56 lines
2.4 KiB
Markdown
56 lines
2.4 KiB
Markdown
# Exporting configurations
|
|
|
|
The plugin supports exporting existing configurations as YAML.
|
|
This is a feature available to the Jenkins administrators under the `http://[your_jenkins_url]/configuration-as-code/` URL.
|
|
|
|
Export feature is **NOT** intended to offer a directly usable jenkins.yaml configuration.
|
|
It can be used for inspiration writing your own production-ready YAML, but be aware that export can be partial,
|
|
or fail for some components.
|
|
|
|
## Security notice
|
|
|
|
Jenkins configuration may include various sensitive information,
|
|
including, but not limited to, credentials, secrets, administrative information about the instance and user personal data.
|
|
The Configuration-as-Code plugin tracks secrets and represents them safely in the exported YAMLs,
|
|
but it cannot prevent secrets from being exported in all cases.
|
|
Ultimately, it is a responsibility of Jenkins administrators to ensure that the generated YAML files
|
|
do not include sensitive information.
|
|
|
|
See more information about the masking logic below.
|
|
|
|
## Data to be exported
|
|
|
|
Currently the plugin does not have a way to define which data should be exported.
|
|
The following data is exported:
|
|
|
|
* System configuration under the _Manage Jenkins_ link
|
|
(global configurations, descriptor configurations, etc.)
|
|
* Agent configurations
|
|
* Views
|
|
* Credentials
|
|
|
|
Jobs and users are NOT exported by the plugin.
|
|
|
|
## Secret masking
|
|
|
|
What will be masked:
|
|
|
|
* All [hudson.util.Secret](https://javadoc.jenkins-ci.org/hudson/util/Secret.html) attributes
|
|
are exported in the encrypted form
|
|
* Encrypted form is readable only on the same instance,
|
|
and hence the encrypted form cannot be restored from the file on other instances
|
|
(see [this article](http://xn--thibaud-dya.fr/jenkins_credentials.html))
|
|
* Credential and secret definitions which use `hudson.util.Secret`
|
|
internally.
|
|
All plugins are expected to do so ([documentation](https://jenkins.io/doc/developer/security/secrets/))
|
|
|
|
What will **NOT** be masked:
|
|
|
|
* Free-form fields like view and agent descriptions.
|
|
If they contain sensitive information, it will be exported.
|
|
* NOTE: Depending on the permission setup these items may be configured by non-admin users,
|
|
Jenkins admins should keep it in mind while exporting configurations
|
|
* Plugins which do not use `hudson.util.Secret` for handling secret data.
|
|
For example, unfixed plugins in [this advisory](https://jenkins.io/security/advisory/2019-04-03/)
|
|
are likely subject to this issue
|