Manage CloudBees Core Plugins in a Secure Environment

Jean-Philippe Briend

Plugins are one of the most powerful features in Jenkins and its ecosystem is unique in the continuous integration/continuous delivery (CI/CD) world: plugins enable you to interconnect Jenkins with many external tools. As of today, Jenkins has more than 1400 open source plugins. Users of CloudBees Core, which is built on Jenkins technology, can utilize this plugin ecosystem for their business needs.

When you want to deploy CD at scale across a company, often by offering CD as a service, stability is critical. Plugin management is one of the actions that will help you provide a stable CloudBees Core service.

CloudBees offers a plugin catalog feature which helps you manage CloudBees Core plugins at the Client Master, Managed Master or Team Master (i.e. “master”) level.

The main idea behind the plugin catalog feature is to offer CloudBees Core administrators the ability to define a list of authorized plugins for the masters. Administrators will deploy a plugin catalog on each master. When a plugin catalog is deployed on a master, the master will only be able to install the plugins validated by our CloudBees Assurance Program AND the plugins defined in the plugin catalog. CloudBees Core requires access to the Internet to get the latest plugins and validate the plugins using the CloudBees Assurance Program. However, what if your CloudBees Core installation is in a highly secure or regulated environment, where your CloudBees Core components have restricted or no access to the Internet and need to be air-gapped?

CloudBees has a solution for that use case. You can define a plugin catalog and configure a proxy artifact repository that is connected to the Internet (using Sonatype’s Nexus Repository or JFrog’s Artifactory, for example) to act as a CloudBees Core plugin repository, from which the master (not connected to the Internet) will download its plugins.

The benefit of this approach is that with the plugin catalog, you can control the plugins allowed on your CloudBees Core installation “as code.” From a plugin perspective, your master will behave just as if it were connected to the Internet. The plugins defined in the CloudBees Assurance Program are provided in the CloudBees Core WAR files and the plugins defined in the plugin catalog are downloaded from the internal Maven repository. This allows you to have the most stable CloudBees Core service possible, without direct access to the Internet. Customers can run CloudBees Core in highly secure environments or where there is no Internet access.
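The authorization rule and the internal-repository requirement described above can be checked offline. This added example, which is not CloudBees code, flags installed plugins that are outside both the Assurance Program list and the catalog, and catalog entries whose download URL is not on the internal repository. The dictionary layout, host names, plugin versions and version pinning are constructed assumptions, not the plugin catalog file format.

```python
from urllib.parse import urlparse

# Assumed host name of the internal proxy repository (Nexus/Artifactory).
INTERNAL_REPO_HOST = "nexus.internal.example"

# Constructed sample: plugins shipped in the WAR (CloudBees Assurance Program).
CAP_PLUGINS = {"git": "4.0.0", "credentials": "2.3.0"}

# Constructed sample catalog: extra authorized plugins with pinned version and source.
CATALOG = {
    "slack": {"version": "2.35",
              "url": "https://nexus.internal.example/repository/plugins/slack-2.35.hpi"},
    "jira": {"version": "3.0.11",
             "url": "https://updates.example.org/plugins/jira-3.0.11.hpi"},
}

# Constructed sample: what one master reports as installed.
INSTALLED = {"git": "4.0.0", "slack": "2.34", "jira": "3.0.11", "blueocean": "1.21.0"}


def audit_catalog(catalog, internal_host):
    """Return (name, url) for catalog entries that would download from outside
    the internal repository, or over a scheme other than HTTPS."""
    findings = []
    for name, entry in sorted(catalog.items()):
        url = urlparse(entry["url"])
        if url.scheme != "https" or url.hostname != internal_host:
            findings.append((name, entry["url"]))
    return findings


def audit_installed(installed, cap, catalog):
    """Classify each installed plugin: 'cap', 'catalog', 'version-drift'
    (authorized name, unpinned version) or 'unauthorized'."""
    report = {}
    for name, version in sorted(installed.items()):
        if name in cap:
            report[name] = "cap" if cap[name] == version else "version-drift"
        elif name in catalog:
            pinned = catalog[name]["version"]
            report[name] = "catalog" if pinned == version else "version-drift"
        else:
            report[name] = "unauthorized"
    return report


if __name__ == "__main__":
    print(audit_catalog(CATALOG, INTERNAL_REPO_HOST))
    print(audit_installed(INSTALLED, CAP_PLUGINS, CATALOG))
```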

Read more about how to implement this feature in a use-case solution for managing CloudBees Core plugins in a secured air-gapped environment.
