Manage CloudBees Core Plugins in a Secure Environment

Written by: Jean-Philippe Briend
3 min read

Plugins are one of the most powerful features in Jenkins and its ecosystem is unique in the continuous integration/continuous delivery (CI/CD) world: plugins enable you to interconnect Jenkins with many external tools. As of today, Jenkins has more than 1400 open source plugins. Users of CloudBees Core, which is built on Jenkins technology, can utilize this plugin ecosystem for their business needs.

When you want to deploy CD at scale across a company, very often trying to offer CD as a service, stability is critical. Plugin management is one of the actions which will help you provide a stable CloudBees Core service.

CloudBees offers a plugin catalog feature which helps you manage CloudBees Core plugins at the Client controller, Managed controller or Team controller (i.e. “controller”) level.

The main idea behind the plugin catalog feature is to offer CloudBees Core administrators the ability to define a list of authorized plugins for the controllers. Administrators will deploy a plugin catalog on each controller. When a plugin catalog is deployed on a controller, the controller will only be able to install the plugins validated by our CloudBees Assurance Program AND the plugins defined in the plugin catalog. CloudBees Core requires access to the internet to get the latest plugins and validate the plugins using the CloudBees Assurance Program. However, what if your CloudBees Core installation is in a highly secure or regulated environment, where your CloudBees Core components have restricted or no access to the Internet and need to be air-gapped?

CloudBees has a solution for that use case. You can define a plugin catalog and configure a proxy artifact repository that is connected to the internet (using Sonatype’s Nexus Repository or JFrog’s Artifactory for example) to act as a CloudBees Core Plugin repository, from which the controller (not connected to the Internet) will download its plugins.

The benefit of this approach is that with the plugin catalog, you can control the plugins allowed on your CloudBees Core installation "as code." From a plugin perspective, your controller will behave just as if it were connected to the Internet. The plugins defined in the CloudBees Assurance Program are provided in the CloudBees Core WAR files and the plugins defined in the plugin catalog are downloaded from the internal Maven repository. The benefit of this functionality is that it will allow you to have the most stable CloudBees Core service as possible, without direct access to the Internet. Customers can run CloudBees Core in highly secure environments or where there is no Internet access.

Read more about how to implement this feature in a use-case solution for managing CloudBees Core plugins in a secured air-gapped environment.

Additional Resources

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.