigrating an existing managed controller to High Availability (HA)Managing agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoUsing Buildkit (docker buildx)Sidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications Plugin
IntroductionGetting startedNavigating the Operations CenterManaging client controllersMigrating from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
IntroductionTrust modelPod Security AdmissionCentrally managing security for controllersCyberark Credential Provider PluginHashiCorp Vault PluginEnabling advanced use cases: cross controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersSetting up operations center access controlsSetting up access controls on connected controllersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginExtended security settingsEnhanced credentials maskingUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsUsing single sign-on (SSO)CloudBees CI integration with Microsoft Entra IDoperations center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementReplacing an expired certificateList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from JenkinsVerifying Helm Charts Published with a Signature
IntroductionConfiguring network requirementsCentrally managing security for controllersCyberark Credential Provider PluginHashiCorp Vault PluginEnabling advanced use cases: cross-controller triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting job triggersTesting the SSH connection to an agentConfiguring restricted credentials with the CloudBees Restricted Credentials pluginFoldersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsExtended security settingsUsing single sign-on (SSO)CloudBees CI integration with Microsoft Entra IDOperations Center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessBlocking access to URL patterns using the CloudBees Request Filter PluginServing resources from Jenkins
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyRestore $JENKINS_HOME manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes clusters using VeleroRun backups using cluster operations
IntroductionGetting the Jenkins CLI toolUsing the Jenkins CLI toolExamples of usageConfiguring multiple client controllers with the Jenkins CLI toolConfiguring an alias for the Jenkins CLI toolConfiguring Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
CasC CLI commands
CasC HTTP API
Support policies

Install CloudBees CI on modern cloud platforms in FIPS mode

3 minute read

This guide explains how to install CloudBees CI on modern cloud platforms in FIPS mode into an Elastic Kubernetes Service (EKS) cluster on AWS GovCloud.

Prerequisites

  • AWS GovCloud account

  • FIPS compliant Istio (refer to Tetrate for more information)

Pre-installation

AWS does not provide a FIPS compliant AMI (Amazon Machine Image) for use as an EKS node. Follow the steps below to create a FIPS compliant AMI.

  1. Get an AWS GovCloud account.

  2. Create a FIPS AMI.

    1. Download, install, and setup the AWS CLI.

    2. Clone the amazon-eks-ami directory.

    3. In that directory, run the following command:

      make k8s=1.28 enable_fips=true source_ami_owners=045324592363 aws_region=us-gov-east-1 (1)
      1 The value for k8s should be the latest Kubernetes version supported by the version of CloudBees CI that you are installing. Refer to Supported platforms for CloudBees CI on modern cloud platforms for more information.
      If you only have access to an AWS account in GovCloud and not a AWS regular account, you may encounter an error obtaining EKS binaries from GovCloud. To resolve the issue, follow steps described here.

    4. Use the resulting AMI for node_groups in your EKS cluster.

  3. Install AWS Load Balancer.

  4. Create a certificate in the AWS Certificate Manager.

  5. Set up an External-DNS on AWS.

  6. Install the Kubernetes Gateway API.

    For more information about the Gateway API, refer to https://kubernetes.io/docs/concepts/services-networking/gateway/.

Configure your environment

Complete the following steps to configure your environment for the CloudBees CI on modern cloud platforms installation.

CloudBees CI on modern cloud platforms uses OCI container images. You can optionally Verify the CloudBees CI on modern cloud platforms Docker images to ensure their origin and authenticity.

  1. Add the CloudBees Helm chart repository as follows:

    helm repo add cloudbees https://public-charts.artifacts.cloudbees.com/repository/public/
helm repo update

  2. Before initiating an installation, configure the namespaces to enforce Istio mTLS and use the correct Istio control pane.

    1. Run the following command to enforce the Istio mTLS.

      kubectl apply -n istio-system -f - << EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    #mode: PERMISSIVE
    mode: STRICT
EOF

    2. Run the following command to lable the cloudbees-core namespace to use a specific Istio revision.

      kubectl label namespace cloudbees-core istio-injection
kubectl label namespace cloudbees-core istio.io/rev=${ISTIO_REVISION_TAG} --overwrite

  3. Create a file named values.yaml with the following content:

    fips140: true
OperationsCenter:
  Platform: eks
  Gateway:
    Name: cbci-gateway
    Namespace: istio-ingress (1)
  CasC:
    Retriever:
      Enabled: false
Hibernation:
  Enabled: false
Agents:
  SeparateNamespace:
    Enabled: true
    Create: false (2)
    1 This value should reference the Gateway created during Pre-installation.
    2 The Create: false means the namespace has been created previously.

Using AWS Elastic Container Registry (ECR) with CloudBees CI

You can install CloudBees CI from your ECR registry, as long as your cluster has access to ECR. To install CloudBees CI from your ECR registry, update the Helm chart so that it pulls CloudBees CI container images from ECR instead of the public Docker registry.

To setup AWS ECR to store the container images for use during your CloudBees CI on modern cloud platforms installation:

  1. Create a registry in ECR from the AWS Console or the AWS SDK. The registry hostname should be formatted like this:

    # {id-number}.dkr.ecr.{region}.amazonaws.com
123456789012.dkr.ecr.us-gov-east-1.amazonaws.com

  2. Run the following commands to obtain a list of the CloudBees CI container images included in the Helm chart:

    helm repo update
helm show values cloudbees/cloudbees-core --jsonpath="{..Image.dockerImage}"

  3. Pull the CloudBees CI container images from Docker Hub.

    To continue with the previous example, use the following commands to pull the CloudBees CI container images for version 2.176.1.4:

    $ docker pull cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker pull cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker pull cloudbees/cloudbees-core-agent-fips:2.176.1.4

  4. Run the following commands to tag the container images. When tagging the container images, replace ecr-repo with your registry hostname. For example:

    $ docker tag cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker tag cloudbees/cloudbees-core-mm-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker tag cloudbees/cloudbees-core-agent-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-core-agent-fips:2.176.1.4

  5. Run the following commands to push the container images to ECR. Replace the values below with the specific names of your container images:

    $ docker push {ecr-repo}/cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker push {ecr-repo}/cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker push {ecr-repo}/cloudbees/cloudbees-core-agent-fips:2.176.1.4

  6. Add the following to the values.yaml file, replacing {ecr-repo} with the actual host name:

    Common:
  image:
    registry: {ecr-repo}/cloudbees

    Now install CloudBees CI on modern cloud platforms in FIPS mode.

Install CloudBees CI on modern cloud platforms in FIPS mode

Type the following command to complete the installation:

helm install cloudbees-core \
               cloudbees/cloudbees-core \
               --namespace cloudbees-ci \
               -f values.yaml

After installing CloudBees CI on modern cloud platforms, you should:

What is FIPS and FIPS 140 compliance?
CAP plugin support in a FIPS 140-2 environment