Introduction
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersVerifying build componentsVerifying WAR files
IntroductionHA (active/active) fundamentalsInstallation on modern cloud platforms (active/active)Installation on traditional platforms (active/active)HA (active/active) considerationsSpecific High Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-2 environmentConfigure the Apache™ Ant plugin for FIPS complianceConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-2 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineSelecting agentsCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The EnvReusing Configuration Files
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative PipelinePipeline builds and HA (active/active)
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManage controllers in specific Kubernetes namespacesMigrating an existing managed controller to High Availability (HA)Managing agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoUsing Buildkit (docker buildx)Sidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications Plugin
IntroductionGetting startedNavigating the operations centerManaging client controllersMigrating from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
Trust model
Pod Security Admission
Centrally managing security for controllers
Cyberark Credential Provider Plugin
HashiCorp Vault Plugin
Enabling advanced use cases: cross controller triggers and bulk operations
Restricting access and delegating administration with Role-Based Access Control
Creating secure folders with Role-Based Access Control Auto Configurer
Restricting job triggers
Setting up operations center access controls
Setting up access controls on connected controllers
Testing the SSH connection to an agent
Configuring restricted credentials with the CloudBees Restricted Credentials plugin
Folders
Folders Plus
Injecting secrets into builds
Managing build agents with Nodes Plus plugin
Extended security settings
Enhanced credentials masking
Understanding Beekeeper security warnings
Preventing unauthorized interaction between builds
Security recommendations
Using single sign-on (SSO)
CloudBees CI integration with Microsoft Entra ID
operations center specific permissions
Authentication mapping
Example configurations
Delegating administration
Data collection for the CloudBees Analytics Plugin
External secrets management
Replacing an expired certificate
List of URLs that need access
Blocking access to URL patterns using the CloudBees Request Filter Plugin
Serving resources from Jenkins
Verifying Helm Charts Published with a Signature
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyRestore $JENKINS_HOME manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes clusters using VeleroRun backups using cluster operations
IntroductionConfiguring multiple client controllers with the Jenkins CLI toolConfigure an alias for the Jenkins CLI toolConfiguring Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
CasC CLI commands
CasC HTTP API
Support policies

Install CloudBees CI on modern cloud platforms in FIPS mode

4 minute read

This guide explains how to install CloudBees CI on modern cloud platforms in FIPS mode into an Elastic Kubernetes Service (EKS) cluster on AWS GovCloud.

Prerequisites

  • AWS GovCloud account

  • FIPS compliant Istio (refer to Tetrate for more information)

Pre-installation

AWS does not provide a FIPS compliant AMI (Amazon Machine Image) for use as an EKS node. Follow the steps below to create a FIPS compliant AMI.

  1. Get an AWS GovCloud account.

  2. Create a FIPS AMI.

    1. Download, install, and setup the AWS CLI.

    2. Clone the amazon-eks-ami directory.

    3. In that directory, run the following command:

      make k8s=1.28 enable_fips=true source_ami_owners=045324592363 aws_region=us-gov-east-1 (1)
      1 The value for k8s should be the latest Kubernetes version supported by the version of CloudBees CI that you are installing. Refer to Supported platforms for CloudBees CI on modern cloud platforms for more information.
      If you only have access to an AWS account in GovCloud and not a AWS regular account, you may encounter an error obtaining EKS binaries from GovCloud. To resolve the issue, follow steps described here.

    4. Use the resulting AMI for node_groups in your EKS cluster.

  3. Install AWS Load Balancer.

  4. Create a certificate in the AWS Certificate Manager.

  5. Set up an External-DNS on AWS.

  6. Install the Kubernetes Gateway API.

    For more information about the Gateway API, refer to https://kubernetes.io/docs/concepts/services-networking/gateway/.

Configure your environment

Complete the following steps to configure your environment for the CloudBees CI on modern cloud platforms installation.

CloudBees CI on modern cloud platforms uses OCI container images. You can optionally Verifying the CloudBees CI on modern cloud platforms Docker images to ensure their origin and authenticity.

  1. Add the CloudBees Helm chart repository as follows:

    helm repo add cloudbees https://public-charts.artifacts.cloudbees.com/repository/public/
helm repo update

  2. Before initiating an installation, configure the namespaces to enforce Istio mTLS and use the correct Istio control pane.

    1. Run the following command to enforce the Istio mTLS.

      kubectl apply -n istio-system -f - << EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    #mode: PERMISSIVE
    mode: STRICT
EOF

    2. Run the following command to label the cloudbees-core namespace to use a specific Istio revision.

      kubectl label namespace cloudbees-core istio-injection
kubectl label namespace cloudbees-core istio.io/rev=${ISTIO_REVISION_TAG} --overwrite

  3. Create a file named values.yaml with the following content:

    fips140: true
OperationsCenter:
  Platform: eks
  Gateway:
    Name: cbci-gateway
    Namespace: istio-ingress (1)
  CasC:
    Retriever:
      Enabled: false
Hibernation:
  Enabled: false
Agents:
  SeparateNamespace:
    Enabled: true
    Create: false (2)
    1 This value should reference the Gateway created during Pre-installation.
    2 The Create: false means the namespace has been created previously.

Checking Istio and Kubernetes gateway

When gathering cluster information for support, the Istio and Gateway API version is crucial when in FIPS mode.

  • To gather required information on the gateway, run the following commands:

# Check namespaces
$ kubectl get namespaces
NAME                               STATUS   AGE
...
istio-ingress                      Active   XXX
istio-system                       Active   XXX
...

# Check the gateway
$ kubectl get gateways --namespace istio-ingress
NAMESPACE       NAME           CLASS ...
istio-ingress   cbci-gateway   istio

# Get all the info from the gateway
$ kubectl get gtw cbci-gateway --namespace istio-ingress -o json
...

# Or get only basic info
$  kubectl get gtw cbci-gateway --namespace istio-ingress -o go-template='{{printf " apiVersion: %s\n" .apiVersion}} {{printf "Name: %s\n" .metadata.name}} {{printf "Kind: %s\n" .kind}} {{printf "Gateway ClassName: %s\n" .spec.gatewayClassName}}'
 apiVersion: gateway.networking.k8s.io/v1
 Name: cbci-gateway
 Kind: Gateway
 Gateway ClassName: istio

  • To gather data on the Istio version and images, run the following commands:

# Get existing deployment
$ kubectl get deployment --namespace istio-system
NAME            READY   UP-TO-DATE   AVAILABLE   AGE
istiod-1-20-3   1/1     1            1           XXX

# Get revision
$ kubectl get deployment.apps/istiod-1-20-3 --namespace istio-system -o "jsonpath={.metadata.labels}" | jq
{
  "app": "istiod",
  "app.kubernetes.io/managed-by": "Helm",
  "install.operator.istio.io/owning-resource": "unknown",
  "istio": "pilot",
  "istio.io/rev": "1-20-3",
  "operator.istio.io/component": "Pilot",
  "release": "istiod"
}

# Get image
$ kubectl get deployment.apps/istiod-1-20-3 --namespace istio-system -o "jsonpath={.spec.template.spec.containers[0].image}"
docker.io/istio/pilot:1.20.3

# Or simply get all available data
$ kubectl get deployment.apps/istiod-1-20-3 --namespace istio-system -o json
...

  • To gather data on the Istio ingress, run the following commands:

# Get existing deployment
$ kubectl get deployment --namespace istio-ingress
NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
cbci-gateway-istio   1/1     1            1           XXX

# Get revision
$ kubectl get deployment.apps/cbci-gateway-istio --namespace istio-ingress -o "jsonpath={.spec.template.metadata.annotations}" | jq
{
  "cert-manager.io/issuer": "zerossl",
  "istio.io/rev": "1-20-3",
...
}

# Get image
$ kubectl get deployment.apps/cbci-gateway-istio --namespace istio-ingress -o "jsonpath={.spec.template.spec.containers[0].image}"
docker.io/istio/proxyv2:1.20.3

# Or simply get all the ingress data
$ kubectl get deployment.apps/cbci-gateway-istio --namespace istio-ingress -o json
...

Using AWS Elastic Container Registry (ECR) with CloudBees CI

You can install CloudBees CI from your ECR registry, as long as your cluster has access to ECR. To install CloudBees CI from your ECR registry, update the Helm chart so that it pulls CloudBees CI container images from ECR instead of the public Docker registry.

To setup AWS ECR to store the container images for use during your CloudBees CI on modern cloud platforms installation:

  1. Create a registry in ECR from the AWS Console or the AWS SDK. The registry hostname should be formatted like this:

    # {id-number}.dkr.ecr.{region}.amazonaws.com
123456789012.dkr.ecr.us-gov-east-1.amazonaws.com

  2. Run the following commands to obtain a list of the CloudBees CI container images included in the Helm chart:

    helm repo update
helm show values cloudbees/cloudbees-core --jsonpath="{..Image.dockerImage}"

  3. Pull the CloudBees CI container images from Docker Hub.

    To continue with the previous example, use the following commands to pull the CloudBees CI container images for version 2.176.1.4:

    $ docker pull cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker pull cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker pull cloudbees/cloudbees-core-agent-fips:2.176.1.4

  4. Run the following commands to tag the container images. When tagging the container images, replace ecr-repo with your registry hostname. For example:

    $ docker tag cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker tag cloudbees/cloudbees-core-mm-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker tag cloudbees/cloudbees-core-agent-fips:2.176.1.4 {ecr-repo}/cloudbees/cloudbees-core-agent-fips:2.176.1.4

  5. Run the following commands to push the container images to ECR. Replace the values below with the specific names of your container images:

    $ docker push {ecr-repo}/cloudbees/cloudbees-cloud-core-oc-fips:2.176.1.4
$ docker push {ecr-repo}/cloudbees/cloudbees-core-mm-fips:2.176.1.4
$ docker push {ecr-repo}/cloudbees/cloudbees-core-agent-fips:2.176.1.4

  6. Add the following to the values.yaml file, replacing {ecr-repo} with the actual host name:

    Common:
  image:
    registry: {ecr-repo}/cloudbees

    Now install CloudBees CI on modern cloud platforms in FIPS mode.

Install CloudBees CI on modern cloud platforms in FIPS mode

Type the following command to complete the installation:

helm install cloudbees-core \
               cloudbees/cloudbees-core \
               --namespace cloudbees-ci \
               -f values.yaml

After installing CloudBees CI on modern cloud platforms, you should:

What is FIPS and FIPS 140 compliance?
CAP plugin support in a FIPS 140-2 environment